Published by Lucie Poirier
In this blog post we look at the new requirements that PSD2 imposes on online payments and merchants with regard to Strong Customer Authentication (SCA). This post does not cover all the changes introduced by PSD2; it focuses only on the changes that Strong Customer Authentication brings for merchants.
The revised Payment Services Directive, known as PSD2, will have a significant impact on online payments made on e-commerce platforms such as Shopify or any other shopping cart, as it introduces a mandate for Strong Customer Authentication. Its primary goal is to raise the level of security of online payments. PSD2 applies to online payments within the European Economic Area (EEA) where both the cardholder's bank and the payment provider are based in the EEA.
It is therefore important that you as a merchant know what PSD2 changes and how you need to comply with those changes. Shopping carts such as Shopify, whose current checkout does not support 3D Secure, cannot meet the security standard required by PSD2 by default, because PSD2 will enforce Strong Customer Authentication; they can only do so in combination with a payment provider such as wallee. Read on to find out exactly what is meant by the term Strong Customer Authentication.
One of the biggest challenges for online businesses is combating fraud, given its negative impact on customer confidence in online services and the high cost of processing fraudulent transactions. One major goal of the new regulation is therefore to make online payments more secure. One particularly effective method of maintaining a high level of security is multi-factor authentication. Authentication consists of verifying the identity of customers during transactions in order to:
As part of the second Payment Services Directive (PSD2), the European Union is introducing a requirement called Strong Customer Authentication (SCA), which mandates a stricter authentication process for online transactions. Strong Customer Authentication is defined as authentication based on the use of two or more of the following independent elements: something only the customer knows (such as a password or PIN), something only the customer possesses (such as a phone or a card) and something the customer is (such as a fingerprint or face).
Strong Customer Authentication will apply to customer-initiated online payments within the EEA. From September 14th, 2019, Strong Customer Authentication will be mandatory for verifying and authenticating payments: two-factor authentication will be required at the time of the transaction.
For credit card transactions this means that the PSD2 requirements will be implemented through the new authentication protocol 3D Secure 2.0 (3DS 2.0). Recurring direct debits are considered merchant-initiated and will not require SCA.
Although the new regulation will apply to the majority of online payments, there are exemptions for specific types of payments:
Transactions of 30 euros or less will be exempt from Strong Customer Authentication, unless the payment method provider or the cardholder's bank detects that more than five exempted transactions have been made in a row since the last SCA, or that the exempted transactions since the last SCA exceed a total of 100 euros. Once either limit is reached, the next payment is authenticated with SCA, which resets both counters.
Low-risk transactions will also be exempt from SCA. A payment is considered low risk based on a transaction risk analysis that relies on the fraud rate of the card issuer or of the provider processing the payment.
Subscription and recurring transactions with a fixed amount are also exempt: SCA applies only to the initial transaction, and as long as the amount does not change it is not required for subsequent payments. Recurring transactions with a variable amount that are merchant-initiated are likewise outside the SCA requirements.
Customers may be allowed by their bank to whitelist businesses where they shop regularly as 'trusted beneficiaries'. In that case SCA is only required for the first purchase, not for subsequent purchases. Not all issuing banks support this feature yet, but support is expected to grow during 2019.
Payments made with corporate cards will be outside the SCA requirements. This exemption can only be applied by the cardholder's bank, since neither the business nor the payment method provider can detect whether the card used is a corporate card.
Mail Order and Telephone Orders (MOTO) will be exempt from SCA, as they are not considered electronic payments.
SCA will also not apply to transactions where the card issuer or the acquirer is based outside the EEA (so-called one-leg transactions).
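To make the interplay of these exemptions concrete, here is a small model of the decision, written as an added example for this post; it is not wallee's code, and in practice the issuer and the acquirer take this decision and keep the per-card counters. The `Transaction` fields, the `ScaEvaluator.decide` interface and the card tokens are assumptions; the thresholds are the ones stated above (30 euro low-value limit, 100 euro cumulative cap, five consecutive exempted transactions since the last SCA).

```python
"""Model of the PSD2 SCA exemption rules listed above (illustrative, not wallee code).

The issuer/acquirer make the real decision; the field names and the 'decide'
interface are assumptions.  Thresholds follow the text: 30 EUR low-value limit,
100 EUR cumulative cap and five consecutive exempted transactions since the last SCA.
"""
from dataclasses import dataclass, field
from decimal import Decimal
from typing import Dict

LOW_VALUE_LIMIT = Decimal("30")
LOW_VALUE_CUMULATIVE_CAP = Decimal("100")
LOW_VALUE_MAX_COUNT = 5


@dataclass
class Transaction:
    card: str                          # card identifier (constructed, e.g. a token)
    amount: Decimal                    # EUR; strings/floats are converted in __post_init__
    issuer_in_eea: bool = True
    acquirer_in_eea: bool = True
    moto: bool = False                 # mail order / telephone order
    merchant_initiated: bool = False   # e.g. recurring direct debit, variable-amount subscription
    recurring_fixed_amount: bool = False
    first_of_series: bool = True       # first payment of a fixed-amount subscription
    trusted_beneficiary: bool = False  # merchant already whitelisted by the cardholder at the issuer
    low_risk: bool = False             # outcome of the issuer/acquirer transaction risk analysis

    def __post_init__(self):
        self.amount = Decimal(str(self.amount))


@dataclass
class CardState:
    """What the issuer has to remember per card for the low-value exemption."""
    cumulative_since_sca: Decimal = Decimal("0")
    count_since_sca: int = 0


class ScaEvaluator:
    def __init__(self):
        self.state: Dict[str, CardState] = {}

    def decide(self, tx: Transaction) -> str:
        """Return 'out_of_scope:<why>', 'exempt:<why>' or 'sca_required'."""
        # Out of scope: SCA is not applied at all and the counters are untouched.
        if not (tx.issuer_in_eea and tx.acquirer_in_eea):
            return "out_of_scope:one_leg"
        if tx.moto:
            return "out_of_scope:moto"
        if tx.merchant_initiated:
            return "out_of_scope:merchant_initiated"

        # Exemptions that do not consume the low-value counters.
        if tx.recurring_fixed_amount and not tx.first_of_series:
            return "exempt:recurring_fixed_amount"
        if tx.trusted_beneficiary:
            return "exempt:trusted_beneficiary"
        if tx.low_risk:
            return "exempt:transaction_risk_analysis"

        # Low-value exemption: every use consumes one of the five slots and adds
        # to the cumulative amount; both are counted since the last SCA.
        st = self.state.setdefault(tx.card, CardState())
        if (tx.amount <= LOW_VALUE_LIMIT
                and st.count_since_sca < LOW_VALUE_MAX_COUNT
                and st.cumulative_since_sca + tx.amount <= LOW_VALUE_CUMULATIVE_CAP):
            st.count_since_sca += 1
            st.cumulative_since_sca += tx.amount
            return "exempt:low_value"

        # SCA is applied, which resets the low-value counters for this card.
        self.state[tx.card] = CardState()
        return "sca_required"


if __name__ == "__main__":
    ev = ScaEvaluator()
    for i in range(7):
        print(i + 1, ev.decide(Transaction(card="tok-1", amount="10")))
```

The point to take from the model is that the low-value exemption is stateful: a 10 euro purchase can be exempt for a customer one day and require a challenge the next, purely because of what the issuer has counted since that card last went through SCA.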
Although 3D Secure 1.0 protects you from fraud, it requires your customers to leave your shop to complete additional steps during payment, which can hurt their purchase experience. With 3D Secure 2.0 you can integrate the authentication step into your shop without a redirect, using an embedded iframe.
Find out why 3D Secure 2.0 will help you to increase your conversion:
3D Secure 2.0 introduces frictionless authentication, which lets merchants have a transaction verified by the customer's issuing bank without the customer having to enter a PIN or code or being redirected to a 3D Secure page.
Payment data such as the billing and shipping address entered by the customer in the shop's checkout, as well as digital footprint data such as the IP address and device information, are transmitted securely in the background to the cardholder's issuing bank, with no perceptible change to the checkout flow for the customer. The bank then performs a risk assessment and decides, based on the data provided, whether to complete the authentication. If the data exchanged in the background is sufficient to verify the transaction, it is validated through the frictionless flow without any additional authentication step for the customer.
If the bank requires additional proof, the transaction goes through the challenge flow: the customer is prompted to provide additional information for authentication (e.g. a two-factor code sent by email or SMS, or a fingerprint or face recognition in the issuing bank's app).
3D Secure 2.0 greatly simplifies payment authentication for customers. During checkout, customers either pass authentication without having to do anything (frictionless flow) or have their payment authenticated without being redirected to an external 3D Secure page (challenge flow embedded directly in the checkout).
Thanks to new mobile SDKs it will be quick and easy for customers to complete authentication using their mobile banking app. For transactions made from a mobile device on which the customer has their bank's app installed, the SDK detects the app and opens it so the customer can authenticate the payment with a second-factor password, fingerprint or facial recognition.
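The two flows described above, modelled end to end as an added example (not wallee's or EMVCo's code): the merchant sends the background data, the issuer's Access Control Server scores it and either answers frictionless or demands a challenge, and the challenge is answered with a one-time code. The message names (AReq/ARes, CReq/CRes) and the transStatus values Y, C and N are taken from the 3DS 2.0 protocol; the field names, the scoring rules, the OTP mechanism and the sample data are assumptions chosen to show both paths.

```python
"""Simplified model of the 3D Secure 2.0 frictionless and challenge flows.

Added illustration, not wallee's or EMVCo's code.  AReq/ARes, CReq/CRes and the
transStatus values Y/C/N are 3DS 2.0 names; the field names, the issuer's scoring
rules and the OTP challenge are assumptions.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict, Set


def random_otp() -> str:
    return f"{secrets.randbelow(10**6):06d}"


@dataclass
class IssuerACS:
    """Stand-in for the issuing bank's Access Control Server."""
    known_devices: Dict[str, Set[str]]                       # card -> device fingerprints seen before
    otp_factory: Callable[[], str] = random_otp              # injectable so a run is reproducible
    pending: Dict[str, str] = field(default_factory=dict)    # transaction id -> OTP awaiting entry

    def authenticate(self, areq: dict) -> dict:
        """Risk assessment on the data the merchant sent in the background (AReq -> ARes)."""
        score = 0
        if areq["billing_address"] != areq["shipping_address"]:
            score += 2
        if areq["device_fingerprint"] not in self.known_devices.get(areq["card"], set()):
            score += 2
        if areq["amount"] > 150:
            score += 1
        tid = areq["threeDSServerTransID"]
        if score < 2:
            return {"threeDSServerTransID": tid, "transStatus": "Y"}   # frictionless
        # Challenge: the OTP goes out through an out-of-band channel (SMS/app), never via the merchant.
        self.pending[tid] = self.otp_factory()
        return {"threeDSServerTransID": tid, "transStatus": "C"}

    def challenge(self, creq: dict) -> dict:
        """Verify the cardholder's answer (CReq -> CRes); a challenge can be answered once."""
        expected = self.pending.pop(creq["threeDSServerTransID"], None)
        ok = expected is not None and hmac.compare_digest(expected, creq["otp"])
        return {"threeDSServerTransID": creq["threeDSServerTransID"], "transStatus": "Y" if ok else "N"}


def checkout(acs: IssuerACS, areq: dict, enter_otp: Callable[[], str]) -> tuple:
    """Merchant view of the exchange: returns (flow, final transStatus)."""
    ares = acs.authenticate(areq)
    if ares["transStatus"] == "Y":
        return ("frictionless", "Y")
    if ares["transStatus"] == "C":
        # In 3DS 2.0 this step runs in the embedded iframe between the cardholder's
        # browser and the ACS; the merchant only learns the outcome.
        cres = acs.challenge({"threeDSServerTransID": ares["threeDSServerTransID"], "otp": enter_otp()})
        return ("challenge", cres["transStatus"])
    return ("declined", ares["transStatus"])


# Constructed sample data for a stand-alone run.
SAMPLE_ACS = IssuerACS(known_devices={"tok-1": {"fp-home-laptop"}}, otp_factory=lambda: "482913")
RETURNING = {"threeDSServerTransID": "t-1", "card": "tok-1", "amount": 40,
             "billing_address": "Seestrasse 1, Zurich", "shipping_address": "Seestrasse 1, Zurich",
             "device_fingerprint": "fp-home-laptop"}
NEW_DEVICE_GIFT = {**RETURNING, "threeDSServerTransID": "t-2",
                   "shipping_address": "Rue du Rhone 5, Geneva", "device_fingerprint": "fp-unknown-phone"}

if __name__ == "__main__":
    print(checkout(SAMPLE_ACS, RETURNING, enter_otp=lambda: "unused"))       # frictionless
    print(checkout(SAMPLE_ACS, NEW_DEVICE_GIFT, enter_otp=lambda: "482913"))  # challenge, Y
```

Two details are worth keeping in mind from the model: the richer and more consistent the data the merchant hands over in the background, the more often the issuer can answer Y without a challenge; and the challenge itself is between the cardholder and the issuer, so a merchant integration never handles the second factor.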
First of all, the good news is that as a wallee merchant you will not have to worry about these regulations. We will make sure that our API takes advantage of the new benefits and absorbs the new burdens without any impact on your API integration.
We are currently building a solution in wallee that complies with the new regulations, allowing you to transition smoothly from 3D Secure 1.0 to 3D Secure 2.0 and offer your customers a more secure and pleasant purchase experience. 3D Secure 2.0 will be phased in during 2019: some issuing banks will start supporting it in early 2019, but it will take several months before support is widespread.
The new changes should be rolled out in April 2019 and will not require any changes to your implementation. We aim to provide the issuing bank with as many data points as are available, so that you also benefit from risk-based, frictionless authentication.
If you do not have a wallee account yet, you can easily create one.
If you have any remaining questions, do not hesitate to contact us.