Payment Services Directive (PSD2): requirements for strong customer authentication
At the beginning of the year, the European Payment Services Directive (PSD2) came into force. The aim of the directive is to promote technical innovation in payment transactions while at the same time strengthening consumer rights, improving security and simplifying payment processing. But what impact will PSD2 have on merchants both inside and outside the EU? What measures must be taken now or in the near future?
The main changes and additions at a glance:
- Strong customer authentication (in the course of 2019): more information below.
- Elimination of payment fees (already in force): charging fees for payment with credit cards has been prohibited in Switzerland since August 2017 and in the EU since January 2018.
- Opening of bank interfaces (already in force): PSD2 requires banks to provide interfaces that allow third parties to access account information and initiate payments. There is currently no legal requirement for Swiss banks to implement this, and it remains unclear just how specific PSD2 requirements will be implemented in Swiss legislation in the future.
Strong customer authentication (SCA)
In the future, customers will have to verify their identity using at least two of the three factors (two-factor authentication): knowledge (something only the customer knows), possession (something only the customer has) and inherence (something the customer is, e.g. a biometric such as a fingerprint). The latter category is seen as highly important, particularly when it comes to offering a customer-friendly, smooth authentication process for mobile e-commerce (more information on SCA in the RTS technical standards).
Exceptions to SCA
Exceptions to SCA for low-risk transactions still exist in certain cases in order to enable convenient and fast checkouts, for example:
- Small amounts: payments of up to EUR 30 do not require SCA, provided that the cumulative amount since the last SCA has not exceeded EUR 100 or no more than five successive transactions have been processed since the last SCA.
- Recurring payments: based on how the card schemes are structured, an SCA exception applies to recurring payments of the same amount and to the same payee.
- Whitelisting: creating a list of trusted merchants who are subject to exceptions.
- Low risk: risk-based authentication (transaction risk analysis) can take the place of SCA if the purchase amount is less than EUR 500. The ceiling that actually applies depends on the fraud rate of the payment provider. Risk-based authentication determines the risk level of a transaction in real time from various parameters, such as the purchaser's behaviour patterns and location, the purchase amount, etc.
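To show how these exemptions interact, here is an added illustration (not Datatrans code and not an official rule set) of a decision function that walks through the exemptions above for one card. The per-card counters, the assumption that the EUR 100 and five-transaction thresholds include the present transaction, and the risk score scale are assumptions made here; in practice the issuer can always refuse an exemption and demand SCA.

```python
from dataclasses import dataclass, field

LOW_VALUE_LIMIT = 30.0        # EUR per transaction ("up to EUR 30")
LOW_VALUE_CUMULATIVE = 100.0  # EUR cumulative since the last SCA
LOW_VALUE_MAX_COUNT = 5       # successive exempt transactions since the last SCA
TRA_CEILING = 500.0           # EUR, absolute upper bound for the risk-based exemption


@dataclass
class CardState:
    """Counters an issuer keeps per card since the cardholder last passed SCA (assumed model)."""
    spent_since_sca: float = 0.0
    count_since_sca: int = 0
    trusted_payees: set = field(default_factory=set)   # merchants the cardholder whitelisted
    recurring: set = field(default_factory=set)        # (payee, amount) mandates set up with SCA


def sca_decision(state, payee, amount, *, recurring=False,
                 tra_limit=TRA_CEILING, risk_score=1.0):
    """Return the name of the exemption that applies, or 'sca_required'.

    tra_limit: the provider's own ceiling (tied to its fraud rate; never above EUR 500).
    risk_score: output of the provider's real-time risk engine; assumed 0.0 = safe, 1.0 = risky,
    and an unknown score defaults to risky so that no exemption is granted by accident.
    """
    if recurring and (payee, amount) in state.recurring:
        return "recurring"                       # same amount, same payee as the SCA'd mandate
    if payee in state.trusted_payees:
        return "whitelist"
    if amount <= LOW_VALUE_LIMIT and (
            state.spent_since_sca + amount <= LOW_VALUE_CUMULATIVE
            or state.count_since_sca + 1 <= LOW_VALUE_MAX_COUNT):
        return "low_value"
    if amount < min(tra_limit, TRA_CEILING) and risk_score < 0.2:
        return "low_risk"
    return "sca_required"


def record(state, amount, decision):
    """Accrue an exempt payment on the counters; a strongly authenticated one resets them."""
    if decision == "sca_required":
        state.spent_since_sca, state.count_since_sca = 0.0, 0
    else:
        state.spent_since_sca += amount
        state.count_since_sca += 1
```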
In the case of ‘one-leg-out’ (OLO) transactions, in which only one of the payment parties (acquirer or issuer) is located in the EU, PSD2 applies only to the payment service provider located in the EU.
Because it is currently still controversial whether and to what extent SCA requirements should be applied to OLO transactions, we recommend that all merchants actively keep their eye on the topic of SCA, get in touch with their acquirers and monitor further developments.
3-D Secure 2.0 (3-DS 2.0)
The international credit card organisations are launching the new authentication standard 3-D Secure 2.0 (3-DS 2.0) through their joint standardisation body, EMVCo. The 3-DS 2.0 protocol enables a standardised implementation of SCA and its exemptions in line with PSD2 requirements.
There is still need for further clarification with respect to the practical implementation of the requirements. Datatrans recommends that both EU and Swiss merchants consult with their acquirers concerning the 3-DS 2.0 requirements as well as the planned timeline for the technical implementation. Datatrans is currently evaluating appropriate technical solutions and will be offering them in due course.
Datatrans provides regular updates about developments in the area of PSD2 and particularly 3-DS 2.0 on its website, www.datatrans.ch.
If you have questions relating to PSD2 and 3-DS 2.0, please feel free to contact us by sending an e-mail to [email protected].