Merchant Fraud Journal

PSD2 SCA Requirements


On September 14, 2019, the Revised Payment Services Directive (PSD2) will require Strong Customer Authentication (SCA). The goal of SCA is to protect consumers against eCommerce fraud.

Below is a breakdown of what merchants need to know.

Strong Customer Authentication (SCA) Requirements

Strong Customer Authentication requirements will force merchants to take specific steps to safeguard the information of online shoppers. In the past, merchants only needed a CVC code to verify a cardholder’s legitimacy. Now, more information is required. Merchants will need to implement 3D Secure 2.0.

For many merchants, the words “3D Secure” are scary. The technology is notorious for creating customer friction. The 1.0 version required a customer to remember a randomly assigned code or password. Many customers who couldn’t remember the information simply abandoned their cart. In many cases, the revenue lost from cart abandonment almost certainly exceeded what merchants would have lost to fraud.

Therefore, SCA takes a different approach. Instead of a random code, SCA requires merchants to use two-factor authentication (2FA). This requires them to ask online shoppers to verify their identity using two out of three categories of information:

SCA Exemptions

The new requirements apply to all “customer-initiated” online payments. However, they only affect Europeans. The requirements come into effect for transactions where both the merchant and the cardholder’s bank are in Europe. More specifically, the merchant and bank must be located in the European Economic Area (EEA).

In addition, some exemptions exist for transactions in the EEA:

PSD2 Implementation Delays

Merchants received notification of the new SCA requirements well in advance of the September 14th implementation deadline. However, many eCommerce stores remain unprepared. Due to the fear that market non-compliance would cause disruptions to online selling ecosystems, the European Banking Authority (EBA) agreed to provide an SCA extension.

“The EBA, therefore, accepts that, on an exceptional basis and in order to avoid unintended negative consequences for some payment service users after 14 September 2019, NCAs may decide to work with PSPs and relevant stakeholders, including consumers and merchants, to provide limited additional time,” the EBA said in a press release.

Although some eCommerce merchants will benefit from this extension, it is contingent on them taking steps towards compliance.

“This is to allow issuers to migrate to authentication approaches that are compliant with SCA, such as those described in this Opinion, and acquirers to migrate their merchants to solutions that support SCA,” the press release said.

Eventually, these general exceptions will lapse. When that happens, all transactions processed by merchants must comply with SCA if no exemption applies.


Sources:

https://eba.europa.eu/regulation-and-policy/payment-services-and-electronic-money/regulatory-technical-standards-on-strong-customer-authentication-and-secure-communication-under-psd2/-/regulatory-activity/press-release

https://www.visa.co.uk/dam/VCOM/regional/ve/unitedkingdom/PDF/visa-preparing-for-psd2-sca-publication-version-1-1-05-12-18-002-final.pdf
