On 14 September 2019, the strong authentication obligations derived from PSD2 (Payment Services Directive 2), which significantly affect payment services, came into effect. Following the enactment of this directive, most payment transactions will require strong customer authentication (SCA). This authentication will provide greater security, lower levels of fraud, and an improved shopping experience for consumers and retail businesses.
Although we know that regulatory changes are not straightforward, we are by your side to help you adapt to the new regulations. Here is a brief summary of the main impacts:
What is SCA?
SCA or strong customer authentication is a combination of two out of three authentication factors:
- Something that you know (PIN or password)
- Something you have (a telephone, card, token...)
- Something that you are (fingerprint, voice, etc.)
When a customer makes an e-commerce purchase, they will have to use two of the three factors above to complete the operation, and it will no longer be possible to operate in a non-secure mode.
In physical stores, SCA is already in place, since a card (possession) and PIN (knowledge) are identified in a payment transaction.
Are there any exceptions to streamline the shopping experience for my customers?
The legislation proposes certain exemptions and operations not subject to double authentication. Here's what they are:
- Exemptions. SCA need not be applied in the following cases:
- Transactions for ≤ 50€ in physical stores. In Spain, contactless payments can be made without the need for your PIN for amounts of less than 20 euros or up to 5 unauthenticated transactions, up to a maximum of 150 euros.
- Transactions for ≤ 30€ in e-commerce. The card issuer will accept the operation without authenticating the customer if the operation is equal to or less than 30 euros or if, since the last authentication process, the amount accumulated in previous purchases is ≤ 100€ or the number of exempt transactions is ≤ 5.
- Exemption in unattended transport or parking terminals. Operations carried out in unattended terminals in car parks, parking lots, or transport systems.
- Recurrent payments: operations with the same amount, frequency and beneficiary. Authentication is required for the first transaction. Subscriptions initiated before SCA enters into effect will not have to be authenticated again.
- Exemption based on TRA (Transaction Risk Analysis). In remote operations, payment service providers are not required to apply SCA when risk analysis determines that the risk level is low.
- White list of beneficiaries. Cardholders may designate shops as trusted beneficiaries, provided that the retailer has a prior agreement with their financial institution. SCA will be required prior to this designation.
- Exclusions. Some operations fall outside the scope of this new Directive and, therefore, will remain unchanged.
- "One leg transactions": when one of the two parties is outside the European Economic Area.
- MOTO operations: in which payment was initiated by telephone, mail or email. Most Key Entry operations are included.
- Payments made with anonymous prepaid cards, loyalty cards...
- MIT (Merchant Initiated Transactions): Payment operations initiated by the retailer, without the buyer being present, as long as there is a pre-existing agreement between retailer and buyer. SCA is required for the first purchase. Repeat payments for varying amounts can be classed as MIT (bills). Also for digital subscriptions without a fixed amount, online advertising campaigns, or extra charges in car rentals or hotel bookings ...
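The low-value e-commerce exemption above is a stateful rule: the issuer must track, per card, how much has been spent and how many transactions have been exempted since the last strong authentication, and reset both once SCA is performed. The following is an added illustration written for this page, not code from the original or from any issuer or payment processor. It assumes, as an interpretation, that all three limits must hold at once (single amount ≤ 30 €, cumulative exempt spend since last SCA ≤ 100 €, at most 5 exempt transactions), that failing any of them triggers SCA, and that a completed SCA resets the counters; the `CardState` and `assess` names and the sample purchase sequence are constructed for the example.

```python
# Added example (not from the original page): a simulated issuer-side check of the
# PSD2 low-value exemption for remote (e-commerce) card payments.
# Assumption: the exemption applies only when all three limits hold at once
# (per-transaction <= 30 EUR, cumulative since last SCA <= 100 EUR, exempt count <= 5);
# a transaction that fails any limit triggers SCA, and a completed SCA resets the counters.
from dataclasses import dataclass, field

SINGLE_LIMIT_EUR = 30.0
CUMULATIVE_LIMIT_EUR = 100.0
MAX_EXEMPT_COUNT = 5


@dataclass
class CardState:
    """Per-card counters the issuer keeps since the last strong authentication (hypothetical)."""
    exempt_total_eur: float = 0.0
    exempt_count: int = 0
    history: list = field(default_factory=list)


def assess(state: CardState, amount_eur: float) -> str:
    """Return 'EXEMPT' or 'SCA_REQUIRED' for one remote card payment, updating the state.

    Every decision and its reasons are appended to state.history so it can be audited.
    """
    reasons = []
    if amount_eur > SINGLE_LIMIT_EUR:
        reasons.append(f"amount {amount_eur:.2f} EUR exceeds {SINGLE_LIMIT_EUR:.0f} EUR")
    if state.exempt_total_eur + amount_eur > CUMULATIVE_LIMIT_EUR:
        reasons.append("cumulative exempt spend since last SCA would exceed 100 EUR")
    if state.exempt_count + 1 > MAX_EXEMPT_COUNT:
        reasons.append("more than 5 exempt transactions since last SCA")
    if reasons:
        # SCA challenge is issued; once completed, the counters start again from zero.
        state.exempt_total_eur = 0.0
        state.exempt_count = 0
        state.history.append(("SCA_REQUIRED", amount_eur, reasons))
        return "SCA_REQUIRED"
    state.exempt_total_eur += amount_eur
    state.exempt_count += 1
    state.history.append(("EXEMPT", amount_eur, []))
    return "EXEMPT"


def run_sequence(amounts):
    """Apply assess() to a sequence of purchases made with one card."""
    state = CardState()
    return [assess(state, a) for a in amounts]


if __name__ == "__main__":
    # Constructed sample: four small purchases, a fifth that crosses the cumulative cap,
    # a small purchase after the reset, then one above the single-transaction limit.
    sample = [25.0, 25.0, 25.0, 20.0, 10.0, 12.0, 45.0]
    for amount, verdict in zip(sample, run_sequence(sample)):
        print(f"{amount:6.2f} EUR -> {verdict}")
```

The point to notice is the fifth purchase: 10 € is well under the single-transaction limit, yet it still requires SCA because the running total would reach 105 €. A merchant cannot predict that from the amount alone, which is why the issuer, not the retailer, decides whether the exemption applies.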
In order to meet all PSD2 requirements and take advantage of the benefits it offers, you will need to adapt to the new 3DS 2.X. Although the deadline for setting up this enhanced authentication process was late 2020, according to the industry plan defined among the Bank of Spain-approved retail and banking associations, SCA in e-commerce had to be operational as of June 2020.
Do I have to implement it?
- If you have a virtual PoS Terminal with non-secure e-commerce, remember that you must switch over to secure e-commerce and, therefore, your PoS terminal must be adapted in line with the 3DS protocol.
- If you have a virtual PoS Terminal and are already a secure merchant, you can now authenticate customers using SCA. However, to be able to comply with all aspects of 3DS you will need to adapt to the new version of the 2.x authentication protocol.
In particular, thanks to this modification, your Virtual POS will allow you to do the following:
- Only with the new 3DS 2.X protocol can you apply for exemptions to strong authentication. For example, it enables you to apply risk-based exemptions, using significantly more transaction and customer data elements to securely authenticate most transactions without requiring strong customer authentication. This is known as frictionless authentication.
- Compatibility with new mobile application environments that enable mobile authentication for a smoother user experience, even when SCA is required.
- Better integration with the customer's payment experience, to continue making purchases more convenient.