PSD2 regulations in Europe around strong customer authentication came into force on 14 September 2019. UK providers are phasing in the changes, for completion by 14 March 2020 for online banking and by March 2021 for online shopping. At the same time, the 3D Secure protocol behind Verified by Visa and Mastercard SecureCode is being updated. We explain the implications for those who accept and use cards.
In this section:
What is strong customer authentication?
What is driving the change in authentication requirements?
What are the benefits for those who accept and use payment cards?
What is changing?
When are the changes effective?
What are the exemptions to strong customer authentication?
What are the main changes between 3DS 1.0 and 3DS 2.0?
How can CashFlows help you prepare for strong customer authentication?
Authentication is the process of determining whether someone or something is indeed who or what they claim to be.
We’re all familiar with entering passwords or passcodes when we bank or shop online. This will continue and be strengthened under EU legislation, known as the revised Payment Services Directive (or PSD2). The regulations apply across countries in the European Economic Area, including the UK irrespective of Brexit negotiations.
Strong customer authentication is defined as two or more of the following: something a customer knows (e.g. PIN or passcode), something they have (e.g. card or phone) and something they are (e.g. fingerprint).
There are exemptions but generally every electronic transaction is subject to strong customer authentication.
A combination of customer habits, technology and regulation is driving change.
Banking and shopping habits are changing. Customers are transacting more online. They are also browsing, comparing, buying and paying more from mobile devices.
By 2021, 55% of European retail sales will either take place online or take place offline yet be digitally-influenced, according to research firm Forrester. Smartphones and tablets are expected to influence €620 billion of retail sales in 2022, up from €306 billion in 2017. They will account for 81% of all digitally-influenced retail sales in Europe, says Forrester [1].
Technology has also evolved since the first version of the 3D Secure online authentication protocol from the late 1990s. Biometrics is increasingly being used outside law enforcement, border and access control. Data analytics and device ID have also changed what is possible since the days of dial-up connections and browser-based authentication.
As banking and commerce have migrated online, so have the fraudsters. Regulators are keen to protect consumers, drive market efficiencies, competition and security. Strong customer authentication is part of a package of measures included in the PSD2. This is driving the regulatory agenda in Europe, yet the themes contained in the PSD2 are being echoed in regulation worldwide.
In short: better, more secure and more right-first-time payments.
Regulators hope that the new measures will increase consumer confidence to transact electronically, foster innovation and competition, and create a level playing field for all players, including new ones.
CashFlows does not provide online access to bank accounts or facilitate bank transfers for end-users (consumers or businesses). So from here on in, we’ll be discussing strong customer authentication in the context of online (e-commerce) purchases only.
In short: payment service providers are required to undertake strong customer authentication when a customer makes an online payment, unless one of the permitted exemptions applies.
This is a significant change from what has happened around online authentication previously.
Major international card schemes have had strong customer authentication protocols for online payments in place for around 20 years. However, while participation in 3D Secure was strongly recommended by the card schemes for both card issuers and acquirers, it remained largely optional.
Acquirers and merchants could decide whether or not they used Verified by Visa, Mastercard SecureCode or equivalents during the checkout process — and when they applied this.
The main changes are two-fold. First, the responsibility to undertake strong customer authentication now sits with payment service providers, i.e. card issuers and acquirers, not merchants. Second, this must be done for every online payment, unless one of the permitted exemptions applies. As such, cardholders may be asked for additional information when they make online payments.
The changes were effective 14 September 2019. For UK providers, the changes will be phased in for online shopping for completion by March 2021. More on the timelines can be found on the Financial Conduct Authority [2] website.
Contactless payments up to €50, with a cumulative limit of €150 or five consecutive transactions, are exempt from strong customer authentication (this limit applies to cardholder-present transactions). So are low-value payments up to €30, with a cumulative limit of €100 or five consecutive transactions (this limit applies to card-not-present (e-commerce) transactions).
Transport fares or parking payments at unattended devices are exempt.
Recurring payments and those to trusted beneficiaries already white-listed by the payer do not require strong customer authentication, under certain circumstances. One of these is when the payer initiates a series of payment transactions of the same amount to the same business. For these merchant-initiated transactions, only the first transaction in the series requires strong customer authentication.
Low-risk transactions are also allowed as an exemption within certain limits (e.g. fraud rates by transaction value bands), subject to strict monitoring requirements.
So-called ‘one leg out’ transactions, where either the card issuer or the card acquirer is outside the European Union, are also exempt from strong customer authentication.
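The two-of-three factor rule and the low-value e-commerce exemption described above, written as a decision check (an added example, not CashFlows code). The `LowValueTracker` class and the factor names are hypothetical; it assumes the counters run per card, reset after a successful strong authentication, and that reaching either limit ends the exemption.

```python
from dataclasses import dataclass
from decimal import Decimal

# Limits quoted on this page for low-value card-not-present payments.
LOW_VALUE_MAX = Decimal("30")
CUMULATIVE_MAX = Decimal("100")
CONSECUTIVE_MAX = 5

# Factor categories from the SCA definition: knows / has / is.
FACTOR_CATEGORY = {
    "pin": "knowledge", "passcode": "knowledge",
    "card": "possession", "phone": "possession",
    "fingerprint": "inherence",
}

def is_strong(factors):
    """True when the factors span two or more distinct categories."""
    seen = {FACTOR_CATEGORY[f] for f in factors if f in FACTOR_CATEGORY}
    return len(seen) >= 2

@dataclass
class LowValueTracker:
    """Per-card counters since the last successful SCA (hypothetical model)."""
    exempt_total: Decimal = Decimal("0")
    exempt_count: int = 0

    def needs_sca(self, amount):
        # Assumption: exceeding the per-payment limit, the cumulative
        # limit or the consecutive count each ends the exemption.
        amount = Decimal(amount)
        return (amount > LOW_VALUE_MAX
                or self.exempt_total + amount > CUMULATIVE_MAX
                or self.exempt_count + 1 > CONSECUTIVE_MAX)

    def record(self, amount, factors=()):
        """Return 'exempt', 'authenticated' or 'declined' for one payment."""
        if not self.needs_sca(amount):
            self.exempt_total += Decimal(amount)
            self.exempt_count += 1
            return "exempt"
        if is_strong(factors):
            # Assumption: a successful SCA resets both counters.
            self.exempt_total, self.exempt_count = Decimal("0"), 0
            return "authenticated"
        return "declined"
```

Amounts are passed as strings so that `Decimal` keeps exact euro values; two factors from the same category (for example a PIN and a passcode) do not count as strong.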
The 3DS protocol is managed by EMVCo and underpins Verified by Visa, Mastercard SecureCode and other authentication solutions. Version 1.0 already facilitates strong customer authentication. Version 2.0 will do this better as it:
• Addresses the need for omni-channel by optimising the customer experience on mobile devices, PC, digital television as well as in-app.
• Allows the passing of more data to enable issuers to better assess the risk of each transaction.
• Supports current and future innovations for more frictionless authentication e.g. biometric or ‘behaviometrics’ if the issuer supports Apple TouchID or facial recognition.
While 3DS 2.0 is the new, enhanced version of the existing protocol, it still connects the acquirer, issuer and card scheme (the three domains in the 3DS protocol). This remains unchanged.
3D Secure is PSD2-compliant. It is already in widespread use and offered by CashFlows today.
CashFlows is already able to accept 3DS 2.0-enhanced data to and from gateways as an acquirer. We are also able to support merchants using hosted payment pages to take advantage of the extra 3DS 2.0 functionality. No changes are required to the current merchant and gateway integrations to support 3DS 2.0.
CashFlows is currently working with customers to support them with 3DS 2.0 planning in advance of the 14 September 2019 EBA deadline. For further information, please contact us.
For more information please download our PSD2 white paper on the upcoming requirements under the revised Payment Services Directive (PSD2) and the accompanying Regulatory Technical Standards (RTS) on Strong Customer Authentication (SCA).
[1] By 2021, €1 trillion of EU retail sales will be digitally impacted, press release, Forrester, 14 May 2018, https://go.forrester.com/press-newsroom/by-2021-e1-trillion-of-eu-retail-saes-will-be-digitally-impacted/
As an online business you are required to comply with various Card Schemes rules, industry regulations, our Terms and Conditions and the following website requirements:
The products and services displayed on your website must match the description and category of those recorded on your application. If you redirect to a different URL for part or all of the products and services, then this website must also match your application details.
If you intend to sell a new product or service that is in a different category than your current offering, please contact our applications team before adding these to the website.
You must clearly display on the website the following contact details to your consumers:
Terms and conditions must be clearly displayed on your website and contain all the required information and disclosures to be compliant in all the regions that your business trades in.
An unambiguous refund/returns policy must be displayed on your website enabling the consumer to review the policy details before they make a payment.
Your website must display the logos of the payment methods that can be accepted through your CashFlows Merchant Account. If you are using the CashFlows hosted payment page, the card logos that you can accept will automatically be displayed on the payment page. However, you are also required to display the card logos on your website at the point the consumer enters the store.
By adding trusted card logos such as Visa and Mastercard to your store you will enhance shopper confidence and encourage them to make a purchase.
The "Payments Powered by CashFlows" logo must also be displayed on your website, ideally alongside the card logos at the point the consumer enters the store. This reassures your consumers that their payments will be processed by a recognised secure merchant service provider. The "Payments Powered by CashFlows" logo must also be hyperlinked to http://www.cashflows.com