PSD2’s Strong Customer Authentication
What ecommerce businesses need to know about the EU’s pending requirements for SCA and Dynamic Linking
Last updated on 16 October 2019
As of 14 September 2019, the European Economic Area faces new regulatory obligations for authenticating online payments. Part of the second Payment Services Directive (PSD2), the core of these obligations is referred to as Strong Customer Authentication (SCA) and has a stated objective of “ensuring that payments across the EU are secure, easy and efficient.”
- Signifyd expects that, pursuant to the European Banking Authority’s (EBA’s) opinion issued on 16 October 2019, Competent Authorities throughout Europe will provide for an enforcement exemption period for PSD2’s SCA obligations, and is tracking the pronouncements of the below Competent Authorities.
- Consistent with that expectation, Visa, Mastercard and a group of European payments and retailer consortiums released a Joint Industry Statement on 1 August 2019 that requested greater clarity from the EBA and Competent Authorities during a “transition period” of “flexible enforcement” of at least 18 months so that all ecommerce stakeholders could rely on a consistent application throughout the EEA.
- In a second Joint Industry Statement on 4 September 2019, the same group requested that the EBA and EC issue a working plan towards enforcement of SCA, rather than rely on individual plans from each Competent Authority. In this statement, Visa estimated that simply implementing 3DS2 on the original timeline of 14 September 2019 “would lead to an overall 25-30% [in] card abandonment/authorisation decliness, which will be a huge disruption to European e-commerce and payments.”
Below is a compliance timetable that Signifyd has reviewed with several Competent Authorities regarding the next three six-month periods leading up to the industry’s suggested enforcement date of 14 March, 2021.
|Country||Competent authority||Latest Announcement regarding SCA|
|Austria||Financial Market Authority||19 August 2019 - “FMA will extend the deadline for implementing strong customer authentication ('2-Factor Authentication') for e-commerce card payments to allow additional time for technical switch-over to payment service providers and trading companies.” Translated|
|Denmark||Finanstilsynet||4 September 2019 - “[I]t is the opinion of the Danish Financial Supervisory Authority that the market may be ready to comply with the new rules on March 14, 2021. Therefore, the Danish FSA will allow card issuers, card acquirers and e-commerce to receive an additional 18 months to ensure compliance with the new rules.” Translated|
|Finland||Finanssivalvonta (Fin-FSA)||5 September 2019 - “On a temporary basis, the FIN-FSA does not intend to impose administrative sanctions on its supervised entities, [...] The additional time granted by the FIN-FSA for the implementation of requirements and change processes is temporary. The FIN-FSA will decide on the length of the transitional period this year after consulting the European Banking Authority and the supervisors of other Member States on the issue.”|
|France||Autorité de contrôle prudentiel et de Resolution||9 July 2019 - The Bank of France plan provides for a three year migratory period until full compliance in 2022, while setting a target for the majority of transactions be compliant with SCA by December 2020. The plan also includes an intermediate assessment in June 2021 on the residual “customers of SMS OTP”--as a disfavored technology for the possession element--in order to determine how to best continue the phase out of the transition.|
|Germany||BaFin and Bundesbank||21 August 2019 - “The extension will be limited in time. BaFin will determine when it will expire after consulting the market participants and coordinating with the EBA and the national European supervisory authorities.” Translated|
|Greece||Bank of Greece||26 August 2019 - “The Bank of Greece will adopt the EU-wide time frame to be specified by EBA (following the collection and processing of individual national data) and to be announced during the last quarter of this year”|
|Hungary||Central Bank of Hungary||10 September 2019 - “[T]he Central Bank of Hungary decided to provide the domestic market players an additional 12 months period to comply with the requirements of strong customer authentication in case of e-commerce transactions.”|
|Ireland||Central Bank of Ireland||8 August 2019 - “A limited migration period will be put in place for firms regulated by the Central Bank of Ireland in relation to the application of SCA requirements under the PSD2 Directive.”|
|Italy||Banca d'Italia||6 August 2019 - “The Bank of Italy has decided to provide the Italian financial industry additional time to complete the adjustments [for] card-based online payments... During the migration period, payments carried out without strong customer authentication may continue to be sent and accepted according to the current procedures.”|
|Netherlands||De Nederlandsche Bank||8 August 2019 - “DNB intends to allow market parties that were unable to prepare for the introduction of SCA for credit card transactions in time to have limited additional time. How much additional time will be allowed has not yet been determined.” Translated|
|Poland||Polish Financial Supervision Authority||19 August 2019 - “The framework conditions, including maximum time limits for the implementation of the SCA solutions within the ‘migration plan’, will be indicated after the conclusion of the arrangements at EBA, which will take place most likely after 14 September 2019.”|
|Portugal||Banco de Portugal|
|Spain||Banco de España||11 September 2019 - “In order to avoid possible negative consequences for some payment service users after 14. September[, t]he Banco de España [will] provide limited additional time allowing issuers of payment instruments and acquirers to migrate to solutions that are compliant with SCA [and] will review the migration plans presented by the PSPs, in accordance with the Opinion of the EBA[.]”|
|Sweden||Finansinspektionen||4 September 2019 - “The rules will ... start to apply when they are introduced on September 14, 2019[.] However, those companies that are under the supervision of Finansinspektionen who consider themselves to need additional time for the application of strong customer authentication for transactions made via card payment in e-commerce ... have the opportunity to submit a detailed plan ... which should be in line with the timetable that the EBA will state later this year.” Translated|
|UK||Prudential Regulation Authority and Financial Conduct Authority||20 August 2019 - “The FCA [will] not to take enforcement action [for] firms that can demonstrate that they have taken the necessary steps to comply with the UK Finance co-ordinated plan to deliver SCA by 14 March 2021.”|
What is Strong Customer Authentication?
Strong Customer Authentication (SCA) is a European regulatory framework that describes three types of information that should be reviewed as part of an online payment transaction, so as to increase security and reduce fraud. To accept ecommerce payments once PSD2’s obligations go into effect, merchants will need to build authentication technologies into their checkout flows that measure at least two of the following three elements:
“Something you know”, the KNOWLEDGE Element (e.g., password or PIN)
“Something you have”, the POSSESSION Element (e.g., phone or hardware token)
“Something you are” the INHERENCE Element (e.g., fingerprint or face recognition)
The Knowledge Element: “Something you know”
What PSD2 describes as “Something the user knows,” the EBA refers to as the knowledge element. Acceptable knowledge elements are sets of information that are protected by mitigation measures to prevent disclosure to third parties and that existed prior to the transaction being attempted. The EBA has outlined the following as a non-exhaustive list of possible knowledge elements:
|EBA Verified as SCA Compliant||EBA Verified as Not Compliant with SCA|
The Possession Element: “Something you have”
What PSD2 describes as “Something the user has”, the EBA calls the possession element. Possession elements are measured by the generation or receipt of a secure, dynamic validation on a device. Possession elements can be measured by some technologies that do not require active customer interaction (e.g., capturing the unique signature generated by a device) or more commonly by pushing a one-time password to the device via SMS text. The EBA has outlined the following as a non-exhaustive list of possible possession elements:
|EBA Verified as SCA Compliant||EBA Verified as Not Compliant with SCA|
Note, the card itself or information contained on it cannot qualify as something the user “has.”
The Inherence Element: “Something you are”
What PSD2 describes as “Something the user is”, the EBA refers to the inherence element. This element consists of measuring data related to the physical properties, physiological characteristics or behavioural processes of the body. The EBA has outlined the following as a non-exhaustive list of possible Inherence elements:
|EBA Verified as SCA Compliant||EBA Verified as Not Compliant with SCA|
Many of these data elements are available only on mobile devices, so merchants should consider how to handle transactions placed on both mobile apps and in-browser. Additionally, note that authentication protocols such as 3DS do not include any inherence elements, per the EBA, in the current versions of 2.0 or newer.
Signifyd’s Seamless SCA™ solution does include both browser- and mobile-friendly inherence elements.
If you would like to read the original SCA requirements, they are set out in the Regulatory Technical Standards or RTS. The EBA issued an Opinion on 21 June 2019 that describes which technologies adequately measure the three different elements of SCA, which the above tables summarize.
When is Strong Customer Authentication required?
Strong Customer Authentication will apply to “customer-initiated” online payments within the European Economic Area (EEA) and is not only for companies based in the EEA. If you have customers whose cards are issued in the EEA and you sell in (payments are acquired in) the EEA, then the PSD2 requirements will apply. As a result, most credit and debit card payments and all bank transfers will require SCA. Recurring direct debits are considered “merchant-initiated” and will not require strong authentication. With the exception of contactless payments, in-person card payments are also not impacted by the new regulation.
For online credit and debit card payments, these requirements will apply to transactions where both the merchant and the cardholder’s bank are located in the EEA.
- We currently expect that SCA will be enforced in the UK, regardless of the outcome of Brexit.
How to authenticate a payment
Currently, the most widely adopted way of authenticating an online card payment in the EEA relies on 3-D Secure—a protocol created by EMVCo, a consortium of the card scheme brands. 3-D Secure usually requires that consumers take at least one extra step during or after the checkout to provide additional information to complete a payment (e.g., entering a one-time code sent to their phone or authentication through their mobile banking app).
3-D Secure 2 (or 3DS2)—the new version of the protocol released in 2019—will be the main method that merchants use to meet PSD2’s requirement to “dynamically link” the payment to the issuing banks and confirm that SCA has been conducted.
This new version introduces support for mobile applications, but on its own will require even more additional steps to conduct SCA (e.g., both requiring the cardholder to enter a previously known password or PIN and also confirming the cardholder’s device by entering a one-time password provided by SMS).
- The EBA’s Opinion on 21 June 2019 confirmed that 3DS2 does not support the ability to measure any inherence data points and that a one-time password may satisfy possession but does not satisfy the knowledge element.
Other card-based payment methods such as Apple Pay or Google Pay support payment flows with a built-in layer of authentication (including biometrics for the inherence element). These can be a great way for merchants to offer a frictionless checkout experience while meeting the new requirements, but they have relatively low adoption rates among consumers.
Signifyd’s Seamless SCA™ solution adopts a similar approach to Apple Pay and allows merchants to passively conduct SCA while customers shop on their site, by measuring device token information to satisfy the possession element and behavioral and biometric information to satisfy the inherence element. Our built-in 3DS2 capabilities ensure that a merchant’s payment provider and the cardholder’s issuing banks receive the information necessary to authenticate the transaction.
Exemptions to Strong Customer Authentication
Under PSD2, specific types of payments may be exempted from the requirement to conduct SCA. Payment providers may be able to request these exemptions when processing the payment. The cardholder’s bank will then receive the request, assess the risk level of the transaction and ultimately decide whether to approve the exemption or whether authentication is still necessary.
- Our expectation is that the exemptions will be difficult, if not impossible, for merchants to manage in a compliant manner, and that merchants will not be able to control their customers’ experience even if they have relatively low-fraud rates. This is because the exemptions are ultimately dependent on the bank’s level of fraud, and the payment providers and banks bear the responsibility to ensure that SCA has been conducted.
- Instead, we suggest preparing for a reality where SCA is conducted on every transaction and choose a solution that offers the least friction when authenticating your customers.
Building traditional 3DS2 authentication into your checkout flow introduces an extra step that can add friction and increase customer drop-off. Using exemptions for low-risk payments may reduce the number of times you will need to authenticate a customer and reduce friction.
Some of the most relevant exemptions for internet businesses are, in order from most to least likely to be helpful:
This exemption can apply when the customer authorises a series of recurring payments for the same amount, to the same merchant. SCA will be required for the customer’s first payment—subsequent charges, however, will be initiated by the merchant and may be exempted from SCA.
- We expect this exemption will be an excellent option for merchants to take advantage of, if their business model allows for it.
Card details collected over the phone fall outside the scope of the SCA and do not require authentication. This type of payment is sometimes referred to as “Mail Order and Telephone Orders” (MOTO). Marking a payment as being a MOTO transaction will be similar to requesting other exemptions, with the cardholder’s bank making the final decision to accept or reject the transaction.
Low-risk transactions (TRA)
A payment provider will be allowed to do a real-time risk analysis to determine whether to apply SCA to a transaction. This may only be possible if the payment provider’s and issuing bank’s overall fraud rates for card payments do not exceed the following thresholds:
- 0.13% to exempt transactions below €100
- 0.06% to exempt transactions below €250
- 0.01% to exempt transactions below €500
These thresholds will be converted to local equivalent amounts where relevant.
In cases where only the payment provider’s fraud rate is below the threshold and the cardholder’s bank is above it, we expect the bank to decline the exemption and require authentication.
- While this exemption may seem promising, we consider the fraud rate thresholds unrealistically low for almost all merchants and industries. If a merchant expects to utilize this exemption, they should ensure they are not turning away genuine customers in order to achieve the target fraud rates.
Payments below €30
Transactions below €30 will be considered “low value” and may be exempted from SCA. Banks will, however need to request authentication if the exemption has been used five times since the cardholder’s last successful authentication or if the sum of previously exempted payments exceeds €100. The cardholder’s bank will need to track the number of times this exemption has been used and decide whether authentication is necessary.
- We expect this exemption will be impossible for merchants to take advantage of as part of a real-time checkout experience, as banks and payment providers will have to pass the cardholder’s data back and forth multiple times in order to even determine if the exemption is available.
When completing authentication for a payment, customers may have the option to whitelist a business they trust to avoid having to authenticate future purchases. These businesses will be included on a list of “trusted beneficiaries” maintained by the customer’s bank or payment service provider.
We expect this exemption will be impossible for merchants to take advantage of in the near-term future, except possibly for American Express cards, as it has not been broadly implemented by banks.
Are exemptions a viable compliance strategy?
While exemptions may someday be useful for merchants, it’s important to remember that the issuing bank will decide whether or not to accept an exemption; thus the bank will control the merchant’s checkout experience. Payments where an exemption are declined will have to be resubmitted to the customer with a request for SCA, including the multiple step-up methods described above if the merchant is relying only on 3DS2.
Signifyd suggests that you instead implement a solution that is able to preemptively conduct SCA on all transactions, so that your online store can be both compliant with PSD2’s requirements and offer a seamless customer experience.
Signifyd’s Seamless Strong Customer Authentication™
The changes introduced by PSD2 will deeply affect ecommerce in the EEA. Impacted businesses that don’t prepare for these new requirements, or that only rely on 3DS2 to conduct SCA, will see their conversion rates significantly drop after the enforcement of SCA. Stripe, Worldpay and Amazon estimated that relying on 3DS2 alone will result in conversion drop off of 25% or more for card payments.
We strongly believe that merchants should not be liable for fraudulent activity conducted using card payments—and thus 3DS2 and its shift of liability onto the issuing banks is a step in the right direction. However, we also believe that merchants should be able to control their customer’s experience, and that all cardholders should be able to engage in online commerce, especially if they don’t have access to SMS or own the latest generation mobile device.
Exemptions from SCA might provide that experience someday for some portion of ecommerce transactions, but as indicated above, those exemptions will not be effective and we expect there will be differences in how national regulators and even individual banks will support them.
By integrating with a merchant’s storefront and payment provider, Signifyd can both collect the information necessary to conduct SCA on every single transaction, without resorting to step-ups, and dynamically link that transaction to the issuing bank. Merchants in our Commerce Network will be compliant with PSD2 well ahead of its enforcement period, provide their customers with a frictionless shopping experience and fearlessly ship more good orders with our chargeback guarantee.
Click here to learn more about Signifyd’s products. If you have any questions or feedback, please let us know!