The Biggest PSD2 and SCA Concerns. How They Can Impact Your Business - SecurionPay - Payment Platform With Advanced Technology


The deadline for meeting PSD2 regulations is fast approaching, but there are still more questions than answers. Here’s what you should know about the upcoming changes to prepare better.

New requirements based on PSD2 were introduced on 14 September 2019. Overall, the directive puts all players under one unified regulatory framework, and banks need to provide access to their customers’ accounts via open APIs.

So, why is this important for your online business?

The most common PSD2 challenges

Before digging into the challenges, let’s start with the objectives of PSD2. There’s no question that the directive was created to standardize regulations for banks and payment providers, but it’s also about making payments safer (which increases customer protection) and fostering innovation and competition.

Speaking of competition, the directive is also the answer to the current monopoly that banks have on payment services and customer accounts.

According to Tink’s report, modernizing IT systems is one of the major banking challenges for 36% of banks when it comes to PSD2. But one of the major concerns is that online businesses may end up with added complexity, as every bank can offer a different implementation. It’s also about the interface implemented by banks and financial institutions, as there’s doubt about whether they will be ready when PSD2 becomes mandatory.

The first months will verify the new challenges, but chaos is inevitable.

SCA and 3D Secure 2 as a method of payment authentication

Another concern is that the strong customer authentication (SCA) could have a negative impact on customer experience because it will add an extra step to the payment process and force a cardholder to provide additional information to complete payment.

For the record, SCA is a PSD2 requirement for payment service providers to make online payments more secure and prevent financial fraud. So, payments need to go through multifactor authentication. The question is whether the SCA will damage the customer experience.

Today, the most common authentication method is 3D Secure and, based on the recommendation, the main method for authenticating online card payments will be the 3D Secure version 2 that is expected to improve user experience. This is why we advise merchants who work with SecurionPay to enable our non-invasive 3D Secure verification right away to add an extra security layer, minimize the chargeback ratio without hindering conversion, and get ready for version 3DS2.

Note that there can be exemptions from SCA defined for different use cases, for instance, based on the amount, transaction type, level of risk, etc. This is crucial, as one of the most challenging things will be providing a smooth experience depending on the transaction type. But still, it’s the cardholder bank’s decision whether to accept an exemption.

For now, we can see that it can get more complex with recurring payments. Imagine how frustrating it would be for customers to authenticate each monthly payment. So, the goal is to keep recurring payments automated, but it’s up to the bank whether the transaction needs to be authenticated or not.

But without authentication built into the checkout flow, merchants may face severe consequences. This is why we advise you to choose a payment partner who is ready for the upcoming regulations to stay away from the implementation burden and focus on your core business. One that has proper knowledge in place and provides you with all the required tools, so that you can effectively address SCA and turn new regulations into an opportunity for both you and your clients.

The difference between 3D Secure 2.0 and newer versions

EMVCo first published the 3DS 2.0 specification in 2016 and, as you may guess, the authentication solution as we knew it was improved, so the first version is no longer supported. There are several new functionalities, so you can expect much more than mobile device compatibility and biometric authentication.

What are the main changes?

3D Secure 2.1 for a frictionless flow

In version 2.1, introduced in 2017, the major changes were driven by the need for better user experience and higher security of online payments.

This means that issuers receive much more data on each card transaction than in version 1 to provide a seamless payment flow for cardholders. This shortens transaction times and increases authorization rates, which simplifies the customer experience and eliminates redirects.

3D Secure 2.2 – support for exemptions

The newest version 2.2 (released in December 2018) is extended with exemptions for low-value transactions (where no additional interaction with the end user is required) and whitelisting of merchants. 3D Secure 2.2 also includes improved communication between merchants and issuers and additional device compatibility.

Integration with mobile banking authentication and biometrics is much smoother, so there’s a higher number of options to authenticate. As 10 times more data is shared with issuers, they can provide better risk analysis and greater fraud prevention. Moreover, 3DS 2.2 enables 3DS Requestor Initiated (3RI) payments for some use cases (for instance, travel).

You can expect newer versions to focus on enhanced risk assessment and support for more devices.

And what about 3D Secure 1.0? It’s still effective in case something goes wrong with the 3D Secure 2 process; however, merchants are obliged to embrace the latest version of 3D Secure (an obligation that started in March 2020).

What’s the timeline for the new requirements?

According to PSD2 requirements, merchants need to apply authentication on European payments by the end of 2020. Otherwise, they will face a significant risk of payment declines and a sharp drop in conversion, not to mention the friction that clients may face during payments. Think about how it will impact your bottom line.

31 December 2018 – the deadline for issuers for supporting EMV 3D Secure 2.0
1 February 2020 – issuers should enforce authentication methods for transactions using risk-based authentication and one-time passwords
1 March 2020 – all issuers need to be ready for 3DS 2.1; merchants need to ensure they use the latest version of 3DS supported by the issuer
14 September 2020 – all issuers need to have 3DS 2.2 in place
16 October 2020 – acquirers need to ensure that all vendors who provide payment processing services to merchants have implemented 3DS 2.2 and are certified for such technology
31 December 2020 – the deadline for PSD2 SCA implementation. All merchants will need to use 3D Secure 2.2, as it will be actively monitored and supervised.

There’s no question that PSD2 will open the market to new players, so payments in Europe will be more competitive. More choices mean better services that, in fact, might lead to faster and cheaper payments and financial services for the end customer.

Also remember that new regulations are for customers, not only for banks and businesses. They also need time to learn new habits and, even more importantly, trust new services.

Exemptions from SCA

Merchants that accept low-risk transactions might expect some exemptions from Strong Customer Authentication to reduce friction during online payments. They are:

Transactions lower than €30 – Even though such transactions are exempted from SCA, banks will request authentication after five consecutive transactions of this kind or when the sum of such transactions exceeds €100.
Transaction type, e.g. fixed-amount recurring payments – When it comes to recurring transactions of a fixed amount, only the initial one requires strong customer authentication. However, 3DS will be required for every new amount when the amount changes.
Merchant-initiated transactions – As most subscription-based payments are perceived as merchant initiated, they are out of the scope of SCA, but it’s still up to the bank whether the transaction needs to be authenticated.
Level of risk – Payment providers are allowed to do a real-time risk analysis to determine whether to apply SCA to a transaction. But note that this is only possible when the payment provider’s or bank’s overall fraud rates for card payments are within the following thresholds:

    • 0.13% to exempt transactions below €100
    • 0.06% to exempt transactions below €250
    • 0.01% to exempt transactions below €500

What about a situation when only the payment provider’s fraud rate is below the threshold, but the cardholder’s bank is above it? In such a case, the bank should require authentication.

Trusted beneficiaries – After completing a payment authentication, a customer may have the option to whitelist a business they trust to avoid future authentications. Such businesses will then be put on a list of “trusted beneficiaries” maintained by the customer’s bank or payment service provider.

Note that even though there are exemptions from the SCA applicable to online transactions, it’s up to the issuing bank to accept an exemption request or require extra authentication of a transaction.
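To make the rules above concrete, here is an added example (not SecurionPay code) of how a checkout could decide which exemption to request before falling back to 3D Secure. The function and field names, the counter model in CardHistory, and the order in which the rules are tried are assumptions; merchant-initiated transactions are left out, and the issuing bank still has the final say.

```python
from dataclasses import dataclass

# (fraud-rate ceiling in %, amount in EUR below which the exemption applies),
# taken from the thresholds listed in the article.
TRA_BANDS = [(0.01, 500), (0.06, 250), (0.13, 100)]

@dataclass
class CardHistory:
    """Constructed model of what is tracked for a card since its last SCA."""
    low_value_count: int = 0      # consecutive exempted payments under EUR 30
    low_value_total: float = 0.0  # running sum of those payments, EUR

def tra_limit(fraud_rate_pct):
    """Amount (EUR) below which this fraud rate allows an exemption, else 0."""
    for ceiling, limit in TRA_BANDS:
        if fraud_rate_pct <= ceiling:
            return limit
    return 0

def exemption_to_request(amount, history, provider_rate, issuer_rate,
                         merchant_whitelisted=False, recurring_fixed=False,
                         first_or_changed_amount=False):
    """Return the exemption a payment may request, or None if SCA applies."""
    if merchant_whitelisted:
        return "trusted_beneficiary"
    # Fixed-amount recurring: only the first payment and any new amount need SCA.
    if recurring_fixed and not first_or_changed_amount:
        return "recurring_fixed_amount"
    # Low value: exempt until five consecutive payments or a EUR 100 total.
    if (amount < 30 and history.low_value_count < 5
            and history.low_value_total + amount <= 100):
        return "low_value"
    # Risk analysis: both sides must qualify, so the stricter limit wins.
    if amount < min(tra_limit(provider_rate), tra_limit(issuer_rate)):
        return "transaction_risk_analysis"
    return None
```

A result of None means the payment goes through the full 3D Secure challenge; any other value is only a request that the issuer may refuse.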

As SecurionPay is a PSD2-ready payment platform, we can assure you that we’ll do the heavy lifting for you, so you can rest assured that your payments are in good hands. If you’d like to know more, don’t hesitate to contact our support team. We’re here to help!

Sandra Wróbel-Konior