Published by Lucie Poirier
PSD2 is a new European regulatory requirement to reduce fraud and make online payments more secure that enforces Second Factor Authentication (SCA). This means, customers using credit cards will not only have to enter the credit card number and the card verification value (CVV) but will also have to add an additional factor (something they know, possess or are). More Information can be found below.
Issuer Banks will need to start declining payments that require SCA and don’t meet this criteria. Based on the latest developments we expect a delayed enforcement. A summary can be found in our latest overview.
Strong customer authentication is made up of two independent elements. Such elements must be derived from the two of the following three categories: knowledge, possession and inherence. Examples are: password (knowledge), mobile telephone (possession) or a finger print (inherence). More information around 2FA can be found in our PSD2 Blog post. For online card payments, these requirements will apply to transactions where both the business and the cardholder’s bank are located in the European Economic Area (EEA).
Currently, the most common way of authenticating an online card payment relies on 3D Secure. 3D Secure adds an extra step to the authorization request as the merchant will be identified by the issuer with a SMS-OPT, password or similar. The card industry was working heavily on revamping the 3D Secure standard in order to meet the PSD2 requirement and take the chance to provide a better user experience for the merchants. 3DS 2.0 is now gradually being introduced. Over the course of the next days wallee merchants that process cards directly with an acquirer and not through a PSP will be automatically migrated to the new 3DS standard. Once the issuer supports 3DS 2.0 the transaction will automatically be challenged by the new standard.
As a wallee merchant, there are no modifications that you must do as we will automatically activate for 3DS 2.0. However, if you do not already have 3DS activated in your connector, there is a chance that you will be seeing more declines with your payments. Therefore, we suggest that you enable 3DS in your connector.
A lot has been written about and discussed about exemptions to SCA and how this can be handled. There are still a lot of unclarified questions. We therefore focus on the most relevant exemptions and how we handle them. Please note that the liability will be fully shifted to merchants in case of an exemption. You will most likely not be able to fight even non-fraud-related chargebacks. The European Payments Council anticipates that “the payer can claim full reimbursement from their PSP in case of an [unauthorized] payment, if there was no SCA measure in place and if the payer did not act fraudulently.”
Low value transactions are generally exempted. However, it is not that easy because Issuers will however need to request authentication if the exemption has been used five times since the cardholder’s last successful authentication or if the sum of previously exempted payments exceeds €100. Therefore all issuers will track the number of times this exemption has been used and decide whether authentication is necessary.
We suggest that you enable 3DS on all of your connectors, as well as for low value transactions. We will automatically try to make use of this exemption. As mentioned above, it can always happen that customers are challenged also in the case of low value transactions. Last but not least you lose the liability shift on all exempted transactions. In other words, you will be responsible for any fraud-related chargebacks on exempt transactions. If you receive an exemption, you also forfeit the ability to shift liability to the issuer.
Payments made with tokens when the customer is not present in the checkout flow may qualify as merchant-initiated transactions. As in the use case of subscription (fixed amount or variable amount) the customer is not present therefore a second factor challenge can not be performed. In such cases, these payments technically fall outside the scope of SCA.
Strictly speaking PSD2 is not applicable to those payment types however, for simplicity we treat them here as exemptions.
Based on the context on the wallee API you provide on the transaction object whether the customer is present or not. This information helps us to flag the transaction as MIT and seek for an exemption. In one-click payments where you simply store the card for faster use in the checkout you will see SCA taking effect once the regulation is in force.
Card details collected over the phone fall outside the scope of SCA and do not require authentication. Similar to exempted payments, MOTO transactions will need to be flagged as such—with the cardholder’s bank making the final decision to accept or reject the transaction.
It’s important to understand that the issuer and not the regulator has the final say about exemptions. Banks will return new decline codes for payments that failed due to missing authentication. These payments will then have to be resubmitted to the customer with a request for Strong Customer Authentication.
In case we receive a soft-decline from an issuer, we have the relevant instruments in place with charge flows. With other words, in case of MIT the merchant will receive based on the configuration a Charge Flow email to update their payment information and perform an SCA transaction that will [hopefully] be accepted by the issuer.
Especially for our Swiss merchants, some words about the applicability of PSD2 in Switzerland. SCA is only required when both the cardholder’s issuing bank and the merchant’s acquirer are located in the EEA region. If either of these parties is outside the EEA, then the SCA regulation does not apply. It has also been clarified that only the geographic location of the acquiring and issuing bank are relevant not the payer or merchant. What sounds very good at first glance also involves major risks at a second glance. Some issuers may not have the logic in place to identify these types of situations, particularly in the short term after the regulation goes into effect. We therefore recommend merchants that have a huge international client base to challenge those transactions with 3DS.
There is a lot of confusion around PSD2. The latest reports and reactions of the regulators do not help to add clarity. In our view, there is too much fuss made around exemptions. Since 3DS 2.0 is expected to dramatically reduce the frequency with which a cardholder is prompted to be an active participant in the authentication process, the amount of friction is also expected to be dramatically reduced.
Given all the additional data elements available to issuers to help inform risk-based decisions in the background, the assumption should be that if a cardholder challenge is required, enough flags have been raised to cause concern. In other words, if the issuer suspects fraud, chances are it is fraud. So why not take advantage of this built-in risk algorithm while also protecting your business against potential fraudulent-transaction losses?
We continuously do our best to regularly challenge the way we process transaction together with the industry leaders to improve authorization rates and reduce hassle for merchants.
If you do not have a wallee account you can easily start to create an account.
If you have any remaining questions, do not hesitate to contact us.
#Strong Customer Authentication