PSD2 SCA is now in force, but it’s not always mandatory


Online Merchants can use Datatrans to integrate 3-D Secure into all of their payment processes, with three simple solutions to take advantage of PSD2 exemptions and therefore optimise their conversion rate.

From January 1, 2021, the strong customer authentication (SCA) required by PSD2 will gradually be enforced in the individual countries of the European Economic Area (EEA). By the middle of the year, the 3-D Secure procedure for SCA will be mandatory for card payments in online commerce in all member states. For customers, payments using two-factor authentication are more secure, but unfortunately also somewhat more cumbersome.

Nevertheless, the Directive permits a number of exemptions that enable customers to make frictionless payments without SCA, and help merchants to reduce the risk of abandoned shopping baskets. Datatrans offers three solutions for merchants to help them effortlessly shore up their conversion rate while remaining compliant with PSD2. All of the solutions are certified to 3-D Secure 2 and will continue to be updated to reflect the latest technical requirements imposed by card schemes.

Merchant-initiated transactions.

Merchant-Initiated Transactions (MIT) – payments that are triggered on the merchant’s side – are out of scope of PSD2. These include, for example, the collection of subscriptions or the charging of variable amounts for monthly electricity bills. For such transactions, customers only need to authenticate once using 3-D Secure, when first registering for a service or during a first purchase. Additionally, they need to agree to the web shop’s terms and conditions. Any subsequent payments can then be initiated directly by the merchant.

When using the MIT solution that is standard to all Datatrans payment products, online merchants store their customers’ card information in the form of a token. The Datatrans Payment Gateway automatically recognises the subsequent MIT payments and flags them accordingly to ensure frictionless acceptance by the issuer.


Frictionless payments thanks to exemptions for low-risk and low-value transactions.

Providing the most convenient payment experience for customers using their products is also important to card issuers. As a result, the issuers frequently grant their own SCA exemptions and assume liability for any fraud. Following the entry into force of PSD2, we are seeing a slow but steady increase in the number of frictionless transactions being granted by issuers. It is safe to assume that this proportion will continue to grow sharply in the future.

The PSD2 rules also allow merchants trading online to request their own exemptions from card issuers. However, when it comes to saying whether or not they will waive strong authentication for a given transaction, the issuers play their cards close to their chests. As a result, merchants need to adopt general rules for the exemptions they want to apply in their payments process.

Acquirer exemptions

There are two categories of this type of acquirer exemption: Transaction Risk Analysis (TRA), which applies to payments that represent a low risk of fraud, and Low Value Transactions (LVT), for payments involving small amounts.

The TRA exemption depends on the fraud rate experienced by the merchant’s acquirer (the organisation contracted by the merchant to accept card payments) in combination with defined transaction values. The maximum possible transaction values are based on three bands: up to 100 euros, 250 euros and 500 euros. The higher the transaction value, the lower the acquirer’s fraud rate should be. For example, for the top two bands it should be no more than 0.01 per cent. The acquirer stipulates the maximum amount permitted for a payment for an online merchant. Therefore, merchants need to obtain the acquirer’s agreement before requesting an exemption from an issuer.

The LVT exemption applies to online transactions with a value of less than 30 euros. However, no more than five transactions can be posted in a row (or a maximum total value of 100 euros) before a new strong authentication process needs to be carried out. The transaction count is maintained by the card issuer, so merchants and acquirers have no way of knowing whether or not SCA will be required.


The ultimate decision on whether a payment is free from SCA on the basis of an acquirer exemption is also taken by the issuer. If the exemption is granted, then liability in the case of fraud shifts to the e-commerce merchant. In contrast, if the issuer insists on strong authentication then it also assumes the liability.

This complex relationship means that a fundamental decision whether or not to apply this type of exemption has to weigh up the potential costs of, for example, card misuse or charge-backs, against the potential for increased sales thanks to an improved conversion rate.

See our documentation for further details.

Interested? Datatrans customers can easily configure the desired exemptions, with the agreement of their acquirer, in the Datatrans Payment Backoffice. Then, the Payment Gateway automatically takes care of submitting the request to the card issuer and only takes customers through the 3-D Secure process if the issuer declines the exemption.

Applying 3-D Secure dynamically.

When merchants sell to markets both inside and outside the EEA, PSD2 adds yet more complexity. That is because transactions involving cards issued outside the EEA can be processed without 3-D Secure, assuming there are no requirements imposed by the merchant’s acquirer or cost liability considerations.

If web merchants want to allow as many as possible of their non-EEA customers to pay without authentication, Dynamic 3-D Secure offers a simple solution. This function ensures that the Datatrans Payment Gateway only directs transactions for which SCA is mandatory through the authentication process.


It verifies whether the card comes from an EEA country and then steers the customer’s journey through the checkout process accordingly. The Gateway also reacts automatically to «soft declines», which the issuer returns to provisionally decline a payment pending strong authentication. This automated processing allows the solution to save payment transactions that might otherwise have ended in a cancellation. Therefore, merchants that use Dynamic 3-D Secure benefit from a high share of frictionless transactions while always remaining PSD2-compliant.
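
The rules described in this article (MIT, acquirer exemptions, Dynamic 3-D Secure and soft declines) can be read as one routing decision plus a reaction to the issuer's reply. The sketch below is an added example, not Datatrans code: the `Payment` and `MerchantConfig` types, the flow labels, the reply labels and the choice to try LVT before TRA are all assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# EEA: the 27 EU member states plus Iceland, Liechtenstein and Norway.
EEA = set("AT BE BG HR CY CZ DK EE FI FR DE GR HU IE IT LV LT LU MT NL PL PT "
          "RO SK SI ES SE IS LI NO".split())

@dataclass
class Payment:                       # hypothetical model, not a Datatrans type
    amount_cents: int                # amount in euro cents
    issuer_country: str              # assumed to come from a BIN lookup
    merchant_initiated: bool = False

@dataclass
class MerchantConfig:                # hypothetical stand-in for back-office settings
    tra_max_cents: Optional[int] = None  # cap agreed with the acquirer; None = TRA off
    lvt_enabled: bool = False

def plan(p: Payment, cfg: MerchantConfig) -> str:
    """Choose the first attempt for a payment from the rules in the article."""
    if p.merchant_initiated:
        return "MIT"                 # customer authenticated once, at registration
    if p.issuer_country not in EEA:
        return "NO_3DS"              # assumes the acquirer imposes no 3DS requirement
    if cfg.lvt_enabled and p.amount_cents < 30_00:
        return "EXEMPT_LVT"          # issuer-side counters may still force SCA
    if cfg.tra_max_cents is not None and p.amount_cents <= min(cfg.tra_max_cents, 500_00):
        return "EXEMPT_TRA"          # never above the highest TRA band (500 euros)
    return "3DS"

def settle(first: str, issuer_reply: str) -> Tuple[str, Optional[str]]:
    """Return (final flow, liable party) for a reply of "approved" or "soft_decline".

    The reply labels are constructed; None means the article does not state liability.
    """
    if issuer_reply == "soft_decline":
        if first == "MIT":
            return ("NEEDS_CUSTOMER", None)  # no shopper in session to step up
        return ("3DS", "issuer")     # issuer insisted on SCA, so it carries liability
    if first.startswith("EXEMPT_"):
        return (first, "merchant")   # granted acquirer exemption shifts liability
    return (first, None)
```

Because the issuer keeps the LVT counters, `plan` can only request the exemption; `settle` is where a refused request turns into a 3-D Secure step-up instead of a lost sale.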

Interested? If you want to enable the solution for your merchant ID, please contact .