The Second Payment Services Directive – or PSD2 – is an EU directive that regulates payment services and payment service providers across the European Economic Area (EEA). As a directive it takes effect through national law, and most EU member states, including the United Kingdom, have already transposed it.
The directive touches every part of the industry: it tightens the security of online transactions and creates more competition by requiring banks to open up access to customer account data (with the customer’s permission, of course).
For merchants, the most important consequence of PSD2 is that online card transactions become subject to Strong Customer Authentication requirements from 14 September 2019.
What is Strong Customer Authentication?
Strong Customer Authentication – or SCA – is a set of authentication requirements that apply to ecommerce transactions in which both the acquiring bank and the issuing bank are located within the European Economic Area.
For transactions in scope, Strong Customer Authentication requires the customer making an online purchase to prove they are the genuine cardholder through two-factor authentication. The customer must present elements from two of the following three categories:
- Something the customer knows – for example, a PIN or a password.
- Something the customer has – for example, a mobile device, typically proven by a one-time password (OTP) sent to it by text message.
- Something the customer is – for example, biometric data such as a fingerprint or facial recognition.
Note: transactions in which either the acquirer or the issuer operates outside the EEA, known as ‘one leg out’ transactions, fall outside the remit of PSD2, so Strong Customer Authentication does not apply. For example, a purchase by a Chinese customer whose card is issued by a bank operating in China is not subject to Strong Customer Authentication requirements.
How can merchants implement Strong Customer Authentication?
In the early 2000s, Visa developed version 1.0 of the 3D Secure protocol (marketed as Verified by Visa) to add cardholder authentication to online card transactions, and Mastercard, American Express and the other card schemes adopted it under their own brands. Today the protocol’s technical specifications are maintained by EMVCo, the global standards body owned by the major card schemes (American Express, Discover, JCB, Mastercard, UnionPay and Visa).
In 2016 EMVCo published the latest version of the protocol, version 2.0, and the card schemes have mandated support for it in Europe since 13 April 2019.
3D Secure Version 2.0 – or 3DS 2.0 as it is often known – is the main mechanism through which merchants can comply with Strong Customer Authentication requirements.
What is the difference between 3DS 1.0 and 3DS 2.0?
When 3DS 1.0 was introduced, it added an extra authentication step to online card transactions – for example, a code sent by SMS or a static password that the cardholder had registered with their issuer.
However, 3DS 1.0 was not without problems. Customers were frustrated by the need to register and remember yet another password. SMS codes were often not delivered. The windows that redirected customers to the 3DS portal were sometimes blocked by pop-up blockers and were not optimised for mobile browsers. As a result, some customers abandoned their carts and merchants’ conversion rates suffered.
Version 2 of the 3D Secure protocol – 3DS 2.0 – was designed to address these issues. The main difference is that it asks merchants and their payment service providers to share far more data about a transaction (device, browser, shipping and account details, for instance) with the issuing bank, so that the issuer can make a more accurate, risk-based authentication decision.
With that data, a transaction can qualify for the ‘frictionless’ flow: the issuer judges that the data already gives enough confidence that the cardholder is the one paying, no challenge is presented and the customer experience is not interrupted. If the issuer wants more assurance, the transaction follows the ‘challenge’ flow and the customer must authenticate, for example with a one-time password or a fingerprint in their banking app.
3DS 2.0 also allows these flows to be embedded within the merchant’s website or mobile app without full-page redirects. Ultimately it should deliver a higher approval rate together with a smoother customer experience and fewer drop-offs.
A note on exemptions
Under PSD2, certain types of transaction do not require additional authentication. These include low-value transactions, recurring payments of a fixed amount, and transactions with a payee the customer has ‘whitelisted’ with their issuer, among others.
3DS 2.0 lets the acquirer or payment service provider request an exemption from Strong Customer Authentication on the merchant’s behalf. It is worth noting, however, that a request is only a request: the issuer decides whether to honour the exemption, and may instead respond by insisting that the transaction be authenticated.
We will discuss the various types of transactions exempt from SCA in a future blog post.
What’s next for merchants?
Strong Customer Authentication requirements come into effect on 14 September 2019.
From that date, an ecommerce card transaction within the EEA may only be submitted without 3DS 1.0 or 2.0 authentication if the acquirer has applied an exemption or the transaction is out of scope. If no exemption can be applied, issuers will almost certainly decline a transaction that has not been through 3D Secure.
Merchants therefore need to have a 3D Secure solution in place by the deadline, and it should be added to the organisation’s roadmap now.
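The routing rule above, together with the two-of-three element rule and the one-leg-out scope test, can be written down as a small merchant-side decision function. The Python below is an added illustration and is not code from the original post, from PXP Financial or from ANYpay; the data model, the function and enum names, the 2019 EEA country set and the modelling of an issuer refusing an exemption as a reply that calls for a fresh, authenticated submission (what the card schemes call a soft decline) are all assumptions of the example.

```python
"""Merchant-side SCA routing. Added illustration: not the page's, PXP Financial's
or ANYpay's code. The data model, names and the EEA set are assumptions."""
from dataclasses import dataclass
from enum import Enum
from typing import Iterable, Optional

# EEA membership as of 2019: the then 28 EU states (including the UK) plus
# Iceland, Liechtenstein and Norway, as ISO 3166-1 alpha-2 codes (assumption).
EEA_2019 = frozenset(
    "AT BE BG HR CY CZ DK EE FI FR DE GR HU IE IT LV LT LU MT NL PL PT RO SK SI "
    "ES SE GB IS LI NO".split()
)


class Factor(Enum):
    """The three categories of authentication element under SCA."""
    KNOWLEDGE = "something the customer knows"
    POSSESSION = "something the customer has"
    INHERENCE = "something the customer is"


def is_strong_authentication(elements: Iterable[Factor]) -> bool:
    """SCA needs elements from at least two *different* categories.

    A password plus a memorable-word question is two knowledge elements and
    does not qualify; a password plus an SMS OTP does. (Independence of the
    elements is also required, but that is a property of the system design
    and is not something a category count can check.)
    """
    return len(set(elements)) >= 2


class ThreeDS(Enum):
    NOT_ATTEMPTED = "no 3D Secure"
    FRICTIONLESS = "frictionless: issuer satisfied by the data, no challenge"
    CHALLENGE_PASSED = "challenge flow, cardholder authenticated"
    CHALLENGE_FAILED = "challenge flow, authentication failed"


class Step(Enum):
    """What the merchant or its PSP should do next."""
    SUBMIT_OUT_OF_SCOPE = "one leg out: authorise without SCA"
    SUBMIT_AUTHENTICATED = "authorise with the 3DS authentication result"
    SUBMIT_EXEMPTED = "authorise, flagging the acquirer exemption"
    STEP_UP = "run the 3DS challenge, then resubmit"
    DECLINE = "stop: authentication failed or issuer declined"
    APPROVED = "done: issuer approved"


class IssuerResponse(Enum):
    APPROVED = "approved"
    SCA_REQUIRED = "soft decline: issuer insists on SCA"  # real scheme codes vary; illustrative
    DECLINED = "declined"


@dataclass
class Transaction:
    issuer_country: str                        # ISO 3166-1 alpha-2 of the card issuer
    acquirer_country: str                      # ISO 3166-1 alpha-2 of the merchant's acquirer
    three_ds: ThreeDS = ThreeDS.NOT_ATTEMPTED
    exemption_requested: Optional[str] = None  # e.g. "low_value", "recurring", "whitelisted"


def in_sca_scope(tx: Transaction) -> bool:
    """SCA applies only when both the issuer and the acquirer are in the EEA."""
    return tx.issuer_country in EEA_2019 and tx.acquirer_country in EEA_2019


def first_attempt(tx: Transaction) -> Step:
    """Decide how to submit the authorisation the first time round."""
    if not in_sca_scope(tx):
        return Step.SUBMIT_OUT_OF_SCOPE
    if tx.three_ds is ThreeDS.CHALLENGE_FAILED:
        return Step.DECLINE
    if tx.three_ds in (ThreeDS.FRICTIONLESS, ThreeDS.CHALLENGE_PASSED):
        return Step.SUBMIT_AUTHENTICATED
    if tx.exemption_requested is not None:
        return Step.SUBMIT_EXEMPTED
    # In scope, no authentication, no exemption: the issuer will almost
    # certainly decline, so authenticate first rather than burn an attempt.
    return Step.STEP_UP


def after_issuer_response(submitted: Step, response: IssuerResponse) -> Step:
    """React to the issuer's reply. A refused exemption is not a hard failure:
    the right move is a 3DS challenge and a fresh authorisation, never a blind
    retry of the same unauthenticated message."""
    if response is IssuerResponse.APPROVED:
        return Step.APPROVED
    if response is IssuerResponse.SCA_REQUIRED and submitted is not Step.SUBMIT_AUTHENTICATED:
        return Step.STEP_UP
    return Step.DECLINE
```

The scope test deliberately uses only the two countries the page names as decisive, the issuer's and the acquirer's; the cardholder's residence or the shipping address play no part in whether a transaction is one leg out. Note also that the frictionless outcome counts as an authenticated submission: the issuer has made its decision inside 3D Secure, which is different from the merchant skipping 3D Secure on the strength of an exemption it has requested itself.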
PXP Financial’s ANYpay solution suite allows merchants to integrate directly with both 3DS 1.0 and 3DS 2.0. It offers a full range of sub-products that will ensure merchants are fully compliant with Strong Customer Authentication requirements under PSD2.
Furthermore, the ANYpay platform offers these capabilities with easy integration and a high level of support from PXP Financial’s experienced team.