21 Aug 2019
The new (second) EU Payment Services Directive (PSD2) introduces Strong Customer Authentication (SCA) and 3D Secure v2 (3DS2).
The new (second) EU Payment Services Directive (PDS2) from the European Commission regulates the provision of ‘payment services’ in Europe.
PSD2 aims to give consumers greater choice and better protection when making online payments, while opening up payment markets to new entrants and specifying how financial institutions should monitor and prevent fraud for remote commerce.
When does PSD2 start?
The regulations which transposed PSD2 into Irish law came into effect from 13 January 2018. The Final Regulatory Technical Standards (RTS) on Strong Customer Authentication (SCA) were published in March 2018 and it’s those standards that come into effect on 14th September 2019.
Is SCA good for my business?
Secure Card Authentication (SCA) aims to reduce fraud and increase consumer confidence in electronic payments. In collaboration with your payment gateway, the Dotser eCommerce team will assist you with implementing the Dotser ePro eCommerce solution that enhances protection for you and your customers from fraud while offering the best possible payment experience for your customers now and in the future. The enhanced security that PSD2 offers will improve consumer confidence, reduce the risk of cart abandonment and ultimately support the growth of the eCommerce marketplace.
Dotser ePro eCommerce Customers - What Next?
The Dotser team has been working behind the scenes to ensure our customers' websites are as prepared as possible for the PSD2. Over the coming weeks Dotser will be making direct contact with all eCommerce clients and discussing the final steps to be prepared for the September 14th deadline.
PSD2 introduces Strong Customer Authentication (SCA) and 3D Secure v2 (3DS2).
Strong Customer Authentication (SCA)
There is now a requirement for multi-factor authentication for online payments.
The regulations define SCA as an authentication based on the use of two or more elements categorised as knowledge (something only the user knows), possession (something only the user possesses) and inherence (something the user is) that are independent, in that the breach of one does not compromise the reliability of the others, and is designed in such a way as to protect the confidentiality of the authentication data.
So we need any two of the following three elements:
1. something the customer knows (e.g., password or PIN),
2. something the customer has (e.g., phone or hardware token),
3. something the customer is (e.g., fingerprint or face recognition).
Furthermore, these things must be independent (so a code sent to a phone cannot count as something the user knows, because it is dependent on something they have, i.e., their phone). Obviously, we cannot verify these things ourselves, as we know nothing about the customer (nor do we want to know, as both GDPR and PCI require us to keep personal and banking data very very safe, with massive fines for breaches, and not to request or store data at all without good reason). Therefore, we use 3D Secure v2, which means that as part of the payment process, customers are connected to their bank’s website for verification, using whatever process they have previously set up with their bank. This may require a physical dongle, a thumbprint scanner, a text message with a verification code, or anything similar.
We don’t need to worry about the details. Some low-risk transactions may be exempt from SCA. However, this requires permission from the customers’ bank. This means that the 3D Secure v2 step is always called, but in cases which are exempt the bank responds with authorization immediately, without challenging the customer.
The customer may not even notice that they have briefly visited the bank’s website and immediately returned to the shop website.
3D Secure v2
EMV® 3-D Secure (3DS) is a messaging protocol that promotes frictionless consumer authentication and enables consumers to authenticate themselves with their card issuer when making card-not-present (CNP) e-commerce purchases (www.emvco.com/emv-technologies/3d-secure).
Further information and Frequently Asked Questions on PSD2 can be found on the Central Bank of Ireland's website - https://www.centralbank.ie/regulation/psd2-overview/faq