What is PSD2 & SCA?

How your customers will be affected by the next leap forward in payment security

Delayed 18 Months - Coming into Enforcement Early 2021

Want to find out how you’ll really be affected?

What is PSD2?

The second Payment Services Directive (PSD2) is an EU Directive considered to be a game-changer for banking and online retail. It’s goal will be to increase transparency and consumer trust.

In summary, it will allow customers to approve third-party providers to manage their finances, analyse spending, make Peer-to-Peer (P2P) transfers and more, all through their existing bank account. New, innovative financial service providers could appear in the market as banks allow easy integration to their system (referred to as Open Banking). This is great news for customers as they will have a wider choice of finance providers and a huge variety of ways to pay for goods and services.

Who Does It Apply To?

It applies to organizations who have an acquirer or Payment Services Provider processing their payments within the European Union (EU) or European Economic Area (EEA).

Brexit is not expected to change how PSD2 is introduced to the UK.

It’s essential for organizations within the UK and EEA to be aware of how their customers will be affected.

PSD2_European_Economic_Area_members2

What is SCA?

Part of PSD2 is to reduce fraud and improve security, this will be done by introducing Strong Consumer Authentication (SCA) for some online electronic card payments. It is scheduled to come into force by Early 2021.

Card issuers (typically banks) will require customers to take additional steps to prove their identity during a payment, and can stop working with acquirers, PSPs and organizations (Merchants) who don’t adopt this new layer of security. 

How Do I Comply with SCA with Multi-Factor Authentication (MFA)?

The easiest way for merchants and organizations to comply with SCA is to use 3DS 2.0 (or 3DS v2), the next evolution of 3D Secure.

Certain transactions will require customers to provide two types of information when making a payment.

These include:

  • Something you have (E.g. A payment card, mobile phone or security code generator)
  • Something you know (E.g. a Password or PIN)
  • Something you are (E.g. Biometric or a fingerprint)

SCA will drastically improve security, but could frustrate a lot of customers looking for quick and convenient purchases online, especially those who have not encountered existing verification steps like 3D Secure before.

However, the experience of using a smartphone fingerprint reader or SMS code to verify a payment isn’t a completely new experience for many online shoppers. It will soon become the norm for online card payments.

An Example of Multi-Factor Authentication (MFA)

Steve is shopping online using his smartphone, he’s buying an item worth £45.

After entering his credit card details at the checkout stage, SCA requires him to verify his identify. He can either provide his mobile number and receive a security passcode via SMS or using his smartphone fingerprint reader to complete the payment.

If he wants to make shopping quicker in future he can save (tokenise) his card with the organization or add them to a trusted payee list.

PSD2_SCA_Phone_Authentication_Secure_Code

Will It Affect All My Transactions?

Good news! No it won’t. As there are some exemptions to SCA you may not be affected at all.

These include:

  • Low value transactions
    Transactions less than €30 will not require SCA.
  • Mail Order / Telephone Order (MOTO) Transactions
    If your customers pay over the phone and you don’t ask them to read out their card details, it will not require SCA.
    However, if your agent is using your customer-facing online payment screen to complete a payment, SCA will be required. You should consider an Agent Assisted Payments service.
  • Trusted Organizations
    Customers can whitelist your organization with their banks, ideal for those making repeated purchases and regular payments.
  • Low risk transactions
    Transactions deemed as low risk when ran through a real-time risk assessment by your acquirer or PSP (also known as a Transaction Risk Analysis or TRA).
  • Recurring Payments or Merchant Initiated Transactions (MIT)
    For customers who have signed up to repeat or recurring payments, SCA is only required on the first transaction. Essentially a customer is giving permission for an organization or merchant to take future payments of a set amount on a set date.

Delayed 18 Months - Coming into Enforcement Early 2021

Want to find out how you’ll really be affected?

How Will My Customers Be Affected?

Here are the ways PSD2 and SCA may affect your organization and your customers:

Possibly

If you take card payments over the phone (either via an automated IVR or with an agent) you won’t be affected, as long as your agents aren’t using a customer facing web payments page to process an order.

Not all over-the-phone payment solutions are equal. If you are asking your customers to read out card details to an agent then not only are you posing a serious security risk to your customers, but your entire organization.

The best solution is to use an Agent Assisted Payments service so customers can enter their card details securely on their keypad, allowing agents to stay on the call with the customer and follow the transaction, without seeing any sensitive card details.

Need a secure over-the-phone payments service? 

AGENT ASSISTED PAYMENTS

Yes

If you ask your customers to pay online using a debit or credit card, you will see the biggest change. It’s important to assess your customer journey with SCA and the extra verification steps. You may see more customers calling your organization, wanting to pay over the phone, possibly frustrated with trying to complete their order online.

If you don’t have the facility to take payments over the phone securely, without asking for customers to read out their sensitive card details, it should be something you consider to avoid losing any sales revenue from frustrated shoppers.

Need a secure and compliant over-the-phone payments service? 

AGENT ASSISTED PAYMENTS

It depends

If your agents have a flexible service that provides a payment URL within a webchat app or social media messaging, like our Click-to-Pay service, SCA is required. The payment is processed on a secure web payments screen, compliant to the highest level of PCI-DSS, Level 1.

For webchat payment services that process within the webchat app or window, SCA isn’t required as it is considered a MOTO transaction. However, this method suggests that a payment is completed within the organization’s network, and the overall risk and security of the payment could be questioned.

Need a flexible pay-by-link solution for webchat? 

CLICK-TO-PAY

No

You won’t need to re-authenticate existing customers who have already saved or tokenised their card with your organization. However, if your customer changes their details such as name, address or adds a new card then SCA may be required.

Not sure what tokenization is? 

READ OUR TOKENIZATION GUIDE

What Are the Next Steps?

  1. Assess how your organization will be impacted.
    Look at how you take payments and how your customer experience could be affected by the extra steps introduced by SCA and 3DS v2.
  2. Discuss how your services will change with your Payment Services Provider (PSP).
    They will be responsible for enforcing the SCA part of PSD2 on relevant transactions by September 14th 2019. This could drastically alter how you collect payments and earn revenue.
  3. Consider offering additional payment channels
    For customers struggling to pay online you may want to provide alternative payment methods, such as secure over-the-phone payment solution or with a 24/7 automated payment line. Tokenization could also help alleviate a lot of friction for customers who make regular and repeated purchases, with a simple tick box advising the card issuer that your organization can be trusted for future payments.
  4. Get a free PSD2 assessment
    Key IVR will be fully compliant with the PSD2 directive by the required deadline. Our payment platform provides web, phone and SMS payment services to PCI-DSS Level 1 compliant level, and we’re trusted by hundreds of organizations with over $3.2bn processed annually. It’s our mission to reduce the risk of fraud and improve payment security for organizations, but we also appreciate that you want to make the buying process quick and easy for customers, with as little change as possible in order to be compliant.

Free PSD2 Assessment

It’s good to know what your options are, the last thing you want is to lose valuable revenue by not being prepared.

Find out how you’ll be affected in 2021 with a no-obligation PSD2 assessment. Discover how the EU directive could change you take payments and the impact on your business.

Alternatively, call +1 (929) 2070116 or email sales@keyivr.com.

PSD2_Assessment
keyivrLogoWhite
Key IVR are a privately owned business offering global automated PCI-DSS compliant payment services. We are a customer-service focused organisation and take care to manage and meet our clients' expectations.

LOCATIONS

UK: 8 Durham Lane, West Moor Park, Armthorpe, Doncaster DN3 3FE

USA: 8th Floor, 100 Church St, New York, NY 10007

Ireland: 8 Clanwilliam Square, Grand Canal Quay, Dublin 2, D02 PF75

Moldova: Melestiu St 16/2, Chișinău, Moldova