On Saturday, September 14, 2019, the new requirements for online payment authentication went live in Europe. These requirements came from the second Payment Services Directive, or PSD2, a rule established by the European Banking Authority (EBA) to enhance data security and drive payment innovation.
The EBA has promoted the PSD2 as an opportunity to reduce competitive barriers while encouraging standardized technologies and improved security processes. This is good news for consumers, who will see greater data security.
This news has been taken in many ways by merchants, however, leaving some unsure what the next steps are. The main point of discussion has been the Strong Customer Authentication (SCA), which is how the new security standards now manifest in online transactions.
Merchants will face new requirements. But there are also exceptions to know about and a detailed timeline of SCA rollout to consider. Ultimately, it’s in every merchant’s best interest to understand the SCA and its impact.
How are payments changing?
In most European countries, some form of an SCA is now required for all digital transactions. This change took effect on September 14. The requirement states that two of the following three items must be verified for online transactions under SCA:
- Something the customer HAS (a credit or debit card)
- Something the customer KNOWS (usually a security key)
- Something the customer IS (for example, fingerprints and retina scans)
How will the SCA impact the customer experience?
Card payments were traditionally processed in two steps: authorization and capture. The SCA adds the authentication step before an authorization takes place. This means that online card payments under the new rules will work this way:
1. To authenticate a payment, a customer will respond to a prompt from his or her bank. For example, this might be done with a password, with a message to the phone associated with the account, or with a fingerprint.
2. With successful authentication, the card will then be authorized for the requested amount. The bank decides whether to approve or deny a payment when an authorization request is received.
3. After the payment amount has been approved by the bank, the merchant captures the specified amount. The card is charged.
What companies are affected?
If you sell any items in the European Economic Area (EEA), or if you sell to consumers whose cards were issued in the EEA, the SCA applies to you. Non-compliance will not only put your customers at risk, it can result in fines and damage to your brand’s reputation.
If you sell in or have customers whose cards were issued in any of the following countries, you’re subject to SCA:
- Czech Republic
- United Kingdom
Timeline for PSD2-SCA
Several important dates have already come and gone, including:
- The VISA activation date for the SCA in Europe, North America and Latin America
- Mastercard acquirers and merchants now required to support Identity Check in the EU (with all issuers, merchants and acquirers able to request SCA)
- The effective date for SCA throughout the EEA
Over the next several months, other key dates approach:
- In December 2019, Mastercard will require all merchants, issuers and acquirers worldwide to support Identity Check and EMV 3DS (the most common solution to comply with the SCA, more on this below)
- In April 2020, VISA will launch the AP/CEMEA activation for EMV 3DS
- By December 2020, Mastercard will no longer support 3DS 1.0
How can I add authentication to my payment processing?
The most common way of authenticating online payments uses 3D Secure. This is an authentication technology supported by nearly all EEA-issued cards.
3D Secure has recently been updated in light of the SCA requirements. The new version is called 3D Secure 2, and meets all PSD2 standards. Specifically, the new version has an improved user experience so that the extra authentication step does not add any friction to the customer experience at online checkout.
There are other SCA-compliant options, too. Apple Pay and Google Pay both already use payment flows with authentication built-in, either by a fingerprint or password. These are other options businesses can employ to meet the SCA requirements.
DepositFix clients don’t need to add any authentication steps to their payment flows, because we’ve already done it for you. All DepositFix accounts are now SCA compliant.
Summary of SCA Exemptions
Payments below €30
There is an exemption for online payments of low amounts (under €30). These transactions are considered “low value,” and not all banks require authentication when the customer checks out.
However, once the card has been used with this exemption five times since the customer last authenticated, the bank will require authentication on the next transaction.
Customers who make a series of recurring payments for the same amount to the same business can also receive an exemption to SCA. The authentication will be required for the first payment, but future charges generally will not require it.
Merchant-initiated transactions (including variable subscriptions)
Where a customer saves a card with a merchant and a future payment is made, the checkout flow can qualify as a merchant-initiated transaction. While these transactions technically fall outside of the SCA requirements, it’s always up to the bank whether an authentication will be required for any transaction.
There are exemptions beyond these listed, too. In all cases, with 3D Secure 2, your payment flow doesn’t have to be negatively impacted by the adoption of SCA standards. At DepositFix we believe in the strategic adoption of the SCA, which is why authentication has already been built into our payment processing. Our clients don’t even have to think about it.
Do you want to understand these exemptions in terms specific to your company? Read these business scenarios to see how they break down.
Review of exemptions with specific business scenarios
For recurring payments of a fixed amount to the same merchant, membership payments are generally exempt.
For recurring payments with metered billing, these transactions are generally exempt, but ultimately it will be up to each bank whether authentication will be triggered.
With crowdfunding contributions held in escrow until a project is fully funded, payments captured more than seven days after authorization also qualify for an SCA exemption.
For payment captured more than seven days after authorization (where the final payment amount may change), these transactions can qualify for an exemption.
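To make the three-step flow (authenticate, then authorize, then capture) and the exemption rules above concrete, here is a small model written for this article; it is not DepositFix code or any processor’s API. It enforces the step order, applies the exemptions exactly as the post lists them (under €30 with a five-use counter that a successful authentication resets, recurring fixed-amount payments after the first one, and merchant-initiated transactions on a saved card), and keeps the bank’s veto: an exemption is only a request, and the issuer can insist on authentication. Field names, the per-card counters and the `demo` scenarios are assumptions constructed for illustration.

```python
# Added example, not DepositFix code: the post's flow (authenticate, authorize,
# capture) plus its listed exemptions (under EUR 30 with a five-use counter,
# recurring fixed amounts, merchant-initiated). Names/counters are assumptions.
from dataclasses import dataclass
from decimal import Decimal
from enum import Enum

LOW_VALUE_LIMIT = Decimal("30.00")  # EUR threshold named in the post
LOW_VALUE_MAX_USES = 5              # exemption uses allowed since the last SCA

class Exemption(Enum):
    NONE = "none"                    # SCA has to be performed
    LOW_VALUE = "low_value"
    RECURRING = "recurring"
    MERCHANT_INITIATED = "merchant_initiated"

class Stage(Enum):
    CREATED = "created"
    AUTHENTICATED = "authenticated"  # SCA passed, or exemption accepted by issuer
    AUTHORIZED = "authorized"
    CAPTURED = "captured"
    DECLINED = "declined"

@dataclass
class CardState:  # per-card state an issuer would keep (constructed for the example)
    low_value_uses_since_sca: int = 0
    authenticated_for_recurring: bool = False  # first payment of a series passed SCA

@dataclass
class Payment:
    amount_eur: Decimal                   # an int or Decimal amount in euros
    customer_present: bool                # False: saved card, merchant-initiated
    recurring_fixed_amount: bool = False  # same amount to the same merchant
    first_in_series: bool = False

def evaluate_exemption(p: Payment, card: CardState) -> Exemption:
    """Which exemption (if any) the merchant can claim for this payment."""
    if not p.customer_present:            # merchant-initiated transaction
        return Exemption.MERCHANT_INITIATED
    if (p.recurring_fixed_amount and not p.first_in_series
            and card.authenticated_for_recurring):
        return Exemption.RECURRING        # the first payment was authenticated
    if (p.amount_eur < LOW_VALUE_LIMIT
            and card.low_value_uses_since_sca < LOW_VALUE_MAX_USES):
        return Exemption.LOW_VALUE        # under EUR 30, fewer than five uses
    return Exemption.NONE

@dataclass
class PaymentFlow:
    payment: Payment
    card: CardState
    stage: Stage = Stage.CREATED
    exemption: Exemption = Exemption.NONE

    def authenticate(self, issuer_accepts_exemption: bool, customer_passes_sca: bool) -> Stage:
        """Step 1: claim an exemption the issuer accepts, otherwise the customer does SCA."""
        if self.stage is not Stage.CREATED:
            raise RuntimeError("authenticate must be the first step")
        claimed = evaluate_exemption(self.payment, self.card)
        if claimed is not Exemption.NONE and issuer_accepts_exemption:
            self.exemption = claimed
            if claimed is Exemption.LOW_VALUE:
                self.card.low_value_uses_since_sca += 1
        elif customer_passes_sca:
            self.card.low_value_uses_since_sca = 0  # a successful SCA resets the counter
            if self.payment.recurring_fixed_amount:
                self.card.authenticated_for_recurring = True
        else:
            self.stage = Stage.DECLINED
            return self.stage
        self.stage = Stage.AUTHENTICATED
        return self.stage

    def authorize(self, issuer_approves: bool) -> Stage:
        """Step 2: the bank approves or denies the amount, only after step 1."""
        if self.stage is not Stage.AUTHENTICATED:
            raise RuntimeError("authorize requires prior authentication")
        self.stage = Stage.AUTHORIZED if issuer_approves else Stage.DECLINED
        return self.stage

    def capture(self) -> Stage:
        """Step 3: the merchant captures the approved amount; the card is charged."""
        if self.stage is not Stage.AUTHORIZED:
            raise RuntimeError("capture requires a successful authorization")
        self.stage = Stage.CAPTURED
        return self.stage

def run_payment(p, card, issuer_accepts_exemption=True,
                customer_passes_sca=True, issuer_approves=True):
    """Drive one payment through the three steps; returns (final stage, exemption)."""
    flow = PaymentFlow(p, card)
    if flow.authenticate(issuer_accepts_exemption, customer_passes_sca) is Stage.AUTHENTICATED:
        if flow.authorize(issuer_approves) is Stage.AUTHORIZED:
            flow.capture()
    return flow.stage.value, flow.exemption.value

def demo():
    """The post's scenarios on constructed data; each case starts with a fresh card."""
    out = {}
    card = CardState()  # six EUR 10 payments: five exempt, the sixth forces SCA
    out["low_value_series"] = [run_payment(Payment(10, True), card)[1] for _ in range(6)]
    out["merchant_initiated"] = run_payment(Payment(120, False), CardState())
    card = CardState()  # recurring: the first payment needs SCA, later ones do not
    first = run_payment(Payment(50, True, True, True), card)
    second = run_payment(Payment(50, True, True), card, customer_passes_sca=False)
    out["recurring"] = (first, second)
    out["issuer_insists"] = run_payment(  # bank refuses the exemption and SCA fails
        Payment(10, True), CardState(), issuer_accepts_exemption=False, customer_passes_sca=False)
    return out
```

Calling `demo()` runs the four scenarios: the sixth €10 payment on one card comes back with no exemption and goes through SCA, the saved-card payment is treated as merchant-initiated, the second recurring charge captures without the customer authenticating, and the last case shows what the post warns about: when the bank refuses the exemption and authentication is missing, the payment is declined rather than captured.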
Many banks and payment processors look to the SCA as a way to keep consumer data safe. In the interest of good business, the strategic approach is to comply with the SCA, even though only businesses that charge EEA cards are legally required to.
Exemptions can be very useful, but it’s crucial to remember that it’s ultimately up to each bank whether it will require authentication on a transaction. Some companies worry about the friction authentication adds to their checkout flow, but a payment declined for missing authentication is far more detrimental.
SCA requirements are covered by DepositFix. Our clients don’t need to do anything to their payment workflows.
If you aren’t a DepositFix customer, our recommendation is to add authentication to your purchase journey as soon as you can. The rule is now live, and enforcement could mean lost sales if you aren’t up to date.
If you have questions specific to your business model, or if you want to know more about what DepositFix has done to keep our clients compliant, reach out to us today.