Merchants, acquirers, card issuers and customers now face a new challenge in the landscape. The Regulatory Technical Standards (RTS) on Strong Customer Authentication (SCA) under the Second EU Payment Service Directive (PSD2) are coming to evolve during the coming weeks and merchants need to be well equipped.
These regulations mainly require strong customer authentication (also known as two-factor authentication) for payments and takes into account customer experience with frictionless flow and SCA exemptions. These regulations are applicable for both point-of-sale (POS) and e-commerce payments. The impact for point-of-sale payments is quite limited since the cardholder already needs to provide his PIN code to complete the transaction (i.e. strong authentication of the cardholder). Yet, some specific sectors can benefit from SCA exemptions (e.g. Parking and transit). The main impacts of the regulation are for e-commerce payments.
The implementation of the final part of the PSD2, concerning the security element Strong Customer Authentication has been delayed. The European Banking Authority (EBA) announced a decision that allowed the National Competent Authorities (NCAs) around Europe to postpone the deadline to the 31st of December 2020. This deadline applies only for e-commerce payments, as point-of-sales payments should already been compliant since 14th of September 2019.
To comply with the requirement of strong customer authentication, the card schemes – together with the technical body EMVCo – have further developed the new version of 3-D Secure process: 3-D Secure 2 is PSD2 RTS compliant and is valid in EU countries as well as Switzerland. The new standard has been introduced by Visa and Mastercard in April 2019, and merchants will need to support it.
3-D Secure 1 brings also the guarantee to be compliant with the RTS but does not leverage all benefits of exemptions and frictionless flow.
What exactly does ‘Strong customer authentication’ mean?
With Strong Customer Authentication, all payment transactions (except for defined exemptions) must be “strongly” authenticated. This means that at least two of the three of the following factors must be applied:
“something you know”
- Secret question
- Numerical sequence
“something you have”
- Mobile phone (SIM card)
- Wearable devices
“something you are”
- Voice recognition
- Iris recognition
- Facial features
With the investments in new technology, a customer could keep a very good shopping experience while still doing secure transaction.
Transactions impacted by SCA
The general rule is that all payments transactions initiated electronically by the payer have to be SCA. PSD2 has defined cases where Strong Customer Authentication of the cardholder does not apply:
- Anonymous prepaid cards
- Mail order and telephone orders (MOTO transactions)
- Interregional / “One Leg” transactions
- Transactions initiated by the payee (Merchant Initiated Transactions - MIT)
Exemptions of SCA
PSD2 allows for some exemptions in which the cardholder does not need to perform SCA. This aims at improving the user-friendliness for the cardholder thanks to a frictionless and smooth user experience.
The RTS stipulates:
Point-of-sales: 2 exemption options for payments:
- Low value contactless transactions
- Transactions on a vending machine (unattended terminals) for parking or transport
E-commerce: 5 exemption options for remote payments:
- Trusted Beneficiaries or White-Listing (issuer only exemption, not available for the merchant)
- Recurring transactions
- Low value transactions
- Transactional Risk Analysis
- Secure corporate payments (issuer only exemption, not available for the merchant)
Key benefits of 3-D Secure 2 in this context
Smooth payment process (frictionless flow)
Intelligent fraud detection mechanisms to reduce credit card fraud
Fewer payment disruptions thanks to risk-based authentication
Complete integration in web shop and app
Worldline: ready to deliver compliance of PSD2 SCA requirements
Worldline was one of the first payment providers in Europe to process 3-D Secure 2 transactions in a live environment.
In Q4 2018, we launched a project with banks, card schemes and a selected group of merchants, leading to a pilot phase which since May 2019 has been authenticating real-world transactions with 3-D Secure 2.
Thanks to our payment acceptance solution, which is dedicated to securing and managing e-commerce payments, we are the clear-cut European partner of choice for merchants looking to maximize frictionless flow, manage exemptions and optimize online user experience.
Worldline experts have been sharing our expertise and practical experience in this area over the course of the past years in a series of workshops with merchants, PSPs and banks to explain how payment platforms can effectively apply 3-D Secure 2. We are already working with a growing number of merchants of all sizes to deliver compliance with the new regime.
Our experts are ready to help all merchants successfully embrace these challenges and reap the benefits of online payment processes that will be safer, smarter and easier to use.
Our products are now designed to help you to adapt to SCA requirements and to benefit from any relevant exemptions.
Please contact your usual Worldline Local Contact if you have any questions.
What is PSD2?
The Revised Payment Services Directive (PSD2) is defined by the European Banking Authority and aims at regulating new stakeholders and improving the security of exchanges. Among these rules is the RTS-SCA (Regulatory Technical Standard – Strong Customer Authentication) rule which requires strong customer authentication.Where are we now?
As the initial deadline of 14th of September 2019 came closer, more and more European countries realised that a vast number of their national e-commerce companies and banks were unable to comply with this already once postponed enforcement date.
It was estimated that on average European online shops would lose around 20% in revenue if they were unable to comply timely, and the European Banking Authority (EBA), who is responsible for the Regulatory Technical Standards, finally decided to allow yet another postponement.
The new and final deadline announced in an EBA opinion is the 31st of December 2020, and the National Competent Authorities (NCAs) around Europe have announced the postponement to their respective countries' relevant national players, i.e. banks, PSPs and internet shops.
However, to avoid a situation where the extension of the deadline could lead some of the parties to take no action until the new deadline comes dangerously close, EBA - via the NCAs - have demanded concrete SCA implementation plans from the parties as a condition for a postponement. In other words, EBA has ensured that they will not face the same situation again as the next deadline approaches.
Finally, it is important to underline that merchants and their PSPs should be technically ready no later than the end of H1 2020 in order to get enough time to test the full chain with their acquirers, the schemes and the Issuers, since it is likely that there will be different interpretations of the new rules, and the fine-tuning can take time and must be completed before the winter period - with all the special events like black Friday, single day and Christmas events.What will happen after 31st December 2020?
As of 1st of January 2021, Worldline will no longer process PSD2 incompliant transactions.Are all transactions affected?
MOTO (Mail Order Telephone Order) type distance selling transactions, payment initiated by the merchant and unrelated to the customer (MIT) as well as transactions between cardholders or merchant acquirers outside the European economic area (for instance, Switzerland and the opposite) are not subject to this RTS-SCA rule (considered as one-leg transactions).What will happen to my Bancontact transactions?
The Bancontact transactions are 100% strongly authenticated and therefore compliant with the PSD2 regulation.Why do you need to act now?
The aim of Strong Customer Authentication through 3-D Secure 2 is to reduce remote payment fraud, at the same time strongly improving user-friendliness for the cardholder, in particular by providing the issuer (the bank of the cardholder) with more information on the context of the transaction, in order to allow the latter to decide whether it should or should not proceed with Strong Customer Authentication of the cardholder.What are the advantages of 3-D Secure 2?
What is new in the 3-D Secure 2 program?
- If you are already using 3-D Secure 1 for all your transactions, moving to 3-D Secure 2 will allow some of your transactions to go frictionless. This will increase your conversion rate while keeping you safe about fraud.
- If you are not using 3-D Secure 1 at all (“SSL” transactions only) or you are using it partially (dynamic 3-D Secure), implementing 3-D Secure 1 or 3-D Secure 2 is anyway mandatory to comply with the principle of SCA. Else, you can expect a lot of non-3-D Secure transactions declined by the issuers. 3-D Secure 2 will provide you with a better conversion rate than 3-D Secure 1.
The major additions of 3-D Secure 2 are:
What are the exemptions from Strong Customer Authentication (SCA) for point-of-sale payments?
- Smoother and more integrated customer experience, especially for mobile applications.
- New authentication methods of the cardholder bank side.
- Management of exemptions and Frictionless.
The RTS stipulates 2 exemption options for point-of-sale payments:
- Low value contactless transactions
The exemption for a contactless transaction can be invoked
➔ If the amount of the transaction does not exceed €50.
➔ If, since the last transaction with Strong Customer Authentication by the cardholder, the maximum amount of contactless transactions, regardless of the merchant, or the number of contactless transactions has not exceeded a maximum (velocity criteria) defined by the RTS-SCA (max €150 or 5 transactions, at the issuer’s discretion, which can also lower these ceilings).
- Transactions on unattended terminal for parking or transport
An exemption from Strong Customer Authentication is applied for contact and contactless transactions to pay for a transport fare or a parking fee made on an unattended terminal. The exemption can be invoked:
➔ If the transaction is made under specific MCCs.
➔ If the amount of the transaction does not exceed maximum transaction amount specified by the schemes (Mastercard and Visa). For transactions with an amount exceeding the maximum amount allowed, Strong Customer Authentication of the cardholder will always be requested.What are the exemptions from Strong Customer Authentication (SCA) for remote payments?
The RTS stipulates 5 exemption options for remote payments (e-commerce):
- Trusted Beneficiaries of White-Listing (not applicable to the merchant)
White-Listing is the option for a cardholder to name, to the issuer of his card, in general his bank, a merchant whom he trusts and for whom he does not wish to make a Strong Customer Authentication while executing remote transaction, provided the latter meets the security criteria set by the bank.
- Recurring transactions
An exemption from Strong Customer Authentication is applied for a series of remote transactions for the same amount to a single beneficiary. However, Strong Customer Authentication is required for the first transaction (the contract) or for each modification of the series conditions.
- Low value transactions
An exemption from Strong Customer Authentication for a low value remote payment can be invoked:
➔ If the amount of the transaction does not exceed €30.
➔ If, since the last transaction with Strong Customer Authentication of the holder, the maximum amount of low value remote transactions, regardless of the merchant, or the number of low value remote transactions does not exceed a ceiling (velocity criteria) defined by the RTS-SCA (max €100 or 5 transactions, at the issuer’s discretion, which can also lower these ceilings).
- Secure Corporate payments (not applicable to the merchant)
Exemptions are also valid for payments initiated by businesses with a debit from the business account (for example, central settlement cards, centralized accounts and virtual cards). In contrast, corporate cards (with debit from the employee’s bank account under special conditions) are similar to B2C transactions and are not covered by this special exemption.
- Transactional Risk Analysis
The exemption from Strong Customer Authentication for a remote transaction referred to as ‘risk analysis’ can be invoked by the acquirer (on behalf of the merchant) and by the issuer if the following two conditions are met:
➔ That the transaction is declared safe (for example, no infection of the user’s workstation by a malware, no abnormal disbursements by the payer, location of the payer, transactions history, etc.).
➔ That the fraud rate (for remote transactions) for the payment establishment (for Bank acquirer and for Bank issuer but and not for the merchant or his PSP) is below preset ceilings:
➩ 0,13% if the amount of the transaction is less than €100.
➩ 0,06% if the amount of the transaction is less than €250.
➩ 0,01% if the amount of the transaction is less than €500.
➩ Exemption not applicable for transactions of over €500.What happens if an exemption fails?
The exemptions are not routine and even if the conditions for exemption are met, the final decision rests with the issuer (the cardholder’s bank) which may or may not grant it. The Issuer will send a soft decline for the payment leading to a resubmission of the payment requesting Strong Customer Authentication from the cardholder.When will 3-D Secure 2 be implemented?
The 3-D Secure 2 implementation, which requires changes throughout the electronic payment chain, will be carried out gradually depending on the various payment stakeholders (payment module, merchant banks, networks, issuer banks). We advise you to contact your PSP gateway provider as soon as possible to know if it is already able to support you in implementing 3-D Secure 2.When will 3-D Secure 1 come to an end?
The end of 3-D Secure 1 is announced for December 2020 for Visa and Mastercard.What will happen for subsequent recurring transactions in case the first transaction has been performed without SCA before December 31st?
Worldline as acquirer will not block subsequent transactions of an initial transaction that occurred before December 31st? whose initial in a first step and will continue to accept the subsequent transactions. For recurring payments conducted after December 31st?, Worldline recommend to perform SCA for the first one and reference this one in subsequent transaction in order to keep the same approval rate.The national regulator in my country has approved a transition phase for SCA. What does it mean for my business?
The national regulators supervise the local acquirers and issuers activities. The most important for the merchant is however the location of his acquirer because this will determine whether a transition phase could be applied. Furthermore merchants with international business should have a look to the regulations of countries where there are doing business. Indeed some issuers in Europe will be obliged to support SCA by September 14th. That means that those issuers will probably decline card transactions processed without 3-D Secure.