The second Payment Services Directive (PSD2) came into force at the start of 2018, with the aim of promoting open banking by better enabling third-party businesses to access customer bank data to support their services.
However, an additional element of PSD2 – Strong Customer Authentication (SCA) – is due to come into force on 14 September this year, and will require online retailers to add new functionality to their payment processes.
SCA is aimed at reducing fraud and making online payments more secure. Once it comes into force, online retailers will be required to ensure ‘customer-initiated’ online payments of more than €30 are subject to improved authentication.
This will apply to payments within Europe, even if only one of the customer or the payment recipient is located there. Companies based in the US but with customers located in the European Economic Area (EEA) will need to follow these rules, as will any EU retailer with customers from outside the economic area. And it is likely to be enforced whatever the outcome of Brexit.
As mentioned, ‘low value’ transactions below €30 will be exempt from SCA. However, additional authentication will be needed if the exemption has been used five times since the cardholder’s last successful authentication, or if the sum of previously exempted payments exceeds €100.
‘Low-risk’ transactions will also be exempt, which will depend on the payment provider performing real-time risk analysis on whether to apply SCA to the transaction. This will depend on a payment provider’s overall fraud rates for card payments and whether it’s for a recurring payment for the same amount to the same business – for a subscription, for example.
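The low-value exemption described above is essentially a pair of counters kept per card since the last successful authentication. The following is an added example (not code from the article or any payment provider) that applies those three conditions, the €30 ceiling, the five-use limit and the €100 cumulative limit, to a sequence of payments; the `CardState` structure and the assumption that a successful SCA resets both counters are mine.

```python
from dataclasses import dataclass
from decimal import Decimal

# Thresholds as stated in the article (PSD2 low-value exemption).
LOW_VALUE_LIMIT = Decimal("30.00")       # per-payment ceiling for the exemption
MAX_EXEMPTIONS_IN_A_ROW = 5              # exemptions allowed since the last SCA
CUMULATIVE_LIMIT = Decimal("100.00")     # sum of previously exempted payments

@dataclass
class CardState:
    """Counters a payment provider keeps per card since the last successful SCA.
    Hypothetical structure for this example."""
    exemptions_since_sca: int = 0
    exempted_total: Decimal = Decimal("0.00")

def sca_required(amount: Decimal, state: CardState) -> bool:
    """Apply the article's low-value rule; any single condition forces SCA."""
    if amount > LOW_VALUE_LIMIT:
        return True                               # not a low-value payment
    if state.exemptions_since_sca >= MAX_EXEMPTIONS_IN_A_ROW:
        return True                               # exemption already used five times
    if state.exempted_total > CUMULATIVE_LIMIT:
        return True                               # prior exempted sum over EUR 100
    return False

def process_payment(amount: Decimal, state: CardState, sca_succeeded: bool = True) -> str:
    """Decide, then update the counters. Returns 'exempt', 'sca' or 'declined'.
    Assumption: counters reset only after a *successful* SCA, as the article phrases it."""
    if not sca_required(amount, state):
        state.exemptions_since_sca += 1
        state.exempted_total += amount
        return "exempt"
    if sca_succeeded:
        state.exemptions_since_sca = 0
        state.exempted_total = Decimal("0.00")
        return "sca"
    return "declined"    # the bank declines an SCA-required payment that fails authentication

def simulate(amounts_eur: list) -> list:
    """Run a constructed sequence of payments on one card, assuming each SCA challenge succeeds."""
    state = CardState()
    return [process_payment(Decimal(str(a)), state) for a in amounts_eur]

if __name__ == "__main__":
    # Five small payments use up the exemption; the sixth is challenged.
    print(simulate([10, 20, 25, 29, 15, 5]))
```

Note that the cumulative check follows the article's wording ("previously exempted payments"); an implementation that counts the current payment in the running total would challenge one payment earlier.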
Anyone making an online purchase that falls into the SCA remit will be required to identify themselves through two-factor authentication, or 2FA. Once it comes into force, banks will decline payments that require SCA but which don’t meet these criteria.
In order to comply, retailers will need to build additional authentication into their checkout flow. This means the convenience of ‘one-click’ payment will only be possible for low cost items.
After clicking a payment button – such as the one provided by the ePayments merchant service – customers will also need to provide additional authentication. In addition, the amount and recipient must be made clear to the payer at the point of authentication.
The authentication information must include two of the following three elements: something the customer knows (e.g. a password or PIN), something the customer has (e.g. a phone or hardware token), or something the customer is (biometrics).
While boosting security, this will also add a layer of complexity to the customer experience. The challenge for online retailers will therefore be minimising the negative impact on customers, and on resulting sales.
There is a range of 2FA methods, whether it’s the traditional SMS approach, time-based one-time passcodes generated on dedicated devices (often used by banks), or the more sophisticated app-based push authentication (which only requires a single touch from the user to approve or deny a transaction and can be done within an existing application).
One option to minimise the friction experienced by customers is the 3D Secure 2 authentication protocol which will be rolled out this year. It’s a new version of 3D Secure, which will meet the requirements of SCA but make the payment experience more seamless.
It’s worth noting that some common payment methods such as Apple Pay and Google Pay already support payment flows with a built-in layer of authentication (password or biometrics).
Online retailers will need to ensure they are prepared for SCA to avoid taking a hit if payments are declined. Those using virtual banking in particular should find implementing the additional authentication relatively straightforward due to the existing online integration of their banking services.
SCA could even drive innovation in the digital payment industry by encouraging the development of more seamless customer experiences that meet the requirements of SCA. If you would like further information on SCA, the requirements can be found here.