Payment Services Directive
The new EU Payment Services Directive (PSD2) took effect in January 2018 and is set to make significant changes to the payment industry in 2019.
PSD2 was introduced as a follow-up to the original Payment Services Directive (PSD). A key element of PSD2 is the introduction of additional security authentication for online transactions over £26 (€30), known as Strong Customer Authentication (SCA).
The aim was to bring in new laws to increase customer rights, foster innovation and inspire pan-European competition.
Sage Pay are here to help guide you through the changes that will come into effect in September 2019 and ensure you have the tools to benefit from and remain compliant with the new regulations.
Why is Strong Customer Authentication needed?
Payment fraud losses have been steadily increasing for nearly a decade with little sign of easing. The European Commission has intervened by placing strong customer authentication (SCA) requirements on participants to reduce fraud as one of the core components of PSD2.
From 14th September 2019, the expectation is for all ecommerce transactions to be processed via a secured industry protocol such as 3D Secure. Online transactions will need additional authentication (with some exemptions).
What are the Strong Customer Authentication requirements?
SCA requires at least two independent factors in the authentication process. The three available factors for authentication are listed below.
Something your customer knows [knowledge]: e.g. a PIN
Something your customer has [possession]: e.g. card, smartphone
Something your customer is [inherence]: e.g. fingerprint
Each electronic payment (except for some exemptions) must be authenticated with at least two of these factors. This is known as multi-factor authentication (MFA) or two-factor authentication (2FA).
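The "two of three categories" rule above is easy to get wrong in practice: two pieces of evidence from the same category (a PIN and a password, for example) are still only one factor. The following is an added example, not Sage Pay code, that models a checkout's collected evidence and checks whether it satisfies the rule; the Evidence class, its verified flag and the sample checkouts are hypothetical and constructed for illustration.

```python
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


class Factor(Enum):
    """The three SCA factor categories named on the page."""
    KNOWLEDGE = "something the customer knows"
    POSSESSION = "something the customer has"
    INHERENCE = "something the customer is"


@dataclass(frozen=True)
class Evidence:
    """One piece of authentication evidence collected during checkout (hypothetical model)."""
    label: str
    factor: Factor
    verified: bool = True  # only evidence the issuer actually verified may count


def factors_present(evidence: list[Evidence]) -> set[Factor]:
    """Distinct factor categories backed by verified evidence."""
    return {e.factor for e in evidence if e.verified}


def sca_satisfied(evidence: list[Evidence]) -> bool:
    """True when at least two *different* categories are present.

    Two items from the same category (e.g. PIN + password) do not count as
    two factors, and unverified evidence does not count at all.
    """
    return len(factors_present(evidence)) >= 2


def explain(evidence: list[Evidence]) -> str:
    """Human-readable verdict listing which categories are present and missing."""
    present = factors_present(evidence)
    missing = set(Factor) - present
    status = "SCA satisfied" if len(present) >= 2 else "SCA NOT satisfied"
    return (f"{status}: present={sorted(f.name for f in present)}, "
            f"missing={sorted(f.name for f in missing)}")


if __name__ == "__main__":
    # Constructed sample checkouts
    good = [Evidence("PIN", Factor.KNOWLEDGE),
            Evidence("smartphone app", Factor.POSSESSION)]
    same_category = [Evidence("PIN", Factor.KNOWLEDGE),
                     Evidence("password", Factor.KNOWLEDGE)]
    unverified = [Evidence("card", Factor.POSSESSION),
                  Evidence("fingerprint", Factor.INHERENCE, verified=False)]
    for sample in (good, same_category, unverified):
        print(explain(sample))
```

The check keys on categories rather than on a count of evidence items, which is the point the page is making: a knowledge factor plus a possession factor passes, while a PIN plus a password does not.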
So what will be different?
The customers' payment journey may look a little different. Today, authentication is required only on an exception basis: where the risk of a transaction is regarded as ‘high’, additional authentication may be triggered via 3D Secure, the current protocol. This is commonly known as a “step-up”. After September 2019, additional authentication will become the new default. All qualifying transactions will be required to be “stepped up” unless an exemption applies.
Contactless card machine transactions (also ‘online’) will be subject to new rules. After 14th September, card issuers are required to prompt the Cardholder to perform a Chip and PIN transaction each time their cumulative contactless spend reaches €150 since their last Chip and PIN transaction.
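The contactless rule above is a stateful counter kept by the issuer, not a per-transaction check. The following is an added example, not Sage Pay's or any issuer's code, that simulates that counter over a sequence of taps: amounts are held in cents, the €150 limit comes from the page, and the handling of the tap that reaches the limit (it gets a step-up, the cardholder completes a Chip and PIN transaction, and that resets the counter) is an assumption made for illustration.

```python
from dataclasses import dataclass, field

# Cumulative contactless limit stated on the page: EUR 150 since the last
# Chip and PIN transaction. Amounts are integer cents to avoid float rounding.
CONTACTLESS_CUMULATIVE_LIMIT_CENTS = 150_00


@dataclass
class CardCounter:
    """Issuer-side state for one card (hypothetical model)."""
    contactless_since_pin_cents: int = 0
    decisions: list = field(default_factory=list)

    def contactless(self, amount_cents: int) -> str:
        """Decide a contactless tap: 'approved' or 'step_up' (prompt for Chip and PIN)."""
        if amount_cents <= 0:
            raise ValueError("amount must be positive")
        projected = self.contactless_since_pin_cents + amount_cents
        if projected >= CONTACTLESS_CUMULATIVE_LIMIT_CENTS:
            # Limit reached: the issuer asks the terminal to prompt for Chip and PIN.
            # The counter is left unchanged until a Chip and PIN transaction completes.
            decision = "step_up"
        else:
            self.contactless_since_pin_cents = projected
            decision = "approved"
        self.decisions.append(decision)
        return decision

    def chip_and_pin(self, amount_cents: int) -> str:
        """A completed Chip and PIN transaction resets the cumulative counter."""
        if amount_cents <= 0:
            raise ValueError("amount must be positive")
        self.contactless_since_pin_cents = 0
        self.decisions.append("approved")
        return "approved"


def simulate(events: list[tuple[str, int]]) -> list[str]:
    """Run a sequence of ('contactless' | 'chip_and_pin', amount_cents) events
    against a fresh card and return the issuer decision for each one."""
    card = CardCounter()
    handlers = {"contactless": card.contactless, "chip_and_pin": card.chip_and_pin}
    return [handlers[method](amount) for method, amount in events]


if __name__ == "__main__":
    # Constructed sequence of taps on one card
    sample = [("contactless", 40_00), ("contactless", 50_00), ("contactless", 30_00),
              ("contactless", 40_00), ("chip_and_pin", 40_00), ("contactless", 20_00)]
    for event, decision in zip(sample, simulate(sample)):
        print(f"{event[0]:<13} {event[1] / 100:>7.2f} EUR -> {decision}")
```

In the sample the fourth tap would take the cumulative spend to €160, so it is stepped up; once the cardholder completes a Chip and PIN transaction the counter restarts from zero and the next tap is approved again.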
Regulatory Technical Standard
One of the many things included in the PSD2 legislation was a Regulatory Technical Standard (RTS) on Strong Customer Authentication (SCA), prepared by the EBA/ECB [Article 98 of PSD2].
In November 2017, the RTS on SCA was signed and this new EU regulation comes into force on 14th September 2019.
When does the regulation apply?
This regulation applies to any electronic payment that takes place within the European Economic Area (EEA). For e-commerce card-based transactions (including digital wallets backed by cards), it applies to transactions where both the card issuer (i.e. the financial institution with whom the cardholder has a relationship) and the acquirer (i.e. the financial institution with whom the merchant has a relationship) reside within the EEA.
Authentication vs. Authorisation
Authentication is the act of validating that the customer is who they claim to be. This is distinct from authorisation, which is the act of validating that the account has sufficient funds for the transaction and that the account (or card) is not blocked for some reason. For e-commerce transactions today, we use 3DSecure (sometimes known as Verified by Visa, Mastercard SecureCode or Amex SafeKey) to authenticate the customer.
3D Secure v2
A new version of the authentication protocol for ecommerce transactions, 3D Secure, has been published. It contains many improvements to make it easier to achieve SCA on e-commerce transactions. The main improvements are:
Responsive payment pages to work well on any device
Support for biometric authentication (fingerprint / face id)
Possibility of a frictionless authentication flow, where the customer doesn’t even realise that authentication has taken place.
During a 3DSecure authentication, how the authentication is performed is up to the card issuer. It’s possible to achieve SCA with 3DSv1; however, 3DSv2 makes achieving SCA much easier.
What are Sage Pay doing?
We are in the process of upgrading our gateway to support 3D Secure v2 and to make the necessary changes for contactless card machine transactions. We will be certifying our updated gateway with the card schemes and acquirers in the coming months. We aim to deliver these changes in a way that minimises the changes our customers need to make.
What will happen after 14th September 2019?
European issuers are likely to start declining electronic payment transactions that have no authentication in place. The current 3D Secure implementation [3DSv1] will continue to be supported until end of 2020 (at which time 3DSecure v2 becomes mandatory worldwide).
What do customers need to do?
The first thing is to ensure your ecommerce payments have 3DSecure enabled prior to September (if not already enabled). You can find out how to do this on page 8 of our MySagePay User Guide.
Depending on which payment integration your site uses with Sage Pay, you may have to make some changes to the integration. It is therefore important to flag with your developer/IT that development changes may be needed in June / July / August, so they are ready to act for you. Specific details will be available in May.
If you have a Sage Pay card machine, ensure that it regularly performs a TMS so you are receiving the latest updates as soon as they are available.
More information on this will follow over the next few weeks so please keep watching and/or speak to your Sage Pay account manager for more details.