Your quick guide to PSD2 and SCA

You may have already heard about the Payment Services Directive. This was adopted by the EU in 2007 to help establish an EU single market for payments and encourage the creation of safer, more innovative payment services.  

As online fraud has grown, PSD has now been upgraded. PSD2 has a focus on three key areas:

1.    Enhancing security through Strong Customer Authentication (SCA)
2.    Increasing consumer rights including complaints, surcharging and currency conversion
3.    Enabling third-party access to account information to help with new payment and account services

The regulation initially required all banks and businesses to be compliant by 14 September 2019, however the deadline for SCA compliance is 14 March 2022. Following the European Banking Authority (EBA) announcement on 21 June 2019, the Financial Conduct Authority (FCA) has now agreed to a phased roll-out plan to move the UK to full compliance by 14 March 2022.

Brexit doesn't change anything. SCA will still be introduced on that date no matter what relationship the UK has with the EU at that point. The process and safeguards it uses are essential for the future of the banking system.

To help protect individuals and businesses against online fraud, PSD2 is introducing SCA. This will mean an additional check in some instances to make doubly-sure it’s you when you’re paying or servicing your account online. 

The safeguards within SCA aim to give more reassurance to both businesses and consumers. You can find out more about this below.

Yes, they are. It’s an industry-wide directive that all banks and businesses need to follow. So whoever you bank with, these changes will apply. We’ve been preparing for PSD2 well in advance to make sure our business and you, our customers, are ready for 14 March 2022.

In readiness for PSD2 changes, we suggest you check we have the most up to date contact details of any cardholders within your business. Mobile phone numbers, especially, are an important part of authenticating with PSD2.   

Simply log into Barclaycard Business Online Servicing (BBOS) if you’re a small business customer, and if you’re a corporate customer, call us on 0800 151 2581 or speak to your Relationship Manager to check or let us know if anything has changed.

If you’re not registered yet for BBOS, it’s simple. Go to www.barclaycard.co.uk/business/mobile-register

Strong Customer Authentication (SCA) is a brand new safeguard that will provide you with extra protection against fraud when you’re making payments or servicing your account online. 

Before SCA was introduced, authentication for your online payments is required on an exception basis. In other words, if your transaction is considered ‘high risk’, you’ll be taken to a 3D Secure page and asked to enter random digits from your security password. 

Now, an extra check will be applied in some instances to make doubly-sure it’s actually you, the cardholder, making the payment or processing the transaction. This is called ‘two-factor authentication’ and means at times you’ll need to provide an additional form of identification, such as a password or mobile generated code, when online. However, there are some exemptions that we’ll be able to apply automatically without the cardholder needing to do anything. For example, exemptions could be based on the size of the transaction or the potential for fraud.

You’ll go through two-factor authentication in some instances to verify your payments and when servicing your account online. You’ll be asked to provide an additional form of identification, from the following options:

• Something you know, like a password or PIN
• Something you have, like a mobile generated code

It’s so we can be doubly-sure that it’s you making the payment or transaction online. Your additional cardholders will need to follow the same process too.  

Yes, there are. Here are some examples of when you won’t need to use two forms of identification to pay online:

Low risk transactions – your payment will go through a real-time risk assessment before it’s verified. If it’s considered low risk, an exemption may apply. However, this comes with a complex set of conditions.

Recurring payments – if you make payments to the same company over and over again, these payments will be exempt after the initial set up. This will apply if you’re paying a supplier a regular amount online. If the amount you pay changes, you’ll need to use SCA. 

Secured corporate payment – as a business, your online payments to other businesses may be exempt as long as they’re processed through a secured, dedicated payment protocol.

Physical payments in store will mostly remain unchanged – you can continue using contactless for low value transactions, and Chip and PIN for higher amounts. However in some instances you will be asked to enter your PIN more frequently. This is an additional security measure to help better protect against fraudulent payments.