Originally pencilled in to come into effect on 14 September 2019, new requirements for authenticating online payments are being introduced in Europe as part of the Second Payment Services Directive (PSD2).
What is Strong Customer Authentication
Under PSD2, payment providers (issuers) will be required to implement Strong Customer Authentication (“SCA”). In practice this means users must be identified by at least 2 of the following elements:
- Something you are (such as a fingerprint/facial recognition)
- Something you have (such as a card/ token generator)
- Something you know (PIN/Password)
In the UK last month, the Financial Services Authority agreed to a phased implementation over 18 months due to technical challenges and the estimated negative impact on the eCommerce sector.
“The FCA will not take enforcement action against firms if they do not meet the relevant requirements for SCA from 14 September 2019 in areas covered by the agreed plan, where there is evidence that they have taken the necessary steps to comply with the plan. At the end of the 18-month period, the FCA expects all firms to have made the necessary changes and undertaken the required testing to apply SCA.”
But there are further complications: if you trade with the EEA, each country’s National Financial Regulator has a different timetable for the implementation of SCA. Many of the regulators have announced limited enforcement but have yet to officially confirm the length of the delays and any intermediary milestones.
So how should you manage the rollout of SCA?
Many of the payment providers such as Adyen, Stripe and Klarna already have SCA compliant systems in place and are monitoring the national regulators closely so that SCA is implemented in line with local regulations.
This is a perfect time to review your payment options and ensure that you minimise friction, optimising your checkout options in line with local purchasing behaviour and payment preferences. Also, since the primary objective of the Directive is to protect consumers and businesses from fraud, planning your next steps now would be a good strategy.
3D Secure and SCA
3D Secure 1 was introduced way back in 2001 and the payment flow is as follows.
The customer enters their card details and is then redirected to a co-branded banking page, which requires an additional password or code to complete the transaction. This provides an extra layer of security, with the liability for chargebacks due to fraud passing to the customer’s bank.
Unfortunately, this extra layer of security can frustrate the customer and lead to an abandoned cart. In addition, the banks require the customer to create and remember static passwords that can easily be forgotten, again increasing cart abandonment.
3D Secure 2
To deal with the shortcomings and friction of 3D Secure 1, a collaboration of 6 major card issuers set up the organisation EMVCo and developed Three-Domain Secure (3DS), a messaging protocol that enables consumers to authenticate themselves with their card issuer when making card-not-present (CNP) e-commerce purchases.
3D Secure 2 allows merchants and their payment provider to send more data elements on each transaction to the cardholder’s bank. This includes payment-specific data such as the shipping address, as well as contextual data such as the customer’s device ID or previous transaction history.
The cardholder’s bank can choose a different checkout flow based on the risk level of a transaction:
- If the data is enough for the bank to decide that the real cardholder is making the purchase, the transaction goes through and the authentication is completed without any additional information from the cardholder.
- If the bank decides there is not enough information and it needs further proof, the customer is sent through the “challenge” flow and asked to provide additional information to complete the payment.
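The risk-based decision described above, as an added illustration that is not part of the original post and not EMVCo’s 3DS specification: a constructed, simplified issuer-side model that scores the data elements the post mentions (device ID, shipping address, transaction history) to choose between the frictionless and challenge flows, and, when a challenge is required, checks the SCA rule that the two elements must come from different categories.

```python
from dataclasses import dataclass
from enum import Enum

# SCA element categories as listed in the post.
class Factor(Enum):
    KNOWLEDGE = "something you know"    # PIN / password
    POSSESSION = "something you have"   # card / token generator
    INHERENCE = "something you are"     # fingerprint / facial recognition

@dataclass
class Transaction:          # hypothetical subset of 3DS2 data elements
    amount: float
    device_id: str
    shipping_address: str

@dataclass
class CardholderHistory:    # what the issuer already knows about the cardholder
    known_devices: set
    past_shipping_addresses: set
    typical_max_amount: float

def satisfies_sca(factors) -> bool:
    """SCA needs at least two elements from *different* categories.
    A PIN plus a password is two knowledge elements, so it does not qualify."""
    return len(set(factors)) >= 2

def risk_score(tx: Transaction, history: CardholderHistory) -> int:
    """Constructed scoring: unfamiliar device or address weigh most,
    an unusually large amount adds a little."""
    score = 0
    if tx.device_id not in history.known_devices:
        score += 2
    if tx.shipping_address not in history.past_shipping_addresses:
        score += 2
    if tx.amount > history.typical_max_amount:
        score += 1
    return score

def authenticate(tx, history, presented_factors, challenge_threshold=2):
    """Low risk -> 'frictionless' (no cardholder interaction).
    Otherwise the challenge flow applies: the presented factors must
    satisfy SCA ('challenge-passed'), else the payment is 'declined'."""
    if risk_score(tx, history) < challenge_threshold:
        return "frictionless"
    return "challenge-passed" if satisfies_sca(presented_factors) else "declined"
```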
The benefits of 3DS2 are clear: compliance with PSD2 and a much-improved customer journey, reducing both cart abandonment and fraudulent transactions.
The use of 3D Secure 2 will be contingent on the uptake by individual card issuers and, as with PSD2, the widespread implementation will take time and vary by country. It’s anticipated that support for both methods will co-exist well into 2020.
For more information please feel free to reach out to our team or review our partners’ guidance on the regulations.
In short, PSD2 should not be viewed as a huge headache but as an opportunity for businesses to re-assess their approach to a better customer experience. Investing in solutions implementing 3DS is a way of ensuring PSD2 regulations are met, whilst diversifying your offering and capitalising on the latest payment revolution. Get ready (eCommerce) world, PSD2 is coming.