Strong Customer Authentication
Statement
From 14 September 2019, new rules were introduced that affect the way banks and other payment service providers verify that the person requesting access to an account or trying to make a payment is the person permitted to do so, and validate specific payment instructions. Due to industry concerns, the deadline for these rules has been postponed to 31 December 2020 in the EU and 14 March 2021 in Denmark, France and the UK, with a phased rollout planned before then.
The new rules, referred to as Strong Customer Authentication (SCA), are a European regulatory requirement intended to reduce online fraud and make online payments more secure.
These rules are set out in the Second Payment Services Directive 2015/2366/EU (PSD2), which applies to payment services in the EU. In the UK, PSD2 has been transposed into legislation as the Payment Services Regulations 2017 (PSRs 2017). In Ireland, PSD2 became law on 13 January 2018 with the signing of the European Union (Payment Services) Regulations 2018.
The original deadline for compliance with the Regulatory Technical Standards (RTS) on Strong Customer Authentication (SCA) under PSD2 was 14 September 2019. Due to industry concerns, the European Banking Authority (EBA) agreed to postpone the deadline until 31 December 2020. Prior to the EBA's decision, the regulatory authorities of Denmark, France and the UK had already established 18-month extensions until 14 March 2021.
Q&A
WHAT IS STRONG CUSTOMER AUTHENTICATION?
Strong Customer Authentication (SCA) ensures that all remote electronic payments are performed with multi-factor authentication, to increase the security of electronic payments. SCA requirements apply to Point of Sale and e-Commerce transactions.
SCA requires cardholder data from at least two of the following categories to be provided during the authentication process:
Something you know (something only the customer knows)
Something you own (something only the customer owns):
- Mobile phone
- Wearable device
- Token
Something you are (something only the customer is):
- Fingerprint
- Facial feature
- Voice pattern
CAN I DECIDE WHETHER TO APPLY SCA AS I DO WITH 3DS?
No. You, the merchant, must apply SCA for all e-Commerce transactions unless they are out of scope. The card issuer decides whether to challenge the cardholder for SCA. Even if a merchant flags a transaction as exempt, the issuer has the final say and may require the transaction to be authenticated. This is called a challenge flow and requires additional cardholder data to be provided.
IS SCA MANDATORY FOR ALL TRANSACTIONS?
SCA is mandatory for all e-Commerce transactions, apart from a number of exclusions (out-of-scope transactions).
WHAT ARE THE BENEFITS OF 3DS2?
3DS2 allows businesses and their payment provider to submit additional data with each transaction to the cardholder's bank (the issuer). Frictionless processing through the use of exemptions is also possible; however, the issuer may still require SCA.
Regardless of the payment device type and payment channel, 3DS2 enables a better customer experience. It is also expected that 3DS2 will:
- Increase consumer confidence in an e-Commerce environment, resulting in a greater number of consumers buying on-line
- Reduce fraud and chargebacks, with fraud-related liability protection for merchants, when SCA is applied to a transaction
- Reduce abandonment rates through a better user experience, as the enhanced data flows allow better decision-making on a transaction and therefore potentially fewer challenges
WHICH TRANSACTIONS ARE EXEMPT FROM SCA?
- Low-value transactions (under €30). However, issuers monitor these transactions, and SCA will be required once the cumulative value exceeds €100 and/or for every 5 transactions
- Low risk transactions – this is determined by the average fraud levels of the issuer and acquirer processing the transaction.
- Recurring transactions with a fixed amount will be exempt although the first transaction requires SCA (see also Merchant Initiated Transactions below which are out of scope)
- Trusted beneficiaries (whitelisted merchants) – issuers may give cardholders the option to add businesses to a "whitelist", so that customers who shop with these businesses regularly do not need SCA
- Secure corporate payments – B2B payments (between two businesses) using dedicated payment instruments designed for this purpose
For all exemptions, it is the issuer who makes the final decision. Therefore, even if the acquirer/merchant requests an exemption, the final decision is in the issuer's hands.
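As an added worked example (not eComm's or any issuer's code), the following Python sketches how an issuer-side check for the low-value exemption described above could be implemented, using the thresholds stated on this page: under €30 per transaction, €100 cumulative value and five consecutive transactions since the last SCA. The counter names, the reading of "every 5 transactions" as "up to five consecutive exempt transactions", and the reset of counters after SCA are assumptions.

```python
from dataclasses import dataclass
from decimal import Decimal
from typing import Iterable, List

# Thresholds as stated on this page (constructed constants; the issuer's
# own rule set is authoritative and may be stricter).
LOW_VALUE_LIMIT = Decimal("30")    # single transaction must be below this
CUMULATIVE_LIMIT = Decimal("100")  # cumulative value allowed since last SCA
COUNT_LIMIT = 5                    # consecutive exempt transactions since last SCA


@dataclass
class CardCounters:
    """Issuer-side counters kept per card; reset whenever SCA is applied."""
    cumulative_since_sca: Decimal = Decimal("0")
    count_since_sca: int = 0


def low_value_exemption_applies(amount: Decimal, counters: CardCounters) -> bool:
    """True if this transaction may go through without SCA under the
    low-value exemption, given what has accumulated since the last SCA."""
    if amount >= LOW_VALUE_LIMIT:                       # not a low-value payment
        return False
    if counters.cumulative_since_sca + amount > CUMULATIVE_LIMIT:
        return False                                    # €100 ceiling would be exceeded
    if counters.count_since_sca >= COUNT_LIMIT:         # five exempt in a row already
        return False
    return True


def decide(amount: Decimal, counters: CardCounters) -> str:
    """Issuer decision for one transaction; updates the counters in place.
    A merchant flagging the exemption is only a request: the issuer decides."""
    if low_value_exemption_applies(amount, counters):
        counters.cumulative_since_sca += amount
        counters.count_since_sca += 1
        return "EXEMPT"
    # SCA is applied (challenge flow); counters start afresh afterwards.
    counters.cumulative_since_sca = Decimal("0")
    counters.count_since_sca = 0
    return "SCA_REQUIRED"


def run_sequence(amounts: Iterable[str]) -> List[str]:
    """Replay a constructed sequence of amounts for one card."""
    counters = CardCounters()
    return [decide(Decimal(a), counters) for a in amounts]


if __name__ == "__main__":
    # Constructed sample: four €25 payments reach exactly €100, so the €10
    # that follows pushes the cumulative value over the limit and needs SCA.
    print(run_sequence(["25", "25", "25", "25", "10", "25"]))
```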
WHICH TRANSACTIONS ARE OUT OF SCOPE OF SCA (EXCLUSIONS)?
- "One leg out" (OLO) transactions
Transactions where the payment service provider (PSP) of either the payer (i.e. the issuer) or the payee (i.e. the acquirer) is located outside the EEA.
- Mail Order/Telephone Order (MOTO), including Virtual Terminal (VT)
MOTO transactions are not considered to be electronic payments and are therefore out of scope of the regulation.
- Merchant Initiated Transactions (MITs)
A series of payments with a fixed or variable amount that the merchant performs without direct involvement of the cardholder, e.g. subscriptions.
- Anonymous cards
E.g. an anonymous prepaid card.
Details of exclusions / out of scope transactions:
1. Anonymous prepaid cards
Payments made through an anonymous payment instrument, such as an anonymous prepaid (e.g. gift) card, are not subject to the strong customer authentication obligation.
The Issuer is the only one able to identify this type of card. The Acquirer will not be able to identify from the primary account number that the product is an anonymous product.
Action required
No action needed, as this is managed by the cardholder's issuing bank.
2. Mail Order/Telephone Order – MOTO
Payments transacted by email or telephone are out of scope for SCA since they are not considered to be electronic payments.
Action required
Ensure correct coding of your MOTO transactions for all cardholder purchase and payment scenarios.
3. "One-leg" transaction
SCA regulations apply only to transactions made entirely within the EEA. If the issuer or the acquirer is domiciled outside the EEA ("one leg out"), no SCA mandate applies.
Action required
This is managed by the payment service providers, so no action is needed from the merchant. Note that issuers and acquirers may still require SCA to be applied to "one-leg" transactions.
4. Merchant initiated transactions – MIT
SCA is required for the customer's first payment, at which point the cardholder agrees to the terms and conditions of the subsequent charges. These subsequent charges are excluded from SCA, provided that the cardholder is not present in the checkout flow (also referred to as off-session) at the time the charge occurs. This category also includes subsequent recurring payments.
Action required
None from the merchant.
eComm will flag these transactions as Recurring or MIT according to the card schemes' specifications / MIT framework, so that the issuer can approve them as not requiring SCA.
Note: The initial transaction must be authenticated with a challenge (SCA) for the following recurring / MIT transactions to be processed successfully.
WHAT IS THE DIFFERENCE BETWEEN SCA EXEMPTIONS AND EXCLUSIONS (OUT OF SCOPE TRANSACTIONS)?
An SCA exemption means that the acquirer/merchant requests an exemption (aiming for a frictionless transaction without SCA) and the issuer then decides whether SCA is required. If it is required, the issuer triggers the authentication (challenge request) flow to authenticate the cardholder. An exclusion ("out of scope" transaction) carries no authentication obligation and involves no such decision or flow, on condition that it is flagged correctly.
DOES SCA APPLY TO TRANSACTIONS TAKEN OVER THE TELEPHONE?
No. Mail order and telephone order (MOTO) / Virtual Terminal (VT) transactions are not considered to be electronic payments, and so they are out of scope for SCA. Merchants should continue to process these as usual.
WHAT IMPACT DOES SCA HAVE ON LIABILITY FOR E-COMMERCE FRAUD-RELATED DISPUTES?
When SCA is applied to a transaction, merchants/acquirers benefit from protection in the event of a fraud-related dispute. When SCA is not applied and the transaction results in a fraud-related dispute, the merchant/acquirer is liable for the fraudulent transaction.
NB: 3DS protects against fraud-related disputes. It does not protect against all chargeback disputes, i.e. non-fraud-related disputes such as goods/services not being as described or non-delivery.
The following diagram shows the merchant and issuer options and merchant-issuer liability for each option:
WHAT EXEMPTIONS ARE AVAILABLE AT ECOMM MERCHANT SOLUTIONS?
eCOMM will support all acquirer exemptions, subject to relevant risk policies and assessments, e.g. for the local market, specific business types and individual merchant risk, as applicable. eComm will be implementing a TRA exemption in 2021 and will advise you when this becomes available.
DOES THE FRAUD RATE FOR THE TRA EXEMPTIONS APPLY TO ME AS A MERCHANT?
No, it applies to the acquirer and issuer – depending on who wants to request the exemption. eComm is planning to use the TRA exemption and will confirm when this becomes available.
HOW DO I GO LIVE WITH 3DS2?
Direct API / HPP merchants may require the support of their web developer to make these changes. eCOMM is not responsible for providing you with the changes necessary for the upgrade to 3DS v2.x.
Should you fail to make the necessary changes, you will most likely see transactions being declined.
To provide the data required for 3DS2, you will need to make the necessary code changes to your gateway integration. To help you with this, we will soon provide a list of the fields required to be sent for authentication. The changes required will vary depending on your integration type and the business scenarios you support.
For the majority of merchants, the number of mandatory and recommended changes for standard payments are minimal. eCOMM will communicate the details of the use cases and changes that will need to be made.
DO I HAVE TO INCLUDE ALL THE EXTRA DATA IN THE 3DS2 REQUEST?
All available data should be provided wherever possible to ensure an optimal cardholder and merchant experience and to reduce transaction friction (challenge rate). The more information you include, the greater the chance that the issuer will not challenge the cardholder with SCA, as it leads to a more informed decision-making process.
WILL SCA AFFECT CONVERSION RATES OF MY CARD TRANSACTIONS?
Whilst the benefit of SCA will be to reduce online card payment fraud levels, it is expected that the changes may also affect conversion rates of people using their card online.
If you do not implement the changes needed to support 3DS2 you will see an increase in declined transactions.
It is possible that it will take time for cardholders to become comfortable and familiar with the process. In the short term, SCA may lead to an increased number of abandoned transactions, although the number of transactions requiring authentication is expected to decline over time. Ultimately, 3DS2 is expected to increase consumer confidence in buying online by reducing fraud and, through its enhanced data flows, abandonment rates.
If you have any queries, please contact our customer support team by emailing csr@ecomm365.com.