Introduction

Merchants, acquirers, card issuers and customers now face a new challenge in the payments landscape. The Regulatory Technical Standards (RTS) on Strong Customer Authentication (SCA) under the Second EU Payment Services Directive (PSD2) are about to take effect in the coming weeks, and merchants need to be well equipped.

These regulations mainly require strong customer authentication (also known as two-factor authentication) for payments, while taking customer experience into account through the frictionless flow and the SCA exemptions. They apply to both over-the-counter and e-commerce payments. The impact on over-the-counter payments is quite limited, since the cardholder already has to enter a PIN code to complete the transaction (i.e. the cardholder is already strongly authenticated). Some specific sectors can nevertheless benefit from SCA exemptions (e.g. parking and transit). The main impact of the regulation is on e-commerce payments.

To comply with the strong customer authentication requirement, the card schemes, together with the technical body EMVCo, have developed a new version of the 3-D Secure process: 3-D Secure 2.0 is PSD2 RTS compliant and is valid in the EU countries as well as Switzerland. The new standard was introduced by Visa and Mastercard in April 2019, and merchants will need to support it.

3-D Secure 1.0 also guarantees compliance with the RTS, but it does not leverage all the benefits of the exemptions and the frictionless flow.

Key benefits

  • Smooth payment process (frictionless flow)
  • Intelligent fraud detection mechanisms to reduce credit card fraud
  • Fewer payment disruptions thanks to risk-based authentication
  • Complete integration in web shop and app

What exactly does ‘Strong customer authentication’ mean?

With Strong Customer Authentication, all payment transactions (except for the defined exemptions) must be "strongly" authenticated. This means that at least two of the following three factors must be applied:

Knowledge:

“something you know”

  • Password
  • PIN
  • Secret question
  • Numerical sequence

Possession:

“something you have”

  • Mobile phone (SIM card)
  • Wearable devices
  • Token
  • Card

Inherence:

“something you are”

  • Fingerprint
  • Voice recognition
  • Iris recognition
  • Facial features

With investments in new technology, a customer can keep a very good shopping experience while still making secure transactions.

A short introduction to Europe's new requirements for Strong Customer Authentication

On September 14, 2019 the face of e-commerce in Europe is set to change forever. Even though most European local regulators have granted a transition period, this period is only temporary, and merchants, banks and payment service providers must quickly become compliant with the strong customer authentication requirements.
This position paper gives a brief introduction to the Regulatory Technical Standards on Strong Customer Authentication and their impact on the merchant ecosystem. It also explains what merchants will need to do to take full advantage of this regulation.

What are the Strong Customer Authentication (SCA) exemptions about?

PSD2 allows for some exemptions in which the cardholder does not need to perform SCA. This aims at improving the user-friendliness for the cardholder thanks to a frictionless and smooth user experience.

The RTS stipulates 2 exemption options for over-the-counter payments:

  • Low value contactless transactions
  • Transactions on a vending machine (unattended terminals) for parking or transport

And 5 exemption options for remote payments (e-commerce):

  • Trusted Beneficiaries or White-Listing (issuer only exemption, not available for the merchant)
  • Recurring transactions
  • Low value transactions
  • Transactional Risk Analysis
  • Secure corporate payments (issuer only exemption, not available for the merchant)

To know more about these exemptions, refer to the FAQ below.
From September 2019, Worldline will support most of these SCA exemptions.

Does SCA apply to all kinds of transactions?

The general rule is that all payment transactions initiated electronically by the payer have to be subject to SCA. PSD2 has defined the cases in which Strong Customer Authentication of the cardholder does not apply:

  • Anonymous prepaid cards
  • Mail order and telephone orders (MOTO transactions)
  • Interregional / “One Leg” transactions
  • Transactions initiated by the payee (= MIT = Merchant Initiated Transactions)

What do you need to do as a Worldline Commercial Acquiring customer?

Whether 3-D Secure 1.0 is applied to all of your transactions, only some of them or none at all, we recommend that you contact your PSP gateway and then Worldline to move to 3-D Secure 2.0, in order to offer your customers more secure payments as well as a frictionless check-out experience.

FAQ

    What is PSD2?

    The Revised Payment Services Directive (PSD2) is defined by the European Banking Authority and aims at regulating new stakeholders and improving the security of exchanges. Among these rules is the RTS-SCA (Regulatory Technical Standard - Strong Customer Authentication) rule which requires strong customer authentication as of the 14th of September 2019.

    Are all transactions affected?

    MOTO (Mail Order Telephone Order) type distance selling transactions, payments initiated by the merchant and unrelated to the customer as well as transactions between cardholders or merchant acquirers outside the European economic area are not subject to this RTS-SCA rule.

    Does PSD2/SCA still apply on September 14th?

    Yes, September 14th remains the official effective date for the application of PSD2 SCA. Nevertheless, following the European Banking Authority's recommendation of July 2019 to provide a grace period for the application of this new payment framework, most of the European National Competent Authorities have granted a grace period to the PSPs they regulate. The following countries have already announced this delayed PSD2 enforcement through their local authorities: Austria, Belgium, Germany, Ireland, Italy, Luxembourg, Malta, Netherlands, UK. However, because the conditions (duration, milestones, etc.) of this grace period have not yet been communicated by the local regulators, and because issuing banks located in countries without a transition period will likely require SCA to approve transactions, quickly supporting SCA remains critical.

    Why do you need to act now?

    The aim of Strong Customer Authentication through 3-D Secure 2.0 is to reduce remote payment fraud while at the same time strongly improving user-friendliness for the cardholder. In particular, the issuer (the bank of the cardholder) receives more information on the context of the transaction, which allows it to decide whether or not to proceed with Strong Customer Authentication of the cardholder.

    What are the advantages of 3-D Secure 2.0?

    1. If you are already using 3-D Secure 1.0 for all your transactions, moving to 3-D Secure 2.0 will allow some of your transactions to go frictionless. This will increase your conversion rate while keeping you protected against fraud.
    2. If you are not using 3-D Secure 1.0 at all ("SSL" transactions only) or are using it only partially (dynamic 3-D Secure), implementing 3-D Secure 1.0 or 3-D Secure 2.0 is mandatory anyway to comply with the SCA principle. Otherwise, you can expect many non-3-D Secure transactions to be declined by the issuers. 3-D Secure 2.0 will give you a better conversion rate than 3-D Secure 1.0.

    What is new in the 3-D Secure 2.0 program?

    The major additions of 3-D Secure 2.0 are:

    • Smoother and more integrated customer experience, especially for mobile applications.
    • New authentication methods on the cardholder's bank side.
    • Management of exemptions and the frictionless flow.

    What is Frictionless?

    Depending on the context and the information provided in the payment request, the card issuer performs a risk analysis and may decide not to authenticate the transaction. If the Frictionless initiative comes from the issuer then the merchant will benefit from the liability shift. Conversely, if the merchant has done their own risk analysis and requests Frictionless from the issuer, then they will not benefit from the liability shift.

    What are the exemptions from Strong Customer Authentication (SCA) for over-the-counter payments?

    The RTS stipulates 2 exemption options for over-the-counter payments:

    • Low value contactless transactions

    The exemption for a contactless transaction can be invoked

    ➔ If the amount of the transaction does not exceed €50.
    ➔ If, since the last transaction with Strong Customer Authentication by the cardholder, the maximum amount of contactless transactions, regardless of the merchant, or the number of contactless transactions has not exceeded a maximum (velocity criteria) defined by the RTS-SCA (max €150 or 5 transactions, at the issuer’s discretion, which can also lower these ceilings).

    • Transactions on unattended terminal for parking or transport

    What are the exemptions from Strong Customer Authentication (SCA) for remote payments?

    The RTS stipulates 5 exemption options for remote payments (e-commerce):

    • Trusted Beneficiaries or White-Listing (not applicable to the merchant)

    White-Listing is the option for a cardholder to name, to the issuer of his card (in general his bank), a merchant whom he trusts and for whom he does not wish to perform Strong Customer Authentication when executing remote transactions, provided the merchant meets the security criteria set by the bank.

    • Recurring transactions

    An exemption from Strong Customer Authentication is applied for a series of remote transactions for the same amount to a single beneficiary. However, Strong Customer Authentication is required for the first transaction (the contract) or for each modification of the series conditions.

    • Low value transactions

    An exemption from Strong Customer Authentication for a low value remote payment can be invoked:

    ➔ If the amount of the transaction does not exceed €30.
    ➔ If, since the last transaction with Strong Customer Authentication of the holder, the maximum amount of low value remote transactions, regardless of the merchant, or the number of low value remote transactions does not exceed a ceiling (velocity criteria) defined by the RTS-SCA (max €100 or 5 transactions, at the issuer’s discretion, which can also lower these ceilings).

    • Secure Corporate payments (not applicable to the merchant)

    Exemptions are also valid for payments initiated by businesses with a debit from the business account (for example, central settlement cards, centralized accounts and virtual cards). In contrast, corporate cards (with debit from the employee’s bank account under special conditions) are similar to B2C transactions and are not covered by this special exemption.

    • Transactional Risk Analysis

    The exemption from Strong Customer Authentication for a remote transaction referred to as 'risk analysis' can be invoked by the acquirer (on behalf of the merchant) and by the issuer if the following two conditions are met:

    ➔ The transaction is assessed as safe (for example, no malware infection of the user's workstation, no abnormal spending pattern of the payer, plausible location of the payer, transaction history, etc.).
    ➔ The remote-transaction fraud rate of the payment institution (measured for the acquiring bank and for the issuing bank, not for the merchant or his PSP) is below the preset ceilings:

    ➩ 0.13% if the amount of the transaction is less than €100.
    ➩ 0.06% if the amount of the transaction is less than €250.
    ➩ 0.01% if the amount of the transaction is less than €500.
    ➩ The exemption is not applicable to transactions of over €500.

    What happens if an exemption fails?

    The exemptions are not routine and even if the conditions for exemption are met, the final decision rests with the issuer (the cardholder’s bank) which may or may not grant it. The Issuer will send a soft decline for the payment leading to a resubmission of the payment requesting Strong Customer Authentication from the cardholder.
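The following is an added example, not Worldline's code and not an implementation of any card-scheme API. It models, on the merchant/acquirer side, the low-value and Transactional Risk Analysis exemption rules listed in the two exemption answers above (amount ceilings, velocity criteria and the fraud-rate bands, all taken from the figures on this page) and the soft-decline fallback described in this answer: request an exemption first, and resubmit with SCA when the issuer soft-declines. The `SimulatedIssuer`, the `process_payment` flow, the card numbers and the cardholder history are constructed for the example; which of the two velocity criteria an issuer applies is passed in as a parameter, because the page says only that the issuer may lower the ceilings.

```python
# Added example, not Worldline's code and not any card-scheme API: a merchant-side
# model of the PSD2 RTS low-value and TRA exemption checks described above, plus
# the soft-decline fallback to SCA. Thresholds are the figures quoted on the page;
# the issuer, its risk decision and all sample transactions are constructed.
from dataclasses import dataclass
from decimal import Decimal
from typing import Optional

# RTS ceilings quoted on the page (EUR). An issuer may apply lower ceilings.
LIMITS = {
    "contactless": {"amount": Decimal("50"), "velocity_amount": Decimal("150"), "velocity_count": 5},
    "remote": {"amount": Decimal("30"), "velocity_amount": Decimal("100"), "velocity_count": 5},
}
# TRA reference fraud rates (percent) per amount band, as listed on the page;
# no TRA exemption exists above EUR 500.
TRA_BANDS = ((Decimal("100"), Decimal("0.13")),
             (Decimal("250"), Decimal("0.06")),
             (Decimal("500"), Decimal("0.01")))


@dataclass
class SinceLastSca:
    """Cumulative low-value activity on a card since its last SCA (issuer-side state)."""
    amount: Decimal = Decimal("0")
    count: int = 0


def low_value_exempt(kind, amount, history, velocity_rule="amount", issuer_caps=None):
    """Low-value exemption for 'contactless' or 'remote' with the RTS velocity criterion.

    velocity_rule picks which velocity criterion the issuer applies ('amount' or
    'count'); that an issuer applies one of the two is an assumption of this example.
    issuer_caps may override any ceiling with a lower one.
    """
    caps = {**LIMITS[kind], **(issuer_caps or {})}
    if amount > caps["amount"]:
        return False
    if velocity_rule == "amount":
        # cumulative amount of previous transactions since the last SCA
        return history.amount <= caps["velocity_amount"]
    # number of previous transactions since the last SCA
    return history.count <= caps["velocity_count"]


def tra_exempt(amount, acquirer_fraud_rate_pct):
    """TRA exemption: the acquirer's remote fraud rate must not exceed the reference
    rate of the band the amount falls in (the RTS wording is 'equivalent to or lower')."""
    for band_max, ceiling in TRA_BANDS:
        if amount < band_max:
            return acquirer_fraud_rate_pct <= ceiling
    return False


@dataclass
class Outcome:
    approved: bool
    authenticated: bool          # an SCA challenge (3-D Secure) was performed
    exemption: Optional[str]     # exemption the issuer accepted, if any
    liability_shift: bool
    attempts: int                # authorisation requests sent to the issuer


class SimulatedIssuer:
    """Constructed issuer: honours a requested exemption unless its own risk analysis
    flags the card, in which case it soft-declines and asks for SCA."""

    def __init__(self, risky_pans):
        self.risky_pans = set(risky_pans)

    def authorize(self, pan, exemption_requested, authenticated):
        if authenticated:
            return "approved"
        if exemption_requested and pan not in self.risky_pans:
            return "approved"
        return "soft_decline"


def process_payment(pan, amount, history, acquirer_fraud_rate_pct, issuer):
    """Merchant/acquirer flow: request the best available exemption first; on a soft
    decline (or when no exemption applies) resubmit with SCA."""
    exemption = None
    if low_value_exempt("remote", amount, history):
        exemption = "low_value"
    elif tra_exempt(amount, acquirer_fraud_rate_pct):
        exemption = "tra"
    attempts = 0
    if exemption is not None:
        attempts += 1
        if issuer.authorize(pan, True, False) == "approved":
            # Exemption requested from the merchant/acquirer side: no liability shift
            # (see "What is Frictionless?" above).
            return Outcome(True, False, exemption, False, attempts)
    # No exemption, or the issuer soft-declined: authenticate the cardholder.
    attempts += 1
    approved = issuer.authorize(pan, False, True) == "approved"
    # Standard 3-D Secure rule: liability shifts to the issuer once the cardholder is authenticated.
    return Outcome(approved, True, None, approved, attempts)


if __name__ == "__main__":
    issuer = SimulatedIssuer(risky_pans={"4000000000000002"})  # constructed test PAN
    print(process_payment("4111111111111111", Decimal("20"), SinceLastSca(Decimal("60"), 2), Decimal("0.10"), issuer))
    print(process_payment("4000000000000002", Decimal("20"), SinceLastSca(), Decimal("0.10"), issuer))
    print(process_payment("4111111111111111", Decimal("400"), SinceLastSca(), Decimal("0.05"), issuer))
```

Two design points are worth noting. The velocity counters live with the issuer, not the merchant, so a merchant can only estimate whether the low-value exemption will be granted and must always be prepared for the soft decline; the retry path is therefore the normal path, not an error path. And the `liability_shift` field encodes the rule from the "What is Frictionless?" answer: when the merchant side asked for the exemption, an approved frictionless transaction carries no liability shift, whereas the authenticated fallback does.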

    When will 3-D Secure 2.0 be implemented?

    The 3-D Secure 2.0 implementation, which requires changes throughout the electronic payment chain, will be carried out gradually depending on the various payment stakeholders (payment module, merchant banks, networks, issuer banks), starting in September 2019. We advise you to contact your PSP gateway provider as soon as possible to know if it is already able to support you in implementing 3-D Secure 2.0.

    When will 3-D Secure 1.0 come to an end?

    The end of 3-D Secure 1.0 is announced for December 2020 for Visa and MasterCard.

    What will happen for subsequent recurring transactions in case the first transaction has been performed without SCA before September 14th?

    Worldline, as acquirer, will in a first step not block subsequent transactions whose initial transaction occurred before September 14th, and will continue to accept them. For recurring payments set up after September 14th, Worldline recommends performing SCA for the first transaction and referencing it in the subsequent ones in order to keep the same approval rate.

    The national regulator in my country has approved a transition phase for SCA. What does it mean for my business?

    The national regulators supervise the activities of the local acquirers and issuers. What matters most for the merchant, however, is the location of his acquirer, because this determines whether a transition phase can be applied. Furthermore, merchants with international business should look at the regulations of the countries where they are doing business: some issuers in Europe will be obliged to support SCA by September 14th, and those issuers will probably decline card transactions processed without 3-D Secure.