17 Jun Strong customer authentication (SCA) and the implications for your business

The EU adopted the Payment Services Directive 2 (PSD2) last year, but not all of its elements were brought in to force at the same time.  One of the most impactful provisions of PSD2 concerns Strong Customer Authentication (SCA), a part of the law relating primarily to eCommerce transactions which will be implemented from the 14th of September 2019.

What is strong customer authentication (SCA)?

In order to combat increasing levels of on-line fraud SCA requires the payments industry to introduce additional security measures for online card transactions. From that date, when a shopper in the European Economic Area (the EEA) uses a card issued from an EEA bank to make a payment extra levels of authentication will be required. While some exemptions may be available for certain transactions it will generally be impossible to pay for something online by using only card details.  In the past, customers could simply enter their card number and CVC code, but, going forward the card number will be only one of the elements that can be used to “authenticate” a transaction. Under a concept known as “two factor authentication” an online purchaser will have to provide two out of the three acceptable means of proving their identity.  Those types of authentication are:

Knowledge: Something you know (Password, PIN, Secret fact etc)

Possession: Something you own (Mobile phone, token, smart card)

Inherence: Something you are (Iris recognition, fingerprint, voice recognition)

What will SCA mean for my business?

The biggest change will involve the type of security software used to process online transactions.  From the 14 September 2019 all ecommerce transactions should be processed via secured industry protocol such as 3D Secure or they will most likely be declined by the card issuing bank (issuer).

For this reason we are urging merchants to implement at least the most basic of the 3DS solutions (v1.0). You should contact your payment gateway provider or our customer support team as soon as possible to ensure that your eCommerce payments are ready to be authenticated using 3D Secure.

With SCA and the enhanced versions of 3DS more dynamic data points will be used to verify users’ identities. While the number of required authentication data points is increasing, more customer choice could mean better authentication experiences and less drop-offs, it should be a win-win. For consumers there will be less passwords to remember. For online businesses, it will mean higher security with lower cart abandonment.

One of the most important benefits of SCA for merchants is that it can shift the liability for fraud away from your business. When a transaction avoids SCA your business would be liable if the transaction did turn out to be fraudulent (even in the case of certain exemptions). If you use SCA liability shifts to the issuer. The rule on exemptions generally is – if the transaction is exempted by action of the merchant – they remain liable, if by the issuer – liability lies with them.

SCA exemptions

While the intention of PSD2 is to make SCA a requirement for all online transactions, there are some exemptions. These exemptions will ensure that shoppers still enjoy easy shopping experiences with additional security levied only on their larger and less frequent payments.

1. Low value and low risk transactions

Transactions under £30 will be exempt from SCA. However, the issuing bank will keep track of the amount of payments made. When a cardholder initiates more than five consecutive low value payments with any merchant, or if the total value of those transactions are greater than £100 in 24 hours, (£150 for contactless), the exemption falls away and SCA is required.

2. Recurring transactions

Subscription or recurring transactions with a fixed amount and frequency will be exempt from the second transaction onwards. Only the initial transaction will require SCA. If the amount or frequency change, 3D Secure will be required for every new amount / frequency.

This poses a challenge to ‘variable amount’ recurring businesses in which the value changes over time. However in the case where products have a variable cost per period based on usage, these will be considered ‘merchant initiated transactions’ and are exempt from SCA after the first transaction provided the merchant and customer have an agreement allowing such variable charges.

3. Whitelisted merchants

Cardholders can assign businesses to a whitelist of “Trusted Beneficiaries,” which are maintained by their bank. Whitelisted merchants will be exempt from 3D Secure. This allows customers who regularly shop with a given business to avoid SCA requirements with that merchant. Whether a cardholder’s request is granted is up to their issuer, who can turn down the proposed exemption or withdraw it at any time. Currently, it is not believed that issuers will be ready to support whitelisting by mid-September. CARDPAY UK is monitoring this exemption and will update you as it develops. However, if you have a regular relationship with large numbers of customers you may wish to consider how best to motivate them to put you on this whitelist.

4. MOTO transactions

Mail Order and Telephone Orders (MOTO) will be exempt from SCA in all cases. MOTO transactions are not considered to be ‘electronic payments’ and so are out of the scope of PSD2.

5. B2B transactions

Payments made between two businesses are free from SCA when the payment method is a one which is dedicated to make such B2B payments.

6. TRA (Transaction risk analysis exemption)

A developing exemption involves the use of existing risk data to support transactions outside of SCA.  In the future CARDPAY UK may use TRA to exempt some transactions from SCA. This would involve CARDPAY UK analysing the transaction to determine whether it would be of low enough risk for fraud to exempt it from SCA requirements. CARDPAY UK could then make a request to the issuer to allow the transaction to proceed.  The issuer ultimately decides whether to allow this to take place.  The details concerning this exemption are still being worked out, and CARDPAY UK’s ultimate ability to use this transaction will always be limited by the issuer, however we will continue to monitor this area and will keep you informed of how best to avail of this possible exemption.

What is CARDPAY UK doing about SCA?

Since the announcement of PSD2 and SCA in 2017 we have been actively involved in industry discussions. As the practical implications have become clearer we have taken the necessary steps to ensure, at a minimum, the 3DS 1.0 mandate is met, while at the same time exploring options to achieve the right balance between managing fraud risks and minimising disruption to the consumer while conducting a payment.

What should I do now?

We recommend that merchants consider how these SCA changes could impact their customer journeys and sales models. Depending on the design of the payment experience and operating model, SCA may have different implications to your business.

You need to ensure that your eCommerce payments are ready to be authenticated using at least 3D Secure V1, and, if possible you should use a later version of 3DS. If you haven’t implemented 3DS please contact us or your payment gateway provider ASAP. You should also talk to your website developer. DON’T RELY ON TRANSACTIONS BEING EXEMPT OR OUT OF SCOPE, not all of those exemptions will be available as of 14 September and issuers have said that they will be declining large numbers of transactions if they are deemed to be within scope of SCA.

What about contactless transactions?

Most of this update deals with eCommerce business but new rules are also coming into force on 14 September 2019 for contactless transactions. These are similar to the low value rules but there are important differences. When the levels below are exceeded a normal chip and PIN authorisation will be required:

• the cumulative amount of consecutive contactless transactions exceed £150;
• the number of consecutive contactless transactions since the last chip and PIN transaction exceeds five.

Unattended terminals for transport fares and parking fees are exempt from this requirement.

Key Dates

• 14th September 2019. PSD2’s SCA requirements go live in Europe.
• 2020 and onward. 3DS 2.0 launches worldwide. Most Banks will accept 2.0 by end of 2020.

Conclusion

We urge you to review your eCommerce infrastructure to ensure you have at a minimum 3DS v1.0 enabled. If you are not currently 3DS enabled on your web site you need to engage with your payment gateway provider and website developer now. CARDPAY UK will work with all gateways that use our platform to make this process as smooth as possible. If you are using a physical card terminal we will be upgrading your terminal software in the coming months to ensure it is compliant with the new rules around contactless transactions. We have already made many of the necessary changes to be compliant with SCA requirements and will continue to update you regarding these developments prior to September.  Please check our web site for updates.