Strong Customer Authentication (SCA) – 3DS 2.0


What’s this all about?

It came about because of PSD2.

From 14 September 2019, electronic payment transactions in scope of PSD2 must be authenticated with at least two of the three methods below. The two factors must be independent, so that compromising one does not compromise the other:

  • Knowledge: something only the user knows, such as a password
  • Possession: something only the user possesses, such as a token or mobile phone
  • Inherence: something the user is, such as a biometric (e.g. fingerprint recognition)

Why introduce SCA?

SCA (in practice, two-factor authentication) aims to drive down fraud; the challenge is implementing it without scaring away customers or reducing acceptance rates. Today’s consumers are used to seamless, frictionless checkouts, so things may change a little BUT…

Show me the Exemptions!

But, there are certain exemptions to SCA that help maintain a frictionless payment experience. Note that the exemptions are applied by the payment service provider (the issuer, or the acquirer for risk-based exemptions), not by the merchant, and an issuer can always choose to challenge anyway:

    1. Trusted beneficiaries
      Consumers can whitelist merchants they deem trustworthy with their bank; adding a merchant to the list is itself an SCA event, after which payments to that merchant do not require SCA.
    2. Recurring transactions
      When a consumer makes a regular payment of the same amount to the same business, SCA is only required for the first transaction in the series (and again if the amount changes).
    3. Low-value transactions
      Remote transactions of €30 or less will not require SCA, subject to a cumulative limit: once the card has accumulated €100 or five consecutive exempted transactions since the last SCA, the next transaction must be challenged.
    4. Low-risk transactions
      Lower-risk transactions that have undergone real-time transaction risk analysis may be processed without SCA, provided the PSP’s fraud rate stays below the regulatory reference thresholds and the amount is within the tier that fraud rate allows.
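To make the exemption rules concrete, here is an added issuer-side illustration (example code written for this page, not from any PSP or card scheme). It keeps the per-card counters the low-value exemption depends on and resets them whenever a challenge is performed. The €30, €100 and five-transaction limits are the RTS values; the single €100 ceiling for risk-based transactions is an assumption (the lowest RTS tier), as are the payee names and amounts in the constructed test data.

```python
from dataclasses import dataclass, field
from decimal import Decimal

# RTS on SCA, Article 16: remote transactions of at most EUR 30 may be
# exempted, but only while the cumulative amount since the last SCA does
# not exceed EUR 100 and at most five consecutive exemptions have been used.
LOW_VALUE_LIMIT = Decimal("30")
LOW_VALUE_CUMULATIVE_CAP = Decimal("100")
LOW_VALUE_MAX_COUNT = 5
# Assumption for the illustration: lowest transaction-risk-analysis tier.
TRA_LIMIT = Decimal("100")


@dataclass
class CardState:
    """Issuer-side state kept per card (hypothetical structure)."""
    trusted_payees: set = field(default_factory=set)
    recurring_mandates: set = field(default_factory=set)  # (payee, amount)
    cumulative_since_sca: Decimal = Decimal("0")
    count_since_sca: int = 0

    def record_sca(self):
        """A successful challenge resets the low-value counters."""
        self.cumulative_since_sca = Decimal("0")
        self.count_since_sca = 0


@dataclass
class Transaction:
    payee: str
    amount: Decimal
    recurring: bool = False
    low_risk: bool = False  # outcome of the PSP's real-time risk assessment


def exemption_for(tx: Transaction, state: CardState):
    """Return the first applicable exemption name, or None if SCA is needed."""
    if tx.payee in state.trusted_payees:
        return "trusted_beneficiary"
    if tx.recurring and (tx.payee, tx.amount) in state.recurring_mandates:
        return "recurring"
    # Applied conservatively: the current amount is included, so the
    # counters can never end up above the RTS caps.
    if (tx.amount <= LOW_VALUE_LIMIT
            and state.cumulative_since_sca + tx.amount <= LOW_VALUE_CUMULATIVE_CAP
            and state.count_since_sca < LOW_VALUE_MAX_COUNT):
        return "low_value"
    if tx.low_risk and tx.amount <= TRA_LIMIT:
        return "transaction_risk_analysis"
    return None


def authorise(tx: Transaction, state: CardState) -> str:
    """Decide on a transaction and update the card's counters.

    Returns the exemption used, or "sca" when a challenge was required.
    """
    exemption = exemption_for(tx, state)
    if exemption is None:
        state.record_sca()  # the payer was challenged: counters reset
        if tx.recurring:
            # First payment of a series is authenticated; later ones of the
            # same amount to the same payee may use the recurring exemption.
            state.recurring_mandates.add((tx.payee, tx.amount))
        return "sca"
    state.cumulative_since_sca += tx.amount
    state.count_since_sca += 1
    return exemption


def add_trusted_payee(state: CardState, payee: str):
    """Whitelisting a payee is itself done under SCA (RTS Article 13)."""
    state.trusted_payees.add(payee)
    state.record_sca()


if __name__ == "__main__":
    card = CardState()
    for amount in ("25", "25", "25", "25", "25", "5"):
        print(amount, authorise(Transaction("shop", Decimal(amount)), card))
```

The sequence in the `__main__` block shows the caveat the page glosses over: four €25 payments go through as low-value, but the fifth would push the cumulative total past €100 and is challenged, after which the counters start again.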

How will SCA impact the customer journey?

The first thing to be aware of is that this move towards SCA across almost all European eCommerce traffic is expected to bring a large decrease in online payment fraud. This is the driving force behind the SCA requirements, and for both merchants and consumers it can only be seen as a good thing, right?

The second thing to remember is that these changes will impact all online merchants, regardless of their vertical or industry. Working with your payment provider to ensure you’re utilising all of the exemptions you can and keeping your customer journey as frictionless as possible will be a key way that you can stay ahead of your competitors.

3DS 2.0?

A new version of the 3D Secure protocol – 3D Secure 2 – has been developed by EMVCo, the payment standards body owned by six card schemes (American Express, Discover, JCB, Mastercard, UnionPay, and Visa).

This new version tackles many of the perceived shortcomings of the original 3D Secure, with better support for mobile and other devices, a larger range of authentication methods such as biometrics, and authentication of non-payment activities to support integration with digital wallets. It is also being tweaked for the European market to meet the regulatory requirements of SCA, including support for exemption flagging and whitelisting. HURRAY!

Are you READY for SCA?


Payment Services Directive – PSD2


What is PSD2?

In 2009, the European Union’s (EU’s) first Payment Services Directive (PSD) was designed to regulate payment services and providers throughout the EU and European Economic Area (EEA). The aim was to increase pan-European competition, open up the payments industry to non-banks, and create a level playing field by harmonising consumer protection and the rights and obligations of payment providers and users. Changes in consumer behaviour and technology have since called for an update to the PSD, called PSD2. This will have a significant impact on the payment market for all Payment Service Providers (PSPs) and merchants.

PSD2 implies 2 major changes for merchants:

  1. Increased innovation through Access to Accounts (XS2A).
  2. Enhanced security and reduced fraud through Strong Customer Authentication (SCA).

1. Access to Accounts (XS2A)

This is potentially one of the most transformative elements of PSD2. Previously, access to bank accounts was restricted to either the account issuer or unregulated providers using ‘screen scraping’ and consumer security credentials. Under PSD2, any regulated third party can now access a consumer’s bank account with the consumer’s consent. This gives merchants the opportunity to access data and the ability to initiate payments – banks are mandated to provide interfaces to support this access.

This change (also known as Open Banking in the UK) will lead to greater innovation in the payment industry, with new consumer experiences based on Account Information Service Provider (AISP) and Payment Initiation Service Provider (PISP) services. For example, consumers could see all their accounts in one place, or make online payments by bank transfer. Online payments by bank transfer are already very popular in the Netherlands, with over 56% of payments made using this method compared with just 20% via card schemes.

XS2A provides two opportunities for merchants; first, access to bank data will enable the development of data insight tools, allowing merchants to offer more personalised offers. And second, merchants will be able to offer new payment methods using PISP services with lower costs and chargeback risks.

2. Strong Customer Authentication (SCA)

From 14 September 2019, electronic payment transactions in scope of PSD2 must be authenticated with at least two of three possible methods:

  • Knowledge: something only the user knows, such as a password
  • Possession: something only the user possesses, such as a token or mobile phone
  • Inherence: something the user is, such as a biometric (e.g. fingerprint recognition)


General Data Protection Regulation – GDPR


The General Data Protection Regulation (EU) 2016/679 (“GDPR”) is a regulation in EU law on data protection and privacy for all individuals within the European Union (EU) and the European Economic Area (EEA).

What is GDPR?

A new European Union-wide framework known as the General Data Protection Regulation (GDPR) came into force across the EU on 25 May 2018.

An accompanying Directive establishes data protection standards in the area of criminal offences and penalties. This is known as the law enforcement Directive.

The GDPR and the law enforcement Directive provide for significant reforms to current data protection rules. They provide for higher standards of data protection for individuals and impose increased obligations on organisations that process personal data. They also increase the range of possible sanctions for infringements of these rules.

There are two main types of data under the GDPR: personal data and special category personal data.

Personal data

Under the GDPR, personal data is data that relates to or can identify a living person, either by itself or together with other available information. Examples of personal data include a person’s name, phone number, bank details and medical history.

A data subject is an individual to whom the personal data relates.

Organisations that decide why and how personal data is used are data controllers; organisations that handle it on a controller’s behalf are data processors.

Special category personal data

Special category personal data means personal data relating to any of the following:

  • The data subject’s racial or ethnic origin, their political opinions or their religious or philosophical beliefs
  • Whether the data subject is a member of a trade union
  • The data subject’s physical or mental health or condition or sexual life
  • Whether the data subject has committed or allegedly committed any offence
  • Any proceedings for an offence committed or alleged to have been committed by the data subject, the disposal of such proceedings or the sentence of any court in such proceedings

The processing of special category data is prohibited unless the data subject has given their explicit consent before processing begins or the processing is authorised by law, for example, to protect the vital interests of a data subject, to comply with employment legislation or for reasons of substantial public interest.

Personal data relating to criminal convictions and offences may only be processed under the control of an official authority.

Obligations on you

The obligation to design appropriate processing systems

The GDPR has introduced the concept of privacy by design (data protection by design and by default). This means building data protection measures in from the outset when designing a processing system. The controller must implement appropriate technical and organisational measures in order to meet the requirements of the Regulation and protect the rights of data subjects.

For example, controllers should design their processes so that they collect only the data strictly necessary for their purposes, and access to personal data should be limited to those who need it for the processing. Controllers may also pseudonymise personal data, so that it can no longer be attributed to a person without additional information that is kept separately.

Controllers will be able to apply for certification from a supervisory authority, which will demonstrate that their processes are designed to comply with the Regulation. In Ireland, this supervisory authority is the Data Protection Commission.

The obligation to use processors that meet the requirements of the legislation

Where processing is to be carried out by a processor and not the controller, the controller must use only those processors who guarantee that their systems of processing meet the requirements of the Regulation.

Examples of processors of this nature include payroll companies, accountants and market research companies, all of which could hold or process personal information on behalf of someone else. Cloud providers are also generally data processors.

The controller must have a contract with the processor setting out the scope of the processing required by the controller and the processor’s obligations under the Regulation. A processor cannot outsource this processing to another processor without the controller’s consent and a similar contract agreed with that second processor.

Processors should follow any relevant code of conduct that may be prepared by the Data Protection Commission. Processors may also receive certification demonstrating their compliance with the Regulation.

The obligation to keep records

Under the GDPR, any controller with 250 or more employees must keep a record of the processing activities under its responsibility. Smaller organisations must also keep records where their processing is not occasional, is likely to result in a risk to data subjects, or involves special category data or data relating to criminal convictions and offences.

That record will consist of:

  • The name and contact details of the controller
  • The purposes of the processing
  • A description of the categories of data subjects and personal data
  • Categories of recipients of the data
  • Any transfers of data to third countries and that country’s data safeguards
  • Time limits for erasure of data
  • A description of the data security measures in place

Processors must keep similar records. These records can be inspected by the Data Protection Commission on request.

The obligation to keep data secure

Controllers and processors have an obligation to keep personal data secure. Under the GDPR, they must implement technical and organisational security measures appropriate to the risks involved in their activities, taking into account the state of the art and the cost of implementation. Risks include the accidental or unlawful destruction, loss or alteration of stored data and its unauthorised disclosure or access.

The security measures may include pseudonymisation or encryption of data, the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems, the ability to restore availability and access to data in a timely manner after an incident (for example from backups), and a process for regularly testing and evaluating the effectiveness of these measures. Controllers and processors will also need to review their security measures against any code of conduct that may be published in the future.

The obligation to report data breaches

Under the GDPR, a controller must notify the Data Protection Commission of a personal data breach without undue delay, and where feasible within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of data subjects. Where the notification is made after 72 hours, it must be accompanied by the reasons for the delay. Data processors must notify the relevant controller without undue delay if they become aware of a breach. Where the breach is likely to result in a high risk to the rights and freedoms of individuals, the controller must also notify the affected data subjects without undue delay.

The obligation to carry out data protection impact assessments

Under the GDPR, when a controller intends to carry out high-risk processing they must first carry out a data protection impact assessment (DPIA). The Data Protection Commission will prescribe a list of the kind of processing operations that may be high risk. These processes may include processing using new technology, profiling and automated decision-making processing, processing large amounts of sensitive personal data or systematically monitoring a publicly accessible area.

The data protection impact assessment should include:

  • A description of the processing and the purpose
  • An assessment of the necessity of the processing
  • An assessment of the risks to the rights and freedoms of the data subjects
  • The measures to be used to address the risks

The controller should carry out a review after the processing has begun to ensure it is being performed in line with the data impact assessment that was carried out.

The controller should also seek the advice of its data protection officer, where one has been designated.

The obligation to appoint data protection officers (DPOs)

Under the GDPR, data protection officers must be appointed by public authorities (other than courts acting in their judicial capacity) and by controllers and processors whose core activities consist of processing operations that require regular and systematic monitoring of data subjects on a large scale, or large-scale processing of special categories of personal data or data relating to criminal convictions and offences.

Data protection officers:

  • Must be appointed on the basis of professional qualities and, in particular, expert knowledge on data protection law and practices
  • May be a staff member or an external service provider
  • Must provide contact details to the Data Protection Commission
  • Must be provided with appropriate resources to carry out their tasks and maintain their expert knowledge
  • Must report directly to the highest level of management in their organisation
  • Must not carry out any other tasks that could result in a conflict of interest

DPOs must be involved in all issues of data protection and must be given the resources to carry out their tasks.

You can contact the DPO of an organisation about any issues relating to your personal data held by that organisation.

The tasks of the DPO are to:

  • Inform and advise their organisation about its data protection obligations
  • Monitor their organisation’s compliance with the GDPR and any national data protection legislation
  • Advise on data protection impact assessments and monitoring performance
  • Liaise with the supervisory authority

The Data Protection Commission has published detailed guidance on appropriate qualifications for a DPO.

The obligation to comply with codes of conduct and certification

Associations and other bodies representing controllers and processors may prepare codes of practice that will specify how the GDPR should be specifically applied. These bodies must submit their draft codes of conduct to the Data Protection Commission for approval.

In order to enhance transparency and compliance with this Regulation, the GDPR will introduce certification mechanisms and data protection marks, allowing data subjects to quickly assess the level of data protection of relevant products and services. A list of certified organisations will be publicly available.

Codes of conduct and approved certification mechanisms will also assist controllers, in identifying the risks related to their type of processing and in adhering to best practice.

For processors seeking to process information on behalf of controllers, the adherence of a processor to an approved code of conduct or an approved certification mechanism may be used as an element to demonstrate compliance with the obligations of the controller.

The obligations relating to transferring data outside the EU

Any transfer of personal data outside the EU (to a “third country”) or to an international organisation is strictly regulated under the GDPR. The Regulation also applies to any onward transfer of that data from one third country to another.

Such a transfer may take place freely only where the European Commission has decided that the third country, a territory or sector within it, or the international organisation ensures an adequate level of data protection. In deciding whether protection is adequate, the Commission looks at that country’s laws, its respect for human rights, the existence of an independent data protection authority and the international commitments the country has made relating to personal data. After an adequacy decision, the Commission continues to monitor the country’s data protection practices.

If a controller or processor wants to transfer data to an unapproved country, sector or international organisation, that controller or processor must provide the appropriate safeguards and ensure that any data subjects will still be able to exercise their rights.