SCA explainer: The new PSD2 rules online retailers need to know

30 Aug 2019

Paul Conroy. Image: Square 1

New European regulations come into force this September in an attempt to reduce online payment fraud. Paul Conroy explains why these regulations are needed now, and asks if online retailers will be ready in time.

Across Europe’s Single Euro Payments Area (SEPA), €1.8bn was lost to fraud in card-based transactions in 2016. The largest and fastest-growing category of this fraud is ‘card not present’ (CNP) fraud: transactions where the retailer never has physical access to the card, such as payments made over the internet, by telephone or by mail.

Strong customer authentication (SCA) is a new set of rules to combat the rise of fraud in online payments. By forcing online retailers to ask for extra authentication from a potential customer, banks have an increased level of trust that the transaction is low-risk and safe to approve.

SCA is part of the revised Payment Services Directive (PSD2), and comes into effect on 14 September. As of that date, any online retailer not complying with the new regulations is at risk of a substantial increase in failed transactions, lost revenue and customers.

Fraud prevention now

Anyone who has used a credit card online since 2001 has likely run into either Verified by Visa or Mastercard’s SecureCode – collectively known as 3D Secure systems. These systems redirect the customer, after the retailer’s checkout, to a page served by their card issuer that asks for an additional code or password before the payment is approved.

3D Secure systems should be a win-win-win for all involved: the customer, retailer and bank. With confidence that the customer is who they say they are, the bank can release funds, the retailer can be paid and the customer can receive their goods. Unfortunately, the reality hasn’t quite lived up to this ideal.

Logos for Verified by Visa and Mastercard SecureCode

Common 3D Secure systems seen in use online. Images: Visa and Mastercard

‘3D Secure’ is a phrase only marginally more popular among internet users than ‘spam’, ‘virus detected’ or ‘Wi-Fi signal has been lost’. The pages on which banks ask for this additional authentication are often very basic in design terms, rarely seeming like an integrated part of a website’s checkout process. This is a problem in an industry where security best practice warns users never to type passwords or card details into an unfamiliar-looking page on a different domain: exactly what a poorly branded 3D Secure redirect asks them to do.

Inconsistent implementation of 3D Secure has caused confusion for large numbers of users, leading many would-be customers to abandon their purchase and seek an alternative retailer with a smoother checkout process. Depending on the industry, this level of cart abandonment can be as high as 20pc.

When retailers did a cost-benefit analysis of the money lost to fraud versus the loss of legitimate customers put off by 3D Secure implementation, absorbing the increased fraud level as just another cost of doing business became a common decision. 3D Secure is currently used in only 19pc of online transactions.

However, as the volume of online fraud increases, retailers are spending more time and money dealing with chargebacks (a cardholder dispute of a suspicious charge on their statement), while cardholders are becoming more likely to have their card used successfully by a fraudster on a website that didn’t perform stringent identity checks.

Enter SCA

SCA applies to any customer-initiated online transaction where both the customer’s bank (the card issuer) and the retailer’s bank (the acquirer) are located inside the European Economic Area. A customer-initiated transaction is one where the cardholder triggers the payment at that moment, such as a purchase on Amazon or a transfer via online banking. A direct debit, by contrast, is a merchant-initiated transaction, so is out of scope of the new regulation.

Under SCA, online retailers need to build additional authentication into their payment flows. Some card-based payment methods such as Apple Pay or Google Pay already perform a biometric or passcode check on the customer’s device before releasing the payment, so any business with customers paying through those channels can be confident they meet the new requirements.

For traditional card payments, transactions will require authentication using at least two of the following three independent categories (two elements from the same category, such as a password and a PIN, count as one):

  • Something the customer knows (a password or PIN)
  • Something they have (a phone or physical token)
  • Something they are (fingerprint, facial recognition)

After 14 September, any in-scope transaction that is neither covered by one of the regulation’s narrow exemptions (such as low-value payments) nor authenticated in this way will be declined by the customer’s bank.
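The scope and factor rules above, as an added example that is not part of the original article or of any payment provider’s code. The factor names, the Transaction fields and the partial EEA country list are the example’s own assumptions. It also encodes the EBA’s June 2019 position, discussed below, that details printed on the card are not a possession element; the regulation’s exemptions are not modelled.

```python
"""Added example: SCA scope check and factor-independence check.

Rules encoded, as described in the article:
  - in scope when customer-initiated and both the payer's and the payee's
    payment service provider (PSP) are in the EEA;
  - strong authentication needs at least two of the three categories
    (knowledge, possession, inherence); two factors from one category
    count as one;
  - data printed on the card (PAN, expiry, CVV) is not a possession
    element, per the EBA's June 2019 opinion.
Exemptions (low-value, transaction risk analysis, etc.) are not modelled.
Factor names and the Transaction fields are this example's own.
"""
from dataclasses import dataclass
from enum import Enum


class Category(Enum):
    KNOWLEDGE = "something the customer knows"
    POSSESSION = "something the customer has"
    INHERENCE = "something the customer is"


# Evidence types recognised by this example, mapped to an SCA category.
# None marks evidence that does not qualify as an authentication element.
FACTOR_CATEGORY = {
    "password": Category.KNOWLEDGE,
    "pin": Category.KNOWLEDGE,
    "sms_otp": Category.POSSESSION,       # code delivered to the registered phone
    "app_push": Category.POSSESSION,      # approval in the bank's mobile app
    "hardware_token": Category.POSSESSION,
    "fingerprint": Category.INHERENCE,
    "face": Category.INHERENCE,
    "card_pan": None,                     # printed on the card: not possession
    "card_expiry": None,
    "card_cvv": None,
}

# Constructed, partial set of EEA country codes, enough for the samples below.
EEA = {"IE", "ES", "DE", "FR", "NL", "IT", "NO", "IS", "LI"}


@dataclass(frozen=True)
class Transaction:
    payer_psp_country: str     # country of the customer's bank (issuer)
    payee_psp_country: str     # country of the retailer's bank (acquirer)
    customer_initiated: bool   # False for merchant-initiated, e.g. direct debit
    factors: tuple             # evidence collected: keys of FACTOR_CATEGORY


def sca_applies(txn: Transaction) -> bool:
    """In scope only for customer-initiated payments with both PSPs in the EEA."""
    return (txn.customer_initiated
            and txn.payer_psp_country in EEA
            and txn.payee_psp_country in EEA)


def categories_covered(factors) -> set:
    """Distinct SCA categories evidenced; unknown or non-qualifying evidence is ignored."""
    covered = set()
    for factor in factors:
        category = FACTOR_CATEGORY.get(factor)
        if category is not None:
            covered.add(category)
    return covered


def is_strong(factors) -> bool:
    """Two or more independent categories, not merely two pieces of evidence."""
    return len(categories_covered(factors)) >= 2


def assess(txn: Transaction) -> str:
    """Issuer outcome: 'out_of_scope', 'approve', or 'decline:<categories seen>'."""
    if not sca_applies(txn):
        return "out_of_scope"
    covered = categories_covered(txn.factors)
    if len(covered) >= 2:
        return "approve"
    seen = ", ".join(sorted(c.name.lower() for c in covered)) or "none"
    return f"decline:{seen}"


if __name__ == "__main__":
    # Constructed sample transactions.
    samples = {
        "password + sms_otp": Transaction("IE", "DE", True, ("password", "sms_otp")),
        "card details + sms_otp": Transaction("IE", "DE", True, ("card_pan", "card_cvv", "sms_otp")),
        "password + pin (same category)": Transaction("IE", "DE", True, ("password", "pin")),
        "direct debit": Transaction("IE", "DE", False, ()),
        "issuer outside EEA": Transaction("US", "IE", True, ("card_pan",)),
    }
    for name, txn in samples.items():
        print(f"{name:32} -> {assess(txn)}")
```

The second sample is the combination many issuers had planned: the card itself plus an SMS code. Because the card data is not a qualifying element, only the possession category is evidenced and the issuer would decline; the third sample shows that two knowledge elements are likewise one factor.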

Is anyone ready?

Only 44pc of impacted businesses expect to be ready by 14 September. Payment providers such as Stripe and PayPal are making a number of resources available to aid the technical migration work required but, for any online business, payment handling is a core system function requiring extensive planning and testing.

The danger is that many businesses may be unaware of the scope of the changes they need to make until it’s too late to avoid a round of lost revenue. To butcher the old Chinese proverb, the best time to start working on SCA integration was several months ago – the second best time is now!

But, despite the hype and hoopla to the contrary, SCA may not be happening after all in September.

A core element of SCA is the two-factor authentication mentioned above. Many banks were implementing this using the customer’s possession of the credit card plus a one-time code sent via SMS. However, the European Banking Authority (EBA) recently said the Eurocrat equivalent of ‘no dice’ to that: in its June 2019 opinion, details printed on the card (the number, expiry date and CVV) do not count as a possession element, so card plus SMS code amounts to a single factor. That put the cat amongst the pigeons somewhat.

The few banks and issuers that had prepared themselves for SCA were hit hard by this decision and lobbying pressure increased. As it stands, the EBA has punted the enforcement decision back to the national authorities.

What happens on 14 September?

The PSD2 legislation still comes into effect on 14 September, but each national body now has the choice to work with industry in their own country, assess best efforts and determine if they’re sufficient to warrant an extension. However, ‘best efforts’ is not defined in any more specific detail.

There’s now a window of 12 to 18 months in which legislation will be on the books, but enforcement will vary from country to country, depending on the decision of each national authority. So instead of simply heading into sweeping, pan-European legislation that will disrupt online payments, businesses are facing sweeping pan-European legislation that will disrupt online payments, implemented in an as-yet-unclear manner, likely on different dates per country, and based on different assessment of ‘best efforts’ by each authority.

Stripe’s official guidance is that 14 September is still the target date to aim for, as countries may decide to implement SCA shortly after that anyway and expect compliance by that deadline.

This would be the cautious approach, but many businesses are wary of making any changes to their payments infrastructure until it’s absolutely necessary, meaning the period of confusion will likely extend well beyond 14 September.

By Paul Conroy

Paul Conroy is the CTO at Square 1, an award-winning digital agency specialising in payments and online publishing. Square 1 has offices in Ireland, the UK and Spain.