PSD2 - Understanding SCA

Luiza Filipoi

Remember how everybody was alarmed when GDPR appeared? PSD2 brings back that feeling: no one entirely knows what’s new, but everybody is in a frenzy. Some say it’s something dedicated to banks, others say it’s something payment service providers have to do, and others are talking about eCommerce; they’re all right in their own way. PSD2’s purpose is to increase the security of electronic payments and prevent fraud, no matter who is involved. It encourages the progress of innovative online and mobile payments and provides better consumer protection.

What’s new?

After years of planning, the PSD2 regulation is now being rolled out gradually across the EU. The EU Payment Services Directive has been in force since January 2018. Still, starting 14 September 2019, the rules were upgraded a bit by introducing a major point of interest for payments: strong customer authentication (SCA). PSD2 requires that SCA is applied to (almost) all electronic payments within the European Economic Area (EEA).

What is Strong Customer Authentication? 

One-click payments have become a dream for eCommerce thanks to their simplicity, but these new regulations are changing the game, at least for transactions over 30€. Strong Customer Authentication’s purpose is to reduce fraud and make online payments more secure.

It is built to add new layers to the checkout process, so there’s a chance it will bring some friction to payments and impact customer experience, at least for those customers who expect less interaction. In reality, however, customers are the biggest beneficiaries, though they probably don’t know it yet: they will benefit from more reliable authentication and probably from more payment options or financial products.

The terms of SCA across the EU will help decrease the risk of fraud for online transactions and banking while protecting the confidentiality of the user’s financial and personal data. 

To reach strong customer authentication, payment industry players have to implement at least two-factor authentication (2FA). This means that customers need to authenticate using two or more of the following factors, each from a different category:

  • Something only the user knows: a password, a PIN code, a security question, etc.
  • Something only the user possesses: a smartphone, a chip card, etc.
  • Something the user is: a fingerprint, voice or face recognition, etc.

Each transaction must carry a unique authentication code that is specific to the transaction amount and payee.
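The two requirements above, as an added example written for this article (not Twispay’s code or any issuer’s implementation): a check that the presented factors come from at least two different categories, and an authentication code bound to the amount and payee, which the PSD2 technical standards call dynamic linking. The factor-to-category mapping, the HMAC-SHA256 construction and the secret key are assumptions made for illustration; real issuers use their own schemes.

```python
"""Added example (not Twispay's or any issuer's code): two checks behind the
SCA requirements described above.  The factor categories, the HMAC-SHA256
construction and the key are assumptions made for illustration only."""
import hashlib
import hmac
from decimal import Decimal
from typing import Iterable

# Assumed mapping of factor names to the three SCA categories.
FACTOR_CATEGORY = {
    "password": "knowledge",
    "pin": "knowledge",
    "security_question": "knowledge",
    "smartphone": "possession",
    "chip_card": "possession",
    "fingerprint": "inherence",
    "face": "inherence",
    "voice": "inherence",
}


def sca_factors_ok(factors: Iterable[str]) -> bool:
    """True only if at least two factors from *different* categories were
    presented.  Password + PIN are both 'knowledge' and do not qualify;
    an unknown factor name fails closed."""
    categories = set()
    for name in factors:
        category = FACTOR_CATEGORY.get(name)
        if category is None:
            return False
        categories.add(category)
    return len(categories) >= 2


def authentication_code(key: bytes, amount: Decimal, payee: str, nonce: str) -> str:
    """Code bound to amount and payee (what the PSD2 technical standards call
    dynamic linking).  Assumed construction: HMAC-SHA256 over a canonical
    'amount|payee|nonce' string; the nonce keeps each transaction's code unique."""
    message = f"{amount:.2f}|{payee}|{nonce}".encode("utf-8")
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_code(key: bytes, amount: Decimal, payee: str, nonce: str, code: str) -> bool:
    """Recompute the code for the amount/payee actually being authorised and
    compare in constant time; any change to amount or payee invalidates it."""
    expected = authentication_code(key, amount, payee, nonce)
    return hmac.compare_digest(expected, code)


if __name__ == "__main__":
    key = b"constructed-issuer-secret"  # placeholder key, constructed for the demo
    print(sca_factors_ok(["password", "smartphone"]))   # True
    print(sca_factors_ok(["password", "pin"]))          # False: one category only
    code = authentication_code(key, Decimal("30.00"), "merchant-123", "tx-0001")
    print(verify_code(key, Decimal("30.00"), "merchant-123", "tx-0001", code))   # True
    print(verify_code(key, Decimal("300.00"), "merchant-123", "tx-0001", code))  # False
```

The point of the second half is that the code the cardholder approves is useless for any other amount or payee: a tampered amount or a swapped merchant identifier fails verification, which is the fraud the dynamic-linking rule targets.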

Where is SCA applicable? 

Strong Customer Authentication (SCA) of the cardholder applies when both the acquirer (merchant’s bank) and the issuer (customer’s bank) are located in the European Economic Area.

If the acquirer is outside the EEA but the customer (and the issuer) is in Europe, a different scenario applies. The issuer has to request SCA to complete the transaction; the acquirer can then accept it voluntarily and process the payment, or reject the SCA request (perhaps because it hasn’t implemented 3D Secure 2.0). If the acquirer doesn’t apply SCA, the issuer can choose not to authorize the transaction, or to authorize it and take responsibility for any potential fraud risk (more likely, it will not authorize it).

Exemptions 

With all this new information, it should be said that SCA and 2FA, like many other things, also have exemptions and may not apply to all money transactions. These SCA exemptions are available only to PSPs, not to merchants or unregulated payment gateways (keep this in mind when choosing one). The exemptions allow Payment Services Providers (PSPs) to strike the right balance between a convenient payment experience and fraud reduction.

It’s also worth mentioning that these exemptions can bypass Strong Customer Authentication, but even if the conditions for them are met, the final decision stays in the hands of the issuer: depending on its criteria (technical, risk, agreements with the cardholders, etc.), it may or may not grant the transaction.

As already mentioned, small transfers under 30 Euro are excluded; a customer can’t make more than five successive payments without SCA; also, customers can add a merchant to a whitelist held at their card issuer, or set up card-on-file and recurring payments, to avoid the SCA requirement.

Below you can find more details on what can be exempted from SCA in e-commerce, as Visa mentioned in its PSD2 preparation document:

Exemption: Trusted beneficiaries
Description: The payer may add a trusted merchant to a list of trusted beneficiaries held by their Issuer, completing an SCA challenge in the process, to prevent further SCA application on subsequent transactions with the trusted merchant.
Conditions:
  • The payer may add or remove the merchant to or from the Issuer-managed list, or consent to the Issuer’s suggestion to add a merchant
  • The Issuer may also remove a merchant from a list
  • Enrolment and amendment of the list require SCA

Exemption: Recurring transactions
Description: Applies to a series of transactions of the same amount made to the same payee.
Conditions:
  • SCA must be applied when the series is set up, or to the first transaction in the series (if the first transaction is initiated by the payer)

Exemption: Low value transactions
Description: Remote transactions of less than €30 do not require SCA as long as velocity limits are met.
Conditions:
  • The value of the transaction must not exceed €30;
  and
  • The cumulative limit of consecutive transactions without application of SCA must not exceed €100;
  or
  • The number of consecutive transactions since the last application of SCA must not exceed five

Exemption: Secure corporate payments
Description: Payments made through dedicated corporate processes and protocols (e.g. lodge cards, central travel accounts and virtual cards).
Conditions:
  • Payment processes and protocols are only available to corporate payers and not individuals
  • Some competent authorities may need to confirm that the dedicated corporate processes and protocols guarantee levels of security in line
 

And as we all know, dessert is served last, and by dessert I mean merchant-initiated transactions, which do not require SCA.

One payment or a series of payments, of a fixed or variable amount, based on an agreement between the merchant and the cardholder, allows the merchant to initiate further payments without involving the cardholder. The transactions are made with pre-stored debit or credit card details. SCA is recommended if there is a fraud risk, but it’s not mandatory for subsequent payments.

These days, the most frequent authentication method is 3D Secure, which already enables two-factor authentication, but it doesn’t seem to perform as well as the payments and eCommerce dynamic requires; for example, the number of cancelled transactions is higher. 3D Secure 2.0 promises to significantly improve this aspect and also to deliver a better customer experience. 3D Secure 2 also allows payment providers to send more risk analysis data to the issuer, so it can identify the customer and treat the transaction as an SCA exemption.

To add a security layer right away while minimizing the chargeback ratio (without limiting conversion), and of course to be prepared for these new regulations, we encourage merchants to collaborate with Twispay. We’re here to find the best solutions for you and your business!

Also, if you encounter any difficulties or have questions regarding PSD2, SCA, or any other online payments related subject, you know the drill: write us a message, and we’ll do our best to help you.
