PSD2 & Strong Customer Authentication (SCA)
Announcement: The FCA have announced that they will not take enforcement action against firms for simply not meeting the relevant SCA requirements for areas covered in the agreed plan, where there is evidence that they have taken the necessary steps to comply with the plan.
As of 14th March 2021, any firm that fails to comply with the requirements for SCA will be subject to full FCA supervisory and enforcement action.
A revised Payment Services Directive (PSD2) was implemented in January 2018. The original directive, PSD, was adopted in 2007; it led to the creation of a single market for payments and provided the legal foundation for the Single Euro Payments Area (SEPA).
Since 2007, technological innovation has increased drastically, opening new avenues for services online and on mobile. These new services were outside the remit of PSD, meaning they were not regulated by the EU under the original directive. These technological advances have also seen an increase in Third Party Providers (TPPs) who offer new and innovative ways of accessing consumers’ account information, as well as initiating payments.
However, creating a gateway to consumer accounts in this way increases security risk, and the trade-off is strict regulation of how TPPs and payment service providers gain access to these accounts. In 2018 alone, online payment fraud cost businesses more than €17 billion, and by 2020 this is expected to increase to €100 billion. PSD2 aims to improve security, enhance consumer rights and prevent payment fraud. The Financial Conduct Authority (FCA), which will be responsible for enforcing SCA when it comes into force, summarises the aims of the directive as:
- Contribute to a more integrated and efficient European payments market
- Create a level playing field for payment service providers
- Promote the development and use of innovative online and mobile payments
- Make payments safe and more secure
- Protect consumers
- Encourage lower prices for payments
As a result of these aims, Strong Customer Authentication (SCA) is being introduced by EU regulators as a mandate of PSD2.
Strong Customer Authentication (SCA)
Strong Customer Authentication (SCA) is a requirement of PSD2 for payment service providers and is designed to make paying online more secure, which will consequently reduce the risk of online payment fraud.
At present, end consumers simply have to enter their payment details to complete their purchase. Some businesses voluntarily ask for further authentication; however, this is not currently a legal requirement in the European Economic Area.
From September 2019, millions of European consumers will have to complete two-factor authentication when making purchases online. Two-factor authentication is designed to prove that the end consumer is who they say they are and to provide an extra layer of security for end consumers.
SCA requires the use of two independent sources of validation by selecting two out of three categories to ‘authorise’ a payment. Until an end consumer has been able to provide two of these forms of authentication, the payment will not complete.
The 3 categories are:
Something the end consumer knows
- Examples of knowledge would include a Personal Identification Number (PIN), username, password or the answer to a security question
Something the end consumer owns
- Examples of possession would include a card, mobile phone, security token or smart watch
Something the end consumer is
- Examples of inherence would include a fingerprint, voice recognition, hand measurements or a retina scan
Where is SCA applicable?
Article 97 of PSD2 states that payment service providers must apply Strong Customer Authentication where a payer:
- Accesses its payment account online;
- Initiates an electronic payment transaction;
- Carries out any action through a remote channel which may imply a risk of payment fraud or other abuses.
Card payments and bank transfers are the most likely to be affected by SCA, because card payments and payments to or from an online account are instant. This creates an increased risk of fraud and of consumer rights being breached.
A multitude of other services will also be affected by Strong Customer Authentication, including recurring payments. This means that subscription businesses, SaaS businesses and membership businesses will all need to prepare for the implementation of SCA in September 2019.
For recurring payments initiated by the end consumer, SCA applies only to the first payment in the series. If the amount stays the same thereafter, SCA is not applicable; however, if the amount changes, SCA will apply.
With the exception of standard Direct Debits, SCA will typically be required for the first payment when initiated by the merchant receiving the funds. When subsequent payments are requested by the merchant and the collection is within the reasonable expectation of the end consumer, SCA will not apply.
As SCA is a Europe-wide requirement, it will be mandatory for any online transaction where both the business’ payment service provider and the end consumer’s bank or card provider are located within the European Economic Area (EEA). If one of these is located outside Europe, the payment service provider in Europe is still required to use ‘best efforts’ to apply SCA.
But what about the UK?
The FCA has made its plans clear in relation to SCA and the UK – it wants SCA to continue to apply regardless of the timing or outcome of Brexit.
How to prepare your business for SCA
It is not uncommon for businesses to feel underprepared for the implementation of Strong Customer Authentication. In fact, a survey run in May 2019 found that only 15% of businesses felt extremely prepared, with only 44% expecting to be ready by the deadline date, 14th September 2019. In addition, a survey of 300 online businesses found that only 25% were even aware of the upcoming legislation.
So where does the responsibility for implementing SCA lie?
A business taking payments online will not be directly responsible for ensuring SCA is met. This responsibility falls on the banks and the Payment Service Providers (PSPs).
Paying banks must ensure that online transactions are SCA compliant and must reject any transactions that they deem non-compliant. In order to do this, they must collect the authentication information from the PSPs. As part of the payment flow, PSPs must securely capture the relevant information and securely pass it to the banks in the requested form and by the requested mechanism.
The decision as to whether a transaction is compliant or not rests solely with the paying bank. However, practical difficulties can arise given the limited control one PSP has over the compliance and activities of another. As a result, each PSP must implement its own compliance, which can lead to a more drastic approach to SCA than is strictly necessary.
There are many potential impacts of SCA that may affect businesses; it is therefore critical that they work with a prepared and proactive PSP.
Here are the 4 potential impacts of SCA:
With more end consumer transactions failing to complete as a result of PSP rejections, the European economy is sure to be affected. In fact, it has been estimated that European businesses stand to lose €57bn in the first 12 months of SCA implementation.
Pressure on Resources
Implementing SCA in the short term will require resources from product, legal, finance and operations teams – and even marketing teams, if a business wishes to communicate SCA to its end consumers. One survey of online businesses concluded that 71% felt that SCA would be a burden on resources.
Conversion Rate Drop Off
For any transaction that requires authentication, SCA will add steps to the checkout flow. In May 2019, 69% of purchases were abandoned, with 27% of these abandoned because the checkout process was too long. As a result of the new legislation, businesses can expect to see a drop in conversion rates.
The European Council has advised that ‘PSD2 foresee that a payer can claim full reimbursement from their PSP in case of an unauthorised payment if there was no SCA measure in place if the payer did not act fraudulently’. In short, this means that if a PSP (card acquirer) acts upon an exemption or does not implement SCA, it will be liable for all fraud claims. If SCA is applied, the liability passes to the party applying SCA, for example the card issuer.
Impact upon end consumers
As well as having an impact on businesses, SCA will have a noticeable effect on end consumers when purchasing online. Although banks have taken notice and started to inform businesses of the upcoming legislation, only 25% of end consumers are aware of the changes.
The changes in legislation will greatly affect convenience for end consumers. In September 1999, Amazon trademarked the ‘1-Click’ checkout, which changed how online shopping was perceived and is frequently referenced when comparing online checkout methods. With the changes, this process may no longer be as seamless for end consumers.
Security will also have a great impact on how end consumers shop online. With the introduction of two-factor authentication, the process of online shopping becomes lengthier, yet more secure. With the increase in security, cases of online payment fraud are expected to fall.
How to implement SCA into your business
3D Secure is the most common way of authenticating an online card payment and is an authentication standard supported by the majority of European cards. It typically adds an extra step to the checkout flow, in which the end consumer is asked to provide additional information before the transaction completes.
As part of SCA, businesses will need to update their checkout flow, which will be the most visible and obvious change an end consumer will see. Credit and debit card transactions will be the most affected by SCA; Visa has therefore released an updated version of 3D Secure to ensure the checkout flow is compliant.
3D Secure 2
3D Secure 2 will be the main method for authenticating online card payments and meeting the new SCA requirements. This new version introduces a better user experience and will help minimise the friction that authentication adds to the checkout flow – friction particularly associated with the original 3D Secure product.
Many other card-based methods such as Google Pay and Apple Pay already support this checkout flow by requesting additional authentication such as a fingerprint (inherence) and/or a password (knowledge). These create a frictionless checkout experience for end consumers and also meet the new SCA requirements.
Although many online businesses have started to implement 3D Secure 2, many banks are yet to support 3D Secure 2 procedures, and testing and rollout of the product is unlikely to be complete by 14th September 2019.
In November 2018 the EU Commission completed and distributed a full report outlining the full specifications of what is required of all stakeholders; this information was provided by the Regulatory Technical Standards on SCA.
Where is SCA not applicable?
Merchant Initiated Transactions
Merchant Initiated Transactions are recurring payments that are taken with the end consumer’s consent on a specific collection date.
Under the new SCA regulations, if a payment is initiated by a merchant, whether its amount is fixed or variable, it will be exempt from SCA.
The payment flow of a merchant initiated transaction is not necessarily instant: the end consumer’s details are collected at one time and are not submitted to the paying bank until later. This means that the communication does not happen in ‘real time’, and such a payment is often referred to as an asynchronous transaction. As these are recurring transactions, it would be unrealistic to apply SCA to each of them. However, as previously advised, SCA will in most cases still apply to the first collection.
In relation to electronic ‘paperless’ Direct Debits, in June 2019 the EBA confirmed that SCA is not required for them so long as the end consumer’s PSP is not involved in the set-up process.
Under the new legislation, certain types of low risk transactions may be exempt. Payment providers must request exemptions from the end consumer’s bank, which will assess the risk level of the transaction.
If a PSP uses exemptions for its low risk payments, this can reduce the number of times an end consumer must be authenticated, resulting in reduced checkout friction.
As merchant initiated transactions are outside the remit of SCA, they do not need to request exemption.
The most relevant exemptions are:
If a PSP wishes to utilise an exemption, it must first evaluate whether the transaction would be deemed low risk.
An exemption is only possible if the PSP’s or bank’s overall fraud rate does not exceed the following strict thresholds:
- 0.13% to exempt transactions below €100
- 0.06% to exempt transactions below €250
- 0.01% to exempt transactions below €500
The exemption may be applied by both the payee’s and the end consumer’s PSP; however, the ASPSP (the account servicing PSP, i.e. the end consumer’s bank) may decide to reject the application for exemption. As a rule, we expect merchants’ PSPs’ requests for exemption to be upheld, as the liability will reside with the PSP that accepted the exemption.
Payments below €30
This is another exemption to SCA, as transactions below €30 are deemed low risk. However, banks will request authentication if:
- Exemption has been used 5 times since the last successful transaction
- If the unpaid low value payments total up to €100
Fixed amount subscriptions
As mentioned earlier, an exemption can be applied when making recurring payments for the same amount. However, SCA is required for the first transaction.
End consumers will have the option to whitelist a business they trust when completing payment authentication. It will then appear as a ‘trusted beneficiary’ on a list maintained by the bank.
Transactions between two corporate entities are exempt from SCA. However, this applies only if the payment method is a dedicated B2B method.
What happens if exemption fails?
Although the list of exemptions is clear, the end consumer’s bank will ultimately decide whether an exemption is valid and if rejected, the transaction will trigger a decline code.
If an application for exemption fails, the transaction must be initiated again and authorised using Strong Customer Authentication.
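The decision logic described above, covering the two-of-three authentication categories and the exemptions (merchant-initiated, trusted beneficiary, fixed-amount recurring, low value, transaction risk analysis), as an added worked model; this is not SmartDebit's or any PSP's code. It assumes the thresholds quoted in this article, a simplified per-payer state kept by the issuer, constructed payee names, and that the €100 low-value cap counts the payment being assessed.

```python
from dataclasses import dataclass, field
# Thresholds are those quoted in the article; the payer-state model and payee names are constructed.
TRA_TIERS = [(100.0, 0.13), (250.0, 0.06), (500.0, 0.01)]  # (EUR ceiling, max PSP fraud rate in %)
LOW_VALUE_LIMIT, LOW_VALUE_MAX_USES, LOW_VALUE_MAX_TOTAL = 30.0, 5, 100.0
FACTOR_CATEGORY = {  # the article's examples of knowledge, possession and inherence elements
    "pin": "knowledge", "password": "knowledge", "security_question": "knowledge",
    "card": "possession", "mobile_phone": "possession", "security_token": "possession",
    "fingerprint": "inherence", "voice": "inherence",
}
@dataclass
class PayerState:  # counters an issuer keeps per payer between authentications (constructed model)
    low_value_uses: int = 0        # low-value exemptions used since the last SCA
    low_value_total: float = 0.0   # EUR paid under that exemption since the last SCA
    trusted_payees: set = field(default_factory=set)
    recurring_amount: dict = field(default_factory=dict)  # payee -> amount authenticated with SCA

def two_independent_factors(factors):
    # Two elements from two different categories: PIN + card passes, PIN + password does not.
    return len({FACTOR_CATEGORY[f] for f in factors}) >= 2

def tra_exempt(amount, fraud_rate_pct):
    """Transaction Risk Analysis: a lower PSP fraud rate unlocks a higher exemptible amount."""
    for ceiling, max_rate in TRA_TIERS:
        if amount < ceiling:
            return fraud_rate_pct <= max_rate
    return False  # EUR 500 and above is never exemptible under TRA

def sca_required(amount, payee, state, *, merchant_initiated=False, recurring=False,
                 b2b=False, fraud_rate_pct=None):
    """Return (required, reason), checking the article's exemptions in order."""
    if merchant_initiated or b2b:
        return False, "merchant-initiated or dedicated B2B method: outside SCA"
    if payee in state.trusted_payees:
        return False, "trusted beneficiary"
    if recurring and state.recurring_amount.get(payee) == amount:
        return False, "fixed-amount recurring series already authenticated"
    if (amount < LOW_VALUE_LIMIT and state.low_value_uses < LOW_VALUE_MAX_USES
            and state.low_value_total + amount <= LOW_VALUE_MAX_TOTAL):  # assumed: cap counts this payment
        return False, "low value"
    if fraud_rate_pct is not None and tra_exempt(amount, fraud_rate_pct):
        return False, "transaction risk analysis"
    return True, "no exemption applies"

def record(state, amount, payee, required, reason, recurring=False):
    if required:  # a completed SCA resets the low-value counters and fixes the recurring amount
        state.low_value_uses, state.low_value_total = 0, 0.0
        if recurring:
            state.recurring_amount[payee] = amount
    elif reason == "low value":
        state.low_value_uses += 1
        state.low_value_total += amount
```

Running six €10 payments through `sca_required` and `record` shows the fifth exemption being the last one granted before the bank falls back to SCA, and a changed subscription amount dropping out of the fixed-amount exemption.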
SmartDebit and SCA
SCA is due to take effect across the European Economic Area on 14th September 2019. At SmartDebit, we are fully compliant with PSD2 and Strong Customer Authentication, as SCA does not apply to paperless Direct Debits processed through SmartDebit. As a result, our customers will not need to implement any additional authorisation methods for processing through us.
The EBA has also confirmed that ‘paperless’ Direct Debit mandates will not require SCA on any payment collection, including the initial payment. This is because the process of setting up a paperless Direct Debit does not directly involve the end customer’s PSP.
If you have any queries regarding SCA or want to know how SmartDebit can help you prepare, please do not hesitate to make contact on email@example.com. Alternatively, you can call through to our Customer Support Team on 01276 851820.