eCOMM Merchant Solutions Statement on SCA
From 14 September 2019, new rules apply to the way banks and other payment service providers verify that the person requesting access to an account, or trying to make a payment, is actually permitted to do so, and to the way they validate specific payment instructions.
These rules, referred to as Strong Customer Authentication (SCA), are a European regulatory requirement intended to reduce online fraud and make online payments more secure.
These rules are set in The Second Payment Services Directive 2015/2366/EU (or PSD2), which applies to payment services in the EU.
In the UK, PSD2 has been transposed into the legislation in the Payment Services Regulations 2017 (PSRs 2017).
In Ireland PSD2 became law on 13 January 2018 with the signing of the European Union (Payment Services) Regulations 2018.
The deadline for compliance with the Regulatory Technical Standards (RTS) on Strong Customer Authentication (SCA) under the PSD2 Directive is 14 September 2019.
What is Strong Customer Authentication (SCA)?
When a shopper in the European Economic Area (the EEA) uses a card issued by an EEA bank to make a payment, additional levels of authentication will be required. It will no longer be possible to pay for something online using only card details, such as the card number and CVC code.
The "two factor authentication" requirement of SCA means that an online shopper will have to provide two out of the three acceptable means of proving their identity:
- Knowledge: something they know (password, PIN, secret fact, etc.)
- Possession: something they own (mobile phone, token, smart card)
- Inherence: something they are (iris recognition, fingerprint, voice recognition, face recognition)
The biggest change will involve the type of security software used to process online transactions. From 14 September 2019 all ecommerce transactions should be processed via a secured industry protocol such as 3D Secure, or they will most likely be declined by the card issuing bank (the issuer).
We are advising our merchants to implement at least the most basic of the 3DS solutions (v1.0).
With SCA and the enhanced versions of 3DS, more dynamic data points will be used to verify users' identities. It is a win-win: more customer choice could mean better authentication experiences and fewer drop-offs. Consumers will have fewer passwords to remember, and online businesses will benefit from higher security with lower cart abandonment.
Another huge advantage for merchants is that SCA shifts the liability for fraud away from the merchant's business to the issuer if the transaction turns out to be fraudulent (even in the case of certain exemptions).
The general rule on exemptions is that if the transaction is exempted by action of the merchant, the merchant remains liable; if it is exempted by the issuer, liability lies with the issuer.
The following transactions will be exempt from SCA as they aim to ensure easy shopping experiences with additional security levied only on shoppers' larger and less frequent payments.
1. Low value and low risk transactions
Transactions under €30. However, the issuing bank will keep track of the amount of payments made. When a cardholder initiates more than five consecutive low value payments with any merchant, or if the total value of those transactions is greater than €100 in 24 hours, (€150 for contactless), the exemption ceases to apply and SCA is required.
2. Recurring transactions
Subscription or recurring transactions with a fixed amount and frequency will be exempt from the second transaction onwards. Only the initial transaction will require SCA. If the amount or frequency changes, 3D Secure will be required again for each new amount or frequency.
In the case where products have a variable cost per period based on usage, like in the case of the recurring direct debits with variable amounts, these will be considered 'merchant initiated transactions' and will be exempt from SCA after the first transaction provided the merchant and customer have an agreement allowing such variable charges.
3. Whitelisted merchants
Cardholders can assign businesses to a whitelist of "Trusted Beneficiaries", which are maintained by their bank. These whitelisted merchants will be exempt from 3D Secure, so customers who regularly shop with a given business will be able to avoid SCA requirements. Whether a cardholder's request is granted is up to their issuer, who can turn down the proposed exemption or withdraw it at any time. Currently, many issuers are not ready to support whitelisting by 14 September. eComm Merchant Solutions is monitoring the situation and will provide a relevant update.
We advise merchants who have a regular relationship with large numbers of customers to consider how best to encourage those customers to add the merchant to their whitelist.
4. MOTO transactions
Mail Order and Telephone Orders (MOTO) will be exempt from SCA in all cases. MOTO transactions are not considered to be 'electronic payments' and so are out of the scope of PSD2.
5. B2B transactions
Payments made between two businesses are exempt from SCA when the payment method is one dedicated to making such B2B payments.
6. TRA (Transaction risk analysis exemption)
A developing exemption involves the use of existing risk data to support transactions outside of SCA.
In the future, eComm may use TRA to exempt certain transactions from SCA if our analysis determines that the transaction carries a low enough fraud risk. In that case, eComm could request that the issuer allow the transaction to proceed without SCA. However, in all cases it is the issuer who ultimately decides whether to allow this, so eComm's ability to use this exemption will always be limited by the issuer.
The details of this exemption are still being worked out. eComm will continue to monitor the issue and will provide an update when it becomes available.
What is eCOMM Merchant Solutions doing about SCA?
In line with the developing regulatory guidance, we have taken the necessary steps to ensure that, at a minimum, the 3DS 1.0 mandate is met, while at the same time exploring options to achieve the right balance between managing fraud risk and minimising disruption to the consumer during a payment.
What should the merchants do?
We advise merchants to consider how these SCA changes will impact their customer journeys and sales models. SCA may have different implications for your business, depending on the design of the payment experience and operating model.
Merchants should ensure that their eCommerce payments are ready to be authenticated using at least 3D Secure V1 and, if possible, should use a later version of 3DS. Also, engage with your website developer.
DO NOT RELY ON TRANSACTIONS BEING EXEMPT OR OUT OF SCOPE.
Not all of the exemptions will be available as of 14 September and issuers have announced that they will be declining large numbers of transactions if they are deemed to be within scope of SCA.
There are also new rules applicable to contactless transactions. A normal chip and PIN authorisation will be required when any of the following limits is exceeded:
- the value of the transaction exceeds €30;
- the cumulative amount of consecutive contactless transactions exceeds €150;
- the number of consecutive contactless transactions since the last chip and PIN transaction exceeds five.
Unattended terminals for transport fares and parking fees are exempt from this requirement.
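The low value exemption (point 1 above) and the contactless limits are both counter-based rules: a single-payment ceiling of €30, a cap on consecutive exempted payments, and a cumulative cap (€100 online, €150 contactless) that is reset whenever the cardholder completes SCA or a chip and PIN authorisation. The following Python model, added here as an illustration and not code from eComm Merchant Solutions or any issuer, shows how an issuer-side check of those thresholds behaves over a sequence of payments. The thresholds are the ones quoted on this page; the per-card counter object, the `sca_required` function, the `hours` helper, and the decision to apply the page's 24-hour window to both channels are assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Thresholds as quoted on the page. Everything else (window handling, reset
# behaviour, the channel names) is a hypothetical model for illustration.
LOW_VALUE_LIMIT = 30.0                                  # payment must be under €30
MAX_CONSECUTIVE = 5                                     # more than five in a row ends the exemption
CUMULATIVE_LIMIT = {"ecommerce": 100.0, "contactless": 150.0}  # €100 online, €150 contactless
WINDOW = timedelta(hours=24)                            # cumulative total measured over 24 hours

# Constructed reference time for the sample sequences below (not real data).
T0 = datetime(2019, 9, 14, 9, 0)


def hours(n: float) -> datetime:
    """Timestamp n hours after T0, for building sample sequences."""
    return T0 + timedelta(hours=n)


@dataclass
class CardCounters:
    """Per-card record of exempted payments since the last SCA / chip-and-PIN event."""
    exempted: list = field(default_factory=list)  # (timestamp, amount) pairs

    def reset(self) -> None:
        # A completed SCA or chip-and-PIN authentication restarts the counters.
        self.exempted.clear()


def sca_required(counters: CardCounters, amount: float, when: datetime,
                 channel: str = "ecommerce") -> tuple:
    """Decide whether one payment may use the low value exemption.

    Returns (True, reason) when SCA is required and (False, "exempt") otherwise.
    Exempted payments are recorded so later decisions see the running totals;
    a payment that triggers SCA resets the counters, since SCA is then performed.
    """
    if channel not in CUMULATIVE_LIMIT:
        raise ValueError(f"unknown channel {channel!r}")
    if amount >= LOW_VALUE_LIMIT:
        counters.reset()
        return True, "amount is not under €30"
    if len(counters.exempted) >= MAX_CONSECUTIVE:
        counters.reset()
        return True, "more than five consecutive low-value payments"
    window_start = when - WINDOW
    recent_total = sum(a for t, a in counters.exempted if t >= window_start)
    if recent_total + amount > CUMULATIVE_LIMIT[channel]:
        counters.reset()
        return True, f"cumulative total would exceed €{CUMULATIVE_LIMIT[channel]:.0f} in 24 hours"
    counters.exempted.append((when, amount))
    return False, "exempt"


def simulate(payments, channel: str = "ecommerce") -> list:
    """Run a sequence of (timestamp, amount) payments through one card's counters."""
    counters = CardCounters()
    return [sca_required(counters, amt, ts, channel) for ts, amt in payments]


# Constructed sample sequence: five €29 payments spread so that the 24-hour
# window keeps the cumulative total under €100, then a sixth payment that
# trips the consecutive-count rule.
SPREAD_OUT = [(hours(0), 29.0), (hours(1), 29.0), (hours(2), 29.0),
              (hours(25), 29.0), (hours(26), 29.0), (hours(27), 5.0)]

# Constructed sample sequence: four €29 payments within four hours (cumulative
# rule trips on the fourth), a €35 payment (single-payment rule), then a fresh
# €10 payment after the counters were reset.
BUNCHED_UP = [(hours(0), 29.0), (hours(1), 29.0), (hours(2), 29.0),
              (hours(3), 29.0), (hours(4), 35.0), (hours(5), 10.0)]

if __name__ == "__main__":
    for label, seq in (("spread out", SPREAD_OUT), ("bunched up", BUNCHED_UP)):
        print(label)
        for (ts, amt), (required, reason) in zip(seq, simulate(seq)):
            print(f"  {ts:%d %b %H:%M}  €{amt:6.2f}  SCA={'yes' if required else 'no '}  {reason}")
```

The two sample runs show the interaction that catches merchants out: a payment well under €30 can still require SCA because of what happened before it, and the merchant has no visibility of those issuer-side counters. Passing `channel="contactless"` applies the €150 cumulative cap and models the chip and PIN reset described in the contactless rules above.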
- 14 September 2019: PSD2's SCA requirements go live in Europe.
- 2020 and onward: 3DS 2.0 launches worldwide. The majority of banks will accept 2.0 by the end of 2020.
We advise merchants to review their eCommerce infrastructure to ensure they have, at a minimum, 3DS v1.0 enabled.
If you are using a physical card terminal, we will be upgrading your terminal software in the coming months to ensure it is compliant with the new rules around contactless transactions. We have already made many of the necessary changes to be compliant with SCA requirements and will continue to provide updates regarding these developments. Please check our website for updates.