The payments industry is no stranger to regulations, and beginning September 14, 2019, the Second Payment Services Directive (PSD2) will require Strong Customer Authentication (SCA) to be applied to every online transaction in the European Economic Area (EEA).
PSD2 is poised to change how the payments market operates in Europe. We spoke with Worldpay’s PSD2 expert, Jonathan Dranko, to get the rundown.
Why has the EU implemented PSD2?
With PSD2, the EU wants to see more innovation, more competition and reduced fraud.
The EU has experienced a massive shift from card-present to card-not-present fraud, the latter of which now accounts for almost two thirds of all fraud in Europe.
With so much commerce and corresponding fraud moving online, European regulators included specific components around increasing security and reducing fraud when updating the original Payment Services Directive to meet modern payment standards.
What is SCA?
SCA is a method to authenticate transactions and requires that two of the three authentication factor categories be used. The three categories are:
- Something only the user knows, like a PIN, code, or password
- Something only the user possesses, such as a physical payment card or mobile phone
- Something the user is (biometric information), such as a face scan, a fingerprint, or an iris scan
What are the benefits of SCA?
SCA is aimed at decreasing payment fraud. So if a merchant’s fraud decreases as a result of complying with SCA, issuers will hopefully allow more of their transactions.
This will hopefully lead to increased authorization rates, which ultimately can make merchants more money.
What is the primary component of SCA?
After September 14, 2019, every online transaction that passes through the EEA must have SCA tied to it, unless an exemption applies. SCA is more commonly known as "two-factor authentication."
What happens to merchants and issuers that don’t comply with SCA?
Put simply, if a merchant cannot authenticate or exempt a transaction that is in scope of PSD2, after September 14, 2019, there is a significant risk that issuers will just decline the transaction.
What are some examples of transactions that use SCA?
An EMV chip card transaction is compliant when a PIN is required during the POS transaction because the user must have their card and enter their PIN.
An Apple Pay payment is also compliant as it involves the user’s mobile phone and their fingerprint or face scan.
What are examples of traditional transactions that have not used SCA?
Card on file payments today often do not require SCA, but will after September 14, 2019, when the transaction occurs in the European Economic Area.
This means that cardholders will have to enter more information to complete traditional card payments online.
What are the exclusions to SCA?
There are three primary exclusions to SCA, meaning that these transaction types fall out of scope and SCA should not need to be applied:
- “One leg out.” When the issuer and acquirer are both in Europe, then SCA is required. But if the issuer is in the US, and the acquirer is in the EU, then that transaction is excluded from SCA. For example, when a US cardholder makes a purchase in Germany, or conversely, when a French citizen makes a purchase in the US, SCA is not required.
- Merchant initiated transactions (MIT). This refers to situations when merchants are making a payment on behalf of the customer (e.g. subscription payments).
- MOTO transactions. This transaction type is excluded because it is currently very difficult to use two-factor authentication over the phone, or via fax or mail.
What are the exemptions to SCA?
Even transactions that are in scope for SCA don’t have to be authenticated every time, if they qualify for certain exemptions.
The four main exemptions include:
- Low risk transactions. Your PSP can do a risk check on your transactions in real time. If the risk score is low, and if your PSP is below certain fraud rates, you can use a low-risk exemption. As long as the issuer agrees, the cardholder should not see a challenge to authenticate themselves. This exemption can only be used for transactions with a maximum value of €500.
- Low value transactions. Any transaction below €30 can receive a low value exemption and go through without SCA. However, there is a velocity limit of five consecutive transactions, or a cumulative limit of €100. After these limits have been reached, SCA is required again.
- Whitelisting. After the first SCA verified purchase, a consumer can whitelist a merchant so that subsequent transactions do not require SCA. Merchants need to implement 3DS2.2 in order to fully turn on whitelisting functionality.
- Corporate payments. Corporate cards that are not in the cardholder’s name and virtual credit cards are exempt from SCA.
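The low value exemption is the one rule in the list above that is stateful: whether it applies to a given payment depends on what has happened on the card since the last SCA challenge. The following Python is an added illustration of that counting logic, written for this page; it is not Worldpay's code and not an issuer's implementation. It assumes a simple per-card counter model (the `CardCounters` class and `LOW_VALUE_*` constants are names chosen here, with the €30, five-transaction and €100 limits taken from the text); in practice the issuer keeps these counters and decides, and a merchant only requests the exemption.

```python
from dataclasses import dataclass

# Limits as stated on this page (low value exemption).
LOW_VALUE_CAP_EUR = 30.00          # per-transaction ceiling: amount must be below this
LOW_VALUE_MAX_COUNT = 5            # consecutive exempted transactions allowed since last SCA
LOW_VALUE_MAX_CUMULATIVE = 100.00  # cumulative euro ceiling since last SCA


@dataclass
class CardCounters:
    """Hypothetical per-card state since the last SCA challenge (an assumption of
    this example; real counters live at the issuer)."""
    exempt_count: int = 0
    exempt_total: float = 0.0

    def reset(self):
        self.exempt_count = 0
        self.exempt_total = 0.0


def low_value_exemption_applies(amount_eur, counters):
    """True if the low value exemption may be applied to this transaction.

    The amount must be below the €30 cap, and neither the five-consecutive
    limit nor the €100 cumulative limit may be exceeded by applying it.
    """
    if amount_eur >= LOW_VALUE_CAP_EUR:
        return False
    if counters.exempt_count >= LOW_VALUE_MAX_COUNT:
        return False
    if counters.exempt_total + amount_eur > LOW_VALUE_MAX_CUMULATIVE:
        return False
    return True


def process(amount_eur, counters):
    """Decide "exempt" or "sca" for one transaction and advance the counters.

    An exemption consumes velocity and cumulative headroom; an SCA challenge
    resets both, matching the rule that SCA is required again once a limit
    is reached and the counters start over afterwards.
    """
    if low_value_exemption_applies(amount_eur, counters):
        counters.exempt_count += 1
        counters.exempt_total += amount_eur
        return "exempt"
    counters.reset()
    return "sca"


def run_sequence(amounts, counters=None):
    """Apply the rule across a sequence of amounts on one card and return the
    list of decisions, so the limit boundaries can be seen in order."""
    counters = counters if counters is not None else CardCounters()
    return [process(a, counters) for a in amounts]


if __name__ == "__main__":
    # Constructed sample: four €25 payments fill the €100 cumulative limit exactly,
    # the €10 that follows tips over it and triggers SCA, a €30 payment is not
    # "below €30" and triggers SCA regardless of counters.
    print(run_sequence([25, 25, 25, 25, 10, 5, 29.99, 30, 20]))
    # Constructed sample: six €1 payments hit the five-consecutive limit.
    print(run_sequence([1] * 6))
```

Two boundaries are worth noticing when reading the output: a cumulative total that lands exactly on €100 is still within the limit, while an amount of exactly €30 is not below the cap and never qualifies.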
What determines whether a merchant can use SCA exemptions?
The most important factor in determining if a merchant can use exemptions will be the merchant’s fraud rate.
If a merchant has high fraud, they may not be able to receive any exemptions and may have to use SCA for every transaction running through the EEA.
In the case of high fraud rates, a merchant’s acquirer will likely request that the merchant take steps to decrease their fraud rate because it affects the acquirer’s own fraud rate.
If an acquirer’s fraud rate is too high, they too could be excluded from exemptions.
What solutions does Worldpay offer to help merchants comply with SCA and PSD2?
Worldpay will offer several solutions to help merchants manage the PSD2 requirements, most notably:
- 3DSFlex helps merchants implement SCA, particularly 3DS2
- Pazien helps merchants access and better understand their fraud rate
- FraudSight helps merchants decrease their fraud rate
- SCA Exemption Engine helps merchants maximize the number of SCA exemptions
What to do next?
To learn more about SCA and PSD2, or any of the Worldpay solutions, please visit our PSD2 web page or reach out to your Worldpay sales contact.