The second Payment Services Directive (PSD2) is an EU directive regulating payment services across EU countries. It is designed not only to improve the security of transactions, but also, in many cases, to provide greater convenience for customers and increased conversions for merchants. Although some aspects of PSD2 were enforced over 2 years ago, its provisions for merchants and banks regarding SCA started being applied from early 2021.
In our guide, we’ll take a closer look at PSD2 and the new requirements called Strong Customer Authentication (SCA), including 3DS. We’ll also explore the matter from the merchant’s point of view, including the consequences of non-compliance and fraud rates, and we’ll check the status of PSD2 implementation on the market in 2021.
From this blog post you’ll learn:
- What is a PSD2?
- What is in scope of PSD2?
- How can one comply with PSD2 requirements? (Strong Customer Authentication – SCA)
- SCA / 3DS flow
- Exemptions & out of scope transactions
- Easy PSD2 integration with Straal
Let’s start with: what exactly is PSD2?
It’s the second payment directive created by the EU a couple of years ago, and it has a range of implications for banks, PSPs, third party providers and (last but not least) consumers.
PSD2 introduces two main changes:
1) It requires banks to open bank data to third parties. Two new types of third party providers (TPPs) were introduced: Payment Initiation Service Providers and Account Information Service Providers.
2) It introduces an increased security requirement on electronic payments: Strong Customer Authentication (SCA).
Within the scope of the regulation, the main goal of PSD2 is to increase the general security of the payment landscape within the EU (on both sides of the payment process: the merchant and the customer) and to make the payments market more efficient and integrated.
What is in scope of SCA & when is it required?
New Year means SCA (but not for everyone yet)
Even though the Strong Customer Authentication requirement was (officially) introduced back in 2019 and became fully enforced from the 1st of Jan 2021, some European countries decided on their own enforcement dates (see the table below – last updated Jan 12th). Either way, from January 2021 onward, full SCA enforcement is expected to increase across the EU.
Long story short, in order to continue accepting online payments efficiently, the newest requirement for merchants in the e-com industry is the implementation of the SCA (Strong Customer Authentication).
SCA also has a geographical scope that determines where it actually applies. To assess it, look at the two ends of the transaction: where the issuer is located and where the acquirer is located. If both are part of the EEA, then you’re in scope of PSD2 and it applies to you. If only one of the two “legs” of the transaction is within the EEA, the transaction is called ‘one leg out’, which means you’re out of scope (more on that in the part about the exceptions and exemptions) and SCA is not required.
An example: a business based in the US with a US bank would not be required to enforce Strong Customer Authentication even if the cardholder comes from the EEA.
How can you comply with PSD2/SCA requirements?
So, we already know that (theoretically) from Jan 1st, PSD2 introduces a mandate to perform Strong Customer Authentication for payments. Now, let’s move on to how to be compliant with the requirements.
To meet SCA requirements, you need to build additional authentication into your payment flow. SCA requires authentication via two of the following three factors:
- Something the customer knows (example: a PIN or a password)
- Something the customer has (example: a phone)
- Something the customer is (example: a fingerprint, a face recognition)
The question is: once the customer holds two of the three factors, how do you actually collect them during checkout?
For card payments you should use 3DS2; other payment methods such as Apple Pay, GPay, Amazon Pay or local APMs should already have the authentication flow embedded in them.
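The two-of-three rule above is easy to get wrong in an integration: a password plus a PIN are both “something the customer knows” and do not add up to SCA. The following added example (not code from the post or from Straal; the factor names and the classification table are assumptions for illustration) checks that a set of presented factors spans at least two distinct categories and reports which categories are still missing.

```python
# Added example (not code from the post or from Straal): checks that a set of
# presented authentication factors spans at least two of the three SCA
# categories. Factor names and the classification table are assumptions.
from enum import Enum
from typing import Iterable, Set


class Category(Enum):
    KNOWLEDGE = "something the customer knows"
    POSSESSION = "something the customer has"
    INHERENCE = "something the customer is"


# Constructed table mapping a factor type to its SCA category.
FACTOR_CATEGORY = {
    "password": Category.KNOWLEDGE,
    "pin": Category.KNOWLEDGE,
    "phone_otp": Category.POSSESSION,       # code delivered to / generated on the customer's phone
    "hardware_token": Category.POSSESSION,
    "fingerprint": Category.INHERENCE,
    "face_recognition": Category.INHERENCE,
}


def categories_of(factors: Iterable[str]) -> Set[Category]:
    """Return the distinct SCA categories covered by the presented factors.

    Unknown factor types are rejected rather than silently ignored, so a typo
    in an integration cannot make a weak flow look compliant.
    """
    categories: Set[Category] = set()
    for factor in factors:
        try:
            categories.add(FACTOR_CATEGORY[factor])
        except KeyError:
            raise ValueError(f"unknown factor type: {factor!r}") from None
    return categories


def satisfies_sca(factors: Iterable[str]) -> bool:
    """True when the factors come from at least two distinct categories.

    Two factors from the same category (e.g. password + PIN) are both
    'something the customer knows' and do not count as two-factor SCA.
    """
    return len(categories_of(factors)) >= 2


def missing_categories(factors: Iterable[str]) -> Set[Category]:
    """Categories not yet covered; useful when deciding which challenge to add."""
    return set(Category) - categories_of(factors)


if __name__ == "__main__":
    # Constructed sample factor sets.
    for presented in (["password", "phone_otp"], ["password", "pin"], ["fingerprint"]):
        verdict = "compliant" if satisfies_sca(presented) else "NOT compliant"
        still_missing = [c.name for c in missing_categories(presented)]
        print(f"{presented}: {verdict}; missing {still_missing}")
```

The check deliberately fails closed: an unrecognised factor type raises instead of being counted, and only distinct categories are counted, which is the property the regulation actually cares about.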
If you want to accept payments within the EU, you must comply with the regulations and apply SCA. Now, let’s move on to the 3D Secure 2 protocol and try to explain it.
Below is a simple explanation of the 3D Secure 2 flow divided into three parts: frictionless flow, challenge flow and authorization flow.
In comparison with 3D Secure 1, 3DS2 is more user-friendly (especially when it comes to mobile payments). Besides the design, the new protocol is fully compatible with mobile wallet apps and in-app transactions.
They say, there is an exception to every rule
Like it was mentioned in the previous part of the guide, in the context of PSD2, there are several cases where SCA doesn’t apply (out of scope) and where a transaction may be exempt.
What are these out of scope and exempt transactions?
- MITs (Merchant Initiated Transactions) – if a transaction is initiated by a merchant and a mandate was granted to him by the client. Example: collection of subscription payments for gym membership
- MOTO (Mail Order, Telephone Order) – transactions made via mail/phone where a client is not present
- “One leg out” transactions – if either the issuer or the acquirer is located outside the EEA
- Anonymous transactions – when a customer paid for the transaction using an anonymous payment method (for example: a gift card)
There is a simple rule: if no exemption applies, SCA is required; if one or more exemptions apply you can choose to omit SCA, but the final decision to grant the exemption rests with the issuer.
- TRA (Transaction Risk Analysis) – transactions marked as low risk (based on TRA assessment – more on this below)
- Low value transactions – an online payment below €30 and contactless payments of below €50 (in case of several payments, a cumulative limit is €150).
- Corporate payments – transactions initiated from secure corporate cards
- Fraud rate limits – payment providers need to deliver the evidence of the transaction fraud rates to the regulatory authorities every 90 days.
- Whitelisted recipients – a customer can choose a number of merchants and assign them to a list of „Trusted Beneficiaries” with their card issuing bank. Then, they won’t have to carry out the additional step (SCA) while paying to that recipient.
| Fraud transaction rate must be below | To apply for exemptions on payments up to |
|---|---|
| 0.06% – 0.13% | all low-risk payments under €100 |
| 0.01% – 0.06% | all low-risk payments under €250 |
| <0.01% | all low-risk payments under €500 (this will be very rare) |
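Pulling the geographical scope rule, the out-of-scope categories, the exemptions and the TRA fraud-rate table together, the following added example (not code from the post or from Straal) shows how a merchant or acquirer could flag a card payment: first test whether SCA applies at all, then pick the exemption that could be requested, and finally map the issuer’s answer to the next step (authorise, or soft decline and resubmit with SCA). The Transaction record, its field names, the sample transactions and the handling of range boundaries in the fraud-rate table are assumptions for illustration; the issuer still takes the final decision, as the rule above states.

```python
# Added example (not code from the post or from Straal): SCA scope/exemption
# decision helper. Field names, sample values and range-boundary handling are
# assumptions for illustration.
from dataclasses import dataclass
from typing import Optional

# EEA member states as of 2021 (27 EU states plus Iceland, Liechtenstein, Norway), ISO 3166-1 alpha-2.
EEA = {
    "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR", "HU",
    "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK", "SI", "ES",
    "SE", "IS", "LI", "NO",
}

LOW_VALUE_LIMIT_EUR = 30.0        # a single online payment must be below this
LOW_VALUE_CUMULATIVE_EUR = 150.0  # cumulative limit for successive low-value payments


@dataclass
class Transaction:
    amount_eur: float
    issuer_country: str
    acquirer_country: str
    merchant_initiated_with_mandate: bool = False  # MIT: the customer granted a mandate earlier
    moto: bool = False                             # mail order / telephone order
    anonymous_instrument: bool = False             # e.g. an anonymous gift card
    corporate_card: bool = False                   # secure corporate card
    merchant_whitelisted: bool = False             # merchant on the customer's trusted-beneficiary list
    cumulative_unauthenticated_eur: float = 0.0    # low-value payments since the customer's last SCA


@dataclass
class Decision:
    in_scope: bool
    sca_required: bool
    reason: str
    exemption: Optional[str] = None
    liability_with_merchant: bool = False  # requesting an exemption keeps fraud liability with the merchant


def out_of_scope_reason(tx: Transaction) -> Optional[str]:
    """Return why SCA does not apply at all, or None when the payment is in scope."""
    if tx.merchant_initiated_with_mandate:
        return "MIT"
    if tx.moto:
        return "MOTO"
    if tx.issuer_country not in EEA or tx.acquirer_country not in EEA:
        return "one-leg-out"
    if tx.anonymous_instrument:
        return "anonymous"
    return None


def tra_ceiling_eur(acquirer_fraud_rate_pct: float) -> float:
    """Highest amount the TRA exemption can cover for the acquirer's fraud rate (table above).

    Whether the boundaries are strict or inclusive is an assumption of this example.
    """
    if acquirer_fraud_rate_pct < 0.01:
        return 500.0
    if acquirer_fraud_rate_pct < 0.06:
        return 250.0
    if acquirer_fraud_rate_pct <= 0.13:
        return 100.0
    return 0.0  # above 0.13% no TRA exemption is available


def candidate_exemption(tx: Transaction, acquirer_fraud_rate_pct: float) -> Optional[str]:
    """Pick the exemption the merchant/acquirer could flag on the request, or None."""
    if tx.merchant_whitelisted:
        return "trusted-beneficiary"
    if tx.corporate_card:
        return "corporate"
    if (tx.amount_eur < LOW_VALUE_LIMIT_EUR
            and tx.cumulative_unauthenticated_eur + tx.amount_eur <= LOW_VALUE_CUMULATIVE_EUR):
        return "low-value"
    if tx.amount_eur < tra_ceiling_eur(acquirer_fraud_rate_pct):
        return "TRA"
    return None


def decide(tx: Transaction, acquirer_fraud_rate_pct: float) -> Decision:
    """Out of scope -> no SCA; in scope -> exemption if one fits, otherwise SCA is required."""
    reason = out_of_scope_reason(tx)
    if reason is not None:
        return Decision(in_scope=False, sca_required=False, reason=f"out of scope: {reason}")
    exemption = candidate_exemption(tx, acquirer_fraud_rate_pct)
    if exemption is not None:
        return Decision(True, False, "exemption may be requested", exemption, liability_with_merchant=True)
    return Decision(True, True, "no exemption applies; authenticate via 3DS2")


def next_step(decision: Decision, issuer_accepted_exemption: bool) -> str:
    """Map the issuer's answer to the merchant's next action."""
    if decision.sca_required:
        return "authenticate via 3DS2, then authorise"
    if decision.exemption is not None and not issuer_accepted_exemption:
        return "soft decline: resubmit with SCA"   # issuer refused the exemption
    return "authorise"


if __name__ == "__main__":
    # Constructed sample: EUR 25 payment, German issuer, Polish acquirer, acquirer fraud rate 0.05%.
    sample = Transaction(amount_eur=25.0, issuer_country="DE", acquirer_country="PL")
    d = decide(sample, acquirer_fraud_rate_pct=0.05)
    print(d, "->", next_step(d, issuer_accepted_exemption=False))
```

The ordering in `candidate_exemption` is a design choice, not a regulatory rule: it prefers exemptions that do not consume the customer’s cumulative low-value allowance and falls back to TRA only when the acquirer’s fraud rate actually permits the amount.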
With 3DS, it’s equally important that all parties involved, not only merchants but also PSPs and issuers, are aware of their respective responsibilities and cooperate. It’s crucial that merchants and acquirers are capable of identifying and clearly marking transactions that meet the out of scope or exemption categories. Issuers shouldn’t request authentication for out of scope transactions, since the customer might not be able to complete it. Finally, issuers are recommended to consider granting exemptions in order to increase authorisation rates on the market.
SCA exemptions: the responsibility and the frauds
Now that we’ve listed the exemptions, let’s stop for a minute and analyze who exactly accepts or declines exemption requests, and what happens when fraud is involved.
The decision to allow exemptions is made by the issuer. It means that if you’re a merchant you simply cannot decide whether it should be applied or not. When the end customer’s bank receives the request, it assesses the risk level of the transaction and then decides whether (or not) to accept the exemption. In the latter case, the transaction will trigger a decline code and will have to be resubmitted to the customer and authenticated via SCA protocols.
Using an exemption shifts the liability for fraud back to the merchant, with a direct effect on its profitability. Moreover, if fraud occurs, merchants may be charged for the cost of it, while the additional friction from too many SCA transactions may cause cart abandonment or weaken relationships with customers.
That’s why it’s extremely important to invest in fraud protection. Straal is equipped with one of the most advanced fraud detection solutions available on the market based on AI and advanced user profiling.
How will it impact me as a merchant?
According to Netcetera, ‘If the right technologies are used and processes are optimised, the requirements of PSD2 and Strong Customer Authentication can be met without jeopardising conversion and without having to fear revenue loss‘.
A study run by Mastercard shows that customers are generally quite positive about the idea behind strong authentication. Three-fourths of respondents considered it necessary. Moreover, 28% of the respondents added that after the introduction of the new authentication standards, they will be more likely to shop online with a card.
What are the main consequences of non-compliance?
For issuers:
a) fines/penalties – if the issuer approves non-compliant transactions it violates the law
For merchants:
a) the risk of losing transaction volume
b) decline rates going up (as a result of rejection of non-authenticated payments)
For acquirers:
a) decline rates going up (as a result of rejection of non-authenticated payments)
b) potential business disruption: the loss of merchants who are not satisfied by the service of the acquirer
Easy PSD2 integration with Straal
As the new authentication protocol for card payments, 3D-Secure v2, is mandatory, Straal worked hard over the last year to prepare the implementation of 3D-Secure v2 in its API. Depending on the type of integration, merchants may have needed to slightly adapt their integration in order to comply with the regulatory changes. We made sure to get in touch with the affected merchants and provide them with support (including a tech guide) to make that transition as smooth and seamless as possible and enter the New Year fully prepared.
2021: first thoughts & concerns: to be continued