PSD2's new frontier: new payment verification rules come into force in Europe

CUK77

On September 14, 2019, the next requirement of the new payment directive PSD2, Strong Customer Authentication (SCA), entered into force in Europe.

The new PSD2 (SCA) standard came into force on September 14.
The Strong Customer Authentication (SCA) standard introduces new rules for authenticating users who want to make an online payment. Under these rules, online merchants have to add extra customer verification to the payment (checkout) process. In other words, where card data plus a one-time password used to be enough, at least two security elements are now needed to confirm that there is an honest buyer, not a fraudster, on the other side of the screen.

For authentication, the following parameters can be combined: PIN codes or passwords, an identifier of the device from which the payment is made, and the buyer's biometric data. Two indicators from these groups are enough.

Under the new legislation, banks will have to reject transactions that do not meet SCA requirements. This affects all card payments in EU online stores that are initiated by a European buyer. Recurring direct debit payments and settlements in traditional (physical) stores, on the other hand, are not subject to the new requirements.

How to comply with SCA requirements: the new 3D Secure 2.0 standard

As part of SCA, it is necessary to use a new transaction verification protocol: 3D Secure 2.0.

It was originally designed to make identification easier: during transaction verification, various parameters of the device the payment is made from were used (browser settings, IP address, e-mail address, and so on). The idea was that the customer would not even notice that they were being identified.

With SCA in force, however, this data is no longer enough: the client will additionally be asked for a password or a biometric token. For the exceptions discussed below, a simplified identification option will be used.

How to optimize checks: exceptions to the rule

Certain low-risk payment types may be exempt from Strong Customer Authentication (SCA). Payment processors serving online stores must request these exemptions when processing a payment; the cardholder's bank then assesses the transaction's risk level and decides whether to apply the additional payment verification step.

These payments include:
  • Low-risk payments. The payment provider that serves the online store can classify the payment as safe based on its own risk monitoring system. The bank will confirm or deny this assessment.
  • Purchases up to 30 euros. Banks may not require additional identification for such transactions, unless a series of such purchases is made from the card at once.
  • Subscription payments. If the buyer pays the seller a fixed monthly amount for a certain service, the identification procedure only needs to be completed the first time.
  • Payments that merchants initiate. If a shopper has saved their card on a service like Uber, they will not have to confirm every transaction.
  • Payments to a trusted business. The buyer can select the stores they trust and make payments there without confirmation. However, not all banks support this option yet.
  • Telephone, mail order, and corporate card sales can also qualify for simplified payment verification.
However, it must be remembered that the final decision on simplified verification is made by the bank that issued the buyer's card.
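As an added illustration, and not code from the post or from any payment provider, here is a small Python model of the checkout decision described above: it checks that two different factor categories were verified and picks which exemption a processor could request, leaving the final decision to the issuing bank. The transaction fields, the order in which exemptions are tried and the five-purchase limit for the "series of small purchases" are assumptions.

```python
from dataclasses import dataclass

# Factor categories named in the post; SCA needs two *different* ones, so
# two passwords (both "knowledge") do not count.
FACTOR_CATEGORIES = {"knowledge", "possession", "inherence"}
# The post gives no number for a "series" of small purchases; 5 is an assumption
# taken from the SCA technical standard, not from the post.
MAX_LOW_VALUE_RUN = 5

def meets_sca(factors):
    """True when factors from at least two distinct categories were verified."""
    return len(set(factors) & FACTOR_CATEGORIES) >= 2

@dataclass
class Transaction:
    amount_eur: float
    eu_cardholder: bool               # payment initiated by a European buyer
    channel: str = "ecommerce"        # "ecommerce", "moto" (phone/mail) or "in_store"
    recurring_followup: bool = False  # later payment of a fixed-amount subscription
    merchant_initiated: bool = False  # card on file, merchant triggers the charge
    trusted_beneficiary: bool = False # merchant is on the cardholder's trusted list
    corporate_card: bool = False
    low_risk_by_tra: bool = False     # processor's risk monitoring rates it low risk
    low_value_run: int = 0            # sub-30-euro purchases since the last full SCA

def exemption_candidate(tx):
    """Exemption the processor may *request* for this payment, or None.
    The issuing bank still takes the final decision, as the post stresses."""
    if tx.merchant_initiated:
        return "merchant_initiated"
    if tx.recurring_followup:
        return "recurring"
    if tx.trusted_beneficiary:
        return "trusted_beneficiary"
    if tx.channel == "moto" or tx.corporate_card:
        return "moto_or_corporate"
    if tx.amount_eur <= 30 and tx.low_value_run < MAX_LOW_VALUE_RUN:
        return "low_value"
    if tx.low_risk_by_tra:
        return "transaction_risk_analysis"
    return None

def checkout_action(tx, factors=()):
    """'no_sca' (out of scope), 'request_exemption:<name>', 'authenticated' or 'challenge'."""
    if not tx.eu_cardholder or tx.channel == "in_store":
        return "no_sca"
    exemption = exemption_candidate(tx)
    if exemption:
        return "request_exemption:" + exemption
    return "authenticated" if meets_sca(factors) else "challenge"
```

A real integration would send the requested exemption in the 3D Secure 2.0 authentication request and must still be ready to run the full challenge when the issuer refuses it.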

Negative feedback from market participants

On the one hand, the new requirements will make payments more secure. On the other hand, they add hassle for market participants, who have repeatedly asked to postpone the date on which the new legislation enters into force. For example, the European Trade Association proposed moving the deadline by 18 months for standard programs and by 36 months for more complex cases, arguing that online businesses could suffer significant losses because of SCA. After all, an additional level of verification is an extra step in the checkout process, which can reduce conversion. In addition, many financial institutions are simply not technically ready for the standard: 40% of European banks will not be SCA compliant by September 14.

The world is still only discussing the implementation of the PSD2 directive and all of its components, including the more stringent identification procedures. Banks and businesses need to be prepared for these changes.