What is PSD2?
PSD2 is the second Payment Services Directive. It is a European directive that will directly impact how online businesses in the UK conduct their commercial activity. The intent of the changes is to increase trust and transparency for the consumer.
The directive permits customers to approve third-party providers to manage their finances, analyse spending and make Peer-to-Peer (P2P) transfers, all through their existing bank account. This means lots of new players in the FinTech software space.
Who does it impact?
PSD2 will impact any organisation that has a Payment Services Provider or acquirer process its payments within the European Union (EU) or European Economic Area (EEA). It’s imperative for companies within the UK and EEA to be conscious of how their customers will be affected.
The original PSD2 cut-off date, intended to ensure that all merchants provide the correct level of security for end-consumers, was judged by the European Banking Authority (EBA) and the national EU financial authorities (NCAs) to be too soon; more time was deemed necessary to avoid large-scale disruption to the European payments landscape.
A phased approach, planned over a 15-month period, has been implemented to ensure a smooth transition and allow all parties enough time to prepare. The PSD2 mandate went into effect on the 14th of September 2019 and issuers may already be enforcing Strong Customer Authentication (SCA). TRU//ST advise all merchants to implement 3DS 2.0 sooner rather than later to avoid an increase in declines.
- 1st February 2020 – issuers are expected to begin enforcing authentication methods for transactions using risk-based authentication and one-time passwords (OTP)
- 31st December 2020 – the 3DSecure 2.2 mandate will need to be implemented
- 31st December 2020 – active supervision and monitoring will begin
All merchants should ensure that software is updated in accordance with the financial authorities of the EU markets that your business targets by 31st December 2020. For full actions required by issuers and acquirers please see the EBA Opinion.
European Banking Authority’s position:
“We are currently in consultation with Visa, Mastercard and our relevant CA regarding how they are interpreting the latest EBA opinion on PSD2 Strong Customer Authentication (SCA) and how this impacts the 14th September deadline for us as an acquirer, and you as our client.
Whilst the EBA reiterates in its opinion that all PSPs (both acquirers and card issuers) should comply with the PSD2 SCA mandate by 14th September 2019, they have acknowledged the challenges the market is facing in implementing the necessary changes by the deadline and have set out some guidelines for how the CAs in each country can grant an extension to PSPs (acquirers and card issuers), on an exceptional basis, with some specific conditions that need to be followed. These conditions focus on the PSP (acquirer or card issuer) having an agreed migration plan with their CA and an obligation to execute the plan in an expedited manner.
Our current focus is on understanding the framework and parameters upon which an extension will be granted. In terms of the transaction flow, we had some initial guidance from Visa / Mastercard that transactions would need to flow through with exemption flagging if an extension was granted.
As soon as we have clarity from Visa, Mastercard and our CA we can discuss whether it is something you want us to progress for your business.”
An important part of the PSD2 directive is SCA. So what is SCA?
Strong Customer Authentication is a set of checks by which the cardholder is authenticated before certain online, card-not-present electronic card payments are authorised. It is scheduled to come into force by September 14th 2019 (unless an organisation is granted an extension).
There will be new steps for consumers to securely identify themselves: they will be authenticated using multi-factor authentication.
What are the new types of information required through multi-factor authentication?
- Something you have (payment card, mobile phone or security code generator)
- Something you know (password or PIN)
- Something you are (biometric, e.g. a fingerprint)
SCA will improve security dramatically; however, the changes may disrupt customers used to making fast and convenient purchases online. Most customers have already experienced some form of multi-factor authentication, so will not face much disruption.
Which transactions will be impacted?
There are some exemptions to SCA, so you may not be affected at all. These include:
- Low-value transactions
Transactions less than €30 will not require SCA.
- Mail order / telephone order (MOTO) transactions
If your customers pay over the phone and you don’t ask them to read out their card details, SCA will not be required. However, if your agent uses your customer-facing online payment screen to complete the payment, SCA will be required. You should consider an Agent Assisted Payments service.
- Trusted organisations
Customers can whitelist your organisation with their bank, which is ideal for those making repeated purchases and regular payments.
- Low-risk transactions
Transactions deemed low-risk when run through a real-time risk assessment by your acquirer or PSP (also known as Transaction Risk Analysis, or TRA) will not require SCA.
- Recurring payments or merchant-initiated transactions (MIT)
For customers who have signed up to make repeat or recurring payments, SCA is only required on the first transaction. Essentially, the customer gives the organisation or merchant permission to take future payments of a set amount on a set date.
3 ways that EMV 3D Secure will benefit merchants
On September 14th new EU legislation will be passed to tighten regulations on how customers’ payments and card data are handled. To make sure that merchants are compliant with the new requirements, EMV 3D Secure, a new authentication specification, will be widely integrated into payment providers’ payment systems. New legislation around authentication usually causes big headaches for merchants, but with EMV 3D Secure, merchants stand to benefit in three key ways:
// Stronger authentication
EMV 3DS gives merchants another essential tool in the fight against fraud. By authenticating legitimate transactions using more data touchpoints and biometrics, merchants will deny more fraudulent transactions. Additionally, companies that do business in Europe need to comply with PSD2 Strong Customer Authentication requirements. Enabling EMV 3DS ensures that these standards are met.
// Improved customer experience
EMV 3D Secure looks to remove the friction that often causes consumers to abandon their purchase. The new version of 3DS makes use of biometric authentication where possible, thereby eliminating reliance on static passwords that often take two or three attempts to remember. By making use of authentication data such as fingerprints, facial recognition and iris scanning, the process is much less clunky than the password entry required for the original 3D Secure. Overall, transaction security will be much higher with EMV 3DS, and the rate of false declines will be lower.
// Multi-device support
The original 3D Secure was devised in a pre-smartphone era, and was designed for browser-based transactions. EMV 3DS will allow seamless authentication for both app-based and mobile wallet purchases — a long overdue amendment given the rise of mobile commerce since the conception of the original 3D Secure.
Trust Payments have partnered with CardinalCommerce to provide enhanced EMV 3D Secure technology to all of their merchants. This will drive an increase in valid sales for Secure Trading’s merchants by reducing false declines at checkout and increasing buyer confidence. Most importantly, by using the latest fraud prevention methods, Secure Trading’s merchants can assure their customers that transactions are safe in the digital space.
Cardinal’s technology-leading solution works on behalf of both card issuers and merchants to streamline the authentication process, making authentication fast and secure (with limited friction) across all devices.
EMV® is a registered trademark in the U.S. and other countries and an unregistered trademark elsewhere. The EMV trademark is owned by EMVCo, LLC.