eCOMM Merchant Solutions Statement on SCA
From 14 September 2019, new rules were to apply that would affect the way banks and other payment service providers check that the person requesting access to an account, or trying to make a payment, is the person permitted to do so, and validate specific payment instructions. Due to industry concerns, the deadline for these rules has been postponed to 31 December 2020 in the EU and 14 March 2021 in Denmark, France and the UK, with a phased rollout planned before those dates.
The new rules, referred to as Strong Customer Authentication (SCA), are a new European regulatory requirement intended to reduce online fraud and make online payments more secure.
These rules are set in The Second Payment Services Directive 2015/2366/EU (or PSD2), which applies to payment services in the EU. In the UK, PSD2 has been transposed into the legislation in the Payment Services Regulations 2017 (PSRs 2017). In Ireland PSD2 became law on 13 January 2018 with the signing of the European Union (Payment Services) Regulations 2018.
The original deadline for compliance with the Regulatory Technical Standards (RTS) on Strong Customer Authentication (SCA) under the PSD2 Directive was 14 September 2019. Due to industry concerns, the European Banking Authority (EBA) agreed to postpone the deadline until 31 December 2020. Prior to the EBA's decision, the regulatory authorities of Denmark, France and the UK had already established 18-month extensions until 14 March 2021.
What is Strong Customer Authentication (SCA)?
When a shopper in the European Economic Area (the EEA) uses a card issued by an EEA bank to make a payment, additional levels of authentication will be required. It will no longer be possible to pay for something online using only card details, such as the card number and CVC code.
The "two factor authentication" requirement of SCA means that an online shopper will have to provide two out of the three acceptable means of proving their identity:
- Knowledge: Something they know (password, PIN, secret fact, etc.)
- Possession: Something they own (mobile phone, token, smart card)
- Inherence: Something they are (iris recognition, fingerprint, voice recognition, face recognition)
The biggest change will involve the type of security software used to process online transactions. From 31 December 2020 all ecommerce transactions should be processed via a secure industry protocol such as 3D Secure, or they will most likely be declined by the card issuing bank (the issuer).
We are advising our merchants to implement 3D Secure v2.1 in January 2020, and v2.2 when it becomes available in summer 2020.
With SCA and the enhanced versions of 3DS, more dynamic data points will be used to verify users' identities. It is a win-win: more customer choice could mean better authentication experiences and fewer drop-offs. Consumers will have fewer passwords to remember. Online businesses will benefit from higher security with lower cart abandonment.
Another huge advantage for merchants is that SCA shifts the liability for fraud away from the merchant's business to the issuer if the transaction turns out to be fraudulent (even in the case of certain exemptions).
The general rule on exemptions is that if the transaction is exempted by action of the merchant, the merchant remains liable; if it is exempted by the issuer, liability lies with the issuer.
The following transactions will be exempt from SCA as they aim to ensure easy shopping experiences with additional security levied only on shoppers' larger and less frequent payments.
1. Low value and low risk transactions
Transactions under €30. However, the issuing bank will keep track of the number and value of payments made. When a cardholder initiates more than five consecutive low value payments with any merchant, or if the total value of those transactions is greater than €100 in 24 hours (€150 for contactless), the exemption ceases to apply and SCA is required.
2. Recurring transactions
Subscription or recurring transactions with a fixed amount and frequency will be exempt from the second transaction onwards. Only the initial transaction will require SCA. If the amount or frequency changes, 3D Secure will be required for every new amount or frequency.
Where products have a variable cost per period based on usage, as with recurring direct debits for variable amounts, these will be considered 'merchant initiated transactions' and will be exempt from SCA after the first transaction, provided the merchant and customer have an agreement allowing such variable charges.
3. Whitelisted merchants
Cardholders can assign businesses to a whitelist of "Trusted Beneficiaries", which are maintained by their bank. These whitelisted merchants will be exempt from 3D Secure, so customers who regularly shop with a given business will be able to avoid SCA requirements. Whether a cardholder's request is granted is up to their issuer, who can turn down the proposed exemption or withdraw it at any time. Currently, many issuers are not ready to support whitelisting. eCOMM Merchant Solutions is monitoring the situation and will provide a relevant update.
We advise merchants who have a regular relationship with large numbers of customers to consider how best to motivate those customers to add them to their whitelist.
4. MOTO transactions
Mail Order and Telephone Orders (MOTO) will be exempt from SCA in all cases. MOTO transactions are not considered to be 'electronic payments' and so are out of the scope of PSD2.
5. B2B transactions
Payments made between two businesses are exempt from SCA when the payment method is one dedicated to making such B2B payments.
6. TRA (Transaction risk analysis exemption)
A developing exemption involves the use of existing risk data to support transactions outside of SCA.
In the future, eCOMM may use TRA to exempt certain transactions from SCA if our analysis determines the transaction carries a low enough fraud risk. In that case, eCOMM could make a request to the issuer to allow the transaction to proceed. However, in all cases it will be the issuer who ultimately decides whether to allow this, so eCOMM's ability to use this exemption will always be limited by the issuer.
The details of this exemption are still being worked out. eCOMM will continue to monitor the issue and will provide an update when it becomes available.
What is eCOMM Merchant Solutions doing about SCA?
In line with the developing regulatory guidance, we have taken the necessary steps to ensure, at a minimum, the 3DS 1.0 mandate is met, while at the same time exploring options to achieve the right balance between managing fraud risks and minimising disruption to the consumer while conducting a payment.
What should the merchants do?
We advise merchants to consider how these SCA changes will impact their customer journeys and sales models. SCA may have different implications for your business, depending on the design of the payment experience and operating model.
Merchants should ensure that their eCommerce payments are ready to be authenticated using 3D Secure v2.1 in January 2020 and v2.2 upon its launch in summer 2020.
DO NOT RELY ON TRANSACTIONS BEING EXEMPT OR OUT OF SCOPE.
Not all of the exemptions will be available as of 14 September 2019, and perhaps not by 31 December 2020 either, and issuers have announced that they will be declining large numbers of transactions if they are deemed to be within scope of SCA.
There are also new rules applicable to contactless transactions. A normal chip and PIN authorisation will be required when any of the following limits is exceeded:
- the value of the transaction exceeds €30
- the cumulative amount of consecutive contactless transactions exceeds €150
- the number of consecutive contactless transactions since the last chip and PIN transaction exceeds five
Unattended terminals for transport fares and parking fees are exempt from this requirement.
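The low value exemption (section 1 above) and the contactless limits just listed both depend on the issuer counting a card's run of unauthenticated payments. The following is an added illustration, not eCOMM's or any issuer's code: it tracks the thresholds exactly as stated on this page (under €30 per remote payment, €30 for contactless, more than five consecutive payments, €100 in 24 hours for remote and €150 cumulative for contactless) and reports when SCA must be applied. The channel names and the assumption that the payment being decided counts towards the cumulative total are ours; the issuer, not the merchant, makes the real decision.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Thresholds as stated in the statement above (amounts in EUR)
PER_TXN_LIMIT = 30.0
MAX_CONSECUTIVE = 5                                    # the sixth payment needs SCA
CUMULATIVE_LIMIT = {"remote": 100.0, "contactless": 150.0}
WINDOW = timedelta(hours=24)                           # the remote total is measured over 24 hours

@dataclass
class ExemptionTracker:
    """One card's run of low-value payments since the last authenticated (SCA) payment."""
    channel: str                                       # "remote" (online) or "contactless"
    run: list = field(default_factory=list)            # (timestamp, amount) of exempt payments
    def _cumulative(self, now):
        if self.channel == "remote":                   # only payments in the last 24 hours count
            return sum(a for t, a in self.run if now - t <= WINDOW)
        return sum(a for _, a in self.run)             # all consecutive contactless payments count
    def sca_required(self, amount, now):
        """Decide whether a payment of `amount` at `now` must be authenticated."""
        if self.channel == "remote" and amount >= PER_TXN_LIMIT:
            return True, "amount not under EUR 30"      # remote: exempt only when under EUR 30
        if self.channel == "contactless" and amount > PER_TXN_LIMIT:
            return True, "amount exceeds EUR 30"        # contactless: chip and PIN above EUR 30
        if len(self.run) >= MAX_CONSECUTIVE:
            return True, "more than five consecutive low-value payments"
        # Assumption: the payment being decided counts towards the cumulative total
        if self._cumulative(now) + amount > CUMULATIVE_LIMIT[self.channel]:
            return True, "cumulative limit exceeded"
        return False, "low-value exemption applies"
    def record(self, amount, now, authenticated):
        if authenticated:                              # an SCA-authenticated payment resets the run
            self.run.clear()
        else:
            self.run.append((now, amount))

def simulate(channel, payments):
    """payments: (minutes_after_start, amount) pairs; returns a (required, reason) per payment.
    Assumes every SCA challenge that is required succeeds, which starts a fresh run."""
    tracker = ExemptionTracker(channel)
    start = datetime(2020, 12, 31, 9, 0)               # constructed sample date
    decisions = []
    for minutes, amount in payments:
        now = start + timedelta(minutes=minutes)
        required, reason = tracker.sca_required(amount, now)
        tracker.record(amount, now, authenticated=required)
        decisions.append((required, reason))
    return decisions
```

Running `simulate("remote", [(m, 20.0) for m in range(7)])` shows five exempt payments, SCA on the sixth, and a fresh exempt run afterwards; the same card paying €25 five times trips the €100 cumulative limit instead.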
- 14th September 2019 – PSD2's SCA requirements were to go live in Europe.
- January 2020 – eCommerce merchants should ensure their eCommerce infrastructure is 3DS v2.1 enabled
- Summer 2020 – 3DS 2.2 will launch worldwide.
- 31 December 2020 – SCA requirements go live in Europe
- 14 March 2021 – SCA requirements go live in UK, Denmark, France
We advise merchants to review their eCommerce infrastructure to ensure they have 3DS v2.1 enabled from January 2020, and v2.2 when it becomes available.
eCOMM will ensure that all of our terminals are in full compliance with all requirements surrounding SCA. As and when any changes to software or hardware are required, we will advise you of the required changes in advance and schedule an appropriate time to make the changes.