Payment Services Directive 2 (PSD2)
In 2007, against the backdrop of a continuously growing eCommerce market, the European Commission (EC) and the European Banking Authority (EBA) concluded that it was time consumers were offered a wider choice of secure payment services. Thus, the two regulatory bodies encouraged the rise of non-bank financial institutions that could provide the digital market with faster payment options, but at the same time increasing consumer protection and transaction transparency. This is how the first Payment Services Directive (PSD) came into being.
In 2015, in an eCommerce market dominated by increasing mobile usage and internet payments, the EC decided to review and adjust the PSD to the current digital context, adding necessary improvements to ensure customer security. As a result, PSD2 came into effect on January 13th, 2018 bringing clear changes and significant enhancements to the payment industry regulations.
Payment Services Directive 2 (PSD2)
What is PSD2 bringing new?
With an initial start on January 13th, 2018, the Payment Services Directive 2 (PSD2) has taken effect in the entire European Union in the local legislation. Although not all areas are in effect yet, PSD2’s biggest relevant changes for the European online sellers are related to:
• Security of payments done by European Union shoppers through mandatory Strong Consumer Authentication component (SCA)
• Access to an account (XS2A) for account information and payment initiation services –allowing bank customers to give access to third-party providers to retrieve data and initiate payments directly from banks accounts
• Recurring transactions treatment
The PSD2 requirements are based on three pillars:
- Pillar 1 addresses transparency in terms of pricing, extended customer rights, and stricter reporting standards for banks. It applies to transactions where at least one party (one Leg out) is in the European Economic Area (EEA).
- Pillar 2 concerns security, including requirements for strong customer authentication (SCA). This impacts all parties involved in the eCommerce flow.
- Pillar 3 sets out the technological requirements by which banks must allow Payment Institutes to use their infrastructure to access account data and initiate payments on behalf of customers.
Compliance with PSD2 is to be implemented in two stages: Pillar 1 (transparency) became effective on January 13th, 2018, while Pillars 2 and 3 must come into force on September 14th, 2019.
Strong Customer Authentication (SCA)
To prevent ever-evolving fraud methods, starting September 14th, 2019, Payment Service Providers (PSPs), such as 2Checkout, must apply extra security steps to implement SCA and further protect the confidentiality of consumers’ data.
SCA increases the smoothness and the security of the transaction, therefore increasing the trust level of the merchant and the consumer bank who will be more willing to authorize and to complete the consumer's purchase because they trust the security of the transaction.
The implementation of SCA will be based on a 3-layer authentication method, out of which at least two layers will be mandatory for customers:
- knowledge (something the customer knows, like a password or PIN),
- possession (something the customer has, such as a smartphone, application, token) and
- inherence (something the customer is – fingerprint or face recognition).
For card-based payments, this resulted in the implementation of 3D Secure version 2 (3DS2 or EMV 3DS). 3D Secure has been employed to secure online card transactions since 2001, but now a new version has been developed to meet the PSD2 SCA requirements. Basically, to be able to accept payments from the world’s largest card networks (Visa, Mastercard, Amex,etc.), any merchant will need to have implemented 3D Secure version 2 for their online store. The initial start will be mainly EU-based merchants and their clients. Outside the EU, the current implementation pace of the 3D Secure 2 is considered slow and less dominant.
3D Secure 2 is an evolutionary step from its predecessor and allows the card issuer (bank) to use a wider range of data-points from the transaction to run a risk-based analysis. For low-risk transactions and low-value (< 30 EUR), the card issuer will not send an authentication request to the cardholder, although authenticating the transaction. However, for all other customer-initiated transactions, the cardholder will be required to authenticate with an SMS/APP or other biometric means.
3D Secure 2 will be mobile-friendly unlike its previous version, so it will display a responsive design easily adjustable to any mobile device and will also bring improvements in terms of UX.
SCA applies also to alternative payment methods, but it’s important to note that many e-wallets, or other mobile payment services, already have SCA implemented, as these services already use multiple-step authentication.
What is the 3D Secure version 2 flow?
Unlike 3D Secure version 1, 3D Secure version 2 makes it easier for banks to offer innovative authentication experiences through their mobile banking applications. Instead of entering a password or just receiving a text message on their mobile phone, the cardholder can authenticate a payment through the banking application by simply using their fingerprint or even facial recognition.
The second improvement in user experience is that 3D Secure 2 is designed to embed the challenge flow directly within the web and mobile checkout flows, without requiring full page redirects.
3D Secure version 2 is the technical solution to comply with the SCA regulations. 2Checkout will support two types of flows:
- Frictionless flow – if the issuing bank considers the transaction to be secure, shoppers don't have to authenticate themselves, hence no friction in the payment process,
- Challenge flow – if the issuing bank requires more proof to authenticate a transaction, it can request additional information from the customer like a password that the cardholder will need to provide via an SMS or a generated token from a mobile device and fill it into the issuer webpage, just as it happens now with the current version of the 3D Secure.
Transactions that require Strong Consumer Authentication (SCA)
SCA will be required for all customer-initiated online transactions (CIT) within Europe, which means most payment options (contactless payments included) and bank transfers are performed with SCA. In the case of online payments, SCA will apply to transactions where both the business and the cardholder’s banks are located within the European Economic Area (EEA).
The 3D Secure version 2 protocol itself will allow payment providers like 2Checkout to request exemptions from SCA and skip authentication for low-risk payments. Payments that require SCA will need to go through the ‘challenge’ flow, whereas transactions that can be exempted from SCA can be sent through the ‘frictionless’ flow.
An online seller cannot apply for these exemptions themselves, but a payment provider can apply on their behalf.
The SCA exemptions mentioned below refer only to online transactions (eCommerce), but it’s good to remember that there are other offline transactions that are impacted by SCA which, however, will not be mentioned here. Merchant-initiated transactions (MIT), such as recurring billing will not require SCA, with some exceptions. Read the list below to find out the SCA exemptions that apply to online commerce transactions:
|Recurring transactions – renewals that do not change the price or recurrence
|No need for SCA if no details of the recurring transaction are changed. However, any changes in transaction details (new card, new name, new address, different price, different recurrence) will require SCA.
|Merchant-initiated transactions (MIT)
|Merchant-initiated transactions (MIT) exemptions fall within the PSD2, if they fulfill all the following conditions:
• MIT's for periodic payments where the first payment is an SCA-based payment
• When there is a pre-existing mandated agreement in place (including CoF* transactions initiated by the merchant)
• A dynamic ID linking is made between initial CIT and the subsequent MIT's
|Low-value transactions (< €30)
|The amount of the electronic payment transaction must be less than €30.
For low-value transactions (<30 euro) with recurring payments, the first transaction is subject to SCA. The follow-up transactions are limited to either a maximum number of 5 transactions (max 150 euro in total) with equal value (maximum €30 each transaction) or a maximum of €100 (per the highest transaction) for several transactions that can differ in amount. This should be agreed beforehand with the PSP.
|PSPs are exempt from SCA when a transaction risk analysis (TRA) is provided, which means that the amount of online card transactions is lower than the exemption threshold value (ETV) corresponding to the PSP reference fraud rate. These thresholds are set at a very low level and we do not expect 2Checkout to be able to comply with these.
An online card transaction is considered low-risk when it meets the all following criteria in combination with the risk analysis:
• No abnormal spending behavior from the payer
• No unusual information about the payer’s device
• No malware detected during the authentication process
• No fraud attempts identified during payment
• No abnormal location for the payer
• The location of the payee (business) must NOT be high-risk (OFAC countries especially)
|Checking payment account information
|Viewing the balance or payment transactions made in the last 90 days through one or more designated accounts.
|Paying trusted beneficiaries
|Payment made by the payer towards a payee included in a white list of trusted beneficiaries previously confirmed by the payer through their ASPSP (bank). It’s not expected that this will become generally available as of September 2019.
|Transactions outside the EEA
|SCA regulations apply to all online payments within the EEA where both legs of the transaction (i.e. the beneficiary and the cardholder) are within the EEA. One-leg transactions (where either the beneficiary or the cardholder are outside the EEA) are not included.
|*Note: Card-on-File (CoF) transactions are transactions where the card number is not obtained from the cardholder. Instead, this data is either obtained from a file stored by a merchant, or from a token obtained through the Payment Gateway.
Impact for merchants
- Increased security for transactions, limiting the fraud cases and also decrease of chargebacks
- Customer experience will be affected as the SCA will introduce new steps in the checkout and might affect conversion rates, therefore merchants need to have communication and choose the best flows for their shopper to avoid disruption as much as possible. Online sellers, 2Checkout as well, will attempt to use SCA as little as possible, but it won’t be possible to avoid it completely. The exemption has to be sought from and granted by the shopper’s issuing bank, who remains the ultimate arbiter on this.
- UX for mobile checkout experience will be improved, as 3D Secure version 2 is focused on mobile and tablet, which was an issue with the current version, thus it will increase conversion rates from mobile visitors
- Competitive prices as a result of market openness and the fact that banks will share their data to be used by third parties
Impact for shoppers
- Safer and more secure payments, limiting the fraud cases
- Lengthier checkout flow due to the two mandatory authentication layers for customers
- Lower prices for payments/banking and non-banking services due to increased market competitiveness on longer-term
How we help our merchants
2Checkout payment solutions are constantly optimized and updated to follow the latest bank and card network regulations and will apply relevant exemptions for low-risk payments to only trigger authentication when required. We have designed our SCA-ready payment solutions to let you take advantage of exemptions when possible and help protect your conversion.
We are upgrading our checkout pages and our payment APIs that support strong customer authentication, in a way that is designed to keep changes for merchants at a minimum and minimize the impact of SCA on your checkout conversion.
Recommendations for online merchants
- Multiple models flexibility and having intelligent payment routing with a multitude of processors with SCA support helps merchants worry less about the conversions/authorization rates impact as we can test user experience impact by routing the transactions to different flows treating exceptions of SCA and/or combination of authentication factors implementations
- Having access to alternative payment methods that were already built-in with SCA traits will give additional choice to buyers without disrupting their flow – i.e. iDeal, Bancontact, SEPA Payments, mobile wallets
- Having analytics, customization and advanced ordering engine/eCommerce will empower merchants to understand and reduce friction with proper communication or different flows (i.e. retry pages, change of payment method, abandons recovery, dunning, etc). We see this as an upgrade of technologies in the financial ecosystem and immediate impact on Card, not Present transactions is a growth of omnichannel with focus on mobile but also increased subscriptions volumes given the transparency of the renewal process (if different pricing or recurring interval subscriber is informed and asked to authenticate).