The Payment Services Directive 2 (or PSD2 for short) is a piece of EU legislation that aims to make banking safer, more transparent and more innovative. It was introduced in part to help tackle the rising levels of online fraud and it follows the launch of PSD in 2007, which helped establish an EU single market for payments. A key part of PSD2 is Strong Customer Authentication (SCA), which aims to make buying online more secure. It will mean customers will sometimes need to take extra steps to confirm their identity when shopping online.
For merchants trading in Europe the deadline for compliance was 31 December 2020. For merchants who trade in the UK only the deadline for compliance is 14 March 2022.
Simply put, SCA requires customers to take extra steps to confirm their identity when shopping online. This is also known as two factor authentication.
Since 2012, eCommerce fraud in the UK has doubled. So new legislation is being introduced to make transacting online safer and more secure.
That’s where Strong Customer Authentication (or SCA) comes in. Put simply, SCA will require an individual to use an additional authentication step to verify online payments or to login to their accounts online. It means that online payments and account servicing will be more secure than just using a single element, such as a simple password authentication.
2FA (it stands for two-factor authentication) is the method used to ensure Strong Customer Authentication.
Previously, you only used one method (or factor) when verifying an online transaction, such as logging in with a password.
Moving forward, two of the following methods when authenticating online – to make doubly sure it’s you. When authenticating, the options available are from:
Current authentication practices are based on 3D Secure (3DS), which stands for three-domain secure. 3DS v1 is the password protection that you encounter when completing an online transaction. In response to PSD2 and changes to mobile and app environment, 3DS v2 was introduced and it involves being redirected to a new page where you must input a code. In other words, it is information to authenticate yourself.
A typical eCommerce transaction would be routed through 3DS in the post-SCA world. The issuer would assess the risk, dynamically linking information about the customer, acquirer and merchants to make a risk assessment.
Acquirers have the option to request an exemption on behalf of the merchant and the Issuers have the final say over whether a transaction should be authenticated.
Authentication methods will be Issuer specific and there will be a variety of authentication methods available for Issuers to use to meet their SCA obligations.
No, you can’t. This is because SCA is part of new Europe-wide legislation (the revised Payment Services Directive, or PSD2) that changes how people make payments or service their accounts online. The new regulations will apply to all payments, not just those processed by Barclays and Barclaycard.
In many instances people buying online won’t notice any difference. SCA should only add a few seconds to the checkout time.
In some cases, where SCA is required, the level of drop outs may to increase in the short term immediately after March 2022. As a merchant, you’ll need to understand the potential impact of this on conversions and assess potential changes to their customer journeys, depending on your sensitivity to friction and customer awareness of what they need to do when prompted for authentication.
No. Depending on the risk or transaction value Barclaycard will be able to apply a number of exemptions – based, for example, on the size of the transaction or the potential for fraud. These will be applied automatically, without the cardholder having to do anything.
Whitelisting is expected to be a process where customers have the option to select to register trusted merchants of their choices with their issuers. Personalised whitelisted merchants would be controlled and maintained by the issuers for each customer alone.
TRA exemption is a risk-based approach to recognise low risk transactions do not require 2-factor authentication. Acquirer’s fraud performance determines how high the transaction value can be exempt. Acquirers can also decide which merchants they can provide this exemption to based on a variety of assessments including merchant’s fraud risk and robustness.
TRA exemptions enable you as the merchant to remain in control and risk assess transactions. Where these are deemed low risk, your consumers benefit from a more frictionless checkout without the need for separate authentication. Issuers will have final say but we expect they will largely accept acquirer TRA exemptions. The better your acquirer’s overall fraud performance, the higher value of your transactions can benefit from this exemption.
3DS v1 is the current version of authentication, which is currently widely used. The Schemes have confirmed that they will be decommissioning 3DS v1 in the future, so we strongly recommend implementing 3DS v2. 3DS v2 is the new and improved authentication framework being delivered by EMVCo. This new specification includes improved Mobile-friendly UX (‘user experience’) and up to x10 more data to aid better risk decisioning for the Issuer.
Barclaycard suggests merchants use the latest version of 3DS available. If you currently do not have any 3DS at all, we recommend moving directly onto version 2.
Your payment gateway would be doing most of the heavy lifting. If you use one of our Smartpay gateway products, please check the customer portal for more information.
The framework to process 3D Secure v2 will require changes to systems throughout the payment ecosystem for merchants, gateways and acquirers to ensure interoperability.
Merchants can flag MIT indicator within the scheme frameworks. Visa has the MIT framework leveraging credential on file. Mastercard has a similar but slightly different programme.
Provided conditions are met, Merchant Initiated Transactions (MIT) could apply and SCA is not required, as this is considered out of scope of PSD2. Those conditions are:
• First the transaction must be authenticated
• Customer and merchant have pre-existing contractual agreement
• Customer cannot be expected to be present to perform SCA
According to the latest opinion published by the EBA, scope of SCA is interpreted as per below:
“The EBA’s view, after discussing it with the European Commission, is that SCA applies to all payment transactions initiated by a payer, including to card payment transactions that are initiated through the payee within the EEA.”
Merchant Initiated Transactions can only apply if strict conditions are met:
• First transaction must be authenticated
• Customer and merchant have pre-existing contractual agreement
• Customer cannot be expected to be present to perform SCA
In the case of Customer-Initiated transaction, authentication is recommended at checkout. A separate authentication is not required if the final amount is lower than the one initially authenticated. If the final value is higher, a new authentication would be required for either the new total or the incremental amount.
