The second payment directive (PSD2) is a directive regulating payment services across EU countries. It is not only designed to improve the security of transactions, but also, in many cases, to provide a greater convenience for customers and increased conversions for merchants. Although some aspects of PSD2 were enforced over 2 years ago, its provisions for merchants and banks regarding SCA started being applied from early 2021.

In this guide, we’ll take a closer look at PSD2 and its new requirement, Strong Customer Authentication (SCA), including 3DS. We’ll also explore the matter from the merchant’s point of view, including the consequences of non-compliance and fraud rates, and we’ll check the status of PSD2 implementation on the market in 2021.

From this blog post you’ll learn:

  • What is PSD2?
  • What is in scope of PSD2?
  • How can one comply with PSD2 requirements? (Strong Customer Authentication – SCA)
  • SCA / 3DS flow
  • Exemptions & out of scope transactions
  • Easy PSD2 integration with Straal

Let’s start with: what exactly is PSD2?

It’s the second payment directive, created by the EU a couple of years ago, and it has a range of implications for banks, PSPs, third party providers and (last but not least) consumers.

PSD2 introduces two main changes:

  1. It requires banks to open bank data to third parties. Two new types of third party providers (TPPs) were introduced: Payment Initiation Service Providers and Account Information Service Providers.
  2. It introduces an increased security requirement on electronic payments: Strong Customer Authentication (SCA).

In scope of the regulations, the main goal of PSD2 is to increase the general security of the payment landscape within the EU (on both sides of the payment process: the merchant and the customer) and to make the payments market more efficient and integrated.

What is in scope of SCA & when is it required?

New Year means SCA (but not for everyone yet)

Even though the Strong Customer Authentication requirement was (officially) introduced back in 2019 and became fully enforced from the 1st of January 2021, some European countries decided on their own enforcement dates (see the table below, last updated January 12th). Either way, from January 2021 onward, full SCA enforcement is expected to spread across the EU.

Long story short, in order to continue accepting online payments efficiently, the newest requirement for merchants in the e-com industry is the implementation of the SCA (Strong Customer Authentication).

Implementation date of PSD2 SCA in individual European countries

See the full PSD2 and global payment regulation map here.

SCA also has a geographical scope. To assess whether it applies, look at the two ends of the transaction: where the issuer is located and where the acquirer is located. If both are in the EEA, you’re in scope of PSD2 and it applies to you. If only one of the two “legs” of the transaction is within the EEA, the transaction is called ’one leg out’, which means you’re out of scope (more on that in the part about the exceptions and exemptions) and SCA is not required.

An example: a business based in the US with a US bank would not be required to enforce Strong Customer Authentication even if the cardholder comes from the EEA.

How can you comply with PSD2/SCA requirements?

So, we already know that (theoretically) from January 1st, PSD2 introduces a mandate to perform Strong Customer Authentication for payments. Now, let’s move on to how to be compliant with the requirements.

To meet SCA requirements, you need to build additional authentication into your payment flow. SCA requires authentication via two of the following three factors:

  • Something the customer knows (example: a PIN or a password)
  • Something the customer has (example: a phone)
  • Something the customer is (example: a fingerprint, face recognition)

The question is: when you need two factors out of three, how do you actually collect them?

For card payments you should use 3DS2. Other payment methods such as Apple Pay, GPay, Amazon Pay or local APMs should already have an authentication flow embedded in them.

If you want to accept payments within the EU, you must comply with the regulations and apply SCA. Now, let’s move on to the 3D Secure 2 protocol and try to explain it.

3D Secure 2 flow

Below is a simple explanation of the 3D Secure 2 flow, divided into three parts: frictionless flow, challenge flow and authorization flow.

In comparison with 3D Secure 1, 3DS2 is more user-friendly (especially when it comes to mobile payments). Besides the design, the new protocol is fully compatible with mobile wallet apps and in-app transactions.

3D Secure 2 Authentication - visualisation of the process

They say, there is an exception to every rule

As mentioned in the previous part of the guide, in the context of PSD2 there are several cases where SCA doesn’t apply (out of scope) and where a transaction may be exempt.

What are these out of scope and exempt transactions?

  1. MITs (Merchant Initiated Transactions) – a transaction initiated by a merchant under a mandate granted to the merchant by the customer. Example: collection of subscription payments for a gym membership
  2. MOTO (Mail Order, Telephone Order) – transactions made via mail/phone where the customer is not present
  3. “One leg out” transactions – where either the issuer or the acquirer is located outside the EEA
  4. Anonymous transactions – where the customer paid using an anonymous payment method (for example: a gift card)

Exemption rules

There is a simple rule: if no exemption applies, SCA is required; if one or more exemptions apply, you can choose to omit SCA, but the final decision to grant the exemption rests with the issuer.

  1. TRA (Transaction Risk Analysis) – transactions marked as low risk (based on TRA assessment – more on this below)
  2. Low value transactions – an online payment below €30 and contactless payments of below €50 (in case of several payments, a cumulative limit is €150).
  3. Corporate payments – transactions initiated from secure corporate cards
  4. Fraud rate limits – payment providers need to deliver the evidence of the transaction fraud rates to the regulatory authorities every 90 days.
  5. Whitelisted recipients – a customer can choose a number of merchants and assign them to a list of “Trusted Beneficiaries” with their card issuing bank. Then, they won’t have to carry out the additional step (SCA) when paying that recipient.

Fraud transaction rate must be below    To apply for exemptions on payments up to
0.13%                                   €100
0.06%                                   €250
0.01%                                   €500

So a payment provider with a fraud rate of:

  • 0.06% – 0.13% can exempt all low-risk payments under €100
  • 0.01% – 0.06% can exempt all low-risk payments under €250
  • <0.01% can exempt all low-risk payments under €500 (this will be very rare)
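As an added worked example (not Straal’s code), here is the decision logic the last three sections describe: the out of scope checks come first, then the exemptions a merchant may flag, using the TRA thresholds from the table above. The EEA country list is a constructed subset, the field names and the cumulative low-value counter are assumptions, and the exemption order and the strict “below” limits follow this guide’s wording.

```python
from dataclasses import dataclass

# Constructed subset of EEA country codes for illustration; a real check uses the full list.
EEA_SUBSET = {"PL", "DE", "FR", "NL", "ES", "IT", "NO", "IS", "LI"}
# TRA thresholds from the guide: (PSP fraud rate must be below, TRA exemption allowed up to EUR).
TRA_THRESHOLDS = [(0.0013, 100), (0.0006, 250), (0.0001, 500)]


@dataclass
class Transaction:
    amount_eur: float
    issuer_country: str
    acquirer_country: str
    merchant_initiated: bool = False       # MIT under a mandate the customer granted
    moto: bool = False                     # mail order / telephone order, customer not present
    anonymous_method: bool = False         # e.g. paid with a gift card
    corporate_card: bool = False           # secure corporate card
    trusted_beneficiary: bool = False      # merchant whitelisted by the customer at the issuer
    cumulative_low_value_eur: float = 0.0  # spent without SCA since the last authentication


def tra_limit(psp_fraud_rate: float) -> float:
    """Highest amount the PSP's fraud rate allows for a TRA exemption (0 if none)."""
    limit = 0.0
    for threshold, amount in TRA_THRESHOLDS:
        if psp_fraud_rate < threshold:
            limit = amount
    return limit


def classify(tx: Transaction, psp_fraud_rate: float) -> tuple:
    """Return (status, reason) with status 'out_of_scope', 'exemption' or 'sca_required'.
    'exemption' only means the merchant may flag it; the issuer still decides and may decline."""
    # Out-of-scope cases are checked first: one leg out, MIT, MOTO, anonymous instrument.
    if not (tx.issuer_country in EEA_SUBSET and tx.acquirer_country in EEA_SUBSET):
        return "out_of_scope", "one leg out"
    if tx.merchant_initiated:
        return "out_of_scope", "merchant initiated transaction"
    if tx.moto:
        return "out_of_scope", "MOTO"
    if tx.anonymous_method:
        return "out_of_scope", "anonymous payment method"
    # Exemptions the merchant may request; amounts use the guide's "below" limits strictly.
    if tx.trusted_beneficiary:
        return "exemption", "trusted beneficiary"
    if tx.corporate_card:
        return "exemption", "secure corporate payment"
    if tx.amount_eur < 30 and tx.cumulative_low_value_eur + tx.amount_eur <= 150:
        return "exemption", "low value"
    if tx.amount_eur < tra_limit(psp_fraud_rate):
        return "exemption", "transaction risk analysis"
    return "sca_required", "no exemption applies"
```

Whatever this returns, the issuer’s response is authoritative: an “exemption” result that the issuer declines has to be resubmitted through the SCA (3DS2) flow.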

With 3DS, it’s equally important that all parties involved (not only merchants, but also PSPs and issuers) are aware of their respective responsibilities and cooperate. It’s crucial that merchants and acquirers are capable of identifying and clearly marking transactions that fall into the out of scope or exemption categories. Issuers shouldn’t request authentication for out of scope transactions, as the customer might not be able to complete it. Finally, issuers are encouraged to consider granting exemptions in order to increase authorisation rates on the market.

SCA exemptions: responsibility and fraud

Now that we’ve listed the exemptions, let’s stop for a minute and analyze who exactly accepts or declines exemption requests, and what happens when fraud is involved.

The decision to allow an exemption is made by the issuer. This means that if you’re a merchant, you simply cannot decide whether it will be applied or not. When the end customer’s bank receives the request, it assesses the risk level of the transaction and then decides whether or not to accept the exemption. If it declines, the transaction triggers a decline code and has to be resubmitted to the customer and authenticated via the SCA protocols.

Using an exemption shifts the liability for fraud back to the merchant, and with it the impact on the merchant’s profitability. Moreover, if fraud occurs, merchants may be charged for its cost, while the additional friction from too many SCA transactions may cause cart abandonment or weaken relationships with customers.

That’s why it’s extremely important to invest in fraud protection. Straal is equipped with one of the most advanced fraud detection solutions available on the market, based on AI and advanced user profiling.

How will it impact me as a merchant?

According to Netcetera, ‘If the right technologies are used and processes are optimised, the requirements of PSD2 and Strong Customer Authentication can be met without jeopardising conversion and without having to fear revenue loss’.

A study run by Mastercard shows that customers are generally quite positive about the idea behind strong authentication. Three-fourths of respondents considered it necessary. Moreover, 28% of the respondents added that after the introduction of the new authentication standards, they will be more likely to shop online with a card.

What are the main consequences of non-compliance?

  • Issuer
    a) fines/penalties – if the issuer approves non-compliant transactions it violates the law
  • Merchant
    a) the risk of losing transaction volume
    b) decline rates going up (as a result of rejection of non-authenticated payments)
  • Acquirer
    a) decline rates going up (as a result of rejection of non-authenticated payments)
    b) potential business disruption: the loss of merchants who are not satisfied by the service of the acquirer

Easy PSD2 integration with Straal

Since 3D-Secure v2, the new authentication protocol for card payments, is mandatory, Straal worked hard over the last year to prepare the implementation of 3D-Secure v2 in its API. Depending on the type of integration, merchants may have needed to slightly adapt their integration in order to comply with the regulatory changes. We made sure to get in touch with the affected merchants and provide them with support (including a tech guide) to make the transition as smooth and seamless as possible and to enter the New Year fully prepared.

2021: first thoughts & concerns: to be continued


As always, we’re here for you. If you have any questions, feel free to contact us!
