Our top 10 PSD2 frequently asked questions:
The Payment Services Directive 2 (PSD2) is a directive from the European Commission that requires Strong Customer Authentication (SCA) to be applied for all electronic commerce (eCommerce) transactions.
- It will affect all businesses based in, or serving customers in, the European Economic Area (EEA) that accept card payments.
- These laws introduce security measures called two-factor authentication to keep customers safer when making payment transactions online. This is an industry-wide change.
- Businesses must upgrade their payments infrastructure to support two-factor authentication. This provides all parties involved in the ecosystem with enhanced data, leading to better quality authorisation decisions.
- Elavon’s SCA solutions use the latest technology to enable real-time risk analysis that can create a frictionless experience for your customers.
Strong Customer Authentication (SCA) means that banks must confirm the cardholder as being the genuine owner of the payment card before they approve the transaction.
To prove that they are the genuine owner of the card, cardholders must provide at least two out of three possible authentication factors to their bank when requested.
EMV 3D Secure is the standard protocol for SCA when accepting payments over the internet. It helps to reduce fraud and cart abandonment, whilst seamlessly supplementing existing data with additional information.
Upgrading to the latest version will allow you more flexibility as the merchant, as well as providing the traditional shift in liability expected when applying EMV 3D Secure.
Benefits of upgrading to the latest version of EMV 3D Secure
- Increased cardholder confidence when transacting with your business
- Reduced fraud and chargebacks – liability protection
- Prevention of unauthenticated transaction declines
- Improved risk-based decisions leading to higher approval rates
- Full support for all available exemption types and payment device types
The new rules mean that most online transactions will require enhanced SCA to be performed, unlike today where you can choose whether to apply SCA or not.
We recommend that you apply the latest version of EMV 3D Secure as soon as possible.
Engage with your payment gateways to implement the latest version of EMV 3D Secure.
The increased levels of security and control will directly benefit customers, increasing their trust and confidence while shopping online.
The European Banking Authority recognised the complexity and challenges of implementing this directive within the payments environment and has extended its original deadline. The new deadline for eCommerce compliance is 31 December 2020 in Europe.
In the UK, the Financial Conduct Authority has granted some flexibility until 31 March 2021.
Get ready to start authenticating with the latest available version of the EMV 3D Secure framework. Commence planning with your payment gateway provider to migrate to the latest version of EMV 3D Secure as it becomes widely available during 2020.
These upgrades will enable you to benefit from the maximum possible range of exemption types as they are released into the marketplace.
1. Low value exemption
Remote transactions up to €30 (or equivalent in other currencies) and contactless transactions up to €50 (or equivalent in other currencies) do not require SCA up to a maximum of five consecutive transactions or a cumulative limit of €100 (€150 for contactless). If the cardholder initiates more than five consecutive low value payments, or if the total payments value exceeds €100 (€150 for contactless), SCA will be required. Please note that currently, only Visa and Mastercard have released their requirements to support exemptions. The monitoring of the consecutive transactions and cumulative limits will be the responsibility of the issuer.
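The counting rule above, modelled from the issuer's side as an added example (not Elavon's or any issuer's code). The names `LowValueCounter`, `decide` and `replay` are hypothetical, and the reset of both counters once SCA has been performed is an assumption the page does not spell out.

```python
from dataclasses import dataclass

# Limits as stated on this page, in euro cents: (per-transaction, cumulative).
LIMITS = {"remote": (3000, 10000), "contactless": (5000, 15000)}
MAX_CONSECUTIVE = 5  # more than five consecutive exempt payments forces SCA


@dataclass
class LowValueCounter:
    """Per-card, per-channel state an issuer would keep (hypothetical model)."""
    channel: str
    count: int = 0        # exempt payments since the last SCA
    cumulative: int = 0   # their total value in cents

    def decide(self, amount_cents):
        """Return 'EXEMPT' or 'SCA_REQUIRED' and update the counters."""
        if amount_cents <= 0:
            raise ValueError("amount must be positive")
        per_txn, cum_limit = LIMITS[self.channel]
        exempt = (
            amount_cents <= per_txn
            and self.count + 1 <= MAX_CONSECUTIVE
            and self.cumulative + amount_cents <= cum_limit
        )
        if exempt:
            self.count += 1
            self.cumulative += amount_cents
            return "EXEMPT"
        # Assumption: the cardholder completes SCA, which resets both counters.
        self.count = 0
        self.cumulative = 0
        return "SCA_REQUIRED"


def replay(channel, amounts_cents):
    """Run a constructed sequence of payments through a fresh counter."""
    counter = LowValueCounter(channel)
    return [counter.decide(a) for a in amounts_cents]


if __name__ == "__main__":
    # Constructed sample: six EUR 10 remote payments; the sixth exceeds the count limit.
    print(replay("remote", [1000] * 6))
    # Constructed sample: four EUR 30 remote payments; the fourth would total EUR 120.
    print(replay("remote", [3000] * 4))
```

A merchant or gateway cannot see these counters, so a payment flagged for the low value exemption can still come back with a step-up request.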
2. Recurring payment exemption
Some transaction types are initiated without the cardholder being present or in-session. In these cases, SCA cannot be performed and there are exemptions designed to accommodate these flows. In the case of recurring transactions (same amount) or other customer initiated transactions (variable amount), the initial capture of card details for storing on file must be authenticated using SCA – this results in a unique identifier that is used in subsequent transactions within a series to indicate to issuers that SCA has already been performed. To ensure that these transactions are exempted from SCA step-up requests, customers and their service providers must ensure that the card scheme MIT frameworks are followed and that all transactions are appropriately flagged as recurring with reference to the original transaction via the trace/transaction ID value.
3. Transaction risk analysis (TRA) exemption
Issuers and acquirers may use TRA on customers’/partners’ behalf to exempt transactions from the need to have SCA performed. This effectively means that Elavon would analyse the transaction to determine the likelihood of it being genuinely performed by the cardholder and exempt it from 3DS. TRA will be available via two channels. Elavon will offer its own TRA service where Elavon will analyse transactions to determine if the transaction can be exempted from cardholder authentication. In addition, Elavon will support TRA conducted by approved third parties. Further details on both services will be made available in due course. The issuer, however, will always have the final say, so for example, where Elavon were to apply the TRA exemption on our customers’/partners’ behalf, the issuer retains the right to require SCA (known as step-up). The rules around TRA exemptions are complex and Elavon can only control how the transaction is handled up until the point that it is sent to the issuer. There are three threshold levels of exceptions – €100, €250 and €500. Elavon will be providing more guidance on TRA in the coming months.
4. Trusted payee exemption (or whitelisting)
With later levels of 3DS, cardholders will have the option to ‘whitelist’ a business they trust with their card issuer. This means that the cardholder can elect to make a business a ‘trusted payee’ and therefore transactions at a ‘whitelisted’ business are to be exempt from future SCA. Whether a cardholder’s elected wishes are upheld is totally the decision of their issuer, as the card issuer may reject the initial request or subsequent exemption requests if it has cause to do so. Furthermore, it is not known at this stage whether issuers will be ready to support whitelisting by 14 September 2019. Elavon are staying very close to developments regarding the Trusted Payee Exemption and will keep our customers/partners informed of the latest situation regarding this exemption category as it develops. It should be noted that a business (or their acquirer) cannot elect to be whitelisted themselves; this can only be done between the cardholder and their issuer.
5. Secure corporate payments
Payments made through dedicated corporate processes and protocols (e.g. lodge cards, central travel accounts and virtual cards) which are initiated by business entities, not available to cardholders and which already offer high levels of protection from fraud may be exempted from SCA. Elavon is working closely with the card schemes to understand the determination of these transactions and will inform customers/partners once it becomes available.
We expect that card issuers may decide to ask for extra confirmation through the use of voice referrals or an immediate refusal of the transaction. The transaction types currently not supporting the SCA functionality that are most at risk are:
- 3DS1 transactions (where the issuer is only supporting 3DS2)
- Magstripe transactions
- Keyed customer present transactions
- Non-authorised transactions
- Chip fall back
- Deferred authorisations (non-Chip and PIN transactions)
- Unauthenticated eCommerce transactions
Merchant initiated transactions (MIT)
Merchant Initiated Transactions are payments initiated by the customer without the interaction of the cardholder, for example:
- A single transaction, such as a cancellation fee
- Recurring payments for fixed or variable amounts such as a monthly membership subscription
- A series of transactions for a variable amount or at variable intervals – such as irregular payment installments for a holiday, or a regular but variable amount such as a utility bill
These transactions must be governed by an agreement between the cardholder and customer that, once agreed, allows the customer to initiate subsequent payments without any direct involvement of the cardholder. However, SCA should be applied to the first transaction/action mandating the customer to initiate payment.
Mail order/telephone order (MOTO)
MOTO transactions are not in scope for SCA, as the customer is not in the flow. However, there is a growing trend of fraud and chargebacks on MOTO transactions, and Elavon strongly recommends trying to find ways of taking transactions via eCommerce – perhaps using a Pay by Link type functionality.
MOTO should only be used where the cardholder details have been provided via mail or phone and is not intended to cover customer present interactions via eCommerce or keyed transactions.
Due to their very nature, payments made through the use of anonymous payment instruments, such as anonymous prepaid, for example, gift cards, are not subject to the obligation of SCA.
Unattended transport and parking terminals
Any payment for transport fares or parking at unattended terminals (e.g. at an airport or train station) will not require SCA.
One leg out transactions
It may not be possible to apply SCA to a transaction where the Issuer is located outside the EEA and is therefore considered out of the scope of SCA. SCA should be applied to these transactions on a ‘best effort’ basis.