The Second Payment Services Directive (PSD2), a set of laws and regulations for payment services in the European Union (EU) and the European Economic Area (EEA), has already had many implications for marketplace business models, and it will extend further to all companies in Europe that deal with payments, ranging from how the emergence of Third Party Providers (TPPs) is regulated to the need for strong customer authentication (SCA).
Strong Customer Authentication (SCA) will come into effect on 14 September 2019, so there is little time for merchants to start updating their integration to prepare for it. Transactions that don’t follow the new authentication guidelines may be declined by the banks.
Strong Customer Authentication (SCA) has to be applied when all of the following conditions are met:
- The business is based in the European Economic Area (EEA);
- The customers are from the EEA;
- The payment is initiated online by the customer.
Apart from these cases, there are a few exemptions to SCA, but keep in mind that banks can choose not to honor these exemptions, so you need to be prepared to handle an SCA challenge even if the transaction has been submitted under one of the exemptions.
Small amounts less than 30 EUR
This exemption covers a transaction of less than 30 EUR, as long as no more than 100 EUR has accumulated and no more than 5 transactions have been made since the last SCA. Beyond 100 EUR or beyond 5 unauthenticated transactions, a new SCA is required. Keep in mind that since the information needed to validate these conditions is only available to the issuing bank, you will still need to confirm whether SCA is required on all transactions that might fall into this exemption category.
Recurring transactions / Subscriptions of the same amount for the same beneficiary
SCA is required only for the first transaction of a subscription or recurring billing service. The following transactions of the same amount to the same online seller don’t require a new SCA. By using the Smart2Pay recurring transactions API you can apply this exemption as well.
Payment to a trusted beneficiary
Customers can add their preferred online sellers to a list of trusted beneficiaries held by the issuing bank, so that they are not required to authenticate for each new payment. If possible, please instruct your customers to add your business to the whitelist at their bank.
TRA – Transactional Risk Analysis
SCA can be waived for online payments between €30 and €500, depending on the payment provider’s fraud rate (see the table below). There is no low-risk exemption for transactions over €500. Merchants have to rely on a payment service provider (e.g. an acquirer) to act upon their request, and the test for triggering the exemption rests on whether the PSP satisfies the prescribed conditions, not the merchant. Smart2Pay keeps a very low fraud rate by using state-of-the-art anti-fraud solutions such as RedShield and machine learning algorithms, and by working with low-risk acquiring banks that have very good fraud scores.
The Regulatory Technical Standards (RTS) require payment providers to cover the following in their real-time risk analysis:
- abnormal spending or behavioural pattern of the payer;
- unusual information about the payer’s device/software access;
- malware infection in any session of the authentication procedure;
- known fraud scenario in the provision of payment services;
- abnormal location of the payer;
- high-risk location of the payee.
The fraud rate limits for payment providers are applied as follows:
Fraud rate and amount limits
| Fraud transaction rate | Amount limit |
|---|---|
| Up to 0.01% | Up to €500 |
| Up to 0.06% | Up to €250 |
| Up to 0.13% | Up to €100 |
Merchant Initiated Transaction (MIT)
MITs are payment transactions that are initiated by the payee rather than the payer, and they are not subject to strong customer authentication (SCA) to the extent that they are initiated without any interaction or involvement of the payer. MIT transactions are subject to SCA except when a mandate has been signed by the client. For example, SEPA Direct Debits are initiated by the merchant but are backed by a direct debit mandate signed by the end customer, so SCA does not apply in this case and there are no restrictions on the frequency or the amount.
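The exemption rules described above (low value with cumulative counters, recurring payments, trusted beneficiary, TRA fraud-rate thresholds and MIT with mandate) combined into a single pre-check, as an added example that is not part of this page or of the Smart2Pay API. It assumes the caller already knows the cumulative spend and count since the last SCA and the PSP's fraud rate; in practice those values live with the issuer and the PSP, which is why the result is only a hint and the checkout must still be able to run a challenge.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Thresholds as stated on this page, in EUR. The issuing bank may still
# refuse any exemption, so the checkout must be able to run a challenge anyway.
LOW_VALUE_MAX = 30        # a single transaction must be below this
LOW_VALUE_CUM_MAX = 100   # cumulative spend allowed since the last SCA
LOW_VALUE_MAX_COUNT = 5   # unauthenticated transactions allowed since last SCA
TRA_LIMITS = ((0.0001, 500), (0.0006, 250), (0.0013, 100))  # (max fraud rate, max amount)


@dataclass
class Payment:
    amount_eur: float
    merchant_in_eea: bool = True
    customer_in_eea: bool = True
    customer_initiated: bool = True
    cumulative_since_sca_eur: float = 0.0   # issuer-side data; assumed known here
    count_since_sca: int = 0                # issuer-side data; assumed known here
    subsequent_recurring_same_amount: bool = False
    trusted_beneficiary: bool = False
    mit_with_mandate: bool = False
    psp_fraud_rate: Optional[float] = None  # hypothetical input, e.g. 0.0005 for 0.05%


def tra_limit(fraud_rate: float) -> int:
    """Highest amount the TRA exemption can cover for a PSP fraud rate (0 if none)."""
    for max_rate, max_amount in TRA_LIMITS:
        if fraud_rate <= max_rate:
            return max_amount
    return 0


def sca_decision(p: Payment) -> Tuple[bool, str]:
    """Return (sca_required, reason). False means an exemption may be requested."""
    if not (p.merchant_in_eea and p.customer_in_eea):
        return False, "outside PSD2 scope"
    if not p.customer_initiated:  # merchant initiated transaction
        return (False, "MIT under signed mandate") if p.mit_with_mandate else (True, "MIT without mandate")
    if p.subsequent_recurring_same_amount:
        return False, "recurring, same amount and payee"
    if p.trusted_beneficiary:
        return False, "trusted beneficiary"
    low_value = (p.amount_eur < LOW_VALUE_MAX
                 and p.cumulative_since_sca_eur + p.amount_eur <= LOW_VALUE_CUM_MAX
                 and p.count_since_sca + 1 <= LOW_VALUE_MAX_COUNT)
    if low_value:
        return False, "low value"
    if p.psp_fraud_rate is not None and p.amount_eur <= tra_limit(p.psp_fraud_rate):
        return False, "transaction risk analysis"
    return True, "no exemption applies"
```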
SCA requires merchants to integrate into the checkout flow a two-factor authentication based on two or more elements categorised as:
- knowledge (something only the user knows, e.g. a password);
- possession (something only the user possesses, e.g. a phone, token or certificate);
- inherence (something the user is, e.g. a fingerprint or Face ID).
For an authentication to meet the criteria of PSD2, it must combine at least 2 of these 3 factors. To strongly authenticate an online payment, for example, consumers will be required to use their phone (something they own) and authenticate via fingerprint (something they are).
As of September 14, the credit card number alone will no longer be considered a valid authentication method, and additional factors that meet the requirements of PSD2, such as biometric data, need to be added to the authentication process.
The 3D Secure version 1.0 authentication method used for credit card payments is being updated to version 2.0, which is the best measure for meeting the compliance criteria above.
Please check out our page again soon where we will keep you posted on any updates regarding 3D Secure version 2.0.