PSD2 has a compliance surprise for unaware U.S. merchants
Although PSD2 is only being enforced in the European Economic Area (EEA), European companies are not the only ones who should be paying close attention to these new regulations.
This September, the Payment Services Directive 2 (PSD2) requirement to perform Strong Customer Authentication (SCA) will officially go into effect.
SCA is aimed at combating fraud and we are supportive of the Commission’s objective. As such, Worldpay is proactive in their support of merchants who need to comply while reducing unintended consequences.
For U.S. companies doing business abroad, PSD2 could still have an impact. So as the countdown to September continues, U.S.-based merchants should educate themselves now—especially if they may need to take steps to maintain compliance.
All online transactions in the EEA will be subject to SCA, which requires that two of three authentication factors are used to complete a transaction. Those authentication methods include something only the user knows like a PIN or password; something only the user possesses like a physical card or mobile phone; and biometric information like facial or fingerprint recognition on a mobile phone
So an example of an SCA-compliant transaction would be a consumer using their mobile phone to order a product online, and the checkout uses his fingerprint to confirm the purchase. While PSD2 does potentially add more steps in the payment process, it is meant to help combat rising online fraud and protect consumers.
If your business operates globally and processes any payments locally in the EEA, you may be subject to the directive. If a merchant cannot authenticate or exempt a transaction based on the SCA criteria after the September deadline, then there is significant risk that issuers will decline the transaction, which could cause merchants to lose sales and revenue.
There are three types of exclusions to SCA. If the card issuer or payment acquirer are U.S.-based in respect of a particular transaction, it is out of scope. While the initial payment of a subscription service is subject to SCA, each recurring transaction can be excluded. Finally, mail order and telephone order transactions are also excluded.
There are also a few other ways a merchant could qualify for an SCA exemption.
Low-value transactions. Transactions less than €30 can qualify for exemption for up to five consecutive transactions, or a total of €100.
Whitelisting. After the first SCA-verified purchase, consumers can whitelist merchants to avoid future SCA requirements.
Corporate payments. Corporate cards not in a cardholder’s name are exempt.
PSD2 is all about adding new levels of security to transactions, particularly to combat online fraud to protect consumers and merchants. U.S. merchants need to do their research now, seek independent legal advice, and work with their payments provider to determine their exact needs and next steps in order to stay compliant and not risk losing revenue.