In this day of global eCommerce, any new security measure mandated for payment transactions can affect merchants and consumers regardless of where the business operates. Last year new security measures went into effect for all businesses registered in the EEA (European Economic Area). The revised Payment Services Directive (PSD2), and the Strong Customer Authentication (SCA) requirement that goes along with it, are a set of regulations designed to “contribute to a more integrated and efficient European payments market and… ensure enhanced security measures to be implemented by all PSPs,” according to Visa.
PSD2 SCA applies to any merchants, acquirers and third-party vendors processing eCommerce and mCommerce payments in the Visa European Region. While most of the PSD2 updates went into effect over the last year, the last facet, SCA (Strong Customer Authentication), must be met by Sept. 14th.
Who is most affected by PSD2 SCA regulations?
What does this mean for merchants and consumers outside the EU? The mandate still applies to any business registered within the EEA, even one that is not physically based there.
The goal is to create a more “open banking” model, with regulatory standards for third-party sharing of sensitive data, including payment information, among the parties involved in a transaction, and ultimately to reduce the incidence of card-not-present (CNP) fraud. In Europe, almost two thirds of all card fraud is attributed to card-not-present transactions. The stated security objectives of the new mandates are to increase consumer protection during electronic payment transactions and to create a comprehensive set of rules for new and existing providers of payment services.
SCA mandates that any in-scope payment be authenticated by at least two independent factors: the consumer must provide two authentication factors, independent of each other, for the transaction to be approved. According to the Visa PSD2 SCA Implementation Guide, the factors are categorized as “knowledge” (something you know, typically a password or PIN), “possession” (something you have, such as a device) and “inherence” (something you are, typically a fingerprint or other biometric). Independence means the two factors must come from different categories and compromising one must not compromise the other; a password plus a security question, for example, is two pieces of evidence but only one factor.
Historically, authentication has been the card issuer's responsibility, and the issuer still performs it under SCA. What changes on September 14th is that the merchant must route every in-scope transaction through an authentication flow and request any exemption, since issuers can decline in-scope transactions that arrive without authentication. Merchants therefore need to update their checkout and payment processes to incorporate these measures.
Many businesses may be wondering what they need to do to become compliant and how the new regulations will affect their business as well as their customers.
Fortunately, any business already using 3-D Secure 2.0 has the mechanism in place to meet the new requirements. 3-D Secure 2.0 (3DS 2.0) was developed by EMVCo to provide “consumers with a secure way to authenticate themselves with their card issuer when making card-not-present (CNP) e-commerce purchases,” protecting consumers and merchants from exposure to CNP fraud through additional security measures.
3-D Secure 2.0 supports biometrics such as facial recognition and fingerprint scanning, and native integration on mobile devices. Card issuers can send a one-time code to the customer by email, SMS or whatever method the consumer prefers. The protocol also passes far more transaction data to the issuer than its predecessor did, so the issuer can risk-assess many transactions and approve them without challenging the customer at all. All of these methods are designed to leave the customer feeling in control, add a layer of trust in the company, and complete authentication without adding friction or disrupting the payment process.
There are a few exceptions: transaction types that are out of scope or that the regulation treats as low risk and that are therefore not subject to the SCA challenge. These include recurring or subscription payments, where the consumer authenticated during the initial transaction so there is no need to repeat it each month; transactions below a specified value; and mail order/telephone order (MOTO) transactions, to name a few. Note that an exemption is requested by the merchant or its acquirer, and the issuer can still decline it and challenge the customer, so the checkout must be able to handle a step-up even for transactions it expected to pass through.
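The two rules above (two factors from different categories, and the out-of-scope or exempt transaction types) are easiest to reason about as a small policy check. The following is an added example written for this article, not code from Visa, EMVCo or Bankcard Brokers. The mapping of evidence types to categories, the EEA country list, the low-value threshold and the function names are all assumptions for illustration; it also follows this page's description of the “one leg out” rule discussed further down, treating a transaction with a non-EEA issuer or acquirer as not requiring SCA.

```python
"""Added example (not from the original post): decide whether a card-not-present
transaction falls under PSD2 SCA and, if it does, whether the authentication
evidence presented spans two *independent* factor categories. The category
mapping, country list and low-value threshold are illustrative assumptions,
not regulatory values."""
from dataclasses import dataclass
from enum import Enum


class Factor(Enum):
    KNOWLEDGE = "knowledge"    # something you know: password, PIN
    POSSESSION = "possession"  # something you have: registered device, card
    INHERENCE = "inherence"    # something you are: fingerprint, face


# Assumed mapping from the evidence a checkout collects to its SCA category.
EVIDENCE_CATEGORY = {
    "password": Factor.KNOWLEDGE,
    "card_pin": Factor.KNOWLEDGE,
    "security_question": Factor.KNOWLEDGE,
    "otp_to_registered_phone": Factor.POSSESSION,
    "bound_device_key": Factor.POSSESSION,
    "fingerprint": Factor.INHERENCE,
    "face": Factor.INHERENCE,
}

# Assumed, non-exhaustive set of EEA country codes for the one-leg-out test.
EEA = {"AT", "BE", "DE", "ES", "FR", "IE", "IT", "NL", "PL", "SE", "NO", "IS", "LI"}

# Assumed illustrative threshold; the page only says "a specified amount".
LOW_VALUE_LIMIT = 30.00


def independent_factors(evidence):
    """Return the set of distinct SCA categories covered by the evidence.

    Two pieces of evidence from the same category (password plus security
    question, both 'knowledge') count as one factor: a single phishing page
    captures both, so they are not independent.
    """
    unknown = [e for e in evidence if e not in EVIDENCE_CATEGORY]
    if unknown:
        raise ValueError(f"unclassified evidence: {unknown}")
    return {EVIDENCE_CATEGORY[e] for e in evidence}


def satisfies_sca(evidence):
    """SCA is met when at least two different categories are present."""
    return len(independent_factors(evidence)) >= 2


@dataclass(frozen=True)
class Transaction:
    amount: float
    issuer_country: str    # where the card was issued
    acquirer_country: str  # where the merchant's acquirer is
    channel: str           # "ecommerce", "moto" or "recurring"
    first_in_series: bool = True  # for "recurring": is this the setup payment?


def sca_applies(txn):
    """Decide whether SCA must be requested. Returns (applies, reason).

    Exemptions are only *requested* by the merchant or acquirer; the issuer
    may still refuse the exemption and challenge the customer.
    """
    if txn.issuer_country not in EEA or txn.acquirer_country not in EEA:
        return False, "one leg out: a party is outside the EEA"
    if txn.channel == "moto":
        return False, "MOTO is out of scope"
    if txn.channel == "recurring" and not txn.first_in_series:
        return False, "subsequent recurring payment: SCA done at setup"
    if txn.amount < LOW_VALUE_LIMIT:
        return False, "low-value exemption requested"
    return True, "in scope: SCA required"


def authorize(txn, evidence=()):
    """Combine both checks into one decision: (approved, reason)."""
    applies, reason = sca_applies(txn)
    if not applies:
        return True, reason
    if satisfies_sca(evidence):
        cats = sorted(f.value for f in independent_factors(evidence))
        return True, "SCA satisfied with " + "+".join(cats)
    return False, "SCA not satisfied: fewer than two independent factors"


if __name__ == "__main__":
    eu = Transaction(120.00, "DE", "FR", "ecommerce")
    # Password + security question is two prompts but only one factor.
    print(authorize(eu, ["password", "security_question"]))
    print(authorize(eu, ["password", "otp_to_registered_phone"]))
    # Later instalment of a subscription: out of scope.
    print(authorize(Transaction(9.99, "DE", "FR", "recurring", first_in_series=False)))
    # US-issued card at an EEA merchant: one leg out.
    print(authorize(Transaction(120.00, "US", "FR", "ecommerce")))
```

The point of `independent_factors` is that counting prompts is not the same as counting factors: only distinct categories count. The real low-value exemption also carries cumulative limits since the customer's last SCA (total amount and number of consecutive exempt payments), which this example omits, and in a real integration the final say on any exemption rests with the issuer's 3-D Secure response, not with the merchant's own evaluation.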
How can SCA benefit merchants, even if they are outside the EEA?
This new mandate brings with it several benefits for both the merchant and the consumer. For the merchant, it will help to reduce CNP transaction fraud, chargeback ratios, and the expense involved with fighting these situations.
Liability for fraud chargebacks also shifts to the card issuer when a transaction is authenticated with 3-D Secure 2.0, instead of falling on the merchant's shoulders. In addition, shopping cart abandonment can fall when customers experience less friction at checkout combined with greater trust in the business's security measures.
Since most CNP fraud is expected to shift toward transactions that do not use two-factor authentication, the U.S. is likely to see a rise in online fraud after the September deadline. If a payment is made with a U.S.-issued card to a company in the EU, SCA is not required, and the same holds when a customer uses an EU-issued card at a business in the U.S.; these transactions fall under the “one leg out” rule in the regulations, under which the EEA side is expected to apply SCA only on a best-effort basis. Because cyber criminals are opportunistic, merchants and consumers in America face more risk of online fraud when two-factor authentication is not employed.
Consumers, for their part, will come to appreciate and rely on the fact that the places they shop online take security seriously, and can shop with confidence that their payment information and personal data are not being put at risk.
eCommerce is a global market, and its rules, regulations and mandates have the potential to affect us all, European Union or not. Just as America finally followed the EU with the long overdue upgrade to EMV, it is inevitable that PSD2- and SCA-style security measures will be expected by American consumers as the eCommerce and mCommerce markets grow and expand over time.
Most likely it will not be any regulatory body that drives open banking, but technological innovations and the marketplace itself that will demand opportunity and change in the United States.
With the Sept. 14th deadline just under 60 days away, merchants need to start now to make sure the integration is completed and all new authentication requirements are in place on time.
At Bankcard Brokers we make a concerted effort to stay on the cutting edge of payment solution technology and innovation for our clients. Our merchant solutions are already capable of integrating with 3-D Secure 2.0 technology, as well as other security solutions available to both U.S. and international businesses, allowing all of our merchants to integrate smoothly, no matter where they do business!