The Payment Services Directive 2 (or PSD2 for short; the first directive came out in 2007) is a piece of European Union (EU) legislation that was scheduled to come into force from 14 September 2019. However, the deadline for SCA compliance has been delayed by 18 months. Following the European Banking Authority (EBA) announcement on 21 June 2019, the Financial Conduct Authority (FCA) has now agreed a phased roll-out plan to move the UK to full compliance by 14 March 2021.
PSD2 aims to make banking safer, more transparent and more innovative. This new legislation is being introduced to protect individuals and businesses when they transact online. It also satisfies the need consumers now have for a better, more frictionless online payment journey.
For more information please view our PSD2 and SCA whitepaper.
One of the new safeguards is called Strong Customer Authentication (or SCA for short). This provides extra protection against fraud when transacting online. Simply put, it asks for two checks when you make purchases over the internet or when you need to service your account online.
Since 2012, eCommerce fraud in the UK has doubled. So new legislation is being introduced to make transacting online safer and more secure.
That’s where Strong Customer Authentication (or SCA) comes in. Put simply, SCA will require an individual to use an additional authentication step to verify online payments or to login to their accounts online. This new step is an addition to the current single authentication layer in place today. It means that online payments and account servicing will be more secure than just using a single element, such as a simple password authentication.
Current authentication practices are based on 3D Secure (3DS), which stands for three-domain secure. 3DS v1 is the password protection that you encounter when completing an online transaction. In response to PSD2 and changes in the mobile and app environment, 3DS v2 was introduced; it involves being redirected to a new page where you must input a code. In other words, it is information used to authenticate yourself.
A typical eCommerce transaction would be routed through 3DS in the post-SCA world. The issuer would assess the risk, dynamically linking information about the customer, acquirer and merchant to make a risk assessment.
Acquirers have the option to request an exemption on behalf of the merchant and the Issuers have the final say over whether a transaction should be authenticated.
Authentication methods will be Issuer specific and there will be a variety of authentication methods available for Issuers to use to meet their SCA obligations.
No, you can’t. This is because SCA is part of new Europe-wide legislation (the revised Payment Services Directive, or PSD2) that changes how people make payments or service their accounts online. The new regulations will apply to all payments, not just those processed by Barclays and Barclaycard.
In many instances people buying online won’t notice any difference. SCA should only add a few seconds to the checkout time.
In some cases, where SCA is required, the level of drop-outs may increase in the short term immediately after September. As a merchant, you'll need to understand the potential impact of this on conversions and assess potential changes to your customer journeys, depending on your sensitivity to friction and your customers' awareness of what they need to do when prompted for authentication.
For more information please refer to the "Exemptions" section of this page or view our PSD2 and SCA whitepaper.
No. Depending on the risk or transaction value Barclaycard will be able to apply a number of exemptions – based, for example, on the size of the transaction or the potential for fraud. These will be applied automatically, without the cardholder having to do anything.
Whitelisting is expected to be a process where customers have the option to register trusted merchants of their choice with their issuers. Personalised whitelists of merchants would be controlled and maintained by the issuers for each customer individually.
The TRA exemption is a risk-based approach that recognises that low-risk transactions do not require two-factor authentication. The acquirer's fraud performance determines the maximum transaction value that can be exempted. Acquirers can also decide which merchants they provide this exemption to, based on a variety of assessments including the merchant's fraud risk and robustness.
TRA exemptions enable you as the merchant to remain in control and risk-assess transactions. Where these are deemed low risk, your consumers benefit from a more frictionless checkout without the need for separate authentication. Issuers will have the final say, but we expect they will largely accept acquirer TRA exemptions. The better your acquirer's overall fraud performance, the higher the value of your transactions that can benefit from this exemption.
Visa and Mastercard mandate 3DS v2 in 2019, in October and April respectively. 3DS v2.2 (an enhanced version that allows exemption flags) is currently considered optional. Mastercard will begin to monitor compliance.
3DS v1 is the current version of authentication widely used today. Many merchants use it today, and it has been confirmed to be compliant for PSD2 by 14 September. The Schemes have announced they intend to retire this version of 3DS at some point in the future, but no date has been suggested yet. 3DS v2 is the new and improved authentication framework being delivered by EMVCo. This new specification includes an improved mobile-friendly UX ('user experience') and up to ten times more data to aid better risk decisioning for the Issuer.
Barclaycard suggests merchants use the latest version of 3DS available. If you currently do not have any 3DS at all, we recommend moving directly onto version 2.
According to the latest opinion published by the EBA, the scope of SCA is interpreted as follows:
“The EBA’s view, after discussing it with the European Commission, is that SCA applies to all payment transactions initiated by a payer, including to card payment transactions that are initiated through the payee within the EEA.”
Merchant-initiated transactions can only apply if strict conditions are met:
• The first transaction must be authenticated
• The customer and merchant have a pre-existing contractual agreement
• The customer cannot be expected to be present to perform SCA
In the case of a customer-initiated transaction, authentication is recommended at checkout. A separate authentication is not required if the final amount is lower than the one initially authenticated. If the final value is higher, a new authentication would be required for either the new total or the incremental amount.
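The decision rules above (the three merchant-initiated conditions, the TRA exemption and the final-amount check for customer-initiated transactions) can be modelled as a single pre-authorisation decision. The example below is added here and is not Barclaycard's or any scheme's code; `Transaction`, `Decision` and `decide_sca` are hypothetical names, the TRA value limit is an input supplied by the acquirer rather than a regulatory constant, and the incremental-amount option is chosen where the text allows either the new total or the increment.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Transaction:
    amount: float                     # final amount to be authorised
    merchant_initiated: bool          # MIT vs customer-initiated
    customer_present: bool            # can the customer be expected to perform SCA?
    contract_on_file: bool            # pre-existing contractual agreement
    first_txn_authenticated: bool     # was the first transaction in the series authenticated?
    authenticated_amount: Optional[float] = None  # amount SCA covered at checkout, if any


@dataclass
class Decision:
    sca_required: bool
    reason: str
    amount_to_authenticate: float = 0.0


def mit_conditions_met(t: Transaction) -> bool:
    # All three MIT conditions from the text must hold at once.
    return (t.first_txn_authenticated and t.contract_on_file
            and not t.customer_present)


def decide_sca(t: Transaction, tra_limit: float = 0.0, low_risk: bool = False) -> Decision:
    """Return whether SCA is needed and, if so, for what amount.

    tra_limit is the acquirer-set value ceiling for the TRA exemption (assumed input);
    low_risk is the acquirer's own risk assessment of this transaction.
    """
    if t.merchant_initiated:
        if mit_conditions_met(t):
            return Decision(False, "MIT: all conditions met, out of SCA scope")
        return Decision(True, "MIT conditions not met", t.amount)

    # Customer-initiated with an earlier authentication at checkout:
    # a final amount at or below the authenticated amount needs no new SCA;
    # a higher final amount needs SCA for the increment (or the new total).
    if t.authenticated_amount is not None:
        if t.amount <= t.authenticated_amount:
            return Decision(False, "within previously authenticated amount")
        return Decision(True, "exceeds authenticated amount",
                        t.amount - t.authenticated_amount)

    # Acquirer TRA exemption request: the issuer still has the final say.
    if low_risk and t.amount <= tra_limit:
        return Decision(False, "TRA exemption requested; issuer may still challenge")

    return Decision(True, "customer-initiated, no prior SCA or exemption", t.amount)
```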