As commerce has moved online and the world has become increasingly digital and mobile, businesses have been reaching new markets by meeting the shopping and payment preferences of today’s consumers. At the same time, because of the rapid growth of online transactions – particularly credit card payments – cybercriminals have seized an opportunity.
Fraudsters are always quick to follow the technology curve and exploit security weaknesses, which has led to a big rise in crimes linked to credit card payments. For example, UK-issued card losses totalled £671.4m in 2018, up 19% from £565.4m in 2017, according to a recent fraud report by UK Finance.
In response, the payments industry has been tightening security to catch up with the technology trend. To bring regulation and compliance up to date across Europe, the EU created the second Payment Services Directive (PSD2). Introduced in 2018, PSD2 includes a security component known as Strong Customer Authentication (SCA) which will heighten security for ‘customer-initiated’ credit card payments.
If you sell through the internet, your business must meet the requirements for Strong Customer Authentication, which apply to transactions where both the business and the cardholder’s bank are inside the European Economic Area.
Much information has been published to help merchants and payment service providers understand their responsibilities and prepare for this important change; however, the road to SCA has not been easy and has involved a few twists and turns. Due to concerns about meeting deadlines and the level of industry readiness, the rollout has been extended beyond the original implementation date of 14 September 2019.
Here’s a reminder of what strong customer authentication means for your business, together with the revised rollout plan and the actions you must take to be compliant.
Strong Customer Authentication is compulsory for any business that takes credit card payments online for transactions above €30. It requires more rigorous security checks than before, apart from certain exemptions (see below). Customers who check out online with their credit or debit card details will now need to provide additional identification to satisfy these checks and minimise fraud.
Strong Customer Authentication is built on three layers of security of which at least two must be applied to be compliant. This is known as two-factor authentication and involves selecting two of the following options:
● Something you know (the traditional password or PIN approach)
● Something you have (e.g., a phone, token, or smart card)
● Something you are (e.g., biometric security such as fingerprint or facial recognition)
3-D Secure (3DS) has long been the industry security standard for card payments, but it required updating to support Strong Customer Authentication. This is because the first version of 3DS was not designed for e-commerce or m-commerce. The new solution for online card payments is 3-D Secure 2 (3DS2).
Rather than the simple password/code approach with the original standard, the new version reflects the realities of today’s digital world. 3DS2 draws on a wide range of data to verify transactions, and authentication is built into the payment flow so that there are no redirects to enter security data (a weakness with the original standard).
Originally set for 14 September 2019, the deadline for compliance has been moved to allow more time to prepare. On 16 October 2019, the European Banking Authority announced a new deadline: 31 October 2020. Most European regulators have accepted this, but because of the Covid-19 crisis, the UK’s Financial Conduct Authority has extended it to September 2021. There may be further revisions depending on the state of readiness across Europe, and announcements will be posted by the European Banking Authority.
Under Strong Customer Authentication, any payment that doesn’t fit the criteria for frictionless commerce (i.e., exempt from security checks) is likely to be challenged and require two-factor authentication. Although transactions below €30 can go unchallenged, authentication is required if there have been five exempted transactions or the sum of exempted transactions exceeds €150.
Subscription payments and whitelisted merchants (trusted suppliers) are examples where payments can be exempted. Transactions below €50 for up to five consecutive transactions or an accumulated value up to €150 are also exempt, as are unattended terminals (e.g., for a transport fare or parking).
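As an added illustration (not code from the article or from any payment provider), the low-value exemption counters described above can be modelled as a small decision function: a payment goes unchallenged only while it is under the per-transaction limit, fewer than five exempted payments have accumulated, and the running exempted total would not exceed €150. The per-transaction limit is a parameter so the same counters serve both the €30 online figure and the €50 figure given above; it is an assumption of this example that a completed SCA challenge resets both counters.

```python
from dataclasses import dataclass

LOW_VALUE_LIMIT = 30.00     # per-transaction ceiling for the online low-value exemption (article)
MAX_EXEMPT_COUNT = 5        # exempted payments allowed before SCA is forced (article)
MAX_EXEMPT_TOTAL = 150.00   # cumulative exempted value allowed before SCA is forced (article)


@dataclass
class CardState:
    """Per-card counters since the last successful SCA (constructed model;
    assumption: both counters reset once the cardholder completes SCA)."""
    exempt_count: int = 0
    exempt_total: float = 0.0


def requires_sca(state: CardState, amount: float,
                 low_value_limit: float = LOW_VALUE_LIMIT) -> tuple[bool, str]:
    """Return (True, reason) if this payment must be challenged with two-factor
    authentication, or (False, "low-value exemption") if it may go unchallenged."""
    if amount > low_value_limit:
        return True, "amount above low-value limit"
    if state.exempt_count >= MAX_EXEMPT_COUNT:
        return True, "five exempted transactions since last SCA"
    if state.exempt_total + amount > MAX_EXEMPT_TOTAL:
        return True, "cumulative exempted value would exceed EUR 150"
    return False, "low-value exemption"


def process_payment(state: CardState, amount: float,
                    low_value_limit: float = LOW_VALUE_LIMIT) -> bool:
    """Apply the decision and update the counters; returns True if SCA was required."""
    needed, _reason = requires_sca(state, amount, low_value_limit)
    if needed:
        # Assumption: the challenge succeeds, so the exemption counters start over.
        state.exempt_count = 0
        state.exempt_total = 0.0
    else:
        state.exempt_count += 1
        state.exempt_total = round(state.exempt_total + amount, 2)
    return needed


def simulate(amounts: list[float],
             low_value_limit: float = LOW_VALUE_LIMIT) -> list[bool]:
    """Run a sequence of constructed payment amounts against one fresh card."""
    state = CardState()
    return [process_payment(state, a, low_value_limit) for a in amounts]


if __name__ == "__main__":
    # Constructed sample: five EUR 10 payments exhaust the count; the sixth is challenged.
    print(simulate([10, 10, 10, 10, 10, 10]))
```

With the €30 online limit, five exempt payments can total at most €150, so the count limit is reached first; with the €50 limit the cumulative check can trigger earlier (four €45 payments would exceed €150).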
Shoppers will no longer have to use pop-up windows, while security checks such as biometric recognition promise to bring a swifter and more practical solution for mobile payments. However, some people believe two-factor authentication will mean delays and complicate the shopping experience, leading to lost sales. In reality it’s a question of balance. There is no avoiding the need for increased security, and if Strong Customer Authentication is applied in the way intended, with frictionless flows maximised wherever possible, merchants should not be disadvantaged.
The important thing is for merchants to be prepared so that they avoid unnecessary payment declines. That means working with payment service providers to ensure that the right structures are in place for Strong Customer Authentication.
If a payment service provider can’t support SCA, an issuer bank may reject non-authenticated transactions. Merchants should therefore align themselves with payment service providers who can migrate them to 3DS2 and who have a good understanding of exemptions and how to promote frictionless flows. Even though the deadline for Strong Customer Authentication has been moved, merchants should not be complacent. They should prepare for 3DS2 as soon as possible, optimise payment journeys and exemptions, and collaborate with payment specialists who can find the best solutions for their businesses.