2-Factor Authentication for Payments in the EU

2-Factor Authentication for Payments in the EU

A new EU law will soon change how Payment Service Providers authenticate customers making payments online.

The EU revised Payment Services Directive (PSD2) imposes strict verification requirements via a process called "Strong Customer Authentication" (SCA).

The law aims to tackle online fraud, but some ecommerce businesses are concerned that it may lead to more abandoned carts and lower conversion rates.

PSD2 regulates Payment Service Providers, such as banks and financial institutions. But retailers of all sizes across the EEA and the UK must take steps to remain legally compliant. You may also be able to mitigate the potential harm to your online sales.


Revised Payment Services Directive (PSD2)

PSD2.imposes numerous changes on how Payment Services Providers operate. This has knock-on effects for all businesses that take payments from customers.

What is PSD2?

PSD2 (available here) is an EU directive. It is a revision of a 2007 law known as the Payment Services Directive.

PSD2 has several key objectives:

  • Improving the security of online payments
  • Enhancing customer protection
  • Encouraging innovation
  • Increasing competition among Payment Service Providers

Who Has to Comply with PSD2?

PSD2 is directed at Payment Service Providers: Companies that provide the tools that allow businesses to accept card payments from customers.

Payment Service Providers include:

  • Card-issuing financial services companies, such as Visa, MasterCard, and American Express
  • Online payment processors, such as PayPal and Stripe
  • Third-Party Payment Service Providers, such as iDEAL and Trustly

Note that, although PSD2 is directed at Payment Service Providers, practically all customer-facing businesses (particularly ecommerce stores) will be impacted by the changes.

Where Does PSD2 Apply?

PSD2 applies across the whole of the European Economic Area (EEA), which is a larger area comprising all EU countries plus Iceland, Lichtenstein, and Norway. The law also applies in the UK.

PSD2 is a directive, meaning that the countries in its scope are responsible for bringing the new rules into their national legislation. Different affected countries approached this in different ways.

  • In the Netherlands, the PSD2 came into national law via amendments to two existing laws, the Act on the Financial Supervision (available in English here) and the Dutch Civil Code.
  • The United Kingdom (which was still an EU member state when PSD2 came into force) implemented the PSD2 by enacting the Payment Services Regulations 2017 (available here).
  • Germany implemented the PSD2 by amending the German Banking Act (available in English here) and the German Civil Code.

The basic rules of PSD2 will be preserved in each of them. However, there may be some minor differences, and it's important that you are familiar with the national law of any European markets in which you operate.

Does the PSD2 Affect Non-EEA Businesses?

Unless an exemption applies, all businesses (wherever they are based) must implement SCA for all payments that are:

  • Initiated by the customer
  • Made using a payment card issued by a card issued in the EEA or UK
  • Processed by an EEA or UK-based Payment Service Provider

If a transaction fulfills all three conditions above, it is within the scope of PSD2, and the SCA rules apply. The location of the retailer is not relevant.

When Will PSD2 Come Into Force?

The following parts of the law have been in force since January 13th, 2018:

  • Increased customer rights
  • Prohibition on surcharging (businesses can no longer issue a fee on credit or debit card transactions)
  • Improved complaints procedure

The original deadline for implementing SCA was September 14, 2019. However, certain stakeholders (most notably, retailers) were not equipped to implement SCA by the deadline date. The deadline for implementing SCA has now been extended to December 31, 2020.

This means businesses must have systems in place to protect payments using SCA by this date.

Strong Customer Authentication (SCA)

Strong Customer Authentication (SCA)

Here's how PSD2 defines 'Strong Customer Authentication' (SCA):

EUR-Lex PSD2: Definition of Strong Customer Authentication

Let's break that down. Strong Customer Authentication is a verification method that is:

  • Based on at least two factors that are:

    • Independent
    • Designed to protect the customer's confidentiality
  • Categorized as:

    1. Knowledge
    2. Possession
    3. Inherence

Knowledge (Something the Customer Knows)

Knowledge factors help verify a customer's identity by testing whether the customer knows something that only the customer is likely to know.

You regularly verify your identity online using knowledge factors, i.e. the passwords you use to log into email, social media, and other online accounts.

Along with passwords, other common knowledge factors include:

  • Passphrases
  • Personal Identification Numbers (PINs)
  • Authentication codes
  • Secret answers to secret questions

Knowledge factors are simple to verify online. However, there are flaws in using them, including:

  • Cybercriminals can crack weaker passwords using brute force.
  • Knowledge factors can be stolen by hackers who can penetrate unencrypted storage or log a customer's keystrokes.
  • Secret answers may be known to people other than the customer.

Possession (Something the Customer Has)

Possession factors verify a customer's identity by confirming that the customer can access something that only the customer is authorized to possess. Essentially, a key is a possession factor that opens your front door.

Another common possession factor is a credit or debit card. A credit or debit card be used as a possession factor:

  • As part of a single-factor authentication process, for example:

    • A "contactless" payment at the point of sale
    • An online payment without 3D Secure protection
  • As part of a multi-factor authentication process, for example:

    • At point-of-sale, alongside the customer's PIN
    • As part of an online payment alongside the customer's 3D Secure password

Other possession factors may include:

  • Mobile phones
  • Connected card readers
  • Wireless tags
  • USB authentication devices such as YubiKey
  • An authentication code, generated by a card reader or authenticator app

The main risks involved in using possession factors are theft and replication.

Inherence (Something the Customer Is)

Inherence factors are biometric data, such as:

  • Fingerprints
  • Voiceprints
  • Iris or retina scans
  • Facial recognition
  • Keystroke dynamics (a person's unique typing characteristics)

With fingerprint scanning and facial recognition now commonplace on mobile phones, there is likely to be a lot of innovation in this area.

Using biometric data requires very strong security measures, as biometric data is extremely sensitive.

Exemptions to Strong Customer Authentication

Exemptions to Strong Customer Authentication

There are several types of transactions that do not require SCA.

When an exemption applies, the customer can make a purchase using only one authenticating factor, rather than two or more.

The SCA exemptions are set out between Articles 10-18 of Commission Delegated Regulation (EU) 2018/389 (also known as the Regulatory Technical Standards, or RTS), available here.

A retailer doesn't get to decide whether an exemption applies. That's up to the Payment Service Provider. However, it's important for retailers to understand these exemptions so they can optimize their operations and make it more likely that payments will be exempted.

The chance of a customer abandoning their purchase is higher whenever there is friction in the checkout process. An exempted payment requiring only one authentication factor is more likely to be completed.

Let's take a look at some of the SCA exemptions that could impact retailers when taking payments from customers.

Contactless Payments at Point of Sale (Article 11)

Payment Service Providers don't have to apply SCA if the customer is making a contactless payment at the point of sale (not online), and all of the following conditions are met:

  • The transaction does not exceed €50,
  • The customer has spent €150 or less via contactless payments since SCA was last applied, and
  • The customer has made five or fewer consecutive contactless transactions since SCA was last applied.

Low-Value Remote Transactions (Article 16)

Payment Service Providers don't have to apply SCA where a customer makes a remote (i.e. online) transaction and all of the following conditions are met:

  • The transaction does not exceed €30,
  • The customer has spent €100 or less via remote transactions since SCA was last applied, and
  • The customer has made five or fewer consecutive remote transactions since SCA was last applied

Transaction Risk Analysis (Article 18)

Payment Service Providers don't have to apply SCA to certain low-risk transactions.

This is a powerful exemption and it requires a good record of fraud prevention on the part of a Payment Services Provider.

Before it can apply this exemption, the Payment Service Provider must be able to show that it has a low overall rate of fraud; both in general and in respect of the particular type of transaction taking place.

The Payment Services Provider will also need to undertake a real-time risk analysis to establish that:

  • The customer has not engaged in unusual spending or an unusual pattern of behavior.
  • There is no evidence of anything unusual about the customer's device or app access.
  • There are no signs of a malware infection during the authentication procedure.
  • The transaction does not relate to a known fraud scenario that can occur when providing payment services.
  • The customer is not in an abnormal location.
  • The payee is not in a high-risk location.

A Payment Service Provider cannot use this exemption if it has high fraud rates for more than two consecutive quarters.

This exemption should serve to stimulate competition among Payment Service Providers.

If you want your customers to have a smoother checkout experience, choose a Payment Service Provider with a low fraud rate. It will be more likely to be able to apply the "transaction risk analysis" exemption.

Direct Debits

Direct Debits are not covered by SCA. A customer does not need to be subject to SCA in order to set up a Direct Debit.

This is not technically an exemption. Direct Debits are initiated by the merchant/retailer and therefore fall outside of the scope of the PSD2.

3D Secure

3D Secure

3D Secure is a common 2-Factor Authentication method. Various Payment Services Providers operate a version of 3D Secure, or will begin to do so once SCA becomes mandatory.

Various Payment Service Providers use the 3D Secure framework under a brand name, for example:

  • Visa Secure
  • Mastercard Identity Check
  • American Express SafeKey

3D Secure 1

The first generation of 3D Secure, which has been in operation since 2001, is optional for both retailers and customers.

For customers, 3D Secure adds some friction at checkout, but it does allow them to shift liability for fraudulent transactions onto their card issuer (meaning that they will have little trouble getting a refund for fraudulent transactions).

Customers must register with their card issuer to set up 3D Secure. They will be redirected to the card issuer's website during checkout to enter additional authentication information.

3D Secure 2

3D Secure 2 aims to provide a smoother checkout process once SCA becomes compulsory. This should help mitigate any potential damage to conversion rates.

Some features of 3D Secure 2 include:

  • Frictionless authentication: 3D Secure 2 aims to passively extract information about a customer, such as their device ID and transaction history, in order to satisfy the SCA requirements without the customer even noticing that an additional layer of authentication is taking place.
  • Biometric authentication: 3D Secure 2 will allow Payment Services Providers to authenticate customers using fingerprint readers and other biometric authentication methods.
  • In-app authentication: 3D Secure 2 will allow customers to authenticate directly within a mobile app rather than being redirected to a browser.

Implementing Strong Customer Authentication

Implementing Strong Customer Authentication

When the SCA deadline hits, banks will be forced to decline transactions that are not compliant with SCA.

This means retailers whose websites or payment terminals cannot facilitate 2-Factor or Multi-Factor Authentication will be unable to accept payments from customers.

Upgrading Your Payments Infrastructure

You must be capable of accepting SCA-compliant payments before the PSD2 deadline hits at the end of 2020.

Payment gateways may not upgrade to 3D Secure 2 automatically. Many retailers will need to upgrade their systems to incorporate 3D Secure 2. Action items include:

  • Upgrading your website checkout processes
  • Updating your mobile app API

Your existing Payment Service Provider probably has a plan to help retailers make the upgrade to 3D Secure 2. Here are some links to such guidance from some popular Payment Service Providers:

Certain Payment Services Providers are already compliant with SCA, or else they will be making the upgrade to 3D Secure 2 automatically, including:

  • Shopify Pay
  • Apple Pay
  • Google Pay

If you're in any doubt about whether you need to take action in time for the deadline, contact your Payment Services Provider.

If PSD2 increases your abandoned cart rate or harms your online sales, you may want to consider shopping around for a new Payment Services Provider with a lower fraud rate.

Updating Your Privacy Policy

Updating Your Privacy Policy

Privacy laws such as the EU General Data Protection Regulation (GDPR) require that you inform your customer of the types of personal data you collect, and the types of third parties that may collect personal data on your behalf.

3D Secure processes the personal data of your customers. The current version of 3D Secure requests card details and a password. 3D Secure 2 may request biometric data and automatically collect other personal data such as device IDs.

As such, it's important to update your Privacy Policy to make customers aware that you use 3D Secure.

Many businesses using the first generation of 3D Secure are already doing this. Here's an example from home improvement company Hallstone:

Hallstone Privacy Policy: 3D Secure clause

Hallstone explains 3D Secure by comparing it to "Chip and PIN," a point-of-sale 2-Factor Authentication process that UK consumers will be familiar with. Hallstone then provides links to its Payment Services Providers' websites.

Here's another example from online retailer Menkind:

Menkind Privacy Policy: Payment Security clause

Menkind explains 3D Secure and how to register with the service. This is mostly relevant to the first generation 3D Secure, which is optional for retailers and their customers. But it is worth noting the final paragraph, which explains that Menkind does not hold or access its customers' payment information.

Preparing for PSD2: Summary

Before the PSD2 hits in December 2020, you should:

  • Understand PSD2, SCA, and their implications for your business
  • Consider whether you can optimize your sales process to take advantage of the "low-value transaction" and "low-risk transaction" SCA exemptions
  • Implement SCA into your systems:

  • After PSD2 takes effect, keep an eye on your abandoned cart rates and consider switching Payment Service Provider if required
Robert B.

Robert B.

Legal writer.

This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.