- What is Strong Customer Authentication?
- When is SCA required?
- Strong Customer Authentication in a payment flow
- Exemptions to Strong Customer Authentication
- Merchant-initiated transactions
- What if the transaction is declined?
On 14th September 2019 new requirements for Strong Customer Authentication (SCA) are introduced for online shops all over Europe. The requirements are part of the second Payment Services Directive (PSD2) and are mandatory for shops, PSPs, acquirers and card issuers.
This article will explain Strong Customer Authentication (SCA) and how it may affect your business. Finally, I'll take you through the exemptions from mandatory SCA for some types of payments.
Reepay are ready with support for all aspects of the requirements, but acquirers and issuers may have limited support in the beginning.
What is Strong Customer Authentication?
Strong Customer Authentication (SCA) is the directive's name for a method of customer authentication that reduces fraud and makes payments more secure.
SCA is built upon the two-factor methodology, which requires authentication to use at least two of the following three elements:
- SOMETHING THE CUSTOMER KNOWS (e.g., password, credit card number)
- SOMETHING THE CUSTOMER HAS (e.g., phone or hardware token)
- SOMETHING THE CUSTOMER IS (e.g., face recognition or fingerprint)
Requirements and exemptions for SCA are set out in the Regulatory Technical Standards (RTS) for PSD2. In accordance with PSD2, the SCA requirements should be enforced by all banks from September the 14th, meaning payments without SCA that do not meet the exemption criteria will be declined.
However, the EBA (European Banking Authority) published guidance last month about market preparedness for SCA. It allows national regulators to postpone the SCA enforcement date for selected banks and payment providers.
When is SCA required?
Strong Customer Authentication will only be enforced for “customer-initiated” payments within Europe.
For recurring payments the initial transaction requires SCA, while the subsequent transactions are considered “merchant-initiated” and will not require SCA.
Strong Customer Authentication in a payment flow
At the moment 3D Secure is the SCA of choice for most European card brands. 3D Secure version 1.1 is in use at the moment; the Danish Dankort has a variant called Secure By Nets, but it is in effect the same.
3D Secure adds an extra step to the checkout flow where the customer is prompted by their bank for additional information after entering the credit card data. The additional information can be a one-time password, sent to their phone, or authentication through their mobile banking app.
A new version of 3D Secure, called 3D Secure 2.0, is being rolled out this year. The new version supports additional data that might limit the number of times a customer is prompted for additional information while using the same device at the same merchant. The new version will also support better and more frictionless ways for customers to authenticate in the 3D Secure flow.
Mobile wallets like Apple Pay and Google Pay support payment flows with SCA built in and a great user experience. Danish MobilePay is working to implement a similarly good user experience without the need for additional SCA beyond the one built into MobilePay.
Exemptions to Strong Customer Authentication
Under PSD2, specific types of payments may be exempted from Strong Customer Authentication. For these types, Reepay and your acquirer can request the exemption when processing the payment. It is then up to the cardholder’s bank to assess the exemption type and the risk level of the transaction in order to approve the exemption, or to decide that SCA is still necessary.
Although SCA (3D Secure) has the benefit of a liability shift in case of fraud, it can add friction to the checkout flow and increase customer drop-off. Using exemptions can reduce the need for SCA and thereby increase conversion. Exemptions can be used with the Reepay APIs.
Most relevant exemptions are:
Low-risk transactions
It is possible to exempt low-risk transactions if your acquirer and the cardholder’s bank both have a low overall fraud rate. The fraud-rate assessment is performed by your acquirer and the cardholder’s bank as a real-time risk analysis.
The exemption applies if your acquirer’s or cardholder’s bank’s overall fraud rates for card payments do not exceed the following thresholds:
- 0.13% can exempt transactions below €100
- 0.06% can exempt transactions below €250
- 0.01% can exempt transactions below €500
This exemption is expected to be well adopted and supported by card-issuing banks, but the real-time risk analysis is at the moment not supported by the TODO: Nets, Swedbank, … Clearhaus.
You can read more in the RTS – Article 18
Payments below €30
Transactions below €30 are considered “low value” and may be exempted from SCA. The cardholder’s bank, however, needs to keep track of how many times the exemption has been used since the cardholder’s last successful authentication; if it has been used more than five times, the cardholder must be prompted for SCA. Also, if the sum of previously exempted payments exceeds €100, SCA is required.
Using this exemption carries a risk that SCA will still be required; therefore, depending on your acquirer, using the “low-risk” exemption may be in your favour.
You can read more in the RTS – Article 16
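As an added illustration, not code from the article or from Reepay, the following Python models how a cardholder's bank could evaluate the two exemptions just described: the fraud-rate bands of RTS Article 18 and the per-card counters of Article 16. The thresholds are the ones quoted above; everything else is an assumption made for the example: the function and class names, the choice to require both the acquirer's and the issuer's fraud rate to be within the band (the stricter rate decides), and checking the count and the cumulative amount inclusively of the payment being evaluated, which is the conservative reading of the limits.

```python
from dataclasses import dataclass
from decimal import Decimal

# RTS Article 18 bands as quoted in the article: a fraud rate (in percent)
# at or below the first value permits the low-risk exemption for amounts
# up to the second value (EUR).
TRA_THRESHOLDS = [
    (Decimal("0.13"), Decimal("100")),
    (Decimal("0.06"), Decimal("250")),
    (Decimal("0.01"), Decimal("500")),
]

# RTS Article 16 limits for the low-value exemption (EUR / count).
LOW_VALUE_MAX_AMOUNT = Decimal("30")
LOW_VALUE_MAX_CUMULATIVE = Decimal("100")
LOW_VALUE_MAX_COUNT = 5


def tra_exemption_allowed(amount, acquirer_fraud_rate_pct, issuer_fraud_rate_pct):
    """Return True if a payment of `amount` EUR may use the low-risk (TRA)
    exemption. Following the article, both the acquirer's and the issuer's
    overall fraud rate must sit within the band that covers the amount
    (assumption for this example: the worse of the two rates decides)."""
    amount = Decimal(str(amount))
    worst_rate = max(Decimal(str(acquirer_fraud_rate_pct)),
                     Decimal(str(issuer_fraud_rate_pct)))
    for max_rate, max_amount in TRA_THRESHOLDS:
        if amount <= max_amount and worst_rate <= max_rate:
            return True
    return False  # amount above EUR 500, or fraud rate too high for the band


@dataclass
class CardholderState:
    """Counters the cardholder's bank keeps per card since the last successful SCA."""
    exempt_count: int = 0
    exempt_total: Decimal = Decimal("0")

    def reset_after_sca(self):
        self.exempt_count = 0
        self.exempt_total = Decimal("0")


def low_value_exemption_allowed(amount, state):
    """Article 16 checks, applied inclusively of the current payment: the
    amount is at most EUR 30, the running exempted total stays within
    EUR 100, and at most five exemptions are used in a row since the last SCA."""
    amount = Decimal(str(amount))
    if amount > LOW_VALUE_MAX_AMOUNT:
        return False
    if state.exempt_total + amount > LOW_VALUE_MAX_CUMULATIVE:
        return False
    if state.exempt_count + 1 > LOW_VALUE_MAX_COUNT:
        return False
    return True


def run_low_value_sequence(amounts):
    """Constructed walk-through: push a list of amounts through one card's
    counters and report, per payment, whether it was exempted or sent to SCA.
    A payment that triggers SCA is assumed to be authenticated successfully,
    which resets the counters."""
    state = CardholderState()
    outcomes = []
    for amount in amounts:
        if low_value_exemption_allowed(amount, state):
            state.exempt_count += 1
            state.exempt_total += Decimal(str(amount))
            outcomes.append("exempt")
        else:
            state.reset_after_sca()  # cardholder authenticated; start over
            outcomes.append("sca")
    return outcomes


if __name__ == "__main__":
    print(tra_exemption_allowed(200, 0.05, 0.06))  # True: within the 0.06% / EUR 250 band
    print(run_low_value_sequence([25, 25, 25, 25, 25, 10, 10, 40]))
```

The sequence in the `__main__` block shows both Article 16 limits biting: the fifth €25 payment would push the exempted total past €100 and is sent to SCA, and a €40 payment is over the €30 ceiling regardless of the counters. Note that only the bank holds these counters, which is why a merchant requesting the low-value exemption cannot know in advance whether it will be honoured.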
Recurring transactions
We expect this exemption to have a high success rate, but it only applies to subscriptions with the same amount each time.
You can read more in the RTS – Article 14 (called recurring)
Trusted beneficiaries
The idea behind “trusted beneficiaries” is that issuing banks can add an option within their banking apps where customers can pre-approve merchants.
We don’t expect this exemption to be implemented in the beginning, nor to be used much.
You can read more in the RTS – Article 13
Merchant-initiated transactions
Payments initiated by the merchant where the customer is not present in the checkout flow.
A transaction, or series of transactions of a fixed or variable amount and fixed or variable intervals governed by an agreement between the cardholder and merchant that, once agreed, allows the merchant to initiate subsequent payments without any direct involvement of the cardholder.
The RTS does not mention Merchant-initiated payments, so you can say it is not a “real” exemption. Visa and Mastercard’s position is that these are out-of-scope for SCA. Where the initial mandate is set up through a remote electronic channel, SCA is required in most cases, but is not necessary for subsequent payments initiated by the merchant. This applies to all payment instruments including cards and tokens.
What if the transaction is declined?
Even if the transaction is sent with an exemption or is merchant-initiated, it is still up to the cardholder’s bank to accept the transaction without Strong Customer Authentication, so it can be declined. If the customer is present, Reepay will then send the customer through the SCA process.
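As an added example, not part of the article or of Reepay's own software, the following Python sketches the merchant-side handling of that outcome. The bank is replaced by a constructed stand-in, `simulated_issuer`; the names `process_payment`, `run_sca`, the `IssuerResult` values and the returned status strings are assumptions for the example. What it shows is that a soft decline for missing SCA can only be recovered by running the challenge while the customer is present, whereas a merchant-initiated payment that the bank refuses to accept without SCA has to wait for the customer to come back.

```python
from enum import Enum


class IssuerResult(Enum):
    APPROVED = "approved"
    SCA_REQUIRED = "sca_required"  # soft decline: bank did not accept the exemption
    DECLINED = "declined"          # hard decline, e.g. insufficient funds


def simulated_issuer(request, accepts_exemption, has_funds=True):
    """Constructed stand-in for the cardholder's bank (not a real issuer API).
    It approves authenticated payments, honours a requested exemption or a
    merchant-initiated flag only when `accepts_exemption` is set, and
    otherwise insists on SCA."""
    if not has_funds:
        return IssuerResult.DECLINED
    if request["authenticated"]:
        return IssuerResult.APPROVED
    if (request["exemption"] or request["merchant_initiated"]) and accepts_exemption:
        return IssuerResult.APPROVED
    return IssuerResult.SCA_REQUIRED


def process_payment(amount, *, exemption=None, merchant_initiated=False,
                    customer_present=True, issuer_accepts=True,
                    run_sca=lambda: True, has_funds=True):
    """Merchant/PSP side of the flow: try the payment without SCA first
    (exemption or merchant-initiated), and on a soft decline fall back to
    the SCA challenge only when the customer is there to complete it.
    `run_sca` stands in for the 3D Secure challenge and returns True on
    success. Returns (status, log)."""
    request = {"amount": amount, "exemption": exemption,
               "merchant_initiated": merchant_initiated, "authenticated": False}
    log = []
    result = simulated_issuer(request, issuer_accepts, has_funds)
    log.append(f"attempt 1 (exemption={exemption}, mit={merchant_initiated}): {result.value}")
    if result is IssuerResult.APPROVED:
        return "paid", log
    if result is IssuerResult.DECLINED:
        return "failed", log  # a hard decline is not fixed by authentication
    # Soft decline: the bank wants SCA before it will approve.
    if not customer_present:
        # Nobody is there to answer the challenge; the merchant must bring the
        # customer back (e.g. ask them to re-authenticate the subscription).
        return "pending_customer_action", log
    if not run_sca():
        log.append("SCA challenge failed or abandoned")
        return "failed", log
    request["authenticated"] = True
    result = simulated_issuer(request, issuer_accepts, has_funds)
    log.append(f"attempt 2 (authenticated): {result.value}")
    return ("paid" if result is IssuerResult.APPROVED else "failed"), log


if __name__ == "__main__":
    # Exemption refused by the bank, customer present: challenge, then retry.
    status, log = process_payment(50, exemption="low_risk", issuer_accepts=False)
    print(status, log)
    # Subscription renewal refused without SCA: no one is there to authenticate.
    status, log = process_payment(50, merchant_initiated=True,
                                  customer_present=False, issuer_accepts=False)
    print(status, log)
```

The second run in the `__main__` block is the case that matters for subscription merchants: because a merchant-initiated payment has no customer in the flow, the only remedy is to contact the customer and have them authenticate a new mandate.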