Discover how Strong Customer Authentication (SCA) fits into PSD2 and how to get your business ready for it.
Updated: February 2019
So far in this series, we’ve looked into the key changes your business can expect with the Revised Payment Services Directive (PSD2) and the impact it will have on marketplace business models. In this post, we’ll be talking about the need for businesses to provide Strong Customer Authentication (SCA) for ecommerce payments.
To make things easier, at least for one piece of the puzzle, we’ll break down what SCA is, how to prepare, and what exemptions are available.
What is Strong Customer Authentication (SCA)?
SCA is a new European requirement created to make online payments more secure. When a European shopper makes a payment, extra levels of authentication will be required at the time of the transaction.
In the past, customers could simply enter their card number and a CVC verification code, but with PSD2 regulations, more information will be required at the time of payment. There are exceptions, which we’ll cover later.
At present, an authentication tool called 3D Secure 1.0 is used by the card schemes as a way to verify ecommerce card transactions. You may be familiar with the process of making an online payment and being redirected to a new page to input a code; this is 3D Secure 1.0 doing its job to make sure you are who you say you are, online. Now a new specification, 3D Secure 2.0, has been introduced. This will make it easier to collect SCA information at the time of the transaction.
How PSD2 defines SCA
SCA is more than just entering a password. The diagram below shows you what a PSD2-approved SCA transaction looks like. Authentication must include two or more of the following factors:
Something you know, such as a password
Something you own, such as a smartwatch or phone
Something you are, such as a fingerprint
Instead of relying on the traditional ‘Something you know’ (that ever-evasive password), your customers can combine ‘Something they own’, such as their smartwatch, with ‘Something they are’, like a fingerprint. This approach is often called ‘two-factor authentication’.
Prior to 3DS 1.0 and the PSD2 requirements, issuing banks generally only had the ability to challenge users with a single static password that users had to remember. And of course, some passwords are easily forgotten. With SCA and 3DS 2.0, more dynamic data points will be used to verify users’ identities. The number of required authentication data points is increasing, but more customer choice could mean better authentication experiences and fewer drop-offs.
The intent of PSD2 is to make SCA a requirement for all online transactions. There are, however, some exemptions to this mandate, and for any given transaction your acquirer can and will request the exemption that is most appropriate.
These exemptions will ensure that consumers still enjoy easy shopping experiences with additional security on their larger and less frequent payments.
Here are the most relevant:
Low Value and Low Risk Transactions
Transactions under 30 EUR will be exempt from SCA. However, the issuing bank will keep track of the amount of payments made.
If the total amount attempted on the card without strong authentication within 24 hours exceeds 100 EUR, or after every 5 such transactions, SCA will be required.
Low risk transactions are also exempt from SCA. The ability for a payment to be considered low risk is based on the average fraud levels of the card issuer and acquirer processing the transaction.
Subscription or recurring transactions
Subscription or recurring transactions with a fixed amount will be exempt from the second transaction onwards. Only the initial transaction will require SCA. If the amount changes, 3D Secure will be required for every new amount.
This poses a challenge to ‘variable amount’ recurring businesses in which the value changes over time. For example, some products have a variable cost per period based on usage. Thankfully, these types of transactions are considered ‘merchant initiated transactions’. These are exempt from PSD2 and SCA requirements.
Most subscription payments will not need SCA since most are initiated by the merchant and not the cardholder, and because there is an exemption for static amount recurring payments.
Trusted beneficiaries
Customers can assign businesses to a whitelist of “Trusted Beneficiaries,” which is maintained by their bank. Whitelisted merchants will be exempt from 3D Secure. This allows customers who regularly shop with a given business to never need SCA from that point forward.
Mail Order and Telephone Orders (MOTO)
Mail Order and Telephone Orders (MOTO) will be exempt from SCA in all cases. MOTO transactions are not considered to be ‘electronic’ payments, so they are out of the scope of the regulation.
Issuer or acquirer outside Europe
Payments where the issuer or the acquirer of the card is not based in Europe are also considered exempt. This implies that accepting payments in Europe from non-European shoppers will not be a problem after the regulation changes.
Corporate payments
Payments made between two corporations are free from SCA when the payment method used is a payment instrument dedicated to making such B2B payments.
The list of exemptions and out-of-scope scenarios is extensive and relies heavily on bank, scheme, and regulatory interpretation.
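As an added illustration (not the Dynamic 3D Secure logic described below, and not code from this post), the following Python sketch encodes the exemptions listed above as a single decision function, including the issuer-side tally that the low-value exemption depends on. The transaction attributes, the counter object and the reason strings are assumed names; the 24-hour window is left to the issuer and not modelled.

```python
from dataclasses import dataclass

LOW_VALUE_LIMIT = 30.0        # EUR per transaction ("under 30 EUR")
LOW_VALUE_CUMULATIVE = 100.0  # EUR attempted without SCA since the last SCA
LOW_VALUE_MAX_COUNT = 5       # unauthenticated low-value payments in a row


@dataclass
class Transaction:
    """Assumed attribute names describing one card payment."""
    amount: float
    channel: str = "ecommerce"      # "ecommerce" or "moto"
    issuer_in_europe: bool = True
    acquirer_in_europe: bool = True
    merchant_initiated: bool = False
    recurring_fixed_amount: bool = False
    first_in_series: bool = True
    trusted_beneficiary: bool = False
    b2b_instrument: bool = False


@dataclass
class IssuerCounter:
    """Constructed stand-in for the issuing bank's per-card tally of
    low-value payments made without SCA (the post says the issuer tracks this)."""
    cumulative_amount: float = 0.0
    count: int = 0


def sca_decision(tx: Transaction, counter: IssuerCounter):
    """Return (sca_required, reason). Illustrative only: the real decision is
    taken by the issuer and acquirer, and interpretations vary."""
    if tx.channel == "moto":
        return False, "out of scope: MOTO"
    if not (tx.issuer_in_europe and tx.acquirer_in_europe):
        return False, "out of scope: issuer or acquirer outside Europe"
    if tx.merchant_initiated:
        return False, "out of scope: merchant initiated transaction"
    if tx.b2b_instrument:
        return False, "exempt: dedicated corporate payment instrument"
    if tx.trusted_beneficiary:
        return False, "exempt: trusted beneficiary"
    if tx.recurring_fixed_amount and not tx.first_in_series:
        return False, "exempt: fixed-amount recurring payment"
    if tx.amount < LOW_VALUE_LIMIT:
        # The exemption lapses once either issuer-side limit would be breached;
        # performing SCA then resets the tally.
        if (counter.count >= LOW_VALUE_MAX_COUNT
                or counter.cumulative_amount + tx.amount > LOW_VALUE_CUMULATIVE):
            counter.count, counter.cumulative_amount = 0, 0.0
            return True, "required: low-value limits exceeded"
        counter.count += 1
        counter.cumulative_amount += tx.amount
        return False, "exempt: low value"
    return True, "required: no exemption applies"
```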
The good news for our customers is that our Dynamic 3D Secure service will help businesses navigate these complexities and automatically take advantage of exemptions where possible.
This means that your customers will only need to authenticate transactions when absolutely necessary.
Dates to keep in mind
April 2019 - 3DS 2.0 liability shift. Both Visa and Mastercard are encouraging banks to get ready for PSD2 by being 3DS 2.0 compliant. This is a good target month to be ‘PSD2 ready’ as a business too. From this point forward, if a business requests 3D Secure 2.0 and the issuing bank cannot accept it, the business receives an automatic liability shift.
14th September 2019 - PSD2’s SCA requirements go live in Europe. Any business with substantial European volume will need to have 3D Secure 2.0 implemented by this date in order to most effectively meet SCA requirements.
2020 and onward - 3DS 2.0 launches worldwide. We expect that most banks around the world will accept 2.0 by end of 2020 and phase out 3DS 1.0.
Preparing for PSD2 with 3D Secure 2.0
3D Secure 1.0 isn’t the best experience for customers, especially when they’re using a mobile device. So while it adds a layer of additional security, it can cost you conversions.
To deal with the new requirements of PSD2 and improve on 3DS 1.0, EMVCo, an organization consisting of representatives from major card schemes and payment industry leaders, created the 3D Secure 2.0 protocol. The new aim: to make authentication more dynamic and secure.
3DS 2.0 removes the clunky redirect, and your customers can authenticate themselves with a tap of their finger or even a smile. 3DS 2.0 uses certified SDKs and APIs to share rich authentication data with banks and to make the integration of authentication flows into websites and apps seamless, all while meeting the SCA requirements of PSD2.
In the coming weeks we’ll share more information about our 3DS 2.0 solution and how you can use it to prepare for PSD2.
While SCA will undoubtedly create challenges for businesses, our new 3D Secure 2.0 solution will soften the blow. We hope that, in learning about how PSD2 defines SCA and what exemptions are available, you’ll be able to approach the regulation changes confidently and in the knowledge that we’ve got your back.
If you have any further questions, get in touch.