What are the Core Components of PSD2?
There are three core components of PSD2:
· Consumer protection rights
· Strong customer authentication (SCA)
· Open banking – third party access
Consumer Protection Rights:
Under the new payment services directive, consumers will benefit from even greater protection than before. Since 1999 we have had 3DS1, a secure system that allows the cardholder’s bank to prove that the shopper attempting a purchase is the legitimate user of the credit or debit card. With the rise of new technology and devices, however, it has become clunky and time-consuming, often requiring the user to remember passcodes on the spot. This has led to a lot of drop-offs in the purchasing process.
3DS2 is a new authentication protocol under PSD2, designed to create frictionless payments that work more seamlessly on the different technologies that shoppers use. 3DS2 optimises the user experience by including more data elements between the merchant and issuer, meaning fewer interruptions for the consumer. If the consumer is challenged, the issuer can customise authentication methods to the consumer’s preference. No data is exchanged without the user’s authorisation.
Strong Customer Authentication (SCA):
Where the card issuer and the acquirer are based in the European Economic Area (EEA), merchants are required to add Strong Customer Authentication (SCA) to their payments.
Where card payments are involved, the most common way to achieve SCA is through the adoption of 3DS2.
SCA works a bit like two-factor authentication, where the user must confirm their identity in two different ways. With SCA it could be two from the following list:
1. Knowledge – something only the user knows
2. Possession – something the user possesses
3. Inherence – something the user is
There are a few exemptions where SCA is not required. These include:
· Low value transactions of under £30
· Recurring payments of the same value each time (SCA would only apply in the first instance)
· Transactions via unattended terminals (ticket machines, etc.)
· Contactless payments (under £30)
· Merchant initiated transactions
From 14th March 2021, banks will decline any non-3DS transactions, so the pressure is on for merchants to adapt.
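
The two-factor rule and the exemption list above, as an added example that is not part of the original article: it shows that two credentials from the same category (a password plus a PIN) do not satisfy SCA, and that an exemption is checked before any challenge. The credential names, the Payment record and the function names are assumptions made for illustration; only the three categories, the £30 threshold and the exemptions come from the text, and the code implements them only as stated on this page.

```python
from dataclasses import dataclass, field

# Categories are from the list above; the credential names are constructed samples.
FACTOR_CATEGORY = {
    "password": "knowledge", "pin": "knowledge",
    "phone_app": "possession", "fingerprint": "inherence",
}
LOW_VALUE_LIMIT_GBP = 30  # "under £30" threshold quoted in the exemption list


@dataclass
class Payment:  # hypothetical record; the fields mirror the exemption list
    amount_gbp: float
    contactless: bool = False
    unattended_terminal: bool = False
    merchant_initiated: bool = False
    recurring_same_value: bool = False
    first_in_series: bool = False  # SCA still applies to the first recurring payment
    credentials: list = field(default_factory=list)


def exemption(p: Payment):
    """Return the name of the exemption that applies, or None."""
    if p.merchant_initiated:
        return "merchant_initiated"
    if p.unattended_terminal:
        return "unattended_terminal"
    if p.recurring_same_value and not p.first_in_series:
        return "recurring"
    if p.contactless and p.amount_gbp < LOW_VALUE_LIMIT_GBP:
        return "contactless"
    if p.amount_gbp < LOW_VALUE_LIMIT_GBP:
        return "low_value"
    return None


def satisfies_sca(credentials):
    """True only if the credentials span at least two different categories."""
    categories = {FACTOR_CATEGORY[c] for c in credentials if c in FACTOR_CATEGORY}
    return len(categories) >= 2


def decide(p: Payment):
    """Return 'exempt:<reason>', 'authenticated' or 'challenge'."""
    reason = exemption(p)
    if reason:
        return f"exempt:{reason}"
    return "authenticated" if satisfies_sca(p.credentials) else "challenge"
```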