Strong Customer Authentication
Getting ready for Strong Customer Authentication.
What's that?
Back in October 2015 the European Parliament passed legislation known as the Payment Services Directive 2 (or PSD2 for short). This directive has since been incorporated into each European Union member state's own legislative framework, so whatever happens with Brexit it will apply to the UK as well as to the other markets.
PSD2 has meant a number of changes for the payments industry, but one specific area is what’s known as Strong Customer Authentication (or SCA for short).
SCA is a new regulatory requirement to reduce fraud and make online card payments more secure, by having more “authentication” built into the checkout flow.
The requirement is to have payments authenticated as genuine using at least two of the following three factors:
- Something the customer knows (e.g. their password or PIN)
- Something the customer has (e.g. the phone or hardware token they are using)
- Something the customer is (e.g. their fingerprint or face recognition)
The regulatory requirement is to have these new processes in place for 14 September 2019, and from this date banks will decline payments that require SCA but don’t meet these criteria.
So what transactions require SCA and how will it benefit your business?
SCA applies to “customer-initiated” online payments within Europe, i.e. any payment that a customer makes online. So most card payments will require SCA, although there are some exemptions.
Today, the most common way of authenticating an online card payment relies on 3D Secure (3DS) – the authentication standard developed by Visa and Mastercard and supported by the vast majority of European cards. This typically adds an extra step after the checkout where the cardholder is prompted to provide additional information to complete a payment (e.g. a one-time code sent to their phone, or selected characters from the password they use to log in to their online banking).
To meet the requirements of SCA, the major payment schemes are rolling out 3D Secure 2.0 during the course of this year. Whilst the original version of 3DS was fairly clunky, this new version introduces a better user experience that will help to minimise the friction that authentication adds into the checkout flow.
Visa reports that merchants using 3DS 2.0 will experience a 70% decrease in cart abandonment, and an 85% reduction in transaction time.
3DS 2.0 also gives merchants another anti-fraud tool as it’s designed to better authenticate valid transactions and deny fraudulent transactions. Additionally, it shifts the liability for fraudulent transactions from the merchant to the issuing bank.
Of course, as well as Visa and Mastercard’s 3DS solutions, there are other payment methods such as Apple Pay or Google Pay, which Judopay supports, that already meet the new SCA requirements in a smooth and frictionless way.
What are we doing at Judopay to help you prepare for SCA?
The changes introduced by this new regulation are set to deeply affect internet commerce in Europe. Businesses that don’t prepare could see their conversion rates significantly drop after the enforcement of SCA begins on 14 September 2019.
In addition to supporting new authentication methods like 3DS 2.0 we believe successful handling of exemptions will become a key component for building a first-class payments experience that minimises friction.
Judopay is making the required changes to ensure our solutions are SCA compliant, including updating our mobile SDKs and creating a JavaScript snippet to be added to web pages so that the additional information needed for web payments is sent.
This helps to make the transition as seamless as possible for our merchants, and if you already use 3DS the update to 2.0 will be straightforward.
However, note that if you don’t currently use 3DS, some development work will be required by you before the September deadline, so please factor this into your plans for the next few months.
We will be working closely with our merchants and partners over the coming months to ensure we are all ready for the deadline, and will provide further detail on development specifics soon.
Exemptions
Under the new regulation, specific types of low-risk payments may be exempted. The most relevant exemptions are:
- Low Risk Transactions – where real-time risk analysis determines whether to apply SCA to a transaction.
- Payments below €30 – an exemption that can be used for payment of a low amount.
- Fixed amount subscriptions – this exemption can apply when the customer makes a series of recurring payments for the same amount, to the same business.
- Merchant-initiated transactions – although requirements for how merchant-initiated transactions will work in practice are still being finalised, payments made with saved cards when the customer is not present in the checkout flow may fall outside the scope of SCA.
- Trusted beneficiaries – where a customer registers or whitelists a business they trust to avoid having to authenticate future purchases.
- Sales over the phone (MOTO) – card details collected over the phone fall outside the scope of SCA and do not require authentication.
- Corporate card payments – payments made with a corporate card (e.g. for employee travel expenses) and held directly with an online travel agent, as well as corporate payments made with virtual card numbers, are also exempt.
While exemptions will be very useful, it is the cardholder’s issuer that will decide whether or not to accept an exemption. Issuers will return new decline codes for payments that failed due to missing authentication, and these payments will then have to be resubmitted to the customer with an SCA request.
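The exemption rules above, together with the issuer's right to refuse an exemption and return a decline that must be resubmitted with SCA, amount to a decision procedure every merchant integration has to implement. The following is an added illustration written for this article, not Judopay's SDK code: the `Transaction` fields, the `risk_score` input, the `issuer` callback and the `SCA_REQUIRED` response code are all constructed assumptions, and the only figure taken from the text is the €30 low-value threshold.

```python
from dataclasses import dataclass
from decimal import Decimal
from typing import Callable, Optional, Tuple

# Threshold stated on the page ("Payments below €30"); all other values are assumed.
LOW_VALUE_LIMIT_EUR = Decimal("30")
SCA_REQUIRED = "SCA_REQUIRED"  # constructed stand-in for the issuer's new decline code


@dataclass
class Transaction:
    amount_eur: Decimal
    channel: str = "ecommerce"          # "ecommerce" or "moto" (card details taken by phone)
    merchant_initiated: bool = False    # saved card, customer not present in checkout
    fixed_amount_subscription: bool = False
    trusted_beneficiary: bool = False   # customer whitelisted this merchant at their bank
    corporate_card: bool = False
    risk_score: int = 100               # hypothetical real-time risk score, 0 safe .. 100 risky


def select_exemption(tx: Transaction, low_risk_threshold: int = 20) -> Optional[str]:
    """Return the exemption a merchant could request for tx, or None if SCA is needed up front."""
    if tx.channel == "moto" or tx.merchant_initiated:
        return "out_of_scope"           # MOTO and merchant-initiated payments are outside SCA's scope
    if tx.corporate_card:
        return "corporate_card"
    if tx.trusted_beneficiary:
        return "trusted_beneficiary"
    if tx.fixed_amount_subscription:
        return "fixed_amount_subscription"
    if tx.amount_eur < LOW_VALUE_LIMIT_EUR:
        return "low_value"
    if tx.risk_score <= low_risk_threshold:
        return "low_risk"               # real-time risk analysis judged the payment low risk
    return None


Issuer = Callable[[Transaction, Optional[str], bool], str]


def authorise(tx: Transaction, issuer: Issuer) -> Tuple[str, str]:
    """Submit tx, requesting an exemption first; fall back to SCA if the issuer refuses it.

    Returns (issuer response, path taken). `issuer(tx, exemption, authenticated)` stands in
    for the acquirer/issuer round trip; authenticated=True means 3DS was completed.
    """
    exemption = select_exemption(tx)
    if exemption is None:
        return issuer(tx, None, True), "sca_upfront"
    response = issuer(tx, exemption, False)
    if response == SCA_REQUIRED:        # issuer rejected the exemption: authenticate and resubmit
        return issuer(tx, None, True), "sca_after_decline"
    return response, "exemption_" + exemption
```

Because only the issuer decides whether an exemption stands, the retry path in `authorise` is not optional: a merchant that treats the new decline code as a hard failure loses a sale that would have completed after a 3DS challenge.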