The payments landscape is undergoing a number of transformations across the globe, and the ACT is heavily involved in engaging with policymakers, regulators and members to ensure that the voice of the treasury profession is heard. Strong Customer Authentication (SCA) will need to be adopted by 14 September 2019. Failure to prepare may result in lost sales in the short term and damage to reputation in the longer term. In a recent MasterCard survey of small merchants, only 42% felt they would be ready by the deadline. This article provides some background to the introduction of SCA and some actions to be taken.
The second Payment Services Directive (PSD2) entered into force in January 2016 and required national legislation to be passed by 13 January 2018, with payment service providers required to comply with the Regulatory Technical Standards on Strong Customer Authentication by 14 September 2019. PSD2 aims to bolster innovation and competition in the payments space. It has four key objectives:

Consumers are the first to see the benefits of these developments, with account aggregation tools from banks and fintechs such as Yolt, budgeting and saving tools, and spending analytics. Businesses stand to benefit from projects such as enhanced payment data, which will improve the efficiency of account reconciliation processes, and Request to Pay, which will improve customer engagement and enrich payment data. A key component of PSD2's security requirements is SCA.
PSD2 requires authentication based on two or more independent elements drawn from at least two of the three categories, namely knowledge (something only the user knows), possession (something only the user possesses) and inherence (something the user is), commonly known as 'two-factor authentication'. Two elements from the same category, such as a password and a memorable answer, do not qualify. It is the issuer that will be required to put in place the authentication measures of its choice. This opens up the risk that a merchant could see different approaches applied to its customers. Merchants will be responsible for incorporating this into back-end e-commerce solutions. It is applicable to transactions in the European Economic Area (EEA) only, where the payment service providers of both the payer and the payee are in the region. However, there are a number of exemptions from two-factor authentication, which are described below.
Currently, additional authentication is required on an exception basis, ie where the risk of the transaction is regarded as 'high'. In this situation, it may be triggered via 3D Secure (3DS), commonly known as a 'step-up'. After September 2019, additional authentication becomes the default, and all qualifying transactions will have to be stepped up unless an exemption applies. In a 'card present' scenario, the convenience of contactless at point of sale remains for low-value transactions (below €50; the UK limit is £30). Chip and PIN, which already combines possession of the card with knowledge of the PIN, remains the common practice in the EEA above the contactless limit. However, for remote electronic payments (ie when someone is shopping online) and credit transfers, additional authentication will be required unless an exemption applies or the issuer's risk assessment allows otherwise, as noted below.

The application of 3DS today is optional. Merchants have the discretion to route a transaction through 3DS, which shifts liability for fraud-related chargebacks on authenticated transactions from the merchant to the issuer. After September 2019, it is anticipated that 95%+ of transactions will require a step-up. MasterCard has mandated that the new version of 3D Secure (version 2.2, the version that fully supports all exemption flags) be in place for issuers and merchants by April 2019 in preparation for mass adoption in September 2019. Card schemes are making changes to 3DS and driving adoption to meet the new SCA requirements. The 3D Secure 2.2 specification has been released by EMVCo. Payment service providers (PSPs), namely issuers and acquirers, and their clients will be required to meet scheme mandates for 3D Secure 2.2 to be enabled.
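As an added illustration of the two rules above (two elements from different categories, and step-up as the default with exemptions applied only by a PSP), the following Python is example code written for this article; it is not code from the ACT, a card scheme or EMVCo. The three category names follow PSD2, but the classification of individual element names, the Transaction fields, the Channel values and the function names are assumptions made for the example, and the only threshold it uses is the €50 contactless figure from the text.

```python
from dataclasses import dataclass
from enum import Enum


class Category(Enum):
    """The three PSD2 authentication categories."""
    KNOWLEDGE = "something only the user knows"
    POSSESSION = "something only the user possesses"
    INHERENCE = "something the user is"


# Assumed classification of common authentication elements. The element
# names are illustrative; the category each maps to follows the PSD2
# definitions. A one-time code delivered by SMS proves possession of the
# phone line, not knowledge, which is a frequent misclassification.
ELEMENT_CATEGORY = {
    "password": Category.KNOWLEDGE,
    "card_pin": Category.KNOWLEDGE,
    "memorable_answer": Category.KNOWLEDGE,
    "chip_card": Category.POSSESSION,
    "sms_otp": Category.POSSESSION,
    "registered_device": Category.POSSESSION,
    "fingerprint": Category.INHERENCE,
    "face_scan": Category.INHERENCE,
}


def sca_categories(elements):
    """Return the set of distinct categories covered by the presented elements.

    Unknown element names are rejected rather than silently counted.
    """
    try:
        return {ELEMENT_CATEGORY[e] for e in elements}
    except KeyError as exc:
        raise ValueError(f"unclassified authentication element: {exc.args[0]}") from None


def satisfies_sca(elements):
    """True when at least two *different* categories are present.

    Two elements from the same category (e.g. password + memorable answer)
    are not strong customer authentication, however many of them there are.
    Independence of the elements (compromise of one not compromising the
    other) must be established by design and is not checkable here.
    """
    return len(sca_categories(elements)) >= 2


class Channel(Enum):
    CONTACTLESS = "contactless"     # card present, tap at point of sale
    CHIP_AND_PIN = "chip_and_pin"   # card present, chip read plus PIN entry
    REMOTE = "remote"               # card not present, e.g. online checkout


CONTACTLESS_LIMIT_EUR = 50.0  # low-value contactless figure quoted in the article


@dataclass
class Transaction:
    amount_eur: float
    channel: Channel
    payer_psp_in_eea: bool
    payee_psp_in_eea: bool
    # An exemption is applied by the issuer or acquirer; a merchant can only
    # request one through its acquirer, so this flag is never set merchant-side.
    psp_exemption_applied: bool = False


def in_scope(tx):
    """SCA applies only when both the payer's and the payee's PSP are in the EEA."""
    return tx.payer_psp_in_eea and tx.payee_psp_in_eea


def step_up_required(tx):
    """Post-September-2019 default: step up unless out of scope, low-value
    contactless, or a PSP has applied an exemption."""
    if not in_scope(tx):
        return False
    if tx.channel is Channel.CONTACTLESS and tx.amount_eur < CONTACTLESS_LIMIT_EUR:
        return False
    if tx.psp_exemption_applied:
        return False
    return True


def authorise(tx, elements):
    """A transaction may proceed if no step-up is required, or if the
    step-up presented elements from two independent categories."""
    return (not step_up_required(tx)) or satisfies_sca(elements)
```

Note that a chip-and-PIN purchase above the contactless limit passes because the card (possession) and the PIN (knowledge) already form two categories, whereas an online checkout protected only by a password fails, which is exactly the case the step-up is meant to catch.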
In addition, we understand that card schemes are providing further enhancements so that exemption requests can flow from the acquirer through to the issuer. (Exemptions can only be applied by PSPs, not at merchant level; a merchant wishing to use one must request it through its acquirer.)
The new requirements will apply from 14 September 2019 in all member states of the EU.
Naresh Aggarwal is director – policy and technical at the Association of Corporate Treasurers