Last modified: March 28, 2019
On 14 September 2019, the Strong Customer Authentication (SCA) portion of the Revised Payment Services Directive (PSD2) goes into effect. Simply put, PSD2 allows bank customers to give third-party providers access to retrieve their account data from their banks and use it to initiate payments directly from their bank accounts. Created as a way to unify payment systems within the European Economic Area (EEA) and increase banking choices for consumers, this Directive is expected to be a game changer for banking systems at large.
While this Directive has great implications for banks and other payment providers, and the nature of consumers’ relationships with these businesses, this document focuses specifically on aspects of the Directive that impact ecommerce.
As your ecommerce and payment partner, Digital River is closely monitoring PSD2 and any implications it will have on ecommerce. We are actively preparing for the Directive and working to take full advantage of systems to ensure compliance while minimizing the impact to clients and cardholders. We will continue to keep you informed of our progress over the upcoming months.
Strong Customer Authentication
Developed to improve the security of transactions for both merchants and consumers, SCA is a mandatory component of PSD2 that will have a direct impact on businesses selling online. SCA requires businesses to provide card issuers with two-factor authentication at the time of a transaction. It requires payments to be authenticated using at least two of the following three elements:
- Something the customer knows, such as a password, PIN or security question.
- Something the customer has, such as a phone, hardware token or other device in the customer’s possession.
- Something the customer is, such as a fingerprint, facial recognition or iris scan.
The primary way ecommerce businesses will meet these authentication requirements is through 3D Secure 2.0 (3DS 2.0). Digital River is putting processes in place to support 3DS 2.0 and will keep you informed of our progress and how this could impact your business.
When Does SCA Apply?
SCA is required when both the acquirer and issuer are located within the EEA (all EU member countries plus Norway, Iceland and Liechtenstein).
However, it’s important to note that a vast majority of transactions likely won’t be challenged since banks and card issuers already have systems in place to automatically recognize legitimate transactions, and 3DS 2.0 will provide banks with additional data points to improve decisioning.
Additionally, there are some notable exemptions to which transactions require SCA.
(Please note: this is not an exhaustive list of exemptions, and the Regulatory Technical Specifications continue to make updates to the regulation. It is important that you refer to the European Banking Authority to stay current on all aspects of SCA and PSD2.)
- Trusted beneficiaries – Consumers can add businesses they trust to a list of trusted beneficiaries held by an issuing bank. It is up to each bank if it wants to offer this exemption option, and it is still unclear if and how banks will choose to offer the ability to add a beneficiary.
- Low-value transactions – Low-value transactions are those that total less than €30 each, but no more than five transactions in a row on a single payment instrument can waive SCA using this exemption.
- Recurring transactions – Merchants offering a subscription must apply SCA to the first transaction but can take advantage of this exemption as long as the payment amount and recipient are the same. If the subscription is a varying payment amount, SCA could be required unless another exemption can be applied.
Given consumers’ desire for an easy, seamless buying process, it is understandable that many merchants are concerned this added authentication step will cause too great a disruption to the buying process, leading to an increase in cart abandonment. We anticipate that the reduction of fraud will actually increase consumer confidence in shopping online, and so will benefit the growth of ecommerce in the long term. Further, Digital River is actively working with our partners to identify transactions that either fall outside the scope of the Directive or are exempt from the Directive so we can help lessen the impact to your business.
That being said, brands should create the least disruptive buying process, while maintaining PSD2 compliance. Some tips to strike this balance include:
- Offer eWallet payment methods. eWallet payment methods such as Apple Pay, Google Pay, PayPal and more, which have two-factor authentication already built into the process, will become an even more essential component of a brand’s overall ecommerce payment mix.
- Find partners with extensive banking relationships. To comply with the sheer volume of transactions, banks will prioritize low-risk transactions for exemption. Having been in the payment processing business for 25 years, Digital River has well-established relationships with banks and acquirers around the world. Our clients automatically get full advantage of this expertise to ensure maximum authorizations and conversions.
- Use monitoring to optimize the most efficient payment processors. Digital River’s sophisticated payment monitoring and analytics tools mean we can monitor authorization rates and look for inconsistencies or outliers. We automatically route traffic to higher performing methods and push partners for higher authorization rates.
- Build out mobile capabilities. Unlike 3DS 1.0, 3DS 2.0 was designed specifically for mobile and tablet capabilities. By offering a mobile buying experience, brands can give consumers a way to seamlessly authenticate their purchase.
Please note that this is a high-level summary of potential PSD2 impacts to ecommerce and does not cover all of its complexities and nuances. As such, if you have any follow-up questions, please reach out to your Client Success Team or Digital River’s Compliance Team at firstname.lastname@example.org.
Disclaimer: This document is intended for informational purposes only and not for the purposes of providing legal advice as Digital River is not engaged in rendering legal or other professional advice. As such, this fact sheet is not a substitute for the advice of an attorney or other expert. If you require legal or other expert advice, you should contact an attorney or other expert to obtain advice with respect to any issue. Also, the information is current as of March 2019 and this information could change based on additional interpretation and guidance received. Finally, given the complexity of PSD2, this document is meant to be a general overview of the situation rather than outlining all its complex considerations.