Later this year, new European Union (EU) legislation will come into force. The revised Payment Services Directive (or PSD2 for short) has a simple aim – to make banking safer and more transparent. As part of this, Strong Customer Authentication (SCA) will be introduced to give your business extra protection against fraud when you make transactions or service your account online.
There’s quite a bit to get through, so we’ve split this article into two parts – first we’ll look at PSD2 then SCA, explaining the changes PSD2 will bring to card transactions and what this will mean for your business.
You may have already heard about the Payment Services Directive. This was adopted by the EU in 2007 to help establish an EU single market for payments and encourage the creation of safer, more innovative payment services.
As online fraud has grown, PSD has now been upgraded. PSD2 has a focus on three key areas:
1. Enhancing security through Strong Customer Authentication (SCA)
2. Increasing consumer rights including complaints, surcharging and currency conversion
3. Enabling third-party access to account information to help with new payment and account services
The regulation initially required all banks and businesses to be compliant by 14 September 2019; however, the deadline for SCA compliance has been delayed by 18 months. Following the European Banking Authority (EBA) announcement on 21 June 2019, the Financial Conduct Authority (FCA) has now agreed to a phased roll-out plan to move the UK to full compliance by 14 March 2021.
Brexit won’t change anything. SCA will still be introduced on that date no matter what relationship the UK has with the EU at that point. The process and safeguards it uses are essential for the future of the banking system.
To help protect individuals and businesses against online fraud, PSD2 is introducing SCA. This will mean an additional check in some instances to make doubly-sure it’s you when you’re paying or servicing your account online.
The safeguards within SCA aim to give more reassurance to both businesses and consumers. You can find out more about this below.
Yes, they are. It’s an industry-wide directive that all banks and businesses need to follow. So whoever you bank with, these changes will apply. We’ve been preparing for PSD2 well in advance to make sure our business and you, our customers, are ready for 14 September 2019.
In readiness for PSD2 changes, we suggest you check we have the most up-to-date contact details of any cardholders within your business. Mobile phone numbers, especially, are an important part of authenticating with PSD2.
Simply log into Barclaycard Business Online Servicing (BBOS) if you’re a small business customer, and if you’re a corporate customer, call us on 0800 151 2581 or speak to your Relationship Manager to check or let us know if anything has changed.
If you’re not registered yet for BBOS, it’s simple. Go to www.barclaycard.co.uk/business/mobile-register
Strong Customer Authentication (SCA) is a brand new safeguard that will provide you with extra protection against fraud when you’re making payments or servicing your account online.
At the moment, authentication for your online payments is required on an exception basis. In other words, if your transaction is considered ‘high risk’, you’ll be taken to a 3D Secure page and asked to enter random digits from your security password.
With the introduction of SCA, an extra check will be applied in some instances to make doubly-sure it’s actually you, the cardholder, making the payment or processing the transaction. This is called ‘two-factor authentication’ and means at times you’ll need to provide an additional form of identification, such as a password or mobile-generated code, when online. However, there are some exemptions that we’ll be able to apply automatically without the cardholder needing to do anything. For example, exemptions could be based on the size of the transaction or the potential for fraud.
You’ll go through two-factor authentication in some instances to verify your payments and when servicing your account online. You’ll be asked to provide an additional form of identification, from the following options:
It’s so we can be doubly-sure that it’s you making the payment or transaction online. Your additional cardholders will need to follow the same process too.
Yes, there are. Here are some examples of when you won’t need to use two forms of identification to pay online:
Low-risk transactions – your payment will go through a real-time risk assessment before it’s verified. If it’s considered low risk, an exemption may apply. However, this comes with a complex set of conditions.
Recurring payments – if you make payments to the same company over and over again, these payments will be exempt after the initial set up. This will apply if you’re paying a supplier a regular amount online. If the amount you pay changes, you’ll need to use SCA.
Secured corporate payment – as a business, your online payments to other businesses may be exempt as long as they’re processed through a secured, dedicated payment protocol.
Physical payments in store will mostly remain unchanged – you can continue using contactless for low-value transactions, and Chip and PIN for higher amounts. However, in some instances you will be asked to enter your PIN more frequently. This is an additional security measure to help better protect against fraudulent payments.
We’ve got a host of FAQs on PSD2, which we’ll be adding to as we move toward 14 September 2019. Is your business taking payments online? Check out the ways PSD2 affects your business on our PSD2 page.
If you need help or assistance