Payment Services Directive
The new EU Payment Services Directive (PSD2) took effect in January 2018 and is set to make significant changes to the payment industry in 2019.
PSD2 was introduced as a follow up to the original Payment Services Directive (PSD). A key element of PSD2 is the introduction of additional security authentications for ecommerce transactions.
The aim is to bring in new laws to increase customer rights, foster innovation and inspire pan-European competition.
Sage Pay are here to help guide you through the changes that will come into effect over the next 18 months and ensure you have the tools to benefit from and remain compliant with the new regulations.
Why is Strong Customer Authentication needed?
Payment fraud losses have been steadily increasing for nearly a decade with little sign of easing. The European Commission has intervened by placing strong customer authentication (SCA) requirements on participants to reduce fraud as one of the core components of PSD2.
From March 2021, the expectation is for all ecommerce transactions to be processed via secured industry protocol such as 3D Secure. Ecommerce transactions will need additional authentication (with some exemptions).
Strong Customer Authentication requirements?
SCA requires at least two independent factors in the authentication process. The three available factors for authentication are listed below.
Something your customer knows [knowledge]: e.g. a PIN
Something your customer has [possession]: e.g. card, smartphone
Something your customer is [inherence]: e.g. fingerprint
Each electronic payment (except for some exemptions) must be authenticated with at least two of these factors. This is known as multi-factor authentication (MFA) or two-factor authentication (2FA).
So what will be different?
The customers' payment journey may look a little different. Today if 3D Secure is enabled, an authentication is performed, and the cardholder will always be re-directed to their banks 3D Secure page. If the cardholders bank deems the transaction risk to be ‘high’, the cardholder will be required to prove their identity. This is commonly known as a “step-up”.
When SCA comes into force, authentication will become the new default and cannot be bypassed (unless an exemption applies). Although authentication will be performed, it is expected that only 5% to 10% of authentications will result in the cardholder having to be re-directed to their banks 3D Secure page to enter 2FA (challenge authentication). The majority of the authentication requests will result in a frictionless authentication, where the cardholder is not re-directed to their banks 3D Secure page to enter 2FA.
Contactless card machine transactions (also ‘ecommerce’) will be subject to new rules. When SCA comes into force, card issuers will be required to prompt the Cardholder to perform a Chip and Pin transaction each time their cumulative contactless spend reaches €150 since their last Chip and Pin transaction.
Regulatory Technical Standard
One of the many things included in the PSD2 legislation was a directive that the EBA/ECB prepared, Regulatory Technical Standard (RTS) on Strong Customer Authentication (SCA). [Article 98 of PSD2]. In November 2017, the RTS on SCA was signed.
When does the regulation apply?
Strong Customer Authentication was due to come into force on 14 September 2019. However, in August 2019, the Financial Conduct Authority (FCA) announced an 18-month extension to the proposed 14 September deadline giving UK businesses, banks and online account providers more time to implement the necessary tools and processes. Businesses now have until March 2021 to become compliant.
While we expect a gradual transition to SCA enforcement by banks and issuers across the EU, in time for the deadline, there are steps you should start to take now to prepare your business. At Sage Pay we’ve been working to minimise the impact for you and your business by upgrading our systems to support 3D Secure. The first step to achieving SCA compliance, is to ensure your ecommerce payments have version one enabled. You can find out how to do this on page 8 of our MySagePay User Guide.
Authentication Vs Authorisation?
Authentication is the act of validating that the customer is who they claim to be. This is distinct to authorisation which is the act of validating that the account has sufficient funds for the transaction and the account (or card) is not blocked for some reason. For ecommerce transactions today, we use 3D Secure(sometimes known as Verified by Visa, or Mastercard Securecode or Amex Safekey) to authenticate the customer.
3D Secure v2
A new version of the authentication protocol for ecommerce transactions, 3D Secure, has been published. It contains many improvements to make it easier to achieve SCA on ecommerce transactions. The main improvements are:
Responsive payment pages to work well on any device
Support for biometric authentication (fingerprint / face id)
Possibility of frictionless authentication flow – where customer doesn’t even realise that authentication has taken place.
During a 3D Secure authentication, how the authentication is performed is up to the card issuer. It’s possible to achieve SCA with 3DSv1, however 3DSv2 makes achieving SCA much easier.
What are Sage Pay doing?
We are in the process of upgrading our gateway to support 3DSv2 and to make the necessary changes for contactless card machine transactions. We will be certifying our updated gateway with the card schemes and acquirers in the coming months. We aim to deliver these changes in a way that minimises the changes our customers need to make.
What will happen when SCA comes into force?
European issuers are likely to start declining electronic payment transactions that have no authentication in place. The current 3D Secure implementation [3DSv1] will continue to be supported until end of 2020 (at which time 3DSv2 becomes mandatory worldwide).
To find out what customers need to do now and in the future, click here