PSD2’s Strong Customer Authentication
What ecommerce businesses need to know about the EU’s pending requirements for SCA and Dynamic Linking
Last updated on 7 August 2019
On 14 September 2019, the European Economic Area will face new regulatory obligations for authenticating online payments. Part of the second Payment Services Directive (PSD2), the core of these obligations is referred to as Strong Customer Authentication (SCA) and has a stated objective of “ensuring that payments across the EU are secure, easy and efficient.”
- Signifyd expects that, pursuant to the European Banking Authority’s (EBA’s) opinion issued on 21 June 2019, Competent Authorities throughout Europe will provide for an enforcement exemption period for PSD2’s SCA obligations, as already announced by the Financial Conduct Authority in the United Kingdom.
- Consistent with that expectation, Visa, Mastercard and a group of European payments and retailer consortiums released a Joint Industry Statement on 1 August 2019 that requested greater clarity from the EBA and Competent Authorities during a “transition period” of “flexible enforcement” of at least 18 months so that all ecommerce stakeholders could rely on a consistent application throughout the EEA.
|2013||EU publishes proposal for PSD2 (July)|
|2016||PSD2 comes into force (Jan.)
Consulting period for SCA and RTS (Q3)
|2017||Final draft RTS on SCA published (Feb.)
EU approves RTS (Sept.)
|2018||PSD2 transposed in local legislation (Jan.)|
|2019||3DS2 certification live, test period begins (March)
EBA update on compliant SCA methods (June)
Original SCA enforcement, postponed by UK, expected in rest of EEA (Sept.)
|2020||Expected Exemption Period|
|2021||Expected Enforcement Period (Q1)|
What is Strong Customer Authentication?
Strong Customer Authentication (SCA) is a European regulatory framework that describes three types of information that should be reviewed as part of an online payment transaction, so as to increase security and reduce fraud. To accept ecommerce payments once PSD2’s obligations go into effect, merchants will need to build authentication technologies into their checkout flows that measure at least two of the following three elements:
“Something you know”, the KNOWLEDGE Element (e.g., password or PIN)
“Something you have”, the POSSESSION Element (e.g., phone or hardware token)
“Something you are” the INHERENCE Element (e.g., fingerprint or face recognition)
The Knowledge Element: “Something you know”
What PSD2 describes as “Something the user knows,” the EBA refers to as the knowledge element. Acceptable knowledge elements are sets of information that are protected by mitigation measures to prevent disclosure to third parties and that existed prior to the transaction being attempted. The EBA has outlined the following as a non-exhaustive list of possible knowledge elements:
|EBA Verified as SCA Compliant||EBA Verified as Not Compliant with SCA|
The Possession Element: “Something you have”
What PSD2 describes as “Something the user has”, the EBA calls the possession element. Possession elements are measured by the generation or receipt of a secure, dynamic validation on a device. Possession elements can be measured by some technologies that do not require active customer interaction (e.g., capturing the unique signature generated by a device) or more commonly by pushing a one-time password to the device via SMS text. The EBA has outlined the following as a non-exhaustive list of possible possession elements:
|EBA Verified as SCA Compliant||EBA Verified as Not Compliant with SCA|
Note, the card itself or information contained on it cannot qualify as something the user “has.”
The Inherence Element: “Something you are”
What PSD2 describes as “Something the user is”, the EBA refers to the inherence element. This element consists of measuring data related to the physical properties, physiological characteristics or behavioural processes of the body. The EBA has outlined the following as a non-exhaustive list of possible Inherence elements:
|EBA Verified as SCA Compliant||EBA Verified as Not Compliant with SCA|
Many of these data elements are available only on mobile devices, so merchants should consider how to handle transactions placed on both mobile apps and in-browser. Additionally, note that authentication protocols such as 3DS do not include any inherence elements, per the EBA, in the current versions of 2.0 or newer.
Signifyd’s Seamless SCA™ solution does include both browser- and mobile-friendly inherence elements.
If you would like to read the original SCA requirements, they are set out in the Regulatory Technical Standards or RTS. The EBA issued an Opinion on 21 June 2019 that describes which technologies adequately measure the three different elements of SCA, which the above tables summarize.
When is Strong Customer Authentication required?
Strong Customer Authentication will apply to “customer-initiated” online payments within the European Economic Area (EEA) and is not only for companies based in the EEA. If you have customers whose cards are issued in the EEA and you sell in (payments are acquired in) the EEA, then the PSD2 requirements will apply. As a result, most credit and debit card payments and all bank transfers will require SCA. Recurring direct debits are considered “merchant-initiated” and will not require strong authentication. With the exception of contactless payments, in-person card payments are also not impacted by the new regulation.
For online credit and debit card payments, these requirements will apply to transactions where both the merchant and the cardholder’s bank are located in the EEA.
- We currently expect that SCA will be enforced in the UK, regardless of the outcome of Brexit.
How to authenticate a payment
Currently, the most widely adopted way of authenticating an online card payment in the EEA relies on 3-D Secure—a protocol created by EMVCo, a consortium of the card scheme brands. 3-D Secure usually requires that consumers take at least one extra step during or after the checkout to provide additional information to complete a payment (e.g., entering a one-time code sent to their phone or authentication through their mobile banking app).
3-D Secure 2 (or 3DS2)—the new version of the protocol released in 2019—will be the main method that merchants use to meet PSD2’s requirement to “dynamically link” the payment to the issuing banks and confirm that SCA has been conducted.
This new version introduces support for mobile applications, but on its own will require even more additional steps to conduct SCA (e.g., both requiring the cardholder to enter a previously known password or PIN and also confirming the cardholder’s device by entering a one-time password provided by SMS).
- The EBA’s Opinion on 21 June 2019 confirmed that 3DS2 does not support the ability to measure any inherence data points and that a one-time password may satisfy possession but does not satisfy the knowledge element.
Other card-based payment methods such as Apple Pay or Google Pay support payment flows with a built-in layer of authentication (including biometrics for the inherence element). These can be a great way for merchants to offer a frictionless checkout experience while meeting the new requirements, but they have relatively low adoption rates among consumers.
Signifyd’s Seamless SCA™ solution adopts a similar approach to Apple Pay and allows merchants to passively conduct SCA while customers shop on their site, by measuring device token information to satisfy the possession element and behavioral and biometric information to satisfy the inherence element. Our built-in 3DS2 capabilities ensure that a merchant’s payment provider and the cardholder’s issuing banks receive the information necessary to authenticate the transaction.
Exemptions to Strong Customer Authentication
Under PSD2, specific types of payments may be exempted from the requirement to conduct SCA. Payment providers may be able to request these exemptions when processing the payment. The cardholder’s bank will then receive the request, assess the risk level of the transaction and ultimately decide whether to approve the exemption or whether authentication is still necessary.
- Our expectation is that the exemptions will be difficult, if not impossible, for merchants to manage in a compliant manner, and that merchants will not be able to control their customers’ experience even if they have relatively low-fraud rates. This is because the exemptions are ultimately dependent on the bank’s level of fraud, and the payment providers and banks bear the responsibility to ensure that SCA has been conducted.
- Instead, we suggest preparing for a reality where SCA is conducted on every transaction and choose a solution that offers the least friction when authenticating your customers.
Building traditional 3DS2 authentication into your checkout flow introduces an extra step that can add friction and increase customer drop-off. Using exemptions for low-risk payments may reduce the number of times you will need to authenticate a customer and reduce friction.
Some of the most relevant exemptions for internet businesses are, in order from most to least likely to be helpful:
This exemption can apply when the customer authorises a series of recurring payments for the same amount, to the same merchant. SCA will be required for the customer’s first payment—subsequent charges, however, will be initiated by the merchant and may be exempted from SCA.
- We expect this exemption will be an excellent option for merchants to take advantage of, if their business model allows for it.
Card details collected over the phone fall outside the scope of SCA and do not require authentication. This type of payment is sometimes referred to as “Mail Order and Telephone Orders” (MOTO). Marking a payment as being a MOTO transaction will be similar to requesting other exemptions, with the cardholder’s bank making the final decision to accept or reject the transaction.
Low-risk transactions (TRA)
A payment provider will be allowed to do a real-time risk analysis to determine whether to apply SCA to a transaction. This may only be possible if the payment provider’s and issuing bank’s overall fraud rates for card payments do not exceed the following thresholds:
- 0.13% to exempt transactions below €100
- 0.06% to exempt transactions below €250
- 0.01% to exempt transactions below €500
These thresholds will be converted to local equivalent amounts where relevant.
In cases where only the payment provider’s fraud rate is below the threshold and the cardholder’s bank is above it, we expect the bank to decline the exemption and require authentication.
- While this exemption may seem promising, we consider the fraud rate thresholds unrealistically low for almost all merchants and industries. If a merchant expects to utilize this exemption, they should ensure they are not turning away genuine customers in order to achieve the target fraud rates.
Payments below €30
Transactions below €30 will be considered “low value” and may be exempted from SCA. Banks will, however need to request authentication if the exemption has been used five times since the cardholder’s last successful authentication or if the sum of previously exempted payments exceeds €100. The cardholder’s bank will need to track the number of times this exemption has been used and decide whether authentication is necessary.
- We expect this exemption will be impossible for merchants to take advantage of as part of a real-time checkout experience, as banks and payment providers will have to pass the cardholder’s data back and forth multiple times in order to even determine if the exemption is available.
When completing authentication for a payment, customers may have the option to whitelist a business they trust to avoid having to authenticate future purchases. These businesses will be included on a list of “trusted beneficiaries” maintained by the customer’s bank or payment service provider.
We expect this exemption will be impossible for merchants to take advantage of in the near-term future, except possibly for American Express cards, as it has not been broadly implemented by banks.
Are exemptions a viable compliance strategy?
While exemptions may someday be useful for merchants, it’s important to remember that the issuing bank will decide whether or not to accept an exemption; thus the bank will control the merchant’s checkout experience. Payments where an exemption are declined will have to be resubmitted to the customer with a request for SCA, including the multiple step-up methods described above if the merchant is relying only on 3DS2.
Signifyd suggests that you instead implement a solution that is able to preemptively conduct SCA on all transactions, so that your online store can be both compliant with PSD2’s requirements and offer a seamless customer experience.
Signifyd’s Seamless Strong Customer Authentication™
The changes introduced by PSD2 will deeply affect ecommerce in the EEA. Impacted businesses that don’t prepare for these new requirements, or that only rely on 3DS2 to conduct SCA, will see their conversion rates significantly drop after the enforcement of SCA. Stripe, Worldpay and Amazon estimated that relying on 3DS2 alone will result in conversion drop off of 25% or more for card payments.
We strongly believe that merchants should not be liable for fraudulent activity conducted using card payments—and thus 3DS2 and its shift of liability onto the issuing banks is a step in the right direction. However, we also believe that merchants should be able to control their customer’s experience, and that all cardholders should be able to engage in online commerce, especially if they don’t have access to SMS or own the latest generation mobile device.
Exemptions from SCA might provide that experience someday for some portion of ecommerce transactions, but as indicated above, those exemptions will not be effective and we expect there will be differences in how national regulators and even individual banks will support them.
By integrating with a merchant’s storefront and payment provider, Signifyd can both collect the information necessary to conduct SCA on every single transaction, without resorting to step-ups, and dynamically link that transaction to the issuing bank. Merchants in our Commerce Network will be compliant with PSD2 well ahead of its enforcement period, provide their customers with a frictionless shopping experience and fearlessly ship more good orders with our chargeback guarantee.
Click here to learn more about Signifyd’s products. If you have any questions or feedback, please let us know!