PSD2: An introduction to Strong Customer Authentication (SCA)

With the volume of payments being processed skyrocketing, the risk of fraudulent behavior is increasing simultaneously. This is unfortunate and inevitable — but most importantly, it is beatable.

To create a safer environment for consumers to process payments, the European Parliament made plans to implement the Revised Payment Services Directive (PSD2) in late 2015. As part of this directive, certain online payments will need higher levels of confirmation from consumers, starting on September 14th 2019, to be in line with what the directive calls “Strong Customer Authentication” or “SCA.”

To make sure business continues as usual once the new regulations take effect, organisations need to act now to ensure the proper steps are taken to comply with SCA — before compliance is required.

Firstly, what is SCA?

As the name suggests, Strong Customer Authentication is simply making sure a customer is who she/he claims to be, before approving their payment — to reduce the risk of fraud. How do you prove people are who they say they are? Great question. As it relates to SCA, customers will need to prove their identity using two of the three following methods:

  • Something the customer HAS:
    • This could be an item such as a smartphone, smart watch, or a badge
  • Something the customer KNOWS:
    • Common examples of this would be a password, PIN, or answer to a secret question
  • Something the customer IS:
    • This is a physical feature which is unique to your customer — such as a fingerprint, face, eyes, or voice

Will customers need to authenticate every payment?

You may be thinking that it sounds like a lot of work to add these steps to every payment you process, and indeed you would be right. However, the intention of SCA is to reduce the risk of fraud for transactions that may have higher rates of fraud than others. Given these intentions, there are several types of transactions that won’t require SCA once the directive takes effect. These exemptions are:

Payments below €30: Payments below this threshold are exempt from SCA. However, banks will request authentication if the card has not been authenticated in the last 5 transactions or if the sum of the unauthenticated transactions totals more than €100.
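The low-value exemption above is effectively a small per-card state machine kept by the issuer. The following is an added example, not code from the article, that models it in Python; it assumes the €100 total includes the payment being assessed, that "last 5 transactions" means five consecutive unauthenticated payments, and that a payment which goes through SCA resets both counters.

```python
from dataclasses import dataclass
from decimal import Decimal

# Thresholds as described in the article (assumed to be strict "below"/"more than").
LOW_VALUE_LIMIT = Decimal("30")           # payments below this may be exempt
MAX_UNAUTHENTICATED_COUNT = 5             # consecutive exempt payments before SCA is forced
MAX_UNAUTHENTICATED_SUM = Decimal("100")  # cumulative exempt amount before SCA is forced


@dataclass
class CardCounters:
    """Per-card state the issuer keeps since the last authenticated payment (assumed model)."""
    unauthenticated_count: int = 0
    unauthenticated_sum: Decimal = Decimal("0")


def low_value_exemption_applies(amount: Decimal, counters: CardCounters) -> bool:
    """True when this payment can skip SCA under the low-value exemption."""
    if amount >= LOW_VALUE_LIMIT:
        return False                      # not below €30
    if counters.unauthenticated_count >= MAX_UNAUTHENTICATED_COUNT:
        return False                      # five exempt payments already, force SCA
    if counters.unauthenticated_sum + amount > MAX_UNAUTHENTICATED_SUM:
        return False                      # would push the running total past €100
    return True


def process_payment(amount: Decimal, counters: CardCounters) -> str:
    """Decide 'exempt' or 'sca_required' for one payment and update the counters."""
    if low_value_exemption_applies(amount, counters):
        counters.unauthenticated_count += 1
        counters.unauthenticated_sum += amount
        return "exempt"
    # SCA is performed for this payment, so the card is freshly authenticated
    # and both running counters start again (assumption, see lead-in).
    counters.unauthenticated_count = 0
    counters.unauthenticated_sum = Decimal("0")
    return "sca_required"


def simulate(amounts: list[str]) -> list[str]:
    """Run a constructed sequence of payment amounts for one card and return the decisions."""
    counters = CardCounters()
    return [process_payment(Decimal(a), counters) for a in amounts]
```

Running `simulate(["25", "25", "25", "25", "25"])` shows the cumulative rule: the fourth payment reaches exactly €100 and is still exempt, the fifth would exceed it and triggers SCA.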

Low-risk transactions: Transactions that are considered low risk will also be exempt from SCA. ‘Low risk’ is obviously a subjective term and will be defined by the bank processing the payment based on the fraud rates of both the card issuer and the entity processing the transaction. In some cases, both the card issuer and the acquirer can ask for an exemption.

Recurring transactions: The first transaction of a subscription always requires SCA. Companies that operate a subscription model for their billing will be happy to learn that most recurring charges will be exempt from SCA — assuming they are for the same amount. If the amount changes, SCA may be required unless the charge qualifies under the next exemption…

Merchant-initiated transactions: Companies that have variable amount subscription billing or charge for add-ons when the customer is not present will be exempt under the merchant-initiated transactions exemption. However, the card in question will likely need to be authenticated upon the initial use.

Whitelisted merchants: If a customer frequents a certain business and doesn’t want to authenticate their transactions there in the future, they can add that merchant to a “Whitelist” at their bank. This will prevent them from needing to authenticate their payments in the future.

Mail order and telephone (MOTO) transactions: As orders taken via mail or telephone are not a form of electronic payment, they will not be subject to SCA.

Inter-regional transactions: Companies that accept payments from customers outside of Europe will not need to authenticate them. However, if the customer is located outside of Europe but both the issuer of the card and the processor of the transaction are based in Europe, this will not be considered an inter-regional transaction and could be subject to SCA.

Parking and transport fees: This applies to unattended terminals, including contactless payments, and has no amount limit. As there is no standard exemption flag for this, the merchant category code (MCC) of the terminal is the indicator.

Please note: the issuer decides whether authentication is needed, since it is the issuer that verifies transactions. The issuer therefore owns the risk when it applies an exemption. Additionally, when an exemption is requested by the acquirer, the liability shifts from the issuer to the acquirer.

How can businesses get SCA compliant?

With the implementation date rapidly approaching, now is the time for businesses to start thinking about how to become SCA compliant in order to minimise the effect on their day-to-day operations.

Nowadays, businesses typically rely on 3D Secure to process their online transactions — and in response to SCA, 3D Secure 2.0 was released to help achieve SCA compliance. By using 3D Secure 2.0 to authenticate your online payments, you can count on your customers having as little inconvenience as possible as they complete their shopping experience.

By also supporting well-known payment methods such as Apple Pay or Google Pay, your customers will do much of the authentication work without realising it — as they need to identify themselves to use these services.

Summary: Protecting customers and businesses

As the world of commerce continues to shift towards the online environment, the business and regulatory environments will continue to evolve to keep shoppers safe. While SCA may seem tricky to navigate today, in the long run it will protect both customers and businesses from malicious behaviour.

By thinking about how to remain compliant with the least impact to your shoppers’ experience, you can take steps to minimise the negative impacts of these changing regulations on your business.

Please note this information may be subject to interpretation. If you’re looking for expert help when navigating PSD2 and SCA — to remain compliant as painlessly as possible — contact us today. We make payments happen safely and securely, without compromising on customer convenience. Get in touch to learn more.