PSD2 and Strong Customer Authentication (SCA) Explained

Alexis Damen | October 27, 2020

Beginning in January 2018 some important changes happened in European regulations for electronic payment services. The regulation is called PSD2 and it’s designed to help banking services adapt to new technologies and boost innovation. Read on to learn all about PSD2 — what it does, why it’s important, and how it works.

What is PSD2?

In 2018 the European Commission amended the Payment Service Providers Directive (PSD) by enhancing the objectives of the original legislation. PSD2 strives to boost competition and innovation in the electronic payment sector, reinforce security in the payments market, improve customer protections, and facilitate the development of new methods of payment.

Why PSD2 is Important

This legislation has the power to transform banking and financial services. Banks will be required to share data across parties which forms the foundation for an open banking environment. This allows customers to seamlessly manage and move money around. It allows for new opportunities for companies to create platforms that will allow customers to better manage their money.

What PSD2 Does

PSD2 aligns the current state of the market and technology with payment regulation. It adds security requirements for initiating and processing electronic payments and better protects customers’ financial data. It also regulates third-party providers. It states who can initiate payment services and access or aggregate accounts.

PSD2 does not permit surcharges on payments made by customers in the European Union. The surcharge ban applies to all MasterCard and Visa payments. Surcharges are also banned on standard transfers and direct debits. The one exception to the surcharge ban applies to businesses. Transactions made with business or corporate cards can still receive surcharges. Where surcharges still apply, the surcharge can’t exceed the actual costs. Payment methods that fall under this rule are currently American Express and Klarna.

Customer Benefits

A customer can have a more seamless banking experience by managing all of their money in one place through an open banking platform. Applying for loans will be easier for customers because creditors can view their banking data with their permission. People with insufficient traditional credit histories can benefit from this by getting loans they may not have been approved for previously.

Major Changes to Existing Legislation

There are over 100 articles in PSD2. Some of the most significant changes include the following:

Extend the geographical reach of the legislation - If either party in a transaction, the bank, or the customer, is part of the EU the regulations apply to both parties.
Implement customer authentication - The legislation deals with fraud by mandating account holder authentication tools for all electronic payment operations. Payment service providers and financial institutions must use two-factor authentication, also known as strong customer authentication, or SCA.
Recognize payment services providers - Proven innovators in the digital payment space are empowered to access an official registration system where they can get the operational licenses to directly access bank data with explicit customer consent.

Is PSD2 the same as online banking?

This regulation changes online transactions and banking, making online transactions more secure and creating new business opportunities in the world of online banking. PSD2 allows third-party access to customers’ payment accounts with their permission. Until now, this information has been limited to just financial institutions. This opens up the potential for new business models using this financial data. For example, third parties can better assess consumers’ creditworthiness by analyzing their financial information. PSD2 will change the face of online banking, but the regulation encompasses more than just online banking.

What is SCA?

Strong customer authentication is a strict security requirement for initiating and processing electronic payments. SCA is a requirement of PSD2.

Sometimes when you make a payment online you have to use something to authenticate the payment. Here are some examples of two-factor authentication:

Something you have, like your phone.
Something you know, like a password or a pin.
Physical proof of who you are, like your fingerprint or your face, as many smartphones are equipped to scan fingerprints or your face.

How PSD2 Defines SCA

PSD2 defines SCA as “an authentication based on the use of two or more elements categorized as knowledge (something only the user knows), possession (something only the user possesses), and inherence (something the user is). These must be independent of one another, in that the breach of one does not compromise the reliability of the others, and is designed in such a way as to protect the confidentiality of the authentication data.”

SCA Exemptions

The purpose of PSD2 is to require SCA for all online transactions. However, there are some SCA exemptions that your acquirer can request when appropriate.

These exemptions provide a frictionless customer experience for transactions that are categorized as low risk. The cardholder doesn’t have to pass through two-factor authentication (2FA).

Here we’ve outlined the most relevant exemptions from SCA:

Contactless payments at point of sale (POS) terminals - POS transactions that are €50 or less are exempt from SCA. Consecutive contactless transactions cannot exceed €150. And the number of contactless transactions in are row — that are SCA exempt — cannot be greater than five.

Whitelisted merchants - Customers can add merchants to a whitelist of “Trusted Beneficiaries” that are confirmed by their bank. An SCA challenge must be completed in the process, which enables customers who shop with you regularly to complete future purchases without SCA. Once you’re whitelisted, your business is exempt from 3D Secure.

Recurring transactions - For recurring or subscription transactions SCA is required when the payment is set up. In some cases, this happens during the first transaction of the series that is initiated by the cardholder.

Low value transactions - Online payments less than €30 don’t require SCA. Transactions without SCA cannot exceed €100 and the number of SCA exempt transactions in a row cannot exceed five.

B2B transactions - Transactions made between two corporations are SCA exempt when using a payment method that is strictly dedicated to corporate payments versus individual payments.

Transaction Risk Analysis (TRA) - SCA is exempt when the payment service provider (PSP) has effective risk analysis tools in place. If the PSP can determine that the payment is low risk, the issuer is the deciding factor on whether SCA must be applied.

To apply this SCA exemption, the value of the transaction must be below €500, and the acquirer or issuer must have fraud rates below the following thresholds:

Transactions <€100: 0.13% fraud rate

Transactions €100-€250: 0.06% fraud rate

Transactions €250-€500: 0.01% fraud rate

There's an exhaustive list of SCA exemptions and regulatory interpretation, banks, and schemes impact each scenario.

Our Dynamic 3D Secure services will help you maneuver payment security and automatically use exemptions when possible. Your customers will not need to authorize transactions unless it’s absolutely necessary.

Further reading: Your Guide to Payments Terminology

What are TPPs?

Third-party Payment Providers (TPPs) are defined as part of PSD2. These are the external parties involved in open-banking. PSD2 regulates the expectations for how TPPs should operate. Here are examples of TPPs:

Payment Initiation Service Providers - A PISP authorizes payments on behalf of account holders, integrating with online banking services to initiate and process outgoing transactions.
Account Information Service Providers - An AISP provides online financial services like spending analysis or account aggregation by tapping into customer account information.

Prepare for PSD2 with 3D Secure 2.0

A good way to prepare for PSD2 is by using 3D Secure 2.0. This software is compliant with PSD2 and brings added security benefits to your customers right now. Some of the benefits of using 3D Secure are:

Reduced risk of fraud - Additional layers of security protect customers from online fraud.
More protection for merchants and customers - Customer's card information has additional protection. Merchants have additional protection against chargebacks. It’s a win-win.
Improved customer experience - Happier customers lead to more sales.
More international transactions - Expand your e-commerce business’ reach to new countries with added security for your customers.
Be ahead of the game for PSD2 compliance - The extended deadline for PSD2 compliance is December 31, 2020. Using 3D Secure 2.0 takes care of many of the requirements to be compliant.

PSD2 Implementation and MONEI

The result of PSD2 is a more integrated European payment market, ensuring online payments are safer and more secure, protecting you and your merchants. To ensure that your e-commerce transactions meet SCA requirements, it’s recommended that you support 3D Secure 1 and 3D Secure 2 and we can help you with this.

Alexis Damen

Alexis Damen is the Head of Content at MONEI. She loves breaking down complex topics about payments, e-commerce, and retail to help merchants succeed (with MONEI as their payments partner, of course).

#Payment Security #Online Payments #Fintech