The continuing rise in online shopping, and with it the rise in cybercrime (data breaches and online card fraud), has pushed European payments law to evolve. That law generally pursues two goals: encouraging competition among financial providers and strengthening consumer protection. The result is the revised Payment Services Directive (PSD2) adopted by the European Union (EU). PSD2 has a significant compliance impact on most payment flows involving cards or bank transfers for goods and services sold to customers in the EU. The legal obligations fall on payment service providers (banks, acquirers and payment processors), but in practice every merchant accepting online payments from EU customers is affected, because even the low-value exemption for payments below €30 is applied at the bank's discretion rather than the merchant's. The Regulatory Technical Standards (RTS) on Strong Customer Authentication apply from 14 September 2019, so if you have not already done so, take the time to review and understand the directive, including the Strong Customer Authentication (SCA) requirements and the related move to 3D Secure 2.0 (3DS2).
Strong Customer Authentication applies to "customer-initiated" online payments within Europe. As a result, most card payments and all bank transfers will require SCA unless an exemption applies. Recurring direct debits, on the other hand, are considered "merchant-initiated" and do not require strong authentication. With the exception of contactless payments, in-person card payments are also not affected by the new rules.
Low-risk transactions
A payment provider (like Stripe) or a bank is allowed to run a real-time transaction risk analysis (TRA) to decide whether SCA must be applied to a transaction. This exemption is only available while the provider's overall fraud rate for card payments stays below reference thresholds that scale with the transaction amount (under the RTS: 0.13% for payments up to €100, 0.06% up to €250 and 0.01% up to €500); if the fraud rate climbs above the threshold, the exemption for that amount band is lost.
Payments below €30
This is another exemption, for payments of a low amount. Transactions below €30 are considered "low value" and may be exempted from SCA. Banks must, however, request authentication if the exemption has already been used five times since the cardholder's last successful authentication, or if the sum of previously exempted payments exceeds €100. The cardholder's bank therefore has to track, per card, both the number of times the exemption has been used and the cumulative exempted amount, reset both counters whenever the cardholder successfully authenticates, and decide on each transaction whether authentication is necessary.
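The two counters above (uses since the last SCA, and the cumulative exempted amount) are easy to get subtly wrong, for example by counting a transaction that was actually authenticated, or by forgetting the reset. The following is an added example, not code from the original page or from any bank or payment provider, showing an issuer-side decision function for the low-value exemption. It follows the page's wording exactly: amount must be strictly below €30, a sixth use since the last SCA is refused, and the exemption is refused once the sum of *previously* exempted payments exceeds €100. The `decide`/`CardholderCounters`/`simulate` names, the assumption that a successful SCA resets both counters, and the sample transaction sequences are all constructed for illustration.

```python
from dataclasses import dataclass
from decimal import Decimal
from typing import Iterable

# Thresholds as stated in the RTS low-value exemption.
LOW_VALUE_LIMIT = Decimal("30")     # the transaction must be strictly below this
MAX_EXEMPTED_USES = 5               # uses allowed since the last successful SCA
MAX_EXEMPTED_SUM = Decimal("100")   # cumulative exempted amount since the last SCA


@dataclass
class CardholderCounters:
    """Issuer-side state kept per card since the cardholder's last successful SCA.

    Hypothetical structure for this example; a real issuer would persist this
    against the card / account record.
    """
    exempted_uses: int = 0
    exempted_sum: Decimal = Decimal("0")

    def reset_after_sca(self) -> None:
        """A successful SCA starts a fresh window for both counters."""
        self.exempted_uses = 0
        self.exempted_sum = Decimal("0")


def decide(counters: CardholderCounters, amount_eur: Decimal) -> tuple[str, str]:
    """Decide whether a remote card payment may use the low-value exemption.

    Returns ("exempt", reason) or ("sca", reason). Counters are updated only
    when the exemption is actually applied; an authenticated transaction must
    not be counted as an exempted one.
    """
    if amount_eur >= LOW_VALUE_LIMIT:
        return "sca", f"amount {amount_eur} is not below {LOW_VALUE_LIMIT}"
    if counters.exempted_uses >= MAX_EXEMPTED_USES:
        return "sca", "exemption already used five times since last SCA"
    if counters.exempted_sum > MAX_EXEMPTED_SUM:
        return "sca", "sum of previously exempted payments exceeds 100"
    counters.exempted_uses += 1
    counters.exempted_sum += amount_eur
    return "exempt", "low-value exemption applied"


def simulate(amounts: Iterable[str], sca_succeeds: bool = True) -> list[str]:
    """Run a sequence of payment amounts for one card and return the outcomes.

    When SCA is requested and the cardholder authenticates successfully, the
    counters are reset (assumption: this is how the issuer tracks the window).
    """
    counters = CardholderCounters()
    outcomes = []
    for raw in amounts:
        outcome, _reason = decide(counters, Decimal(raw))
        if outcome == "sca" and sca_succeeds:
            counters.reset_after_sca()
        outcomes.append(outcome)
    return outcomes


if __name__ == "__main__":
    # Constructed sample sequences (not real transaction data).
    for label, seq in [
        ("four x 29 then 29 (sum trips first)", ["29", "29", "29", "29", "29"]),
        ("seven x 10 (count trips first)", ["10"] * 7),
        ("exactly 30 is not low value", ["30"]),
        ("SCA on a 50 resets the window", ["5", "50", "5"]),
    ]:
        print(f"{label}: {simulate(seq)}")
```

Note that with a cap of five uses below €30 each, the €100 cumulative rule is what bites first when the amounts are close to the limit (four payments of €29 already total €116), while the count rule bites first for many small payments; a correct implementation has to evaluate both.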
Fixed-amount subscriptions
This exemption can apply when the customer makes a series of recurring payments for the same amount, to the same business. SCA will be required for the customer’s first payment—subsequent charges however may be exempted from SCA.
Merchant-initiated transactions (including variable subscriptions)
Payments made with saved cards when the customer is not present in the checkout flow (sometimes called “off-session”) may qualify as merchant-initiated transactions. These payments technically fall outside the scope of SCA. In practice, marking a payment as a “merchant-initiated transaction” will be similar to requesting an exemption. And like any other exemption, it will still be up to the bank to decide whether authentication is needed for the transaction.
Corporate payments
This exemption may cover payments that are made with “lodged” cards (e.g., where a corporate card used for managing employee travel expenses is held directly with an online travel agent), as well as corporate payments made using virtual card numbers (which are also used in the travel sector).
Phone sales
Card details collected over the phone fall outside the scope of SCA and do not require authentication. This type of payment is sometimes referred to as “Mail Order and Telephone Orders” (MOTO). Similar to exempted payments, MOTO transactions will need to be flagged as such—with the cardholder’s bank making the final decision to accept or reject the transaction.
Trusted beneficiaries
When completing authentication for a payment, customers may have the option to whitelist a business they trust to avoid having to authenticate future purchases. These businesses will be included on a list of “trusted beneficiaries” maintained by the customer’s bank or payment service provider.
Any U.S. company that does business with Europe needs a strong grasp of PSD2, and should expect similar requirements to reach the American market eventually; being ready early is an opportunity to stay ahead of the competition.
The implementation of PSD2 is going to shake up the payments sector. There are a number of potential advantages for merchants, but there is still work to be done: merchants may need to change their systems to handle 3DS2 or other SCA methods, and to work out how to meet customers' expectations at checkout.