Strong Customer Authentication required by September 2019

The European Payment Services Directive (PSD2) requires payment users to be securely authenticated in order to enhance protection of individuals and reduce the amount of fraud occurring. These requirements are spelt out in the PSD2 Regulatory Technical Standards (RTS) issued by the European Banking Authority and require compliance with this new law by the 14th September 2019. Awareness levels of these regulations remain very low and time is rapidly running out to make the necessary changes.

Secure Customer Authentication (SCA) requires the capture of at least two forms of information from separate categories consisting of something you have (possession), know (knowledge) or are (inherence). The authentication is dynamically linked to each individual transaction. Authentication is a new process that must take place before the traditional funds authorisation and settlement processes.

SCA has wide applicability

SCA applies to a very broad range of electronic payments including bank and card based payments. It does not just apply to eCommerce transactions and is applicable irrespective of sales channel. If a card is issued within a European country (EEA) and used at a merchant acquired by a European acquirer then this new legislation applies. In a face-to-face environment Chip & PIN will largely satisfy SCA requirements however changes may be required for contactless transactions. One Time Passwords (OTPs) will be used by many issuers as a means of customer authentication, but this is not the only method that will be used.

Do exemptions exist?

The legislation recognises that some forms of payment are deemed to be out of scope for SCA these cover non-electronic payments including direct debits and MOTO transactions. Some forms of Merchant Initiated Transactions where only one party is involved in the transaction have also been deemed to be out of scope. A variety of exemptions are being allowed by the European Commission and national Competent Authorities (the FCA in the UK) these include mass transit and parking transactions and low value and contactless transactions subject to cumulative transaction limits or transaction counts. One of the most significant changes is that Transaction Risk Analysis (TRA) will be performed by acquirers and issuers for all transactions. If a transaction is deemed to be low risk then a SCA exemption can be requested. The concept of a payer white-listing merchants as trusted beneficiaries is available although solutions may not be ready by September. Even if an exemption is requested the card issuer makes the ultimate decision on whether SCA has to be performed before authorising a transaction.

What is different?

Merchants cannot ignore SCA. This compliance programme is required by Level 1 national law and therefore differs from traditional card scheme mandates and deadlines where waivers and extensions could be requested. It is already in the UK statute books and so applies whatever happens regarding the UK’s Brexit decision.

Card issuers will ultimately decide whether to approve or decline transactions. The number of soft declines, where a form of step-up authentication is required, is expected to dramatically increase from today’s 2% to around 40% of eCommerce transactions. The main risk for merchants is that card issuers will decline transactions, leading to unhappy customers and loss of revenue.

Some established business practices will need to change in order to be compliant with this new law. Customer confirmation terms and conditions will need to be updated. Frictionless transactions that rely on card on file will be impacted by these new SCA requirements. More friction should be expected.

Growth of mobile payments

The introduction of SCA is expected to accelerate the use of Apple Pay, Google Pay and other forms of digital wallets both in-store and for eCommerce transactions. This is because these mobile payment options already use two valid forms of authentication and the card issuer has delegated authentication responsibility.

Face-to-Face implications

Payment systems need to include additional fields in transaction authorisation messages to include successful SCA data, out of scope fields or exemption requests to be sent through to the issuer. New POS terminal messages are also required to prompt for PIN authentication if a contactless account has exceeded its cumulative or transaction count limit. Contactless only payment acceptance systems and wearable payment options are also impacted by SCA and may need to be redesigned.

3DS 2.0 to be introduced

For merchants selling online one of the simplest way to satisfy SCA requirements is to support 3DS 2.0. This new version of payer authentication created by EMVCo addresses the poor user experience and basket abandonment issues experienced with 3DS 1.0. Static passwords have been replaced by dynamic information and biometrics. Screens now scale correctly to the device being used, merchant branding is maintained and no slow page redirection occurs. Additionally cardholder enrolment is never requested during a sale transaction. 3DS 2.0 captures up to 135 data elements, 10 times more than previously, allowing card issuers to be more confident in authorising transactions. The most recent 3DS 2.2 specifications support the SCA exemptions.

The STS viewpoint

Here at STS we are supportive of the objectives of PSD2 and SCA and have engaged with schemes and acquirers to understand the implications for our products. As a F2F payments acceptance specialist we are less impacted than eCommerce payment providers. We are currently waiting for final clarifications on any changes we may need to make. Please do get in touch to discuss this topic in more detail. 

Thursday, March 7, 2019