The continuing rise in online shopping and, consequently, the rise in cybercrime (both in data breaches and online credit card fraud) has caused European law to evolve. There are generally two elements to European law; the need to encourage competition among financial providers, as well as the need to enhance consumer protection. Thus, the implementation of Payment Services Directive (PSD), known as version PSD2, by the European Union (EU). This new directive has a significant compliance impact on most payment processing services involving credit cards or bank transfers for goods and services sold to customers in the EU. Compliance with PSD2 is the responsibility of every Merchant that performs any online transaction over €30 in the EU. Some Regulatory Technical Standards (RTS) requirements go into effect as early as 14 September, 2019. So if you haven’t familiarized yourself already, you need to take the time to review and understand the new directive, including Strong Customer Authentication (SCA) requirements and updates for 3D Secure 2.0 (3DS).
PSD2 at a glance
- Update of First Payment Services Directive (PSD1) driven by continual rise of eCommerce and technological innovation in payments sector.
- Second Payment Services Directive was implemented on 13th January 2018. The earliest date that member states are expected to have implemented RTS is August 2019.
- PSD2 includes 112 articles and 11 mandates (specific topics that the regulators asked the European Banking Association to examine).
- One of these mandates is around SCA and includes guidance around exemptions and challenges.
- Another key area is the regulation of Third Party Providers (TPPs) which could help stimulate a new generation of financial companies.
- 3D Secure (3DS) 2.0: eCommerce merchants will need to integrate dynamic authentication tools (e.g., 3D Secure 2.0). An advanced security scheme run by payment brands such as Visa® and Mastercard®. Having 3DS 2.0 makes SCA available to customers for all card processing
- 3DS 2.2: The next iteration of 3DS, which enables merchants to flag SCA exemptions and implement frictionless flow for payments. This improves the buying experience.
- Strong Customer Authentication (SCA): Under PSD2, merchants must offer two-factor authentication, a security system that relies on two steps, not just a password
- Transaction Risk Analysis (TRA): Involves analyzing a number of factors – such as customer location or payment history – to determine whether a transaction is risky or SCA can be avoided
- Limited surcharges: Merchants will not be able to surcharge payment methods with regulated interchange (e.g., 4-party consumer schemes, Single Euro Payments Area (SEPA) SEPA credit transfers).
PSD2 opportunities for merchants
- Reduced fraud rates in the industry and increased trust with consumers.
- Innovation around two-factor authentication to make the process smoother.
- A boost in eCommerce as consumers have more online banking and payment options.
- Merchants can leverage new payment aggregators to increase their strategic information on consumers.
When is Strong Customer Authentication required?
Strong Customer Authentication will apply to “customer-initiated” online payments within Europe. As a result, most card payments and all bank transfers will require SCA. Recurring direct debits on the other hand are considered “merchant-initiated” and will not require strong authentication. With the exception of contactless payments, in-person card payments are also not impacted by the new regulation.
What transactions are exempt and out of scope of the SCA requirements?
Low-risk transactions
A payment provider (like Stripe) will be allowed to do a real-time risk analysis to determine whether to apply SCA to a transaction. This may only be possible if the payment provider’s or bank’s overall fraud rates for card payments do not exceed predetermined thresholds.
Payments below €30
This is another exemption that can be used for payments of a low amount. Transactions below €30 will be considered “low value” and may be exempted from SCA. Banks will however need to request authentication if the exemption has been used five times since the cardholder’s last successful authentication or if the sum of previously exempted payments exceeds €100. The cardholder’s bank will need to track the number of times this exemption has been used and decide whether authentication is necessary.
Fixed-amount subscriptions
This exemption can apply when the customer makes a series of recurring payments for the same amount, to the same business. SCA will be required for the customer’s first payment—subsequent charges however may be exempted from SCA.
Merchant-initiated transactions (including variable subscriptions)
Payments made with saved cards when the customer is not present in the checkout flow (sometimes called “off-session”) may qualify as merchant-initiated transactions. These payments technically fall outside the scope of SCA. In practice, marking a payment as a “merchant-initiated transaction” will be similar to requesting an exemption. And like any other exemption, it will still be up to the bank to decide whether authentication is needed for the transaction.
Corporate payments
This exemption may cover payments that are made with “lodged” cards (e.g., where a corporate card used for managing employee travel expenses is held directly with an online travel agent), as well as corporate payments made using virtual card numbers (which are also used in the travel sector).
Phone sales
Card details collected over the phone fall outside the scope of SCA and do not require authentication. This type of payment is sometimes referred to as “Mail Order and Telephone Orders” (MOTO). Similar to exempted payments, MOTO transactions will need to be flagged as such—with the cardholder’s bank making the final decision to accept or reject the transaction.
Trusted beneficiaries
When completing authentication for a payment, customers may have the option to whitelist a business they trust to avoid having to authenticate future purchases. These businesses will be included on a list of “trusted beneficiaries” maintained by the customer’s bank or payment service provider.
Any U.S. company that does business with Europe needs to have a strong grasp of PSD2 and must be ready to leverage new opportunities and stay ahead of the competition when similar changes take place on American shores.
The implementation of PSD2 is going to shake up the payment sectors. There are a number of potential advantages for merchants, but there will still be work to be done; merchants may need to change their systems to handle 3DS 2.0 or other SCA methods, as well as working on how to meet customers’ expectations.
