Last updated on 01 July 2022 by Robert Bateman (Privacy and Data Protection Research Writer at TermsFeed)
A new EU law will soon change how Payment Service Providers authenticate customers making payments online.
The EU revised Payment Services Directive (PSD2) imposes strict verification requirements via a process called "Strong Customer Authentication" (SCA).
The law aims to tackle online fraud, but some ecommerce businesses are concerned that it may lead to more abandoned carts and lower conversion rates.
PSD2 regulates Payment Service Providers, such as banks and financial institutions. But retailers of all sizes across the EEA and the UK must take steps to remain legally compliant. You may also be able to mitigate the potential harm to your online sales.
PSD2 imposes numerous changes on how Payment Service Providers operate. This has knock-on effects for all businesses that take payments from customers.
PSD2 (available here) is an EU directive. It is a revision of a 2007 law known as the Payment Services Directive.
PSD2 has several key objectives:
PSD2 is directed at Payment Service Providers: Companies that provide the tools that allow businesses to accept card payments from customers.
Payment Service Providers include:
Note that, although PSD2 is directed at Payment Service Providers, practically all customer-facing businesses (particularly ecommerce stores) will be impacted by the changes.
PSD2 applies across the whole of the European Economic Area (EEA), which is a larger area comprising all EU countries plus Iceland, Liechtenstein, and Norway. The law also applies in the UK.
PSD2 is a directive, meaning that the countries in its scope are responsible for bringing the new rules into their national legislation. Different affected countries approached this in different ways.
The basic rules of PSD2 will be preserved in each of them. However, there may be some minor differences, and it's important that you are familiar with the national law of any European markets in which you operate.
Unless an exemption applies, all businesses (wherever they are based) must implement SCA for all payments that are:
If a transaction fulfills all three conditions above, it is within the scope of PSD2, and the SCA rules apply. The location of the retailer is not relevant.
The following parts of the law have been in force since January 13th, 2018:
The original deadline for implementing SCA was September 14, 2019. However, certain stakeholders (most notably, retailers) were not equipped to implement SCA by the deadline date. The deadline for implementing SCA has now been extended to December 31, 2020.
This means businesses must have systems in place to protect payments using SCA by this date.
Here's how PSD2 defines 'Strong Customer Authentication' (SCA):
Let's break that down. Strong Customer Authentication is a verification method that is:
Based on at least two factors that are:
Knowledge factors help verify a customer's identity by testing whether the customer knows something that only the customer is likely to know.
You regularly verify your identity online using knowledge factors, e.g. the passwords you use to log into email, social media, and other online accounts.
Along with passwords, other common knowledge factors include:
Knowledge factors are simple to verify online. However, there are flaws in using them, including:
Possession factors verify a customer's identity by confirming that the customer can access something that only the customer is authorized to possess. Essentially, a key is a possession factor that opens your front door.
Another common possession factor is a credit or debit card. A credit or debit card can be used as a possession factor:
As part of a single-factor authentication process, for example:
As part of a multi-factor authentication process, for example:
Other possession factors may include:
The main risks involved in using possession factors are theft and replication.
Inherence factors are biometric data, such as:
With fingerprint scanning and facial recognition now commonplace on mobile phones, there is likely to be a lot of innovation in this area.
Using biometric data requires very strong security measures, as biometric data is extremely sensitive.
There are several types of transactions that do not require SCA.
When an exemption applies, the customer can make a purchase using only one authenticating factor, rather than two or more.
The SCA exemptions are set out in Articles 10 to 18 of Commission Delegated Regulation (EU) 2018/389 (also known as the Regulatory Technical Standards, or RTS), available here.
A retailer doesn't get to decide whether an exemption applies. That's up to the Payment Service Provider. However, it's important for retailers to understand these exemptions so they can optimize their operations and make it more likely that payments will be exempted.
The chance of a customer abandoning their purchase is higher whenever there is friction in the checkout process. An exempted payment requiring only one authentication factor is more likely to be completed.
Let's take a look at some of the SCA exemptions that could impact retailers when taking payments from customers.
Payment Service Providers don't have to apply SCA if the customer is making a contactless payment at the point of sale (not online), and all of the following conditions are met:
Payment Service Providers don't have to apply SCA where a customer makes a remote (i.e. online) transaction and all of the following conditions are met:
Payment Service Providers don't have to apply SCA to certain low-risk transactions.
This is a powerful exemption and it requires a good record of fraud prevention on the part of a Payment Services Provider.
Before it can apply this exemption, the Payment Service Provider must be able to show that it has a low overall rate of fraud; both in general and in respect of the particular type of transaction taking place.
The Payment Services Provider will also need to undertake a real-time risk analysis to establish that:
A Payment Service Provider cannot use this exemption if it has high fraud rates for more than two consecutive quarters.
This exemption should serve to stimulate competition among Payment Service Providers.
If you want your customers to have a smoother checkout experience, choose a Payment Service Provider with a low fraud rate. It will be more likely to be able to apply the "transaction risk analysis" exemption.
Direct Debits are not covered by SCA. A customer does not need to be subject to SCA in order to set up a Direct Debit.
This is not technically an exemption. Direct Debits are initiated by the merchant/retailer and therefore fall outside the scope of PSD2.
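The factor rules above (two factors from different categories, a password plus a PIN does not qualify) and the exemption and scope rules just described, as an added example that is not part of the original article. The threshold values are assumptions taken from RTS Articles 11 and 18 rather than from this page, the cumulative limits of Article 11 are omitted, and `Transaction`, `authorise` and the other names are hypothetical.

```python
from dataclasses import dataclass, field

# PSD2's three factor categories; a factor is a (category, method) pair.
CATEGORIES = {"knowledge", "possession", "inherence"}

def satisfies_sca(factors):
    """Two or more factors from at least two different categories (password + PIN fails)."""
    return len({cat for cat, _ in factors if cat in CATEGORIES}) >= 2

@dataclass
class Transaction:
    amount_eur: float
    remote: bool                  # online (True) or point of sale (False)
    merchant_initiated: bool      # e.g. a Direct Debit collection
    psp_quarterly_fraud_rates: list = field(default_factory=list)  # oldest first

# Assumed values from RTS Arts. 11 and 18 (not quoted on this page): remote
# low-value ceiling and the TRA band / reference fraud rate for payments up to
# EUR 100. Art. 11's cumulative-amount and transaction-count limits are omitted.
LOW_VALUE_EUR = 30.0
TRA_AMOUNT_EUR = 100.0
TRA_REF_FRAUD_RATE = 0.0013

def tra_eligible(txn):
    """PSP's fraud rate must be low now, and never high for more than two quarters in a row."""
    rates = txn.psp_quarterly_fraud_rates
    if not rates or rates[-1] > TRA_REF_FRAUD_RATE:
        return False
    run = longest = 0
    for r in rates:
        run = run + 1 if r > TRA_REF_FRAUD_RATE else 0
        longest = max(longest, run)
    return longest <= 2

def exemption_for(txn):
    """Name the applicable exemption (the PSP's decision, not the retailer's), or None."""
    if txn.merchant_initiated:
        return "out_of_scope"      # Direct Debit is merchant-initiated: outside SCA scope
    if txn.remote and txn.amount_eur <= LOW_VALUE_EUR:
        return "low_value"
    if txn.remote and txn.amount_eur <= TRA_AMOUNT_EUR and tra_eligible(txn):
        return "transaction_risk_analysis"
    return None

def authorise(txn, factors):
    """Can the payment proceed? One factor suffices under an exemption."""
    ex = exemption_for(txn)
    if ex == "out_of_scope":
        return True
    return len(factors) >= 1 if ex else satisfies_sca(factors)
```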
3D Secure is a common 2-Factor Authentication method. Various Payment Services Providers operate a version of 3D Secure, or will begin to do so once SCA becomes mandatory.
Various Payment Service Providers use the 3D Secure framework under a brand name, for example:
The first generation of 3D Secure, which has been in operation since 2001, is optional for both retailers and customers.
For customers, 3D Secure adds some friction at checkout, but it does allow them to shift liability for fraudulent transactions onto their card issuer (meaning that they will have little trouble getting a refund for fraudulent transactions).
Customers must register with their card issuer to set up 3D Secure. They will be redirected to the card issuer's website during checkout to enter additional authentication information.
3D Secure 2 aims to provide a smoother checkout process once SCA becomes compulsory. This should help mitigate any potential damage to conversion rates.
Some features of 3D Secure 2 include:
When the SCA deadline hits, banks will be forced to decline transactions that are not compliant with SCA.
This means retailers whose websites or payment terminals cannot facilitate 2-Factor or Multi-Factor Authentication will be unable to accept payments from customers.
You must be capable of accepting SCA-compliant payments before the PSD2 deadline hits at the end of 2020.
Payment gateways may not upgrade to 3D Secure 2 automatically. Many retailers will need to upgrade their systems to incorporate 3D Secure 2. Action items include:
Your existing Payment Service Provider probably has a plan to help retailers make the upgrade to 3D Secure 2. Here are some links to such guidance from some popular Payment Service Providers:
Certain Payment Services Providers are already compliant with SCA, or else they will be making the upgrade to 3D Secure 2 automatically, including:
If you're in any doubt about whether you need to take action in time for the deadline, contact your Payment Services Provider.
If PSD2 increases your abandoned cart rate or harms your online sales, you may want to consider shopping around for a new Payment Services Provider with a lower fraud rate.
Privacy laws such as the EU General Data Protection Regulation (GDPR) require that you inform your customer of the types of personal data you collect, and the types of third parties that may collect personal data on your behalf.
3D Secure processes the personal data of your customers. The current version of 3D Secure requests card details and a password. 3D Secure 2 may request biometric data and automatically collect other personal data such as device IDs.
Many businesses using the first generation of 3D Secure are already doing this. Here's an example from home improvement company Hallstone:
Hallstone explains 3D Secure by comparing it to "Chip and PIN," a point-of-sale 2-Factor Authentication process that UK consumers will be familiar with. Hallstone then provides links to its Payment Services Providers' websites.
Here's another example from online retailer Menkind:
Menkind explains 3D Secure and how to register with the service. This is mostly relevant to the first generation 3D Secure, which is optional for retailers and their customers. But it is worth noting the final paragraph, which explains that Menkind does not hold or access its customers' payment information.
Before the PSD2 deadline hits in December 2020, you should:
Implement SCA in your systems:
This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.