With online fraud on the increase, companies must take action to make sure they comply with the updated version of the Payment Services Directive, PSD2, which will mandate Strong Customer Authentication (SCA) later this year. Adam Bromage-Hughes, Technical Director at Encoded, takes a closer look at the directive and discusses why SCA is so important for companies and customers.
The first Payment Services Directive (2007) levelled the playing field for payment institutions in the EU. It increased competition and set out common payment standards that benefited both customers and participants in the industry. The later revised PSD2(i), introduced in 2015, has resulted in an even more integrated and efficient payments market, with the key addition of Strong Customer Authentication (SCA). Over the last five years SCA has helped to reduce online fraud by making payments safer and more secure for customers. The Financial Conduct Authority (FCA) has announced that the deadline for implementing full SCA compliance for e-commerce transactions is now 14 March 2022. Any firm that fails to comply with the requirements will be subject to FCA supervisory and enforcement action.
What has changed and why is SCA so important now? Here are three important things to know:
1. SCA protects businesses and the customer from online fraud
Strong Customer Authentication (SCA), often referred to as multi-factor authentication, assures the card issuer and acquirer that the transaction is genuine. Now, with non-cardholder-present (online) transactions, at least two criteria need to be met to confirm the customer’s identity, in the form of something they know (PIN), something they have (card) or a biometric (fingerprint or voice recognition).
SCA protects both the merchant/company and the customer. If a customer pays online for goods using an SCA process, but later claims it was a fraudulent transaction, the bank or card issuer accepts liability. Previously a fraudulent transaction meant that the merchant had to refund the money and incurred additional chargeback costs. With debit cards the merchant was even more vulnerable to fraud, as the money could only be credited back if there was still cash in the bank account.
The latest version of Visa’s 3-D Secure(ii) is an example of the SCA process, where customer details are used by the bank or card issuer to assess the risk of the transaction. More robust than the earlier version that simply required a password, the details are confirmed and then a one-time password or code is sent to the customer as authorisation. 3-D Secure (often referred to as ‘Verified by Visa’) provides confidence from the card issuer and bank that the transaction is genuine. If a purchase is considered low risk by the bank or card issuer, then the transaction is processed immediately with no authentication required. This is often termed ‘frictionless flow’ since it provides a smooth customer journey.
2. SCA will become mandatory on 14 March 2022
Transactions that do not meet the SCA requirements could be declined by the card issuer. The FCA will oversee and enforce the directive, and repeat offenders may be fined for non-compliance. Companies with high numbers of declined transactions could also see increased complaints and reduced customer confidence, and suffer possibly irreversible reputational damage. Some transactions will be exempt from SCA, including recurring payments (such as subscriptions), where the security checks are carried out in the initial set-up, and ‘whitelisting’, where the recipient is a ‘trusted beneficiary’.
3. Working with the right Payment Services Provider helps achieve compliance
Working with an established payment services provider like Encoded means the transaction process and administration are managed from start to finish. The merchant captures the customer transaction and Encoded carries out, behind the scenes, all of the secure checks required by the acquirer to verify the card with the card issuer. With checks authorised, Encoded issues a secure link that takes the customer through the online process to complete the transaction.
Choosing the right payment service provider early on is an investment for the future. Encoded’s payment gateway is acquirer agnostic, which means that merchants can easily change banks without implementation costs.
With the next deadline of 14 March 2022 for SCA looming, now is the time to start thinking about how to protect your business from fraudulent transactions and how to comply with the new regulations.
Contact Encoded to find out how we can help you make the change.
(i). https://www.fca.org.uk/firms/revised-payment-services-directive-psd2
(ii). 3D Secure v1 is the 2015 version of the protocol, designed to be the additional security layer for online credit and debit card transactions and adopted by Visa as ‘secured by Visa’. https://www.barclaycard.co.uk/business/news-and-insights/strong-customer-authentication-sca
3DS v2 is the new and improved authentication framework being delivered by EMVCo, the global technical body that facilitates worldwide interoperability and acceptance of secure payment transactions. https://www.emvco.com/