The second Payment Services Directive (PSD2), issued on September 14th, 2019, has introduced new requirements for banks to reduce fraud, called strong customer authentication (SCA) requirements. This new PSD2 SCA regulation will be critical to advancing cybersecurity in Europe, especially as the fraud rate continues to climb. In this brief guide, we’ll cover the key facts you need to know.
PSD2 Explained Simply
Originally adopted in December 2007, the Payment Services Directive (PSD1) was put into place to set regulations on financial institutions in regards to payment services to promote competition and commerce across the European Union (EU) and the European Economic Area (EEA).
The directive was later updated in 2015 in the form of PSD2, building upon the original directive to accommodate newer payment methods, while widening its scope in the process.
Included in PSD2 is the requirement that payment service providers establish strong customer authentication (SCA) for electronic payments, primarily affecting online transactions.
For PSD2 compliance, SCA requirements went into effect as of September 14, 2019.
PSD2 Strong Customer Authentication: Do I Need It?
For businesses that need to become PSD2 compliant, SCA applies to online card transactions where both the cardholder’s bank and the merchant are located in the EEA, also referred to as two-legged transactions. One-legged transactions, where only one of the parties is based in the EEA, are out of scope.
If you only take physical card payments through a POS terminal, you are out of scope as the transaction likely already involves two-factor authentication (2FA) as one of its security measures. A card with a chip and PIN, for example, would already satisfy the 2FA requirements.
In other words, e-commerce merchants and card-issuing banks are likely to be hard hit and will require SCA adjustments.
PSD2 SCA Requirements
The purpose of applying PSD2 SCA is to increase payment security while protecting customers’ sensitive information. The new PSD2 requirements allow payments under €500 to be protected by transaction risk analysis. By expanding 2FA requirements to online payments as a PSD2 requirement, the information needed to process this type of transaction is more difficult to obtain and use fraudulently.
But what qualifies as strong customer authentication?
SCA requires authentication consisting of two of the following three elements:
- Knowledge: something only the user knows, such as a password
- Possession: something only the user possesses, like a smartphone that can receive an authentication code
- Inherence: something the user is, demonstrated through biometric means
Many consumers who make purchases through their phone may already be familiar with the inherence type of 2FA, such as when they use a fingerprint along with a password or PIN to complete an online transaction.
Many transactions will also require 3D Secure authentication. This method requires the customer to also verify with their card issuer before finishing a transaction. 3D Secure is used to reduce fraud and is already being used by major card networks like Visa, Mastercard, and American Express.
What happens if I miss the PSD2 SCA deadline?
Penalties for EEA banks will be decided by the individual EU member states. In terms of how non-compliance would affect businesses and customers, if PSD2 SCA requirements are not met during an online payment, the cardholder’s bank can decline the transaction, which would have a negative effect on all parties involved.
There has been a delay in PSD2 SCA implementation since the regulation was first announced. In the current PSD2 timeline, many European countries have set 31 December 2020 as a hard deadline. It is recommended that businesses start addressing PSD2 SCA solutions immediately, both to comply now and to be ready for future regulation changes. As new requirements are added, they are likely to build upon current 3D Secure structures.
Are there exemptions to PSD2?
Possible exemptions include the following:
- Low-risk transactions based on fraud thresholds for the cardholder’s bank
- Low-value transactions (payments under €30)
- Recurring/subscription payments of the same amount, also known as merchant initiated transactions
- Whitelisted beneficiaries
- Corporate card transactions for employees
There are a number of additional situations and scenarios that are exempt from SCA, although it is up to the individual cardholder’s bank whether or not the exemption is permitted.
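As an added example, not from the original article, here is a small Python model of the scoping and exemption rules listed above together with the two-of-three factor check from the SCA requirements section. The €30 and €500 thresholds are the article's; the EEA country list is deliberately partial, and the field names and the issuer_tra_passed flag are assumptions standing in for the issuer's own risk decision.

```python
"""Simplified PSD2 SCA scoping model (illustrative, not a compliance engine).

Exemptions are granted or refused by the cardholder's bank, so a merchant can
only request one; this code models the decision the issuer would make.
"""
from dataclasses import dataclass
from enum import Enum

# Partial list of EEA country codes, enough for the examples below (assumed).
EEA = {"DE", "FR", "NL", "IE", "ES", "IT", "NO", "IS", "LI"}


class Factor(Enum):
    KNOWLEDGE = "knowledge"    # password, PIN
    POSSESSION = "possession"  # phone receiving a one-time code, the card itself
    INHERENCE = "inherence"    # fingerprint, face


@dataclass
class Transaction:
    amount_eur: float
    issuer_country: str
    merchant_country: str
    channel: str = "ecommerce"            # "ecommerce" or "pos"
    recurring_same_amount: bool = False   # merchant-initiated subscription
    whitelisted_beneficiary: bool = False
    corporate_card: bool = False
    issuer_tra_passed: bool = False       # issuer's risk analysis accepted it (assumed field)


def factors_satisfy_sca(presented):
    """SCA needs two *distinct* categories: password + PIN is still one factor."""
    return len({Factor(p) for p in presented}) >= 2


def sca_decision(tx):
    """Return (sca_required, reason) for a transaction, in the order the rules apply."""
    if tx.channel != "ecommerce":
        return False, "out of scope: POS payment (chip and PIN already two factors)"
    if not (tx.issuer_country in EEA and tx.merchant_country in EEA):
        return False, "out of scope: one-legged transaction"
    if tx.amount_eur < 30:
        return False, "exempt: low value"
    if tx.recurring_same_amount:
        return False, "exempt: merchant-initiated recurring payment"
    if tx.whitelisted_beneficiary:
        return False, "exempt: whitelisted beneficiary"
    if tx.corporate_card:
        return False, "exempt: corporate card"
    if tx.amount_eur < 500 and tx.issuer_tra_passed:
        return False, "exempt: transaction risk analysis"
    return True, "SCA required"
```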