SCA, 3DS 2.0 & You: Everything Businesses Need to Know About Taking Payments

What You’ll Learn:

Everything you need to know about PSD2, SCA, 3DS 2.0 and what MPP Global is doing to enable you to be fully compliant when taking payments.

By now, you’re probably already aware that the European Payments Services Directive 2 (PSD2) became law in January 2018, aiming to improve innovation, consumer protection, security and reduce costs across the payments industry. Since PSD2 came into effect, the European Commission have drafted and introduced Regulatory Technical Standards (RTS), kickstarting a grace period for banks and businesses to be compliant with a series of technical payment standards. The major change impacting MPP Global’s clients surrounds the idea of Strong Customer Authentication (SCA) which is required by September 14th, 2019. 

MPP Global is already working closely with its best-of-breed partners within the payments chain and is set to deliver a suite of tools necessary for its clients to ensure that they are ready for the SCA deadline, but for now here’s everything you need to know about compliance. 

What is PSD2?

The original Payment Services Directive was adopted by the EU in 2007, establishing a single market for payments and encouraging the creation of more secure payment services. In November 2015, PSD2 was adopted and it aims to:  

• Make it easier and safer to use internet payment services 
• Better protect consumers against fraud, abuse, and payment problems 
• Promote innovative mobile and internet payment services 
• Strengthen consumer rights 
• Strengthen the role of the European Banking Authority (EBA) to coordinate supervisory authorities and draft technical standards 

What Does it Mean to Your Business?

The key change within PSD2 likely to impact our clients is enhanced security measures through the Regulatory Technical Standards (RTS) for Strong Customer Authentication (SCA). The best way to address the needs of SCA for card payments online is to adopt the new version of 3D Secure – 3DS 2.0 – as part of the checkout, so here’s more information about what that means for you:  

Strong Customer Authentication (SCA)

3D Secure 1.0 (3DS 1.0) didn’t exactly go to plan, with impacts to user experience, issues with currencies and legislation inconsistencies per country. Furthermore, forcing the end-consumer to be redirected to a basic looking page to authenticate was always going to be a barrier to conversion as was the requirement to register beforehand (which is not the case with 3DS 2.0). It was an optional feature, with only a handful of merchants making it a requirement.  

3D Secure 2.0 (3DS 2.0) seeks to address the issues with 3DS 1.0 and enhance the experience & revenue opportunities, becoming a mandatory basis for processing card payments online. However, this is where 3DS 2.0 enables merchants to strive towards true frictionless payments, opposed to challenged.  

Frictionless Payments

PSD2 opened a world of banking data that can be passed between merchant and issuer to accelerate and provide the issuer with enough confidence to authenticate the transaction without having to ‘challenge’ the consumer. Being able to capture more data during the checkout process, increases the chances of the payment flow being frictionless and unchallenged, but there is a requirement that the data must be captured upfront for this to work. This can include data such as billing address, email address, phone number or even IP address, all of which helps the issuer validate the consumer a little more. 

Challenged Payments (SCA)

However, should the merchant only capture the bare minimum of data upfront, Secure Customer Authentication validates the identity of the consumer in a slightly new way. Consumers will have to validate their identity in 2 forms during a typical checkout process, with the consumer being presented 3 options to do so. The 3 options are as follows: 

• Knowledge – something only the consumer would know, for example: a password, a pin-code or ID 
• Possession – something the consumer would own, for example: a bank card or a registered mobile phone 
• Inherence – something the consumer is, for example, a fingerprint or an iris scan 

One of the key issues with 3DS 1.0 was the user experience for the consumer. 3DS 2.0 aims to remove the redirect to authenticate, by enabling businesses to use certified SDKs and APIs to authenticate as part of the checkout journey, making it a more seamless process both to integrate, and to convert, whether that be in a web page or mobile app. 

What Does SCA Cover?

As with any new regulation, there are always exemptions and areas that aren’t currently covered, examples of which are: 

• Mail Order/Telephone Order Transactions: MOTO transactions are not considered to be online payments, so are out of the scope of the regulation 
• Low Value Transactions: Transactions under 30 EUR can be exempt from SCA. However, the issuing bank will keep track of the amount of online payments made, and SCA will need to be applied if either: 
  • The total amount attempted without SCA being applied per 24 hours is higher than 100 EUR across all cardholder transactions 
  • The total number of attempted transactions without SCA being applied reaches 5 consecutive transactions, again across all cardholder transactions 
• Low Risk Transactions:  The ability for a payment to be considered low risk is based on the average fraud levels of the card issuer and acquirer processing the transaction and that they do not exceed the Exemption Threshold Value. Issuers are required to make a risk-based decision on whether SCA is required for an online payment 
• Fixed Amount Recurring Transactions: Subscription or recurring transactions with a fixed amount will be exempt from the second transaction onwards. Only the initial transaction will require SCA  
• Merchant Initiated Transactions: Subscription or recurring transactions as well as ad–hoc account top-up style payments could be identified as ‘merchant-initiated transactions’ which are exempt from SCA requirements. To classify as a ‘merchant-initiated transaction’ requires consumer consent when initially storing the card details as well as additional transaction flags sent within requests 
• Trusted Beneficiaries: Consumers can assign merchants to a whitelist, which are maintained by their bank. Whitelisted merchants will be exempt from 3D Secure. This allows consumers who have regular transactions with a given merchant to never need SCA from that point forward. This will take time for adoption, but in the long term should bring increased authorization rates 
• One Leg Out Transactions: Whilst it is expected that merchants would apply “best-efforts” to apply 3DS to one leg out transactions, if the issuer or the acquirer of the card are not based in the EEA it is understood this may not always be possible. Merchants should look to utilize 3DS 2.0 as much as possible, and if an issuer or acquirer cannot support then the transaction fraud liability stays with the issuer/acquirer and not the merchant  

SCA Opportunities

Regulation changes like this inevitably create work and added complications for businesses as they adapt to them, but we believe SCA will bring several benefits to the table, including:  

• Increased authorization rates with stricter authentication  
• Consumers will be more confident when buying online with stronger security measures  
• Reduced merchant fraud liability and fraudulent transaction attempts  
• A cleaner, more seamless checkout experience to reduce drop-off rates  

Next Steps

Over the previous year, preparatory work has been done by Gateways, Acquirers and Issuers to develop the necessary features for PSD2 & SCA, which have become available to PSPs from April 2019. 

MPP Global is currently working closely with its partners within the payments space to define and develop a technical solution which not only meets but exceeds the requirements for SCA.  

Here’s what we are doing:  

• Integrate with 3DS 2.0 functionality required for our EEA clients, gateways and acquirers 
• Update eSuite SDK to handle the minimum mandatory information required to pass into 3DS 2.0 as well as additional optional data points for clients to aim for frictionless payment flows 
• Update eSuite SDK to handle the presentation of the challenged payment flow 
• New REST APIs to support the 3DS 2.0 validation and authentication for minimum mandatory information as well as additional optional data points for clients to aim for frictionless payment flows 
• New REST APIs to support the presentation of challenged payment flow as well as responses to authorisation. 

MPP Global will circulate updates to our clients throughout this process over the forthcoming months, enabling clients to make any necessary changes as they become available.  

What Actions Can You Take Now?

Here are some steps you can take to get ready for SCA:  

• As well as watching out for updates from us, you can start to familiarise yourself with the legislation outlined on the EU Law website 
• Contact your Acquirers to make sure that MIDs will handle 3DS 2.0 by 14th September 2019  
• Consider how the data you currently capture from consumers allows you to aim for a frictionless payment flow, or if additional data could be collected in future 

Disclaimer 

Nothing on this blog constitutes legal advice. 

The contents of this blog are for general information purposes only. Whilst we endeavour to ensure that the information in this blog is correct, no warranty, express or implied, is given as to its accuracy and we do not accept any liability for error or omission. 

We shall not be liable for any damage (including, without limitation, damage for loss of business or loss of profits) arising in contract, tort or otherwise from the use of this blog or any material contained in it, or from any action or decision taken as a result of using or inability to use this blog or any such material.