Online purchases account for over half of all card-related fraud in the Single Euro Payments Area (SEPA), which comprises 35 European countries. To safeguard consumers and European Economic Area (EEA) financial institutions against fraud and financial crime, the EEA established the SCA rules in 2019.
As mandated by the European Union’s Revised Directive on Payment Services (PSD2), SCA requires payment service providers inside the EEA to use multi-factor authentication (MFA), which further strengthens the security of electronic and online payments.
This article delves deeper into the various payment methods affected by Europe’s Strong Customer Authentication (SCA) mandates. Also, we will explain how SCA affects your company and what kinds of transactions are exempt or not covered.
What is Strong Customer Authentication (SCA)?
SCA is a European legislative requirement designed to combat cybercrime and increase the security of offline and online payments.
Financial institutions must implement additional authentication into the checkout process to authorize payments and comply with SCA laws. They must use two of the following three components for authentication in SCA:
- Something only the customer knows (the password or PIN);
- Something only the customer possesses (phone, computer);
- Identifiable features of the customer (facial or fingerprint recognition).
End-users can feel more at ease making online payments thanks to the additional protection provided by SCA. Previously, buyers just had to enter their payment information and finish the purchase. Customers will have a simpler time verifying their accounts, resulting in fewer cancellations.
Why Are PSD2 and SCA Important?
The new directive expands on three major provisions of the old 2007 directive:
- Enhanced protections for consumers while making financial transactions;
- Bringing third-party access to accounts and account information under regulation, which creates fair competition;
- Enhanced security.
When we talk about security, we mean a specific set of guidelines called Strong Customer Authentication (SCA). Any company operating online in the EEA region must comply with these standards; non-compliance has far-reaching consequences.
When did Strong Customer Authentication Take Effect?
On September 14, 2019, PSD2’s Strong Customer Authentication (SCA) requirements went into effect. Later, because of industry unreadiness, the European Banking Authority pushed the deadline to December 31, 2020. So far, all EEA member states have implemented mandatory PSD2 SCA compliance. The UK’s deadline for full implementation was March 14, 2022.
PSD2, the European legislation that requires payment services to strengthen customer authentication, was proposed in 2013 and officially adopted by the European Parliament and the Council of the European Union in 2015. PSD2 replaced the previous Payment Services Directive (PSD), which was introduced in 2007. PSD2 was initially scheduled to come into effect in January 2018, but the deadline was later extended to September 2019 to allow more time for implementation. Since then, PSD2 has been gradually implemented across the European Union, with some countries adopting it earlier than others.
As of 2021, PSD2 is fully implemented across all 27 EU member states, as well as Norway, Iceland, and Liechtenstein, which are part of the European Economic Area. The regulation applies to all payment service providers operating within the EU, including banks, payment institutions, and e-money institutions.
One of the most significant changes introduced by PSD2 is the requirement for banks to allow third-party providers to access their customers’ account information and payment initiation services through open APIs (Application Programming Interfaces). However, with the increased access to customer data and payment initiation services, there was also a risk of increased fraud and security breaches. Therefore, to address these concerns, PSD2 introduced another requirement called Strong Customer Authentication (SCA).
Under PSD2, consumers have greater control over their payment transactions, as they can choose to authorize third-party providers to access their account information and initiate payments on their behalf. This has led to increased innovation in the payments market, as well as improved security standards and consumer protection. However, it has also posed challenges for some payment service providers, particularly smaller ones, which may struggle to meet the requirements for SCA.
How Does Strong Customer Authentication Work?
The best way to implement Strong Customer Authentication for a payment system varies. In most cases, 3D Secure is a must when paying with a debit or credit card. Many regional payment options, including e-wallets, also provide their own SCA-compliant authentication step. Let’s look at the two major ones:
3D Secure
Most online card payments today use 3D Secure for authentication, and most cards issued in Europe support this authentication standard. With 3D Secure, the customer’s bank will typically ask for supplementary information after the customer has completed the checkout form, for example a one-time code sent to their phone or fingerprint authentication through their mobile banking application.
Currently, 3D Secure 2.0 is the most widely adopted approach for verifying the identities of cardholders making purchases online under SCA guidelines. This updated version improves the user experience and reduces the extra steps normally required for authentication during the purchasing process. For offline (in-store) card transactions, entering a PIN satisfies the authentication requirement.
Digital Wallets and Regional Payment Options
Card-based wallets such as Google Pay and Apple Pay already include an integrated authentication layer (biometric or passcode). With these, stores can provide customers with a streamlined purchasing process without sacrificing compliance.
Several widely used European payment systems, such as iDEAL, Bancontact, and Multibanco, also conform to the SCA requirements without substantially affecting the user experience.
What Situation Calls for Strong Customer Authentication?
Any transaction deemed “customer-initiated” (CIT) calls for strong customer authentication. This applies to online card payments and bank transfers alike. SCA is unnecessary when a transaction is “merchant-initiated” (MIT), as with recurring debits.
So, SCA is mandatory for online European payments when both the merchant’s bank and the cardholder’s bank are within Europe. Any online payment made within the European Economic Area (EEA), the United Kingdom, or Monaco must be SCA compliant. That’s why online shoppers must complete an additional level of authentication during the checkout process.
Exceptions to the SCA
Exemptions from SCA exist to preserve a smooth user experience for certain types of transactions. Transactions that fall outside PSD2’s scope do not require SCA at all. Listed below are the most notable exempt or out-of-scope transactions.
An SCA exemption applies only in certain circumstances. The merchant requests the exemption from the issuing bank or card company as part of payment processing.
Based on the level of risk involved, the merchant determines whether the purchase qualifies for an exemption from SCA. If it does, the transaction won’t need to go through the second authentication step.
Here are some typical cases where the SCA rules don’t apply:
A payment processor may perform a real-time risk assessment (Transaction Risk Analysis) when deciding whether to apply SCA to a transaction. For this to be possible, the overall fraud rate for card payments at the payment provider or bank must be below the following limits:
| Exemption Value Threshold (Euros) | Card-Based Payments |
Where necessary, these cutoffs are converted to the equivalent value in the local currency. If the payment provider’s fraud rate is below the threshold but the cardholder’s bank’s rate is above it, expect the cardholder’s bank to deny the exemption and insist on authentication.
No SCA is necessary for a single purchase of less than 30 Euros, provided the cumulative total charged to that card since the last authentication stays within 100 Euros. To clarify, this means that payments of less than 30 Euros do not require verification, but the issuing bank keeps track of how often this exemption is used. If the sum of the payments exceeds 100 Euros, or if there are more than five separate payments, the issuer will ask the buyer to complete an SCA.
For recurring payments, once the first transaction has been authenticated with SCA, subsequent transactions of the same type and amount are exempt. Because these are ongoing charges, they count as “merchant-initiated” transactions and are therefore exempt from SCA.
Customers can “whitelist” a trusted merchant during the payment authentication process so that they don’t have to provide authentication for future purchases with that merchant. The customer’s bank or payment service provider will add these companies to a list of “trusted beneficiaries.”
Businesses can avoid SCA by conducting transactions with one another using a payment method designed explicitly for B2B transactions. As we have established, the SCA does not apply to “merchant-initiated” transactions in which the customer is not directly involved.
The same goes for phone and mail orders: they aren’t electronic transactions and hence fall outside the scope of SCA. Also outside the scope of SCA is any transaction where the card issuer or cardholder is not in the European Economic Area (EEA), Monaco, or the United Kingdom.
Out-Of-Scope SCA Transactions
In particular, there are four kinds of transactions that are not covered.
Merchant Initiated Transactions (MITs)
A “merchant-initiated transaction” (MIT) is a transaction initiated by the merchant rather than by the customer. With the customer’s prior permission, the merchant charges the stored card details automatically on the due date.
Utility bills such as water, whose amount varies with usage, are a typical example. Whenever a customer uses the card for the first time, whether as part of a purchase or to save payment details, authentication is required. If the subsequent payments are designated as “merchant-initiated transactions,” they can bypass SCA.
Mail Order/Telephone Order (MOTO)
MOTO refers to sales taken by mail or telephone. SCA does not apply to transactions conducted entirely through mail or telephone, since SCA does not regard them as “electronic” payments.
Transactions in which the issuer or the buyer is outside the European Economic Area are also out of scope for SCA. This means European companies are free to accept payments from customers outside Europe without meeting the standards set forth by PSD2 SCA.
If a customer pays with an anonymous payment instrument (such as a gift card), they are exempt from completing SCA.
There are many other exemptions and out-of-scope situations, and how banks, card schemes, and regulators interpret them varies widely. The regulatory technical standards for SCA under PSD2 contain the full list of exemptions.
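To make the exemption and out-of-scope rules above concrete, here is an added example (not code from the article or from Solidgate) of the decision logic an issuer might apply: one-leg-out, MOTO and MIT transactions are out of scope; a trusted beneficiary or a low-value payment is exempt; everything else requires SCA. The per-card counters implement the 30 Euro, 100 Euro and five-payment limits stated above; the `Transaction` and `CardState` types and the string decision codes are assumptions made for this illustration, and the Transaction Risk Analysis exemption is left out because the article does not give its thresholds.

```python
from dataclasses import dataclass, field

# Low-value exemption limits as stated in the article.
LOW_VALUE_LIMIT_EUR = 30.0
CUMULATIVE_AMOUNT_LIMIT_EUR = 100.0
CUMULATIVE_COUNT_LIMIT = 5


@dataclass
class Transaction:
    amount_eur: float
    merchant_id: str
    merchant_initiated: bool = False    # MIT: stored credential charged on the due date
    moto: bool = False                  # mail order / telephone order
    issuer_in_scope: bool = True        # issuer inside EEA / UK / Monaco
    acquirer_in_scope: bool = True      # merchant's bank inside the same region
    anonymous_instrument: bool = False  # e.g. an anonymous gift card


@dataclass
class CardState:
    """Issuer-side counters kept per card since the last completed SCA (assumed model)."""
    count_since_sca: int = 0
    amount_since_sca: float = 0.0
    trusted_merchants: set = field(default_factory=set)


def sca_decision(tx: Transaction, state: CardState) -> str:
    """Classify a customer-initiated payment: out of scope, exempt, or SCA required."""
    if not (tx.issuer_in_scope and tx.acquirer_in_scope):
        return "out_of_scope:one_leg_out"
    if tx.moto:
        return "out_of_scope:moto"
    if tx.merchant_initiated:
        return "out_of_scope:mit"
    if tx.anonymous_instrument:
        return "out_of_scope:anonymous"
    if tx.merchant_id in state.trusted_merchants:
        return "exempt:trusted_beneficiary"
    if (tx.amount_eur < LOW_VALUE_LIMIT_EUR
            and state.amount_since_sca + tx.amount_eur <= CUMULATIVE_AMOUNT_LIMIT_EUR
            and state.count_since_sca < CUMULATIVE_COUNT_LIMIT):
        return "exempt:low_value"
    return "sca_required"


def process(tx: Transaction, state: CardState) -> str:
    """Apply the decision and maintain the counters the issuer tracks."""
    decision = sca_decision(tx, state)
    if decision == "exempt:low_value":
        state.count_since_sca += 1
        state.amount_since_sca += tx.amount_eur
    elif decision == "sca_required":
        # Assumes the customer completes SCA successfully; counters restart from zero.
        state.count_since_sca = 0
        state.amount_since_sca = 0.0
    return decision
```

A sequence of four 25 Euro payments on a fresh card is exempt, the fifth (which would push the running total past 100 Euros) triggers SCA and resets the counters, and a fifth 10 Euro payment is still exempt while the sixth is not.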
When you use the Solidgate payment processing platform, our team takes compliance off your shoulders, as Solidgate is fully certified for standards such as PSD2 and PCI-DSS. What is more, the Transaction Risk Analysis (TRA) exemption allows certain transactions to be exempted from SCA, provided that a robust risk analysis is performed and the merchant meets specific fraud thresholds.
What Will Happen if You’re not SCA Compliant?
The cardholder’s bank will reject any transaction that does not comply. If this happens, it could cost your company a lot of money, especially if you rely on online payments for most or all of your income. If a company cannot meet the SCA standards, the FCA says it will take full supervisory and enforcement measures against the company.
The good news is you don’t have to view this as a threat to your company but rather as an opportunity. If you prepare for SCA now, you can have an advantage over inadequately prepared rivals later.
Controls and Standards for PSD2 Compliance
PSD2 compliance requirements include several key elements such as open APIs for third-party access, strong customer authentication (SCA), enhanced transparency, faster complaint resolution, and cessation of debit/credit card surcharges. Learn more about these requirements below:
- Open APIs for Third-Party Access – Banks must allow third-party payment providers access to their APIs for free.
- Strong Customer Authentication (SCA) – All electronic payments must be authorized using a minimum of two independent factors, such as fingerprint + password.
- Enhanced Transparency – For example, PSD2 bans the use of non-transparent pricing methods, and banks must clearly explain financial products.
- Improved Complaint Resolution – Third-party payment service providers must give a full response to complaints that are governed by PSD2 in under 15 days.
- Elimination of Debit/Credit Card Surcharges – Under PSD2, debit/credit card surcharges have been outlawed. This means a merchant cannot add extra fees when a customer opts to pay by card.
Checklist for PSD2 Compliance
As PSD2 continues to transform the payments industry within the European Union, banks and third-party payment systems must ensure that they are compliant with the directive’s regulations. PSD2 compliance not only ensures that financial institutions and payment service providers meet legal requirements but also enables them to capitalize on the opportunities provided by open banking. However, achieving and maintaining compliance can be a complex and challenging task. Below we will provide a checklist for PSD2 compliance to guide banks and third-party payment systems through the process of staying compliant and taking advantage of the benefits of open banking.
Banks can achieve PSD2 compliance by sticking to this checklist:
- Register with the relevant regulatory authority – Banks must register with their national regulatory authority as a payment service provider to operate under PSD2.
- Implement strong customer authentication (SCA) – Banks must implement SCA using at least two authentication factors for all electronic payment transactions.
- Provide access to account information and payment initiation – Banks must provide third-party providers with access to their customers’ account information and payment initiation services through open APIs.
- Ensure data protection and confidentiality – Banks must ensure the confidentiality and protection of customer data by implementing adequate security measures.
- Keep records – Banks must keep records of all payment transactions for at least six years.
- Notify customers of any security breaches – Banks must notify their customers of any security breaches that may affect their account information or payment transactions.
- Conduct regular security assessments – Banks must conduct regular security assessments to identify any vulnerabilities in their systems and implement the necessary security measures.
- Provide transparency – Banks must provide transparent information to customers regarding fees, charges, and payment transaction details.
- Ensure compliance of third-party providers – Banks must ensure that any third-party providers they work with are also PSD2 compliant by monitoring their compliance.
For Third-Party Payment Systems
To ensure third-party payment systems are PSD2 compliant, we recommend following this basic checklist:
- Apply for and receive an Account Information Service Provider (AISP) or Payment Initiation Service Provider (PISP) licence.
- Implement Strong Customer Authentication – Generate one-time authentication codes and use at least two factors (2FA). Also, avoid SMS-based authentication and other non-compliant authentication methods.
- Implement Know Your Customer (KYC) – Third-party payment providers need to gather information such as full name, address, contact details, identity documents, tax identification numbers, and other legal documents.
- Build secure applications featuring
- Generate user consent – Under PSD2 regulations, third-party payment providers (TPPs) are required to obtain user consent before accessing their account information or initiating payments on their behalf. The three main methods include decoupled, embedded, and redirect.
What is PSD2 compliance?
PSD2 compliance refers to adhering to the requirements set forth by the Revised Payment Services Directive (PSD2), a European Union regulation aimed at enhancing payment security and promoting competition in the payment industry. It imposes obligations on merchants, banks, and payment service providers to ensure the protection of customer data and facilitate secure online payments.
What steps can merchants take to achieve PSD2 compliance?
To achieve PSD2 compliance, merchants can take several steps, including implementing strong customer authentication (SCA) for online transactions, using secure payment service providers that are licensed under PSD2, and ensuring they have appropriate fraud prevention measures in place. They may also need to update their payment systems to support open banking APIs and share transaction data with authorized third parties.
What are the consequences of non-compliance with PSD2?
Non-compliance with PSD2 can have serious consequences for merchants. Regulatory authorities can impose fines or penalties for non-compliance, which can be substantial. In addition, merchants may face reputational damage, loss of customer trust, and potential legal action. It is crucial for merchants to understand and meet the requirements of PSD2 to avoid these negative outcomes.