Strong Customer Authentication
Your Questions Answered
We’ve put together some commonly asked questions to provide additional guidance on the new Strong Customer Authentication regulation and what it will mean for your business. If you can’t find what you’re looking for contact us, our customer support team are on hand to help 24-7.
1. What is the Payment Services Directive (PSD2)?
PSD2 was introduced as a follow up to the original Payment Services Directive (PSD) by the European Commission, it took effect in January 2018. The aim is to bring in new laws to increase customer protection, foster innovation and inspire pan-European competition.
A key element of PSD2 is the introduction of the Regulatory Technical Standard (RTS) on Strong Customer Authentication (SCA) which applies to card-based ecommerce transactions in the European Economic Area (EEA).
2. When does SCA come into force?
Strong Customer Authentication was due to come into force on 14 September 2019. However, in August 2019, the Financial Conduct Authority (FCA) announced an 18-month extension to the proposed 14 September deadline giving UK businesses, banks and online account providers more time to implement the necessary tools and processes. Businesses now have until March 2021 to become compliant.
While we expect a gradual transition to SCA enforcement by banks and issuers across the EU, in time for the deadline, there are steps you should start to take now to prepare your business.
At Sage Pay we’ve been working to minimise the impact for you and your business by upgrading our systems to support 3D Secure. The first step to achieving SCA compliance, is to ensure your ecommerce payments have version one enabled. You can find out how to do this on page 8 of our MySagePay User Guide.
3DSv2 functionality is now available to Sage Pay customers in our test environment giving merchants an early opportunity to test how best to incorporate SCA compliance together with an improved user experience at checkout. We will continue to work closely with acquirers and issuers across the industry to confirm 3DSv2 enforcement timelines applicable to Sage Pay customers and will communicate further when 3DSv2 is available in live.
3. What is SCA and how does it affect my business?
Strong Customer Authentication makes payments more secure for both your business and the customer by adding an extra layer of protection known as two-factor authentication (2FA). When SCA comes into effect, customers will be required to provide at least two of the following forms of identification when making a payment:
Something the customer knows e.g. a pin or password
Something the customer possesses e.g.
Something the customer is
The expectation is for all ecommerce transactions to be processed via secured industry protocol such as 3D Secure by March 2021 (with some exemptions detailed below).
4. What is the purpose of SCA?
Payment fraud losses have been steadily increasing for nearly a decade with little sign of easing. Merchants increasingly face a delicate balance between ensuring customer security and convenience, while minimising fraud and friction.
Strong Customer Authentication has been introduced to help combat fraud by improving customer security while reducing the liability held against businesses for unauthorised transactions.
5. How will SCA affect the customer payment journey?
Today, payments are typically authenticated using 3DSv1 (sometimes known as Verified by Visa, or Mastercard SecureCode or Amex SafeKey) where your customer is asked to confirm their password. Under 3DSv1, the customer will always face an authentication challenge.
When your customer is ready to make a payment, they’ll be redirected to their debit or credit card provider’s 3D secure page. If the cardholder’s bank deems the transaction risk to be ‘high’, the cardholder is asked to prove their identity.
From 1 Feb 2020, UK card issuers and/or acquirers will begin to gradually step up payments, requesting for 3D Secure to be performed with two-factor authentication (2FA). When 3DSv2 is used around 90% to 95% of authentication requests will result in a frictionless authentication, where the customer doesn’t even realise that authentication has taken place.
Contactless card machine transactions (also ‘online payment’) will be subject to new rules. Card issuers are required to prompt the Cardholder to perform a Chip and Pin transaction each time their cumulative contactless spend reaches €150 since their last Chip and Pin transaction.
6. What are the benefits of 3D Secure version 2?
During a 3D Secure authentication, how the authentication is performed is up to the card issuer. It’s possible to achieve SCA with 3DSv1, however 3DSv2 makes this much easier. Sage Pay’s upgrade to 3DSv2 introduces a better user experience to help minimise additional friction including:
Responsive payment pages that work well on any device i.e. mobile, desktops, tablets
Support for low friction challenges such as biometric authentication (fingerprint / face id)
Frictionless authentication where your customer doesn’t even realise that authentication has taken place
Rich cardholder information integrated into the checkout experience
When 3DSv2 is enabled, it is estimated that only 5% to 10% of authentications will result in the cardholder having to be re-directed to their banks 3D Secure page to enter 2FA. Most authentication requests will result in a frictionless authentication with an authorisation rate of up to 90%. What’s more, liability for unauthorised transactions passes to the card issuer, saving you time and money on potential disputes.
7. When do I need to activate 3D Secure version 2?
The current 3D Secure implementation will continue to be supported until the end of 2020 (at which time 3DSv2 becomes mandatory worldwide). From March 2021, European banks will decline online transactions that have no authentication in place.
3DSv2 functionality is now available to Sage Pay customers in our test environment giving merchants an early opportunity to test how best to incorporate SCA compliance together with an improved user experience at checkout.
We will continue to work closely with acquirers and issuers across the industry to confirm 3DSv2 enforcement timelines applicable to Sage Pay customers and will communicate further when 3DSv2 is available in live. Please check our support pages for regular updates.
8. How can I activate 3D Secure?
The first step to achieving SCA compliance, is to ensure your ecommerce payments have 3DSv1 enabled. You can find out how to do this on page 8 of our MySagePay User Guide.
Your integration type determines if you need to make any further changes to support 3DSv2:
Form – No change. Fully supports 3DSv1 and 3DSv2
Server – No change. Fully supports 3DSv1 and 3DSv2
Direct – Fully supports 3DSv1. Extra 9 fields need to be submitted for 3DSv2.
Pi - Fully supports 3DSv1. Extra 8 fields need to be submitted for 3DSv2
Click here to understand the steps your business needs to take to activate 3D Secure.
If you are using the Direct integration method, protocol 4.00 will not be available until 3DSv2 is live.
9. How do I know what integration I am on?
If you don’t know which integration your website uses, you can find this in MySagePay by clicking on any successful payment, then choose Additional Details from the left menu. You will see the integration in the System Used field.
10. How do I test?
If you are using the Direct integration method please look at chapter 6.0 of the draft protocol 4.00 guide entitled ‘Testing’ found here.
For Form and Server integrations, there is no change with the payment flow or with request and responses that you will submit to and receive from Sage Pay. You can, if you choose to, try some of the magic values that are shown in chapter 6.0 of the above guide to see the difference between the frictionless and challenge flows.
For the Pi integration method, the technical documentation can be found here. For a high level overview please see Additional Integrations > Using 3-D Secure. For more detailed technical information see API Reference > Transactions and API Reference > 3-D - Secure.
11. What exemptions apply?
There are several exemptions to SCA that may be requested to improve the payment experience.
You first need to speak with your acquirer to get their approval of any exemptions you choose to use. Once your acquirer has advised of suitable exemptions for your business model, you can request an exemption on a per transaction basis when submitting your transaction request to Sage Pay. If you choose to use an exemption, any chargeback liability is passed to you for the transaction.
The card issuer may not always agree with your exemption. In this instance, they may return a ‘soft decline’ and request that 2FA is performed.
- Trusted beneficiaries
Card issuers will allow your customer to add you as a trusted beneficiary, either during 2FA, or when they log into their card account. Once they have added you as a trusted beneficiary, you can apply for this exemption so that this applies every time they shop with you.
- Recurring transactions or subscriptions
After initial set up, a subscription or membership fee consisting of repeat payments of the same amount to the same payee i.e. direct debit, will be exempt from authentication. Since your customer is off session when a recurring transaction is performed, they cannot be expected to perform an authentication. However, 2FA must be performed for the first transaction of a recurring series, where your customer is in-session.
- Trusted Risk Analysis (TRA)
This exemption can be used if you have a low chargeback rate. Typically, between 1 and 13 chargebacks per 10,000 transactions. It varies depending on the transaction amount value up to and including €500. You cannot use this exemption for transaction values over €500. Overall fraud rates for card payments must not exceed the following thresholds:
0.13% to exempt transactions below €100
0.06% to exempt transactions below €250
0.01% to exempt transactions below €500
- Low-value transactions (LVT)
A Low Value Transaction (LVT) is one that is 30 EUR or less. This exemption is permitted for a maximum of five LVT per card account, per day, where the cumulative value does not reach more than €100 a day.
If the cardholder uses their card to make 5 consecutive low value payments, or a total that exceeds €100, SCA will be required.
This is not a straightforward exemption; your customer could already have consumed their permitted allowance elsewhere before purchasing an item from your website. If this is the case, the card issuer may “soft-decline” the transaction and request that your customer performs 2FA.
- Delegated Authentication
You can only use this exemption if you have participated in a delegated authentication program with the card schemes, where the card scheme approves delegation of the authentication process to you.
- Secure Corporate payment
If your customer is using a corporate card, that is a lodged corporate card (typically used to book travel for all employees of a company), then this exemption can be used. It cannot be used for personal corporate cards.
12. Does this affect Mail Order Telephone Orders (MOTO) payments?
13. Does the Payment Services Directive (PSD2) apply to transactions outside of Europe?
Strong Customer Authentication applies to card-based ecommerce transactions (including digital wallets backed by cards) where both the card issuer (i.e. financial institution with whom cardholder has relationship) and the acquirer (i.e. financial institution with whom the merchant has a relationship) both reside within the European Economic Area (EEA).
As an example, if your customer is making a purchase with a card issued outside of the EEA, then SCA does not apply. If your customer is making a purchase with a card issued inside the EEA, but your acquirer is registered outside of the EEA, then SCA does not apply.
14. I’m still confused where can I find more information?
For more information please visit our support pages. We're here to help 24/7, 365 days a year. Existing customers can contact our dedicated UK-based support team on 0191 479 5922 or email us and we'll aim to get back to you within 24 hours.