Mark McMurtrie, Payments Consultancy Ltd
The European Payment Service Directive (PSD2) regulations came into force in January 2018 in order to improve the European payments industry, increase competitiveness, accelerate innovation, protect consumer rights, strengthen security and harmonise payments across markets.
These regulations have been passed into UK law and so apply irrespective of any future Brexit arrangements. As part of PSD2, new Regulatory Technical Standards (RTS) have been created by the European Banking Authority (EBA) in order to enhance security protection levels and reduce the escalating amounts of financial fraud that are occurring. A key element of these security standards is the requirement for Strong Customer Authentication (SCA) to be performed for electronic payments.
Who is impacted?
SCA applies to all forms of electronic payment including bank and card payments unless they fall into a small number of exemptions. It applies to eCommerce, mobile, remote, face-to-face and (bank) faster payment transactions. All payment transactions performed with a card issued by a European card issuer and processed by a European acquirer are impacted. This effectively means all European merchants have to comply.
The new law requires the payer to have been authenticated to prove that they are the genuine cardholder. This is a new processing step that takes place before any funds authorisation and transfer is carried out. The geographic scope is the European Economic Area (EEA), which includes the 28 EU countries plus Norway, Iceland, and Liechtenstein. And the UK is included irrespective of any Brexit outcome. No ‘get out of jail’ card exists!
The law requires card issuers and acquirers to ensure that SCA has been performed and the Financial Conduct Authority (FCA) will enforce this. Merchants will be required to update their business processes and systems to ensure SCA is supported. The authentication applies to each customer and transaction and dynamically links the amount to this merchant transaction.
Card on file transactions will in future require SCA to have been performed. This will mean a major change for many merchants on how they accept and process payments from customers.
What does SCA mean?
In order to authenticate a payer securely at least two factors have to be checked and these must come from two of the three defined categories, which are: Knowledge, Possession and Inherence. Each category has a range of valid
For face-to-face payments in-store the chip card counts as a valid ‘Possession’ factor and the PIN as a ‘Knowledge’ factor and so there will be less (but not zero) impact.
For eCommerce payments a biometric factor like a fingerprint or facial image can count as an ‘Inherence’ factor, or a One Time Password (OTP) can be used as a ‘Knowledge’ factor. It is acceptable for issuers to send OTPs as ‘text’ messages to mobile phones or via email. Each card issuer will make their own decision on which factors to use and for their cardholders to perform, so merchants and cardholders should expect different user experiences. In this new world of Strong Authentication it is the card issuer, not the acquirer, who ultimately makes all the risk decisions.
When is this needed?
This is the big issue. The SCA legal requirement comes into effect on the 14th September 2019. That is only seven months away. A very large number of retailers, hospitality providers and other types of merchants have very little, or no, understanding of this new requirement. The final RTS was published on 13 March 2018 but communications to merchants have been poor. Action needs to be taken rapidly if you do not already have an SCA programme underway. This is not something that can be ignored; the deadline will not be changed and big consequences will be seen if no action is taken.
How is this different?
To date the international payment networks have introduced most of the card payment standards either directly or working through joint bodies such as EMVCo and PCI SSC. Merchants have been required to comply with these requirements, use certified solutions and be compliant before payment network mandate deadlines. The RTS SCA requirement is very different: it is a legal obligation not just a network mandate – no extensions can be negotiated or waivers requested. SCA has to be performed from 14 September 2019 or card issuers are required by law to decline transactions. So from September merchants can expect high levels of cardholder confusion, declines and basket abandonment if no actions are taken.
Are some types of payments out of scope?
Although SCA applies to a very wide range of electronic payment types some have been agreed to be out of scope – at least initially. These include paper based and mail order/telephone order transactions, direct debits, cards issued outside the EEA and those using anonymous instruments. Merchant Initiated Transactions (MITs) initiated by the payee only (based on previous payer instructions) may or may not be exempted. A final ruling is awaited from the European Commission at the time of writing. The rules for recurring transactions are also changing.
How about SCA exemptions?
Various exemptions will be allowed and merchants are encouraged to discuss these with their acquirer. A Transaction Risk Analysis (TRA) exemption is perhaps the most significant and this may be applied by the acquirer for transactions of between €100 and €500 as long as fraud levels for both the merchant and the acquirer are within certain limits and other conditions have been met. Another key exemption applies to low-value remote transactions of less than €30. But for this there is also a cumulative limit of €100 or five transactions which, once reached, requires SCA to be performed. Contactless card transactions also do not require SCA if they are for less than €50 as long as, once again, the cumulative contactless transactions have not reached €150 or 5 transactions without SCA. Card issuers can also apply their own TRA exemption after the earlier sets of exemptions have been applied. Transit and parking transactions have been granted an exemption from SCA, but this does not apply to other forms of unattended payments. Cardholders may decide to ask their card issuer to whitelist individual merchants as trusted beneficiaries and thus avoid the need for SCA. However, systems to achieve this are unlikely to exist before the September 2019 deadline.
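As an added illustration that is not part of the original article, the two cumulative-limit exemptions above (low-value remote and contactless) modelled as a per-card decision function using the thresholds stated here. The TRA exemption is left out because it depends on acquirer and merchant fraud rates; the rules that the cumulative check includes the current transaction and that the remote and contactless counters are independent are assumptions made for the model.

```python
from dataclasses import dataclass, field

# Thresholds taken from the exemptions described above (amounts in euros).
LIMITS = {
    "remote": {"max_amount": 30.0, "cum_amount": 100.0, "cum_count": 5},
    "contactless": {"max_amount": 50.0, "cum_amount": 150.0, "cum_count": 5},
}


@dataclass
class CardState:
    """Running totals since the last SCA, kept per channel.
    Assumption: remote and contactless counters are independent."""
    amount_since_sca: dict = field(
        default_factory=lambda: {"remote": 0.0, "contactless": 0.0})
    count_since_sca: dict = field(
        default_factory=lambda: {"remote": 0, "contactless": 0})


def requires_sca(state: CardState, channel: str, amount: float) -> bool:
    """True if SCA must be performed for this transaction.
    Assumption: the cumulative check includes the current transaction,
    so the payment that reaches the cap is the one that triggers SCA."""
    limits = LIMITS[channel]
    if amount >= limits["max_amount"]:  # not a low-value transaction
        return True
    new_amount = state.amount_since_sca[channel] + amount
    new_count = state.count_since_sca[channel] + 1
    return new_amount >= limits["cum_amount"] or new_count >= limits["cum_count"]


def process(state: CardState, channel: str, amount: float) -> str:
    """Decide, then update the counters; returns 'SCA' or 'EXEMPT'."""
    if requires_sca(state, channel, amount):
        # SCA performed: this channel's counters restart from zero.
        state.amount_since_sca[channel] = 0.0
        state.count_since_sca[channel] = 0
        return "SCA"
    state.amount_since_sca[channel] += amount
    state.count_since_sca[channel] += 1
    return "EXEMPT"


def run_sequence(channel: str, amounts: list) -> list:
    """Constructed sample: a sequence of payments on one card, in euros."""
    state = CardState()
    return [process(state, channel, a) for a in amounts]
```

Running `run_sequence("remote", [25, 25, 25, 25])` shows the fourth €25 payment reaching the €100 cumulative cap and requiring SCA even though each payment is individually below €30.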
How can 3DS 2 help?
The international payment networks under the auspices of EMVCo have created specifications for 3DS 2.0. This is expected to be a major way for merchants to perform SCA for eCommerce transactions. You should not be put off by poor experiences from the earlier 3DS v1. The new offering is radically different and addresses all the key areas of concern. Merchants should be completing integrations to approved 3DS 2 Server applications before September. As soon as they do they will gain liability protection for fraudulent transactions.
Want more information?
If you are looking for more clarification then your acquirer should be able to help. Alternatively you can approach a specialist consultant such as Payments Consultancy Ltd, who are very active in this area and have been helping merchants understand what has to be done and how to achieve compliance, assisting with supplier selection, and resolving issues related to complex environments such as those in the hospitality sector.
Learn more about SCA at RetailEXPO
Attending the RetailEXPO at London’s Olympia on 1 & 2 May is a great opportunity to learn more about these new SCA requirements. You will find the topic being covered at the Payments Stage in an informative panel discussion and by payment suppliers on the exhibit floor. Don’t miss this chance to learn what has to be done. Make sure you have completed your free RetailEXPO registration and marked your calendars to attend.