Enhance cardholder security with Strong Customer Authentication (SCA)
The EU introduced the Payment Services Directive 2 (PSD2) to make payments safer, increase consumer protection, and foster innovation and competition. PSD2 is enshrined in law in most EU member states. The UK has committed to implement all provisions whatever the Brexit outcome. At Elavon we communicated aspects of these new regulations in January 2018.
We want to continue to keep our customers informed about how the new regulations will impact their business.
What is changing?
One of the more significant impacts of PSD2 relates to eCommerce transactions and the need to implement Strong Customer Authentication (SCA). This will become mandatory from 14 September 2019 across Europe.
What is Strong Customer Authentication (SCA)?
SCA refers to the introduction of additional security authentication requirements for online transactions over €30 and it means your customers will no longer be able to check out online using just their credit or debit card details. They will need to provide an additional form of identification. This is known as ‘two factor authentication’ (2FA). Authentication factors are simply the ways a card issuer can be sure that the cardholder is the genuine owner of the card before authorising. Two factor authentication is the process whereby the identification of the cardholder by the issuer needs two independent sources of validation out of three possible categories:
- Something your customer knows. For example, a PIN or password - this would be a dynamic one-time password sent by the issuer to their cardholder (e.g. by text message) rather than a static password.
- Something your customer has. For example, a credit card.
- Something your customer is. For example, fingerprint or facial recognition.
This is applicable to transactions in the European Economic Area (EEA) only, where both payer and payee are in the region. This means that if your customer is from Japan, the transactions will not be subject to mandatory SCA. This is known as a ‘one leg out’ transaction.
What does SCA mean for my business?
The card schemes have responded to the new regulatory requirements by mandating the use of a new authentication framework 3D Secure v2, which meets the SCA requirements.
How will Elavon assist you to comply with SCA?
Elavon will be enabling you to undertake SCA to meet the regulations through application of 3D Secure V2. In theory this would mean that every online transaction will require enhanced 3D Secure (3DS) to be performed, unlike today where you can choose whether to apply 3DS or not.
Some businesses have expressed concern that applying this enhanced security to verify the cardholder, utilising enhanced 3DS, may add friction to the check-out process, with the danger that their customers do not complete their purchase, leading to checkout abandonment.
The good news is that there are some permitted exemptions to having to perform SCA and Elavon will work closely with you to discuss the exemption criteria that your business could benefit from.
Elavon has already upgraded its platforms to accommodate the new 3D Secure V2 for both Visa and Mastercard. Changes for American Express 3D Secure V2 for Full Service are completed and for Partial Service will be completed in July.
What are the exemptions to SCA?
There are four main exemption categories that can be applied by Elavon and/or the issuer. These are:
1. Low Value Exemption
Card transactions (below €30 for remote and below €50 for contactless) are considered low value and are generally exempt from authentication. However, if your customer initiates more than five consecutive low value payments with any merchant, or if the total value of those payments exceeds €100, or €150 for contactless, SCA will be required. This would mean that if the transaction taking the cardholder above the permitted maximums were performed with your business, the issuer would step up the transaction for SCA. You should therefore ensure that you have implemented 3D Secure V2 for eCommerce transactions in the event that the issuer requests this even for a low value transaction, otherwise the transaction may be declined. For contactless, you will be required to use Chip & PIN authentication on the terminal.
2. Recurring Payment Exemption - e.g. subscriptions
Regular payments of the same value to the same business are exempt after the initial set up. The initial set up of the recurring payment will still require authentication, but all subsequent transactions will be exempt.
Regular card payments where the amount may vary from month to month (for example a mobile phone bill) are classified as Merchant Initiated Transactions. These transactions are also out of scope for SCA as long as the first transaction was authenticated by the cardholder, and as long as the merchant has an agreement with the cardholder that they can charge variable amounts.
3. Transaction Risk Analysis (TRA) Exemption
Elavon could use TRA on your behalf to exempt transactions from the need to have SCA performed. This effectively means that Elavon would analyse the transaction to determine the likelihood of it being genuinely performed by the cardholder and exempt it from 3D Secure.
The issuer however will always have the final say, so for example, where Elavon were to apply the TRA exemption on your behalf, the issuer retains the right to require SCA (known as step-up).
The rules around the TRA exemption are complex and Elavon can only control how the transaction is handled up until the point that it is sent to the issuer. There are three exemption threshold levels - €100, €250 & €500. We will be providing more guidance on TRA in the coming months.
4. Trusted Payee Exemption (or whitelisting)
Cardholders will have the option to ‘whitelist’ a business they trust with their card issuer. This means that the cardholder can elect to make a business a ‘trusted payee’ and therefore transactions at a ‘whitelisted’ business are likely to be exempt from future SCA.
Whether a cardholder’s elected wishes are upheld is totally the decision of their issuer, as the card issuer may reject the initial request or subsequent exemption requests if it has cause to do so. Furthermore, it is not known at this stage whether issuers will be ready to support whitelisting by 14 September 2019.
Elavon are staying very close to developments regarding the trusted payee exemption and will keep you informed of the latest situation regarding this exemption category as it develops.
It should be noted that a business (or their acquirer) cannot elect to be whitelisted themselves, this can only be done between the cardholder and their issuer.
It may however be possible for businesses that have a regular relationship with customers (for example having an account or loyalty programme, including the ability for the customer to leave their card on file to be tokenised and used for purchases) to encourage their customer to whitelist them to avoid possible future SCA friction.
Are any transactions out of scope for SCA?
One leg out – you may decide not to send these for SCA – it depends on the flexibility of your gateway. Alternatively, if these are sent for SCA, they will be handled according to the card issuer's capabilities.
MOTO transactions are not in scope for SCA, as you don’t have the customer in the flow. However, there is a growing trend of fraud and chargebacks on MOTO transactions, and we strongly recommend trying to find ways of taking transactions via eCommerce – perhaps using a Pay by Link type functionality. In order to explore what options you may have to bring MOTO transactions in scope for SCA, thereby adding a layer of protection to your business, speak to your gateway provider.
Merchant Initiated Transactions (MIT)
A MIT is initiated by the merchant, for example:
- a single transaction, such as a cancellation fee
- a series of transactions of a fixed amount, such as a monthly membership subscription
- a series of transactions for a variable amount or at variable intervals, such as irregular payment instalments for a holiday, or a regular but variable amount such as a utility bill
These transactions must be governed by an agreement between the cardholder and merchant that, once agreed, allows the merchant to initiate subsequent payments without any direct involvement of the cardholder. Where the initial mandate is set up through a remote electronic channel, SCA is recommended if there is a risk of fraud but should not be necessary for subsequent payments initiated by the merchant.
Visa and Mastercard are updating their rules with respect to the submission of these transactions. Once we receive more information from the card schemes we will share this with you.
Who is liable if an exempted transaction turns out to be fraudulent?
Where Elavon processes an exemption without SCA your business would be liable if the transaction did turn out to be fraudulent.
Where the issuer exempts a transaction on behalf of their cardholder (e.g. for a trusted payee), the issuer would be liable if the transaction did turn out to be fraudulent. We expect more information to be provided soon about trusted payee.
How will I find out more on SCA?
Elavon will produce regular communication concerning Strong Customer Authentication and the exemption process under Transaction Risk Analysis. More information will be provided in the coming months.
Do I need to do anything?
Yes, you need to ensure that your eCommerce payments are ready to be authenticated using at least 3D Secure V1, although a new version called 3D Secure V2 offers your customers a better user experience and an increased chance of authorisation. If you’ve used 3D Secure V1, it should be a simple job to upgrade – speak to your payment gateway. If you’ve not used 3D Secure before, it might involve more work for you or your developer. Don’t delay – speak to your gateway or web developer now.
Even if the majority of your transactions will be either exempt or out of scope, you still need to be ready in case the card issuer still decides to request SCA – otherwise they may decline the transaction. Although Elavon or your gateway may, with or without the help of additional fraud tools, recommend that SCA is used and forward transactions for SCA, the card issuer will always have the final say and may request SCA on any online transaction.
However, if your whole business is mail order / telephone order (MOTO) payments - then this won’t apply to you.
As today, any transaction where you invoke 3D Secure protocols that the issuer approves will protect you from any potential fraud chargebacks. This is regardless of whether the issuer can support 3D Secure or not.
Are there any other PSD2 regulations I should be aware of?
PSD2 also provides a legal and regulatory environment for Open Banking (the XS2A provisions) in the EU. Banks must grant a new class of participant, called a Payment Initiation Service Provider (PISP), access to customer accounts. A PISP service could enable a business to accept a bank-to-bank payment for an online purchase.
Over the coming years new business-to-business payment methods like iDeal in the Netherlands may emerge and Elavon will keep you up to date on any developments in this area.
Contactless transactions – new rules also coming into force on 14 September 2019:
There are new rules governing SCA on terminals that accept contactless transactions. The value of the transaction must not exceed €50, and the cumulative value of consecutive contactless transactions without application of SCA must not exceed €150, or the number of consecutive contactless transactions since the last application of SCA must not exceed five. In practice this will mean that you will need to ask the cardholder to authenticate - use Chip & PIN (or online PIN where this is used) on the terminal when prompted.
Unattended terminals for transport fares and parking fees are exempt.
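To make the low value and contactless counting rules above concrete, here is an added, illustrative Python model of the issuer-side counters; it is not Elavon's or any issuer's code. The per-transaction, cumulative and count thresholds are taken from this page; the assumption that the counters restart whenever SCA is applied follows the "since the last application of SCA" wording, and TRA and trusted payee exemptions are deliberately not modelled.

```python
"""Illustrative model of the PSD2 low value exemption counters (hypothetical)."""
from dataclasses import dataclass, field

# channel -> (per-transaction ceiling, cumulative ceiling, max consecutive count)
# Values as stated on the page: EUR 30/100/5 remote, EUR 50/150/5 contactless.
LIMITS = {
    "remote": (30.0, 100.0, 5),
    "contactless": (50.0, 150.0, 5),
}


@dataclass
class CardCounters:
    """Running totals since the last SCA, tracked per channel (issuer-side model)."""
    total: dict = field(default_factory=lambda: {"remote": 0.0, "contactless": 0.0})
    count: dict = field(default_factory=lambda: {"remote": 0, "contactless": 0})

    def reset(self, channel: str) -> None:
        # Assumption: a completed SCA restarts both the value and the count window.
        self.total[channel] = 0.0
        self.count[channel] = 0


def low_value_decision(counters: CardCounters, channel: str, amount: float) -> str:
    """Return 'exempt' or 'sca_required' for one payment and update the counters.

    Only the mandatory step-up triggers listed on the page are modelled; the
    issuer always has the final say and may step up any transaction anyway.
    """
    per_txn, cumulative, max_count = LIMITS[channel]
    if amount > per_txn:
        # Above the low value ceiling: not a low value payment, SCA applies.
        counters.reset(channel)
        return "sca_required"
    new_total = counters.total[channel] + amount
    new_count = counters.count[channel] + 1
    if new_total > cumulative or new_count > max_count:
        # This payment would take the cardholder over the permitted maximums,
        # so the issuer steps it up; the merchant must be 3DS-ready for this.
        counters.reset(channel)
        return "sca_required"
    counters.total[channel] = new_total
    counters.count[channel] = new_count
    return "exempt"


def run_sequence(channel: str, amounts: list) -> list:
    """Decide a whole sequence of payments on one card, returning the decisions."""
    counters = CardCounters()
    return [low_value_decision(counters, channel, a) for a in amounts]
```

Running `run_sequence("remote", [25, 25, 25, 25, 1])` shows four exempt payments (cumulative €100 is reached but not exceeded) followed by a step-up on the fifth, which is exactly the case where a merchant without 3D Secure V2 would see a decline.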
In summary
You need to review your business and the types of transactions you process. Using the guidance here should help you to determine which types of transactions you process are in scope or exempt from the new SCA rules.
Unless your business is 100% MOTO, you need to start talking to your payment gateway provider now. Transactions must be correctly flagged before submitting them for authorisation.
Elavon is engaging with all the gateways that connect to our acquiring platform. We have already made most of the necessary changes to be compliant with the new regulation and will continue with these developments over the coming months, as more details are made available by the card schemes.