When the new PSD2 requirements were announced for the European Economic Area (EEA), merchants and customers had a lot of questions and few answers. The regulations promise a more secure online payment environment for everyone, but the challenges in implementing requirements like strong customer authentication (SCA payments) and delays in the official timeline for enforcement have diverted attention from the good that comes with PSD2 strong customer authentication regulation and SCA..
Signifyd recently hosted a webinar with Vendorcom Chairman Paul Rodgers to introduce its new Seamless SCA product and help merchants understand what they can do to get up to speed on PSD2 authentication requirements in the EEA. The webinar featured a demo of Seamless SCA plus background on the new regulations. We’re sharing a few key questions from the webinar with clear, concise answers to help merchants understand the requirements better.
Key points:
- Signifyd’s latest webinar focuses on PSD2 regulation and how the new Signifyd Seamless SCA product helps merchants provide the required privacy upgrades to consumers.
- Signifyd leaders and SCA expert Paul Rodgers clarify what PSD2 and the associated acronyms (SCA, 3ds payment) mean to help consumers better understand the upcoming regulations in the European Economic Area (EEA).
- Our team of experts encourages more education and transparency between merchants, consumers and payment providers to help everyone better understand PSD2 regulations.
PSD2, 3DS, SCA: What do these acronyms mean?
In the webinar, Signfiyd leaders J. Bennett and Ed Whitehead defined what each of the key acronyms for PSD2 requirements stand for:
- PSD2 is the second Payment Services Directive (the number 2 was tacked on to the end of the acronym to update the directive). PSD2’s main objective is to regulate payment services and payment service providers in the European Union (EU) and EEA. Consumer protection is a key tenet of the regulations, and payment providers have specific rights and obligations for accepting ecommerce payments.
- SCA stands for strong customer authentication. It’s the primary method for payment service providers and merchants to secure their transactions under PSD2. SCA requires a baseline two-factor authentication to increase the security of electronic payments and authenticate a purchase.
- 3DS2 stands for 3-D Secure, or Three-Domain Secure. It enables consumers to authenticate their purchases directly with their card issuer when making card-not-present (CNP) ecommerce purchases. The additional security layer helps prevent unauthorized CNP transactions and protects the merchant from fraud. The three domains refer to the merchant, payment issuer and the payment systems provider.
All three of these security protocols or layers seek to protect consumers, merchants and payment providers against fraud in ecommerce purchases. Their tight relationship helps define why additional security is essential for better ecommerce operations. PSD2 SCA solutions requires better security protocols — which is why Signifyd hosted the webinar to introduce Seamless SCA and share insights into the current issues merchants and consumers face in the EEA.
What are the three authentication methods for SCA?
The goal of SCA is to obtain information required to authenticate payments on a more personal level. Privacy matters most in SCA, both in defending personal information and in bringing control of transaction data back to each user.
PSD2 requires at least two authentication factors for SCA. Each of these methods falls under a unique group of data that directly relates to the authorized user: something you know, something you have and something you are.
What you know is information protected by mitigation measures to prevent disclosure to third parties. It’s the first step to test if a real, authorized person is requesting the transaction.
- What works: Knowledge-based challenge questions. Only the authorized user should know the answers to identifying questions like, “What was your grandmother’s nickname growing up?”
- What doesn’t work: Card details from the card itself. Anyone can get this information for CNP transactions. Thanks to the evolving sophistication of scam artistry, card details are easier to swipe than ever before. Keep in mind that numbers can be memorized and used in any CNP transaction.
What you have is a secure, dynamic generated or received validation on your device. The payment processor will send some kind of authorization request to the shopper to determine if the order is legitimate. The authorized user must then respond to validate the request to finalize the transaction.
- What works: A signature generated by a device through a hardware or software token. The authorized user must initiate the token send to complete the transaction, often in a brief time span (often less than 15 minutes).
- What doesn’t work: An installed app without registration. There’s nothing about the app that guarantees secure transactions right out of the box. Extra steps are often needed to authenticate the user within the app, and from there extra security layers are recommended.
What you are is a human’s physical feature, physiological characteristic or behavioural process. It’s the most secure of the three payment SCA authentication methods because it’s the most unique and personal of all — because these characteristics belong only to the person and cannot be copied (not yet, at least). Biometrics is making huge strides in the security technology space for this very reason.
- What works: Fingerprint or iris scanning. Hackers haven’t yet determined how to crack biometrics on a reliable scale. Since it’s impossible (or at least, not recommended) to tear off your skin or poke out your eye to share biometrics information like this, it’s much harder for scammers to get ahold of biological material to pull off their grifts in the shadows.
- What doesn’t work: EMV 3-D Secure on its own. The European Banking Authority in June explained in a memo that “communication protocols such as EMV 3-D Secure version 2.0 and newer would not currently appear to constitute inherence elements, as none of the data points, or their combination, exchanged through this communication tool appears to include information that relates to biological and behavioral biometrics.”
SCA’s multi-factor authentication can be broken down into even more granular data. In the webinar, Bennett shared an overview of factors used in SCA and how they fit into key aspects of ease of use and security — because customer experience is at the heart of a successful SCA strategy.
Which authentication methods work for SCA?
Ideally, authentication methods for SCA should achieve high ease of use and security. Customers want their payment and personal data to be safe, but making them jump through too many hoops to complete a transaction leads to cart abandonment. Some acceptable SCA methods are less secure than others, even though they meet the security standards. Merchants should consider their customers’ needs and their ability to invest in and implement security methods that support the best possible shopping experience.
In the webinar, Bennett presented a matrix model displaying where the most common SCA methods land on the two scales of ease of use and security. The best authentication methods combine both usability and security, like a token sent directly to the authorized user’s device for each transaction, or keystroke dynamics that match the authorized user’s behavior patterns.
Other methods that don’t check all the boxes are still safe to use for SCA. For example, vein recognition has a high ease of use but offers lower security than other options. Another method like a passphrase scores low on both the usability and the security scale, partially because entering multiple words can be challenging on a mobile device. But each is an approved SCA method and can work with the right implementation.
What is the timeline for PSD2?
PSD2 SCA solutions might look like hard deadline. At this point, different authorities in different jurisdictions are sending different messages about when the requirements will be enforced. The UK, for instance has sketched an 18-month rollout, while the competent authority in France has released a timeline spanning two years. Part of the problem in implementing the tougher security standards is a lack of leadership and guidance in the EEA, as webinar guest host Paul Rodgers pointed out. Rogers, chairman of Vendorcom and Payment Systems Regulator panel member, cited poor policy alignment between different countries in Europe.
The Sept. 14, 2019 “deadline” was set as the original SCA enforcement date. Now only a few days away, this “deadline” has become more of a wake-up call to get the attention of merchants and encourage them to get educated on PSD2 and SCA.
Rodgers did present a slide featuring the timeline for managed rollout endorsed by the Financial Conduct Authority in the UK. That plan acknowledges the official kickoff date of Sept. 14, and lays out three stages toward the expected full enforcement of the regulation in early 2021. By Mar. 14, 2020, merchants should complete their SCA-compliant payment provider evaluations. Phase two is the SCA solutions implementation and testing period and ends Sept. 14, 2020. The final phase is where merchants should implement and optimize their newly secure payment options by Mar. 14, 2021 — the designated (for now) PSD2 enforcement date.
The three-stage rollout was developed to help merchants ramp up their payment systems to include PSD2-ready solutions. Each phase is spaced out over six months to help merchants gradually step up to the implementation. The next 18 months are crucial to the successful implementation of PSD2 and SCA. With tools like Signifyd’s Seamless SCA, merchants can get there a little bit faster.
How can merchants prepare for the upcoming PSD2 requirements?
In the webinar, Rodgers advocated for harmonized language around SCA and PSD2 requirements to empower merchants and customers. He created the #SCADay tag on LinkedIn to share his expertise on the issues and to break down communication barriers.
Rodgers said that the UK media response to PSD2 hasn’t provided much actionable information, fueling negative responses to the set of regulations that’s designed to protect people, not to take anything away from them. Add that to the conflicting approaches from banks and payment issuers, and it’s easy to see why merchants and consumers don’t know where to find the right information to help them implement SCA.
Through activities like this webinar and #SCADay on LinkedIn, Rodgers has created an open SCA conversation that he hopes will become a widespread dialogue between anyone who shops online and relies on CNP payments. He is also determined to educate consumers about scams that use SCA in phishing attempts and help them identify legitimate SCA methods from attempted identity theft.
Change is coming — learn to embrace it
The main takeaway from the presentation by Bennett, Whitehead and Rodgers is that it’s better to work with PSD2 and SCA than against it. As Bennett said in Signifyd’s press release announcing the Seamless SCA launch, “Avoidance strategies, such as optimizing exemptions to bypass the need for SCA, are not a real solution. Delivering a great SCA experience is. Retailers that prepare themselves now will hold a competitive advantage when enforcement begins.”
PSD2 and SCA are designed with the best interests of merchants and consumers in mind. The webinar “Meet PSD2 Requirements With Signifyd Seamless SCA” is now available to watch on-demand. Get an overview of the Seamless SCA product with a live demo on an ecommerce storefront and an expanded look at how SCA and PSD2 work together to protect consumer privacy.
Watch the on-demand webinar now.