PSD2 is here. Are you ready?
The General Data Protection Regulation (GDPR) may still be fresh in people’s minds, but it’s already old news. Europe’s payment industry faces its next regulatory shift on September 14, 2019, when the Strong Customer Authentication rules of the second Payment Services Directive (PSD2) take effect.
The European law has two main priorities: encouraging competition among financial providers and enhancing consumer protection.
The Payment Services Directive 2 (PSD2) replaces the previous directive and puts different rules in place for payment service providers.
Part of the new directive is Strong Customer Authentication (SCA), which is especially important for online merchants. Under PSD2, most customer-initiated electronic payments in the European Economic Area (EEA) require SCA from September 14, 2019.
SCA applies to most customer-initiated online transactions within the EEA, but it is not only a concern for companies based in the EEA. If your customers pay with cards issued in the EEA, or your payments are acquired in the EEA, the PSD2 requirements may apply to you.
SCA covers electronic payments initiated by the customer. Payment methods that do not fit that description, such as direct debit, invoice, or payment in advance, fall outside it.
Is the European market ready?
In a survey conducted by Mastercard in July 2019, 75% of Europeans admitted to being unaware of the new security standard and, above all, unaware that it takes effect this September.
Among European payment service providers, only 14% of respondents reported having implemented SCA, while 51% said they either had no plans to implement it or would not do so before September 2019.
How will the buying process change after implementation of SCA?
SCA is what many people call two-factor authentication: when a customer pays online with a debit or credit card, SCA requires at least two of the three independent elements listed below:
- Something they know (like a password, PIN, or signature)
- Something they possess (like a card, phone, or wearable device)
- Something biometric (like facial recognition, fingerprint, or iris scan)
Until now, an online purchase might require only a debit or credit card number and security code, or, on a platform such as Google Pay or PayPal, a login and password. Under SCA, buyers need a second, independent factor to complete the payment. For example, instead of typing just the CVV code, the customer may also have to enter a code generated by their banking app. Because the elements are independent, the compromise of one element does not compromise the others.
Additionally, for remote payments the authentication code is dynamically linked to the transaction: the customer is shown the amount and the payee, and the code is valid only for that amount and that payee. If either is changed after authentication, the code is invalid.
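How dynamic linking binds a code to the amount and payee, as an added example (not code from the original article or from any bank or card scheme). It assumes a symmetric key shared between the cardholder's banking app and the issuer, and uses HMAC-SHA256 over a canonical encoding of amount, currency, payee and a per-transaction nonce; the key, payee identifiers and function names are this example's own.

```python
"""Dynamic linking of an SCA authentication code.

Added illustration of the PSD2 RTS Article 5 requirement that an
authentication code for a remote payment is bound to the amount and
payee the payer agreed to, so that changing either invalidates it.
The construction below (HMAC-SHA256 keyed with a device secret) is
this example's own design, not any issuer's or scheme's protocol.
"""
import hashlib
import hmac
import secrets
from decimal import Decimal
from typing import Optional, Tuple

# Key provisioned to the cardholder's banking app at enrolment and shared
# with the issuer. Constructed for this example; a real key would be
# generated randomly and held in a secure element or keystore.
DEVICE_KEY = bytes.fromhex(
    "9f1c3a55ee07b2d4c6a8810f9b7e3c21d5f0a4b6c8d2e1f37a9b5c4d6e8f0a1b"
)


def canonical(amount: Decimal, currency: str, payee: str, nonce: bytes) -> bytes:
    """Unambiguous encoding of exactly what the payer was shown.

    Each field is length-prefixed, so no choice of amount/payee strings can
    collide with a different amount/payee pair.
    """
    fields = [
        b"SCA-DL-v1",
        str(amount.quantize(Decimal("0.01"))).encode("ascii"),
        currency.upper().encode("ascii"),
        payee.encode("utf-8"),
        nonce,
    ]
    return b"".join(len(f).to_bytes(2, "big") + f for f in fields)


def issue_code(key: bytes, amount: Decimal, currency: str, payee: str,
               nonce: Optional[bytes] = None) -> Tuple[bytes, str]:
    """Payer side: the app displays amount and payee, then produces the code."""
    nonce = nonce if nonce is not None else secrets.token_bytes(16)
    mac = hmac.new(key, canonical(amount, currency, payee, nonce), hashlib.sha256)
    return nonce, mac.hexdigest()


def verify_code(key: bytes, amount: Decimal, currency: str, payee: str,
                nonce: bytes, code: str) -> bool:
    """Issuer side: recompute over the amount and payee about to be executed.

    A code captured for one transaction cannot be reused to authorise a
    different amount or a different payee, which is the point of dynamic
    linking. Comparison is constant-time.
    """
    expected = hmac.new(key, canonical(amount, currency, payee, nonce),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, code)


def demo() -> dict:
    """Authorise 49.90 EUR to one payee, then replay the code on altered transactions."""
    nonce = bytes(range(16))  # fixed nonce so the demo is deterministic
    nonce, code = issue_code(DEVICE_KEY, Decimal("49.90"), "EUR", "merchant:acme-shop", nonce)
    return {
        "original": verify_code(DEVICE_KEY, Decimal("49.90"), "EUR",
                                "merchant:acme-shop", nonce, code),
        "amount_changed": verify_code(DEVICE_KEY, Decimal("490.00"), "EUR",
                                      "merchant:acme-shop", nonce, code),
        "payee_changed": verify_code(DEVICE_KEY, Decimal("49.90"), "EUR",
                                     "merchant:mule-account", nonce, code),
    }


if __name__ == "__main__":
    print(demo())
```

In practice the code a customer types by hand is truncated to a few digits and verification is rate-limited by the issuer; what matters for dynamic linking is that the MAC covers the amount and payee, not merely a session or a login.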
While most would agree that this extra step is crucial for good security, it is just as important to offer the consumer a quick and easy payment experience. The new requirements will affect the speed and convenience of online shopping, and ecommerce experts expect them to cause some drop-offs at checkout.
The reason is simple: customers first need to register something they possess, such as a smartphone or wearable device, with their bank or payment service provider so they can complete the additional authentication step. While this may seem easy and worthwhile, the extra step will unfortunately deter some customers.
Exemptions to the new requirements
PSD2 defines several exemptions to the general requirement of SCA for every transaction. A merchant or acquirer can request an exemption, but it is ultimately the issuer’s decision whether to honor it. Some exemptions to be noted:
- Subscriptions and recurring payments: The first payment in a subscription is customer-initiated and requires SCA. Later payments of a fixed amount to the same payee are exempt, and payments the merchant initiates under the customer’s earlier agreement (merchant-initiated transactions) fall outside the scope of SCA altogether. If the amount of a recurring payment changes, for example a service bill that fluctuates, the fixed-amount exemption no longer applies.
- One leg outside the EEA: SCA is mandatory only when both the cardholder’s bank (the issuer) and the merchant’s acquirer are located in the EEA. When one of them is outside the EEA, the EEA-based provider is expected to apply SCA on a best-efforts basis, so such transactions may still be challenged.
- Low-risk transactions: Transactions judged low-risk do not necessarily require SCA. The issuer or acquirer performs a real-time transaction risk analysis (TRA), and the exemption is only available to providers whose fraud rate is below the thresholds listed under “Low-fraud players” below.
- Mail order and telephone order (MOTO): MOTO transactions are not considered “electronic” payments and do not require SCA.
- Whitelists (trusted beneficiaries): Customers can add a merchant to a list of trusted beneficiaries held by their bank. SCA is required when the merchant is added to the list and for the first payment; subsequent payments to that merchant are exempt.
- Anonymous prepaid cards: Payment instruments whose holder cannot be identified by the issuer, such as anonymous prepaid cards, are out of the scope of SCA, since there is no identified payer to authenticate.
- Low-value transactions: A remote payment of 30 Euros or less is exempt. The exemption stops applying once more than five consecutive payments, or a cumulative 100 Euros, have gone through without SCA; the issuer then challenges the next payment, and the counters start again after SCA has been applied.
- Low-fraud players: For transactions above 30 Euros, the TRA exemption depends on the reference fraud rate of the payment service provider applying it (the issuer or the acquiring bank), not the merchant:
  - If the fraud rate is below 0.13%, SCA is not required for transactions of up to 100 Euros.
  - If the fraud rate is below 0.06%, the ceiling rises to 250 Euros.
  - If the fraud rate is below 0.01%, a transaction can be as high as 500 Euros before SCA is required.
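The low-value and low-fraud exemptions above are really one stateful decision made per card, which the following added example (not code from the original article or from any payment provider) makes explicit. The thresholds are the regulation’s (Articles 16 and 18 of the SCA regulatory technical standards); the data model, function names and the conservative reading of the Article 16 counters (both the count and the cumulative amount must be within limits) are this example’s own assumptions.

```python
"""SCA exemption decision for a remote card payment.

Added illustration of the low-value exemption (Art. 16 of the PSD2 RTS)
and the transaction-risk-analysis exemption (Art. 18) as a stateful
check run by the payment service provider (PSP). Thresholds are the
regulation's; everything else is this example's own design.
"""
from dataclasses import dataclass
from decimal import Decimal
from typing import List, Tuple

LOW_VALUE_LIMIT = Decimal("30.00")            # Art. 16(a): single payment
LOW_VALUE_CUMULATIVE_CAP = Decimal("100.00")  # Art. 16(b): total since last SCA
LOW_VALUE_COUNT_CAP = 5                       # Art. 16(c): payments since last SCA

# Art. 18: (PSP reference fraud rate, highest amount the TRA exemption covers)
TRA_BANDS = (
    (Decimal("0.0001"), Decimal("500.00")),  # 0.01 %
    (Decimal("0.0006"), Decimal("250.00")),  # 0.06 %
    (Decimal("0.0013"), Decimal("100.00")),  # 0.13 %
)


@dataclass
class CardState:
    """What the PSP must remember per card: activity since SCA was last applied."""
    count_since_sca: int = 0
    total_since_sca: Decimal = Decimal("0.00")


def tra_ceiling(fraud_rate: Decimal) -> Decimal:
    """Highest amount the TRA exemption can cover for a PSP with this fraud rate."""
    for rate_cap, amount_cap in TRA_BANDS:
        if fraud_rate <= rate_cap:
            return amount_cap
    return Decimal("0.00")  # above 0.13 %: no TRA exemption at all


def decide(state: CardState, amount: Decimal, psp_fraud_rate: Decimal,
           risk_flags: bool = False) -> Tuple[bool, str]:
    """Return (requires_sca, reason) and update the per-card counters.

    risk_flags stands for the real-time checks Art. 18 demands (abnormal
    spending, known-fraud device, unusual location, signs of malware);
    any hit disqualifies the TRA exemption.
    """
    low_value_ok = (
        amount <= LOW_VALUE_LIMIT
        and state.count_since_sca < LOW_VALUE_COUNT_CAP
        and state.total_since_sca + amount <= LOW_VALUE_CUMULATIVE_CAP
    )
    if low_value_ok:
        reason = "exempt:art16_low_value"
    elif not risk_flags and amount <= tra_ceiling(psp_fraud_rate):
        reason = "exempt:art18_tra"
    else:
        # SCA is applied (assumed successful); the Art. 16 counters restart.
        state.count_since_sca = 0
        state.total_since_sca = Decimal("0.00")
        return True, "sca_required"
    # Every payment that went through without SCA counts toward the Art. 16
    # limits, whichever exemption it used. The limits are "since last SCA",
    # not per day.
    state.count_since_sca += 1
    state.total_since_sca += amount
    return False, reason


def needs_sca(amount: str, psp_fraud_rate: str, risk_flags: bool = False) -> bool:
    """One-off check for a fresh card with no un-authenticated history."""
    return decide(CardState(), Decimal(amount), Decimal(psp_fraud_rate), risk_flags)[0]


def run_demo() -> List[Tuple[bool, str]]:
    """Constructed sequence of payments on one card at a PSP with a 0.05 % fraud rate."""
    state = CardState()
    rate = Decimal("0.0005")
    amounts = ["25.00", "25.00", "25.00", "25.00", "25.00", "300.00", "20.00"]
    return [decide(state, Decimal(a), rate) for a in amounts]


if __name__ == "__main__":
    for amount, outcome in zip(["25", "25", "25", "25", "25", "300", "20"], run_demo()):
        print(f"{amount:>4} EUR -> {outcome}")
```

In the demo the fifth 25-Euro payment would push the cumulative un-authenticated total past 100 Euros, so the low-value exemption lapses and only the PSP’s TRA exemption keeps it frictionless; the 300-Euro payment exceeds the 250-Euro ceiling for a 0.05% fraud rate and is challenged, which resets the counters so the next small payment is exempt again. A PSP whose fraud rate is above 0.13% gets no TRA ceiling at all, so anything over 30 Euros must be challenged.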
PSD2 versus SCA versus 3-D Secure
PSD2 is a European Union (EU) directive adopted in 2015.
SCA is a requirement of PSD2 designed to increase security and reduce fraud by ensuring that electronic payments are performed with multi-factor authentication.
3-D Secure 2 (EMV 3-D Secure, often written 3DS2) is one way, but not the only one, to meet the SCA requirement for card payments. The 3DS2 flow works as follows:
- The merchant’s payment provider sends a rich set of data points about the transaction (shipping address, IP address, device information, and so on) to the cardholder’s bank.
- The cardholder’s bank uses this information to assess the transaction’s risk.
- If the data is sufficient and the bank judges the transaction legitimate, or an exemption applies, the bank approves the authentication without involving the cardholder. This is the “frictionless” flow: the user doesn’t have to do anything else.
- Otherwise the transaction goes into the “challenge” flow. As in 3-D Secure 1, the cardholder is shown a page or app prompt branded by the bank and must authenticate, for example with a one-time code from the bank or an approval in its mobile app. This step has two major drawbacks: (1) it is another step in the checkout flow, which can lead customers to abandon the purchase; and (2) buyers must have the second factor registered with the bank and at hand.
What happens to orders placed without SCA?
From September 14, 2019, issuing banks can decline a payment that requires SCA but was submitted without it (a “soft decline”). The customer then has to resubmit the payment and authenticate.
Is my business ready for PSD2?
SCA is implemented by the card issuer and by the payment service providers (PSPs) in the chain, not by the merchant’s shop software directly. To comply, confirm that your PSP supports SCA (for card payments, normally through EMV 3-D Secure) and that your checkout can handle a challenge or a soft decline without losing the order.
How can ClearSale help with PSD2 and SCA?
ClearSale is agnostic about the payment methods we work with; we will therefore continue to provide our services as usual under the new directive.
Merchants may well start seeking out financial providers with excellent fraud-prevention records, because a low fraud rate lets those providers use the transaction risk analysis exemption and offer consumers more convenient payments with fewer challenges. ClearSale helps many PSPs and merchants control their fraud risk and, as a result, qualify for SCA exemptions, which spares buyers the burden of an extra authentication step.