What is PSD2 and SCA regulation?
PSD2 stands for Payment Service Directive version 2, which came into effect in January 2019. It’s applicable to transactions where both the issuing bank and/or the merchant card issuing bank are within the European Economic Area. There are two reasons for this new EU regulation:
– Improve security and reduce fraud in electronic payments. This is where the SCA part comes in: Strong Customer Authentication, which comes into force on 14th September 2019.
– Encourage innovation and competition amongst payment companies, which is quite exciting as it means that it won’t just be the banks who can offer payment services. The hope is that this will lower processing costs.
What is 3D Secure?
The most common way for companies to comply with the PSD2 regulation and SCA is a 3D Secure process, which your merchant account provider should have told you about. 3D Secure should be seen as an additional safety net that shoppers will have to use to prevent fraud and chargebacks. It works by shoppers using two out of the three security elements below:
– Identifying who they are, i.e. using a fingerprint or other biometrics
– Using a pre-registered device or token system
– Using a password or PIN
Customers are used to using at least one of the above, especially with the increased use of mobile payments such as on iPhones. However, 3D Secure will now provide much-needed additional authentication for online purchases.
How does 3D Secure work for the customer?
Issuing banks will carry out a Risk Authentication score prior to full authorisation of transactions. This will include:
– Value of transaction
– If the customer is a new or returning customer
– Transaction history
– Device information
– Behavioural history
The ‘level of risk’ following this assessment will then determine one of the following security routes:
– No additional checks needed, i.e. they are happy with the low-risk outcome of the assessment above
– Additional information needed to authenticate the customer, using one of the three methods mentioned in the SCA process above.
Exemptions to SCA regulations
Although SCA should no doubt be at the centre of any online purchase, there are some exclusions:
– Transactions under €30
– Low-risk transactions up to €500 (the merchant must have a low chargeback and fraud rate for this to be applicable)
– Business-to-business transactions
– MOTO payments (mail order and telephone order), for example IVR
– Repeat or recurring payments such as subscriptions, also known as MIT (Merchant Initiated Transactions)
– Payments where the acquiring bank is outside of the EEA
– Trusted listings – where the customer can ask for the merchant to be a part of their trusted payments list
Am I responsible for ensuring SCA?
It falls to the banks or issuers to provide adequate authentication in line with PSD2; however, that’s not to say that none of the obligations lie with you, the merchant. For example, some banks will not process transactions from merchants if they do not meet expected standards of SCA. If you have been served notice by your existing provider, speak to our brokers today for assistance.
How do I meet SCA requirements set by my merchant bank?
Your existing merchant banks will contact you with the procedures which you must follow to ensure you can continue to accept transactions following 14th September 2019. Ordinarily this will include a step-up process which ensures the customer journey is SCA-centric and allows merchants to set their exemptions where required.
Consequences for not being PSD2 compliant
The FCA have recently announced that they will not be taking immediate action against those who are not PSD2 compliant by the deadline; however, the pending regulations are not to be ignored.
How do I reduce checkout bounce rates following PSD2 regulations?
Understandably, merchants are concerned about how the new SCA regulations will influence the customer journey and, more specifically, bounce rate at checkout. Although the new regulations are not to be ignored, offering customers more choice when it comes to payments could limit failed transactions while also providing Strong Customer Authentication in alternative ways. An example of this is using IVR solutions to allow customers to call and automatically pay over the phone, which currently doesn’t fall under PSD2.
Questions about PSD2?
Our brokers are happy to assist with questions you may have surrounding the new PSD2 regulation. Call and speak with us today.