
A guide to Strong Customer Authentication (SCA) under PSD2

This article gives an overview of the new SCA regulation, what it means for online retailers, and how Barclaycard is preparing for the SCA deadline on 14 September 2019.



The revised EU Payment Services Directive (PSD2) took effect in January 2018, bringing in new rules aimed at enhancing consumer rights and reducing online fraud.

A key element of PSD2 is the introduction of an additional authentication step for online transactions over €30, known as strong customer authentication (SCA). It means customers will no longer be able to check out online using just their credit or debit card details; they will also need to provide an additional form of identification.

Why is SCA needed?

Payment fraud losses have been steadily increasing for nearly a decade with little sign of easing. The European Commission has intervened by placing SCA requirements on participants to reduce fraud as one of the core components of PSD2. From 14 September 2019, the expectation is for all ecommerce transactions to be processed via a secure industry protocol such as 3D Secure. Online transactions will need additional authentication (with some exemptions).

What is the SCA requirement?

PSD2 requires the use of two independent sources of validation, selected from two of the following three categories (commonly known as ‘two-factor authentication’):

• Something you know (e.g. PIN)

• Something you have (e.g. card/phone)

• Something you are (e.g. fingerprint)

This is applicable to transactions in the European Economic Area (EEA) only, where both payer and payee are in the region. However, there are a number of exemptions to two-factor authentication, which are described below.

It is worth noting that issuers will be required to put in place authentication measures of their choice. It will not be the merchants’ responsibility to build these.

What is changing?

The payment journey may look a little different. Today, authentication is required on an exception basis: where the risk of a transaction is regarded as ‘high’, additional authentication may be triggered via 3D Secure, the current protocol. This is commonly known as a ‘step-up’. After September 2019, additional authentication will become the new default. All qualifying transactions will be required to be ‘stepped up’ unless an exemption applies.

In a ‘card present’ scenario, the convenience of contactless at point-of-sale would remain for low value transactions (less than €50). Chip and PIN will also remain the common practice in the EEA for values above €30. However, for remote electronic payments (i.e. when someone is shopping online) and credit transfers, additional authentication will be required.


The application of 3D Secure (3DS) today is optional (3DS version 1). Merchants have the discretion to route a transaction through 3DS, enabling a shift in liability where loss occurs. After September 2019, it is anticipated that a higher ratio (95%+) of transactions will require a step-up. Visa and Mastercard will be mandating that the new version of 3D Secure (version 2.0) is in place for issuers and merchants by April 2019 in preparation for mass adoption in September 2019.

Card Schemes are making changes to 3DS and driving adoption to meet the new SCA requirements. 3DS version 2.0 specifications have been released by EMVCo. Payment service providers (PSPs), namely issuers and acquirers, and their clients will be required to meet scheme mandates for 3DS 2.0 to be enabled.

In addition, we understand that card schemes are providing further enhancements in order to flow through exemption requests from the acquirer to the issuer. Please note that the exemptions are only applicable to PSPs and cannot be applied at merchant level.

Please see below for the latest EBA guidance (but be aware that this might change):

Table 2. Summary table on who may apply an exemption (table graphic not reproduced here)

*The payer’s PSP always makes the ultimate decision on whether or not to accept or apply an exemption; the payer’s PSP may wish to revert to applying SCA to execute the transaction if technically feasible or decline the initiation of the transaction.

What is the timeline for these changes?

(Timeline graphic not reproduced here.)

Exemptions

Not all transactions will require additional authentication. PSD2 provides a number of exemptions to SCA, which can reduce friction and attrition in the customer payment journey. These are:

• Low value exemption

• Recurring payment exemption

• Whitelisting (or trusted beneficiary) exemption

• Secured corporate payment exemption

• Low risk transaction exemption (or Transaction Risk Assessment - TRA)

Low value exemption
Card transactions of €30 or less are considered low value and are generally exempt from authentication. However, if the customer initiates more than five consecutive low value payments since the last SCA, or if the cumulative value of those payments exceeds €100, SCA will be required (and the count and cumulative value start again once SCA has been applied).

Recurring payment exemption – e.g. subscription
A series of payments of the same value to the same merchant (such as subscriptions and membership fees) is exempt after the initial set-up. The initial set-up of the recurring payment will still require authentication, but all following transactions will be exempt.

Payments that are made periodically to the same payee, but where the value changes each time (e.g. a utility bill), will not benefit from the exemption.

Whitelisting (or trusted beneficiary)
Customers will have the option to ‘whitelist’ a merchant they trust. They can request to have the trusted merchant added to their record with their issuer after the first authentication is completed. Subsequent transactions with whitelisted merchants are likely to be exempt from future authentication.

However, it is worth noting that issuers can still reject this request if the customer is thought to be a high fraud risk. They will be able to ignore the whitelist (maintained by the issuer on the behalf of the customer) to challenge and request an authentication.

Secured corporate payment exemption
When the transaction is initiated by a legal person (e.g. a business) rather than a consumer, and it is processed through a secured dedicated payment protocol, the Commission is satisfied that it does not require separate authentication, provided alternative controls are sufficiently secure. This should include ‘secure virtual payments’, such as virtual cards or B2B cards.


Low risk transaction exemption (aka. TRA exemption)
This exemption has arguably the widest reach and usage. If a transaction, through a real-time risk assessment, is deemed to be low risk, an exemption could apply. However, it comes with the most complex set of conditions. To make this work, merchants have to rely on a payment service provider (e.g. an acquirer) to act upon their request. In addition, the test to trigger the exemption rests on whether the PSP satisfies the prescribed conditions, not the merchants themselves: under the regulatory technical standards, the PSP’s fraud rate for remote card payments must stay below a reference threshold that depends on the transaction amount band, and the exemption is not available above €500.

This means that, to an extent, a merchant’s ability to design and influence the payment experience is removed. While exemptions are acquirer performance based, the issuer retains the final authorisation decision as they do today.
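As an added worked example (not part of the original article and not Barclaycard’s or any issuer’s implementation), the Python below encodes the scope rule and the low value and recurring exemptions as described above, so that a practitioner can see how the per-card counters interact with a stream of transactions. The thresholds (€30, five consecutive payments, €100 cumulative) are the ones stated above; the state model (counters held per payer and reset whenever SCA is applied, and a recurring series re-baselined when it is re-authenticated at a new amount), the `Transaction` and `PayerState` types and the constructed sample transactions are assumptions for illustration. The issuer always keeps the final authorisation decision; this only derives the eligibility signal.

```python
"""Illustrative SCA exemption evaluator (added example, not Barclaycard code).

Rules as the article describes them:
  * in scope only when payer and payee are both in the EEA;
  * low value: amount <= EUR 30, but SCA once more than five consecutive
    low-value payments, or more than EUR 100 cumulative, occur since the last SCA;
  * recurring: a fixed-amount series to one payee is exempt after SCA at set-up;
    a changed amount is not exempt and triggers SCA again.
The issuer still has the final say on every transaction.
"""
from dataclasses import dataclass, field
from decimal import Decimal
from typing import Dict, List, Optional, Tuple

LOW_VALUE_LIMIT = Decimal("30")             # EUR, per transaction
LOW_VALUE_CUMULATIVE_LIMIT = Decimal("100")  # EUR, since last SCA
LOW_VALUE_MAX_CONSECUTIVE = 5                # payments since last SCA


@dataclass(frozen=True)
class Transaction:
    amount: Decimal
    payee: str
    payer_in_eea: bool = True
    payee_in_eea: bool = True
    series_id: Optional[str] = None  # set when the payment belongs to a recurring series


@dataclass
class PayerState:
    """Per-card counters an issuer would keep since the last SCA (assumed model)."""
    low_value_count: int = 0
    low_value_total: Decimal = Decimal("0")
    # series_id -> (payee, amount) captured when the series was last authenticated
    series: Dict[str, Tuple[str, Decimal]] = field(default_factory=dict)


def decide(state: PayerState, txn: Transaction) -> str:
    """Return 'out_of_scope', 'sca', 'exempt:low_value' or 'exempt:recurring'."""
    if not (txn.payer_in_eea and txn.payee_in_eea):
        return "out_of_scope"  # one-leg-out: SCA rule does not apply
    if txn.series_id is not None:
        if state.series.get(txn.series_id) == (txn.payee, txn.amount):
            return "exempt:recurring"  # same payee, same amount as authenticated set-up
        return "sca"  # first payment of the series, or the amount changed
    if txn.amount <= LOW_VALUE_LIMIT:
        count = state.low_value_count + 1
        total = state.low_value_total + txn.amount
        if count <= LOW_VALUE_MAX_CONSECUTIVE and total <= LOW_VALUE_CUMULATIVE_LIMIT:
            return "exempt:low_value"
    return "sca"


def apply(state: PayerState, txn: Transaction) -> str:
    """Decide, then update the counters the way the decision implies."""
    outcome = decide(state, txn)
    if outcome == "sca":
        # Applying SCA restarts the low-value count and cumulative value.
        state.low_value_count = 0
        state.low_value_total = Decimal("0")
        if txn.series_id is not None:
            # Set-up, or re-authentication at a new amount, re-baselines the series.
            state.series[txn.series_id] = (txn.payee, txn.amount)
    elif outcome == "exempt:low_value":
        state.low_value_count += 1
        state.low_value_total += txn.amount
    return outcome


def run(transactions: List[Transaction]) -> List[str]:
    """Evaluate a sequence of transactions for one payer, starting from fresh counters."""
    state = PayerState()
    return [apply(state, t) for t in transactions]


if __name__ == "__main__":
    # Constructed sample: six EUR 20 coffees, then a EUR 9.99 subscription.
    sample = [Transaction(Decimal("20"), "coffee") for _ in range(6)]
    sample += [Transaction(Decimal("9.99"), "stream", series_id="sub1")] * 2
    for txn, outcome in zip(sample, run(sample)):
        print(f"{txn.payee:8} {txn.amount:>6} -> {outcome}")
```

Running the sample shows the sixth €20 payment forcing SCA on the consecutive-count rule even though its cumulative value is only €120 over five exempt payments, while four €25 payments followed by a fifth trip the €100 cumulative rule first; the subscription needs SCA once at set-up and is then exempt until its amount changes.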

What is Barclaycard doing about SCA?

From the announcement of PSD2 SCA in 2017, we have been actively involved with industry discussions and have been influencing the direction of travel as the debate has developed. As the practical implications become clearer, we have taken the necessary steps to first ensure the 3DS 2.0 mandate is met, as well as exploring options to achieve the right balance between managing fraud risks and minimising disruption in the payment journey.

3DS 2.0 was one of our key deliveries in 2018, ensuring we delivered the solution in accordance with scheme rules, with 3DS 2.2 also being worked on to give merchants the option to request exemptions via their acquirer.

There are a number of challenges still to be resolved, such as when the final value of the purchase is not available for authentication at the time the transaction is initiated. We are assessing options and use cases, while working with regulators and other key market players to continue to seek clarification on the remaining unresolved industry challenges.

What should merchants consider today?

While the debate on the practicalities of implementation is still ongoing across the industry, there are actions merchants can take to pave the way for September 2019. We recommend that merchants consider how these SCA changes could affect their customer journeys and sales models. Depending on the design of the payment experience and operating model, SCA may have different implications for a merchant’s business.

Barclaycard can offer insight on the support merchants may need. We can partner with merchants on the roll out of new industry protocols, as well as continuing to help with demystifying PSD2 and SCA. This is only the beginning of a new journey. September 2019 will not be the end.

As definitions and scope evolve, the regulators and the payment ecosystem will continue to develop and find a balance between fraud prevention and a smooth customer journey. Barclaycard will continue to support this process.
