Secure Customer Authentication (SCA) – 3DS 2.0

What’s this all about?

It came about because of PSD2.

From September 2019, all electronic payment transactions will need to be authenticated by at least two of the following three methods:

  • Knowledge: something only the user knows, such as a password
  • Possession: something only the user possesses, such as a token or mobile phone
  • Inherence: something the user is, such as a biometric (e.g. fingerprint recognition)

Why introduce SCA?

SCA (or two-factor authentication) aims to drive down fraud; however, the challenge is implementing SCA without scaring away customers or reducing acceptance rates. Today’s consumers are used to seamless engagement and frictionless transactions, so things may change a little BUT…

Show me the Exemptions!

But, there are certain exemptions to SCA that will help maintain a frictionless payment experience:

    1. Trusted beneficiaries
      Consumers can whitelist merchants they deem trustworthy with their bank so SCA is not required.
    2. Recurring transactions
      When a consumer makes a regular payment of the same amount to the same business, SCA is only required for the first transaction.
    3. Low-value transactions
      Transactions below €30 will not require SCA.
    4. Low-risk transactions
      Lower risk transactions that have undergone real-time assessment may be processed without SCA.
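
The two-of-three rule and the exemptions above, combined into one decision, as an added example (not code from the original page or from any payment provider). It models only the rules as listed here; the `Payment` fields, the method names in `CATEGORY` and the function names are assumptions made for illustration.

```python
from dataclasses import dataclass
from decimal import Decimal
from typing import Optional

# Assumed sample mapping of authentication methods to the three categories.
CATEGORY = {
    "password": "knowledge", "pin": "knowledge",
    "otp_token": "possession", "mobile_phone": "possession",
    "fingerprint": "inherence",
}
LOW_VALUE_LIMIT = Decimal("30")  # EUR; "below" means exactly 30 is not exempt

@dataclass
class Payment:  # hypothetical record, constructed for this example
    amount_eur: Decimal
    merchant: str
    first_payment_eur: Optional[Decimal] = None  # authenticated first payment of a series
    risk_assessed_low: bool = False              # result of real-time risk assessment

def is_strong(methods):
    """True only if the methods span two distinct categories.
    Password + PIN are both 'knowledge', so they count as one factor."""
    categories = {CATEGORY[m] for m in methods if m in CATEGORY}
    return len(categories) >= 2

def exemption(payment, trusted_merchants):
    """Name of the first exemption that applies, or None."""
    if payment.merchant in trusted_merchants:
        return "trusted_beneficiary"
    # Recurring: same business, same amount as the authenticated first payment.
    if payment.first_payment_eur is not None and payment.first_payment_eur == payment.amount_eur:
        return "recurring"
    if payment.amount_eur < LOW_VALUE_LIMIT:
        return "low_value"
    if payment.risk_assessed_low:
        return "low_risk"
    return None

def decide(payment, trusted_merchants=frozenset(), methods=()):
    """Return (outcome, reason): 'exempt', 'authenticated' or 'challenge'."""
    reason = exemption(payment, trusted_merchants)
    if reason:
        return ("exempt", reason)
    if is_strong(methods):
        return ("authenticated", None)
    return ("challenge", None)
```

A recurring payment whose amount changes falls out of the exemption in this model and is challenged like any other payment.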

How will SCA impact the customer journey?

The first thing to be aware of is that this move towards SCA across almost all European eCommerce traffic will certainly see a large decrease in online payment fraud. This is the driving force behind the SCA requirements and for both merchants and consumers, this can only be seen as a good thing, right?

The second thing to remember is that these changes will impact all online merchants, regardless of their vertical or industry. Working with your payment provider to ensure you’re utilising all of the exemptions you can and keeping your customer journey as frictionless as possible will be a key way that you can stay ahead of your competitors.

3DS 2.0?

A new version of the 3D Secure protocol – 3D Secure 2 – is in development by the Card Scheme group EMVCo (made up of six member organisations – American Express, Discover, JCB, Mastercard, UnionPay, and Visa).

This new version tackles many of the perceived shortcomings of the original 3D Secure solution, with improved support for mobile and other devices, a larger range of authentication methods such as biometrics, and authentication of non-payment activities to support integration with digital wallets. Additionally, it is actively being tweaked to address the needs of the European market to meet the regulatory requirements of SCA, including support for exemption flagging and whitelisting. HURRAY!

Are you READY for SCA?

Payment Services Directive – PSD2

What is PSD2?

In 2009, the European Union’s (EU’s) first Payment Services Directive (PSD) was designed to regulate payment services and providers throughout the EU and European Economic Area (EEA). The aim was to increase pan-European competition, open up the payments industry to non-banks, and create a level playing field by harmonising consumer protection and the rights and obligations of payment providers and users. New behavioural changes have called for an update to PSD, called PSD2. This will have a significant impact on the payment market for all Payment Service Providers (PSPs) and Merchants.

PSD2 implies 2 major changes for merchants:

  1. Increased innovation through Access to Accounts (XS2A).
  2. Enhanced security and reduced fraud through Strong Customer Authentication (SCA).

1. Access to Accounts (XS2A)

This is potentially one of the most transformative elements of PSD2. Previously, access to bank accounts was restricted to either the account issuer or unregulated providers using ‘screen scraping’ and consumer security credentials. Under PSD2, any regulated third party can now access a consumer’s bank account with the consumer’s consent. This gives merchants the opportunity to access data and the ability to initiate payments – banks are mandated to provide interfaces to support this access.

This change (also known as Open Banking in the UK) will lead to greater innovation in the payment industry, with new consumer experiences based on Account Information Service Provider (AISP) and Payment Initiation Service Provider (PISP) services. For example, consumers could see all their accounts in one place, or make online payments by bank transfer. Online payments by bank transfer are already very popular in the Netherlands with over 56% of payments made using this method compared with just 20% via card schemes¹.

XS2A provides two opportunities for merchants. First, access to bank data will enable the development of data insight tools, allowing merchants to offer more personalised offers. Second, merchants will be able to offer new payment methods using PISP services with lower costs and chargeback risks.

2. Strong Customer Authentication (SCA)

From September 2019, all electronic payment transactions will need to be authenticated by at least two of three possible methods:

  • Knowledge: something only the user knows, such as a password
  • Possession: something only the user possesses, such as a token or mobile phone
  • Inherence: something the user is, such as a biometric (e.g. fingerprint recognition)
