On September 14, 2019 the Revised Payment Services Directive (PSD2) will require Strong Customer Authentication (SCA). The goal of SCA is to protect consumers against eCommerce fraud.
Below is a breakdown of what merchants need to know.
Strong Customer Authentication (SCA) Requirements
Strong Customer Authentication requirements will force merchants to take specific steps to safeguard the information of online shoppers. In the past, merchants only needed a CVC code to verify a cardholder’s legitimacy. Now, more information is required. Merchants will need to implement 3D Secure 2.0.
For many merchants, the words “3D Secure” are scary. The technology is notorious for creating customer friction. The 1.0 version required a customer to remember a randomly assigned code or password. Many customers that couldn’t remember the information simply abandoned their cart. In many cases, the revenue lost from cart abandonment almost certainly exceeded what merchants would have lost to fraud.
Therefore, SCA takes a different approach. Instead of a random code, SCA requires merchants to use two factor authentication (2FA). This requires them to ask online shoppers to verify their identity using two out of three categories of information:
- Something they know. The traditional verification model. This includes passwords/phrases, security questions, PIN numbers, and sequences.
- Something they possess. Interaction with a device that is pre-authorized to make payments using the credit card. This includes mobile phones/watches, smart cards, software security tokens, and badges.
- Something they are. A bio security authentication. This includes fingerprints, facial features like smiles, voice recognition, eye scans, and DNA.
The new requirements apply to all “customer-initiated” online payments. However, they only affect Europeans. The requirements come into effect for transaction where both the merchant and the cardholder’s bank are in Europe. More specifically, the merchant and bank must be located in the European Economic Area (EEA).
In addition, some exemptions exist for transactions in the EEA:
- Transactions for less than 30 Euros. However, if five transactions of fewer than 30 Euros take place in succession, the sixth will require authentication regardless of the amount.
- Low Risk Transactions. Payment providers can exempt transactions they self-determine to be low risk. However, only processors with overall fraud rates below certain thresholds have authorization to make this determination.
- Fixed-amount transactions. Recurring payments on a subscription model.
- Merchant-initiated subscriptions. Things such as add-ons, variable subscriptions, and delayed payments. However, merchants must authenticate the first transaction in the chain.
- Customer White-lists. Cardholders can choose to “whitelist” a merchant they use frequently so they do not have to repeatedly authorize payments.
- Corporate Accounts. Cards used by companies to pay for employee expenses such as travel and lodging.
- Transactions Between Businesses. Payment methods used in B2B transactions, where customer facing information is not at risk.
PSD2 Implementation Delays
Merchants received notification of the new SCA requirements well in advance of the September 14th implementation deadline. However, many eCommerce stores remain unprepared. Due to the fear that market non-compliance would cause disruptions to online selling ecosystems, the European Banking Authority (EBA) agreed to provide an SCA extension.
“The EBA, therefore, accepts that, on an exceptional basis and in order to avoid unintended negative consequences for some payment service users after 14 September 2019, NCAs may decide to work with PSPs and relevant stakeholders, including consumers and merchants, to provide limited additional time,” the EBA said in a press release.
Although some eCommerce merchants will benefit from this extension, it is contingent on them taking steps towards compliance.
“This is to allow issuers to migrate to authentication approaches that are compliant with SCA, such as those described in this Opinion, and acquirers to migrate their merchants to solutions that support SCA,” the press release said.
Eventually, these general exceptions will lapse. When that happens, all transactions processed by merchants must comply with SCA if no exemption applies.