New regulations for authenticating online payments, known as Strong Customer Authentication (SCA), are coming into force on 14th September 2019 as part of the EU’s Second Payment Services Directive (PSD2).
Strong Customer Authentication has been designed to boost security for ecommerce websites, making online payments more secure and reducing fraud. Once SCA comes into effect, your online payment security will need to comprise at least two of the following three:
- Something the customer knows, i.e. a PIN or a password;
- Something the customer has, for example a phone or hardware token;
- Or something the customer is, i.e. a fingerprint or face recognition.
From 14th September, banks will decline transactions which do not meet these criteria.
What Type of Payments Will SCA Apply to?
These new 3D security regulations will apply to all online card payments where both the business and the cardholder’s bank are located within the European Economic Area; SCA is expected to be enforced in the UK, too, regardless of the outcome of Brexit.
The following payments are exempt:
- Payments in person (except contactless);
- Direct debits, which are considered “merchant-initiated transactions”;
- Payments which originate from or are made to a merchant outside Europe.
At the discretion of the cardholder’s bank, certain “low-risk” transactions may also be exempt from Strong Customer Authentication (SCA). These might include payments below €30 and transactions for which the payment provider or bank’s overall fraud rates for card payments fall below a certain threshold.
What Steps Do I Need to Take to Minimise the Impact of PSD2 on My Business?
Popular online payment processing partners such as PayPal and Stripe are urging businesses to prepare themselves for these changes well in advance.
Depending on which package you have, your online checkout may be upgraded automatically, in which case no action may be necessary – this is the case for most standard PayPal accounts. However, you may need to integrate 3D authentication into your checkout process in order to comply with PSD2 and the new 3D security regulations.
3D Secure 2 is one of the main, SCA-compliant methods for authenticating online card payments.
PayPal, for example, is partnering with CardinalCommerce, which is owned by Visa, to provide a merchant plug-in which will activate 3DS and apply the necessary level of security before funds are released.
Other card-based payment methods such as Apple Pay or Google Pay are already compliant with the new regulations.