There have been some important updates by the European regulators regarding the implementation of Strong Customer Authentication (SCA) which may have an effect on your business.
We will explain these updates in this document and how they could affect you, but first a reminder of what SCA is.
The new Strong Customer Authentication regulations
We previously informed you that from 14 September 2019 it would be mandatory for all online payment transactions above the value of €30 to be authenticated using two independent methods, known as two factor authentication (2FA).
Two factor authentication is the process whereby the identification of the cardholder by the Issuer needs two independent sources of validation out of three possible categories:
- Something your customer knows. For example, PIN or password - this would be a dynamic one-time password rather than a static password e.g. sent by text message or the issuer to their cardholder.
- Something your customer has. For example, a credit card.
- Something your customer is. For example, fingerprint or facial recognition.
Elavon will enable you as a merchant to comply with the SCA requirements, but it is the responsibility of the issuer to verify the identity of their cardholder utilising 2FA methods.
The key change brought about by this regulation will be that unless a transaction is below €30 or can be exempted for another reason, your customer will have to authenticate themselves with their card issuer or bank and it will be necessary for each transaction to be opted into the latest version of 3D Secure.
The European Banking Authority (EBA), who are regulating the introduction of the new rules, has responded to concerns expressed by businesses, card acquirers and issuers and banks regarding the potential negative effects of strictly enforcing the new rules on 14 September 2019.
This is because some European financial institutions (card acquirers or issuers) will not be ready to be fully SCA compliant by the deadline.
The EBA announcement states:
"On an exceptional basis and in order to avoid negative unintended consequences for some payment service users (cardholders) after 14 September 2019, financial institutions may be granted limited additional time in order to migrate to authentication approaches that are compliant with the SCA requirements.”
The guidance goes on to state that it is down to the relevant National Competent Authority (e.g. the FCA in the UK) to decide whether limited additional time should be granted based upon a robust and closely monitored migration plan.
At this stage there is no clarity on how long ‘limited additional time’ can last for. Elavon will update you as soon as a date is known.
What does this mean for my business?
The default position of the EBA remains unchanged in as much as the 14 September deadline remains and will be embedded as National Law under PSD2.
Unless an extension has been formally agreed, financial institutions are expected to comply with the mandate. Elavon will be ready to meet its SCA obligations and should therefore enable you to be compliant too.
However, depending upon where your customers are based, some issuers may not be ready to handle SCA.
As with existing 3D Secure protocols, where your business initiates 3D Secure you will be protected from any potential fraud liability in Europe in the majority of circumstances if the issuer authorises the transaction, even if the issuer is unable to support SCA.
This does not affect non-European issued cards who are not subject to the new regulations.
Could there be an increase in declines as a result of SCA?
Issuers should not decline a transaction just because they are not ready to apply SCA and we are not expecting that they will do so as this would have a negative impact on their cardholder as well as affecting you.
Having said this, there is a danger that some issuers will decline a transaction in order to avoid the liability shift. We cannot control this but would expect all issuers to comply with card scheme rules regardless of their readiness to support SCA.
Can I decide not to participate in 3D Secure to avoid any potential friction?
The short answer is no. The new regulations become law on 14 September and from this time on only an acquirer or an issuer can exempt a transaction from SCA if it indeed qualifies for exemption in accordance with the regulations.
If you have a legitimate reason as to why your business is unable to accommodate 3DS within its sales process by 14 September, please contact your Relationship Manager or Customer Services to discuss.
The EBA has also clarified what qualifies as a factor for 2FA. This may contradict what some financial institutions had previously assumed. For example, the card number, expiry date and CVV number do not prove possession of the card when used online, unless it is further evidenced by a dynamic card security code.
Eric Horgan, Commercial Product Leader for Elavon Europe, has commented on the new EBA opinion and guidance -
"The EBA opinion paper represents a pragmatic response to an industry that is committed to optimising customer security, but is also keenly aware of the importance of a functioning payments system as well as the quality of the customer experience.
It provided clarifications around how the SCA requirements can be met that were out of kilter with the interpretation that issuers and acquirers had applied to the regulation (in terms of the application of 3D Secure). If the paper had been issued even a year ago it would really have helped issuers and acquirers, so we are feeling some frustration.
All of these developments will require additional time given the complexity of our ecosystem..
The industry is committed to making these changes. I expect there will be some impact to customer experience during the migration period, where it may differ depending on merchant and version of 3D Secure used and the position issuers take across the EU.
I expect by the end of it that authentication and the methods merchants apply to ensure they know who the payee is, will be as close to frictionless as possible and where security is optimised.
The authentication experience will be next battleground in the payments business to ensure carts aren’t abandoned and shoppers continue to move online across Europe.”
If you have any questions related to this guide, please contact your Relationship Manager or Customer Services.
Download your PSD2 Guide