What is PSD2?
The Revised Payment Services Directive (PSD2) is defined by the European Banking Authority and aims at regulating new stakeholders and improving the security of exchanges. Among these rules is the RTS-SCA (Regulatory Technical Standard - Strong Customer Authentication) rule, which requires strong customer authentication as of the 14th of September 2019.
Are all transactions affected?
MOTO (Mail Order / Telephone Order) distance-selling transactions, payments initiated by the merchant without the customer's involvement, and transactions where the cardholder or the merchant's acquirer is located outside the European Economic Area are not subject to the RTS-SCA rule.
Does PSD2/SCA still apply on September 14th?
Yes, September 14th remains the official effective date for the application of PSD2 SCA. Nevertheless, following the European Banking Authority's recommendation of July 2019 to provide a grace period for the application of this new payment framework, most of the European National Competent Authorities have granted a grace period to the PSPs they regulate. The following countries have already announced this delayed PSD2 enforcement through their local authorities: Austria, Belgium, Germany, Ireland, Italy, Luxembourg, Malta, Netherlands, UK.
Also, the conditions of this grace period (duration, milestones, etc.) have not yet been communicated by the local regulators, and issuing banks located in countries without a transition period will likely require SCA to approve transactions. Supporting SCA quickly therefore remains critical.
Why do you need to act now?
The aim of Strong Customer Authentication through 3-D Secure 2.0 is to reduce remote payment fraud while strongly improving user-friendliness for the cardholder. In particular, it provides the issuer (the cardholder's bank) with more information on the context of the transaction, so that the issuer can decide whether or not to proceed with Strong Customer Authentication of the cardholder.
What is new in the 3-D Secure 2.0 program?
The major additions of 3-D Secure 2.0 are:
- Smoother and more integrated customer experience, especially for mobile applications.
- New authentication methods on the cardholder's bank (issuer) side.
- Management of exemptions and Frictionless flows.
What is Frictionless?
Depending on the context and the information provided in the payment request, the card issuer performs a risk analysis and may decide not to authenticate the transaction. If the Frictionless initiative comes from the issuer, then the merchant will benefit from the liability shift. Conversely, if the merchant has done their own risk analysis and requests Frictionless from the issuer, then they will not benefit from the liability shift.
What are the exemptions from Strong Customer Authentication (SCA) for over-the-counter payments?
The RTS stipulates 2 exemption options for over-the-counter payments:
- Low value contactless transactions
The exemption for a contactless transaction can be invoked:
➔ If the amount of the transaction does not exceed €50.
➔ If, since the last transaction with Strong Customer Authentication by the cardholder, neither the cumulative amount of contactless transactions (regardless of the merchant) nor the number of contactless transactions has exceeded the ceilings (velocity criteria) defined by the RTS-SCA: max €150 or 5 transactions, at the issuer's discretion (the issuer may also lower these ceilings).
- Transactions on unattended terminals for parking or transport
What are the exemptions from Strong Customer Authentication (SCA) for remote payments?
The RTS stipulates 5 exemption options for remote payments (e-commerce):
- Trusted Beneficiaries or White-Listing (not applicable to the merchant)
White-Listing is the option for a cardholder to name, to the issuer of their card (in general their bank), a merchant whom they trust and for whom they do not wish to perform Strong Customer Authentication when executing remote transactions, provided the merchant meets the security criteria set by the bank.
- Recurring transactions
An exemption from Strong Customer Authentication is applied for a series of remote transactions for the same amount to a single beneficiary. However, Strong Customer Authentication is required for the first transaction (the contract) and for each modification of the conditions of the series.
- Low value remote payments
An exemption from Strong Customer Authentication for a low value remote payment can be invoked:
➔ If the amount of the transaction does not exceed €30.
➔ If, since the last transaction with Strong Customer Authentication by the cardholder, neither the cumulative amount of low value remote transactions (regardless of the merchant) nor the number of low value remote transactions has exceeded the ceilings (velocity criteria) defined by the RTS-SCA: max €100 or 5 transactions, at the issuer's discretion (the issuer may also lower these ceilings).
- Secure Corporate payments (not applicable to the merchant)
Exemptions are also valid for payments initiated by businesses with a debit from the business account (for example, central settlement cards, centralized accounts and virtual cards). In contrast, corporate cards (with debit from the employee’s bank account under special conditions) are similar to B2C transactions and are not covered by this special exemption.
- Transactional Risk Analysis
The exemption from Strong Customer Authentication for a remote transaction, referred to as 'risk analysis', can be invoked by the acquirer (on behalf of the merchant) and by the issuer if the following two conditions are met:
➔ The transaction is assessed as safe (for example: no malware infection of the user's workstation, no abnormal spending by the payer, payer location, transaction history, etc.).
➔ The fraud rate for remote transactions of the payment institution (the acquiring bank or the issuing bank, not the merchant or their PSP) is below the preset ceilings:
➩ 0.13% if the amount of the transaction is less than €100.
➩ 0.06% if the amount of the transaction is less than €250.
➩ 0.01% if the amount of the transaction is less than €500.
➩ Exemption not applicable for transactions of €500 or more.
What happens if an exemption fails?
The exemptions are not automatic: even if the conditions for an exemption are met, the final decision rests with the issuer (the cardholder's bank), which may or may not grant it. If it does not, the issuer sends a soft decline for the payment, and the payment is resubmitted with a request for Strong Customer Authentication of the cardholder.
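The remote-payment exemption rules above (low value and velocity ceilings, the Transactional Risk Analysis fraud-rate bands), the soft-decline fallback, and the liability-shift point from "What is Frictionless?" can be modelled as one acquirer-side decision routine. The following is an added example, not Worldline's code or any gateway's API. It assumes a hypothetical per-card counter of remote transactions since the last SCA (constructed here; in practice the issuer holds it), represents the issuer's decision as a boolean, takes the acquirer's remote fraud rate as a percentage, checks both velocity ceilings rather than one (an issuer may apply either), and uses the maximum ceilings from the text (issuers may set lower ones).

```python
from dataclasses import dataclass
from decimal import Decimal
from typing import Optional, Tuple

# Ceilings as stated in the FAQ; assumption: the issuer has not lowered them.
LOW_VALUE_REMOTE_MAX = Decimal("30")       # per-transaction cap for the low value exemption
LOW_VALUE_CUMULATIVE_MAX = Decimal("100")  # cumulative amount since the last SCA
LOW_VALUE_COUNT_MAX = 5                    # number of transactions since the last SCA

# TRA bands: (amount strictly below this bound, highest acquirer fraud rate in percent)
TRA_BANDS = (
    (Decimal("100"), Decimal("0.13")),
    (Decimal("250"), Decimal("0.06")),
    (Decimal("500"), Decimal("0.01")),
)


@dataclass
class CardholderCounters:
    """Hypothetical counters kept per card since the last SCA (constructed for this example)."""
    amount_since_sca: Decimal = Decimal("0")
    count_since_sca: int = 0

    def reset(self) -> None:
        """A transaction authenticated with SCA restarts the velocity window."""
        self.amount_since_sca = Decimal("0")
        self.count_since_sca = 0

    def record(self, amount: Decimal) -> None:
        """An exempted (unauthenticated) transaction consumes part of the window."""
        self.amount_since_sca += amount
        self.count_since_sca += 1


def low_value_remote_eligible(amount: Decimal, c: CardholderCounters) -> bool:
    """Low value remote exemption: at most EUR 30, and neither velocity ceiling exceeded.
    Assumption: both ceilings are enforced (an issuer may apply only one of them)."""
    if amount > LOW_VALUE_REMOTE_MAX:
        return False
    if c.amount_since_sca + amount > LOW_VALUE_CUMULATIVE_MAX:
        return False
    return c.count_since_sca < LOW_VALUE_COUNT_MAX


def tra_eligible(amount: Decimal, acquirer_fraud_rate_pct: Decimal) -> bool:
    """TRA exemption: the acquirer's remote fraud rate must not exceed the ceiling of the
    amount band; amounts of EUR 500 or more can never use it."""
    for upper_bound, max_rate in TRA_BANDS:
        if amount < upper_bound:
            return acquirer_fraud_rate_pct <= max_rate
    return False


def authorise(amount: Decimal, counters: CardholderCounters,
              acquirer_fraud_rate_pct: Decimal,
              issuer_grants_exemption: bool) -> Tuple[Optional[str], bool, bool]:
    """Acquirer-side flow for one remote payment.
    Returns (exemption_used, sca_performed, liability_shift_for_merchant)."""
    if low_value_remote_eligible(amount, counters):
        requested = "low_value"
    elif tra_eligible(amount, acquirer_fraud_rate_pct):
        requested = "tra"
    else:
        requested = None  # no exemption available: go straight to SCA

    if requested is not None and issuer_grants_exemption:
        counters.record(amount)
        # The merchant/acquirer asked for the exemption, so no liability shift.
        return requested, False, False

    # Either no exemption applied or the issuer soft-declined it: the payment is
    # (re)submitted with SCA, which resets the velocity window and shifts liability.
    counters.reset()
    return None, True, True


if __name__ == "__main__":
    card = CardholderCounters(amount_since_sca=Decimal("60"), count_since_sca=3)
    for amt, rate, granted in ((Decimal("25"), Decimal("0.05"), True),
                               (Decimal("25"), Decimal("0.05"), True),
                               (Decimal("20"), Decimal("0.20"), True)):
        print(amt, authorise(amt, card, rate, granted), card)
```

Walking the constructed sequence: the first €25 fits under the low value ceilings; the second no longer does (€110 cumulative) and falls back to TRA with a 0.05% fraud rate; the third finds TRA unavailable at 0.20% and is authenticated, which resets the counters. Passing `issuer_grants_exemption=False` reproduces the soft-decline path: the transaction ends up authenticated regardless of which exemption the acquirer requested.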
When will 3-D Secure 2.0 be implemented?
The 3-D Secure 2.0 implementation, which requires changes throughout the electronic payment chain, will be carried out gradually depending on the various payment stakeholders (payment module, merchant banks, networks, issuer banks), starting in September 2019.
We advise you to contact your PSP gateway provider as soon as possible to find out whether it is already able to support you in implementing 3-D Secure 2.0.
When will 3-D Secure 1.0 come to an end?
The end of 3-D Secure 1.0 is announced for December 2020 for Visa and MasterCard.
What will happen for subsequent recurring transactions in case the first transaction has been performed without SCA before September 14th?
Worldline, as acquirer, will not block subsequent transactions linked to an initial transaction that occurred before September 14th, and will continue to accept those subsequent transactions.
For recurring payments set up after September 14th, Worldline recommends performing SCA for the first transaction and referencing it in the subsequent transactions, in order to keep the same approval rate.
The national regulator in my country has approved a transition phase for SCA. What does it mean for my business?
The national regulators supervise the activities of the local acquirers and issuers. What matters most for the merchant, however, is the location of their acquirer, because this determines whether a transition phase can be applied. Furthermore, merchants with international business should look at the regulations of the countries where they are doing business: some issuers in Europe will be obliged to support SCA by September 14th, which means that those issuers will probably decline card transactions processed without 3-D Secure.