Merchants can't let 'PSD2' and 'SCA' be vague initials

Register now

Businesses that process payments in Europe have probably seen or heard the terms “PSD2,” “SCA” and “3-D Secure” being tossed around more than usual lately.

However, many companies don’t understand what these regulations are or how they will impact their business. More important, they are struggling to figure out what actions they need to take to become compliant, avoid increased payment declines and improve their payment security.

With the deadline for businesses to update their payment process to meet new PSD2 regulations quickly approaching in September, companies need to act now to ensure that their payment processing will be compliant in time. Here is some key information about the regulations and factors for companies to contemplate as they prepare for the transition.
The Payment Service Directive 2 (PSD2) is a new set of regulations pertaining to the European Economic Area. It was created to improve the existing EU rules for electronic payments and better integrate payment services across the European Union. Part of that involves increasing the level of protection for consumers when they make electronic payments to businesses located in EEA. The new regulations also intend to create a clear and comprehensive set of rules that will apply to providers of both existing and new, innovative payment services.

PSD2 requires that SCA is applied to all electronic payments — including proximity, remote and mobile payments — within the European Economic Area (EEA). The SCA mandate is complemented by some limited exemptions that aim to support a frictionless customer experience when transaction risk is low.

Specifically, the PSD2 regulation that will impact businesses the most this year is Strong Customer Authentication (SCA).

It is a key mandate included in the PSD2 within EEA that requires electronic payments initiated by the buyer to be authenticated by at least two independent factors.

PSD2 requires businesses to implement two-factor authentication SCA for online payments processed by EEA acquiring banks. If SCA is not in use, credit and debit card issuers will likely decline the transaction.

However, there are some exceptions to this requirement. Mail order/telephone order (MOTO), merchant-initiated transactions, such as auto-paid subscriptions and recurring payments, low-value transactions, TRA-based transactions and secure corporate payments are some examples.

These rules take effect when a shopper uses a credit or debit card issued by a bank in the European Economic Area and the business is registered in the EEA (which includes EU countries and Iceland, Liechtenstein and Norway). Even businesses that are not based in the EEA but are registered in the EEA are impacted by the new rules if the acquiring bank they use for payment processing is in the EEA.

EEA merchants whose business sells online to shoppers in this region need to ensure their payment process is PSD2 compliant by Sept. 14, 2019.

But what’s the Difference Between 3-D Secure 1.0 and 3-D Secure 2.0? 3-D Secure has been around for many years, but the first version was notoriously not very user-friendly. The original version required shoppers to remember a specific security code to authenticate their identity during checkout. Additionally, 3-D Secure 1.0 does not work on mobile, so businesses that used it were experiencing high levels of cart abandonment.

3D Secure 2.0 has solved those issues. The most recent upgrades include filling a number of functionality gaps, including the addition of mobile support; offering significant improvements to the user experience, which could lower shopping cart abandonment; allowing for a more seamless integration with businesses’ existing e-commerce solutions; and creating better transaction fraud protection

Now, card issuers can send one-time security codes to cardholders via email, SMS or other, more convenient channels. Biometrics like fingerprint scanning and facial recognition are supported as well, allowing banks to validate transactions with minimum disruption to the shopper’s workflow.

Businesses who implement 3D Secure 2.0 can not only meet the new compliance requirements, but can also reduce transaction fraud and shift their chargeback liability to issuers if authenticated using 3D Secure. The improved user experience would also lower the shopping cart abandonment rate.

To comply with the regulations, all European businesses should implement 3D Secure prior to Sept. 14. If they don’t implement 3D Secure by the deadline, they face a significant risk of payment declines and disruption to their typical revenue model. By making sure their payment processing solution is compliant, they can save themselves the hassle of declined payments and make sure they’re capitalizing on the expansive European e-commerce market.

For reprint and licensing requests for this article, click here.
Retailers Payment processing Compliance Authentication ISO and agent