The terms PSD2, SCA and 3D Secure 2 have been bandied around for the last couple of years, and for good reason. They are part of the terminology surrounding the new merchant rules which have been gradually entering into force across the EU since 13th January 2018.
Since then, much has happened to confuse timescales, deadlines, rules and protocols. Many merchants are still left scratching their heads as to what needs to be done and by when.
We thought we’d clear a few things up. But first, let’s take a look at the lingo:
This is an abbreviation of the ‘Second Payment Services Directive’.
PSD2’s overarching goal is to encourage an open banking market, with faster, safer, and more transparent payments.
In part, it will achieve this by:
- Enabling third parties, such as payment providers and fintech companies to directly access consumer bank data via secure APIs (with the consumer’s consent)
- Using SCA to protect both consumers and merchants from fraud
This is the short form of Strong Customer Authentication. It is the method of authentication mandated by PSD2, which will require EU consumers to authenticate themselves with at least two of the following types of information:
- Something they know (a password, PIN, or a secret fact)
- Something they own (their mobile phone, a wearable device, or a token)
- Something they are (their fingerprint, facial features, or voice patterns)
Importantly, SCA isn’t required if:
- A customer has whitelisted a trusted online seller
- The transaction is a subscription or recurring billing for the same amount with the same online seller
- The transaction is under €30
- A payments provider uses transaction risk analysis (TRA) to deem whether a transaction can be classed as a low-risk payment – you can read more about this exemption here.
In short, the idea behind SCA is that it enables merchants, acquirers, and issuers to a) clearly identify shoppers in real time and b) ensure that payments are authorised.
By adding in extra security measures, SCA makes online payments more secure and reduces overall fraud levels.
For e-commerce transactions, SCA is mostly fulfilled with 3D Secure 2. However, popular alternative payment methods (APMs), Apple Pay and Google Pay, both qualify as SCA-compliant solutions – you can speak to our payments team about adding these APMs to your checkout.
3D Secure 2:
This is the new and improved 3D Secure – an authentication protocol supported by most card schemes in the world. Since 3D Secure 2 is compliant with SCA, many merchants are embedding the protocol into their checkouts as an easy way to meet the regulatory requirements.
What happened to 3D Secure 1?
Even before PSD2, the card schemes realised that 3D Secure (3D Secure 1) as we knew it needed improvement. Consumers simply didn’t like the 3D Secure 1 experience – they’d abandon their shopping cart rather than go through an additional layer of security.
This resulted in lower conversion rates and lost revenue for businesses, which caused many merchants to drop 3D Secure from their checkout flow.
As such, the card schemes created an updated version of the 3D Secure protocol – 3D Secure 2.
3D Secure 2 has improved authentication methods, seamlessly integrates into the checkout process, and has a lower impact on conversions.
The new protocol also better supports mobile payments and employs new authentication methods, such as biometrics which are supported by today’s smartphones, tablets, and computers. And, with most of the checks happening behind the scenes, the checkout experience is quicker and smoother for the customer.
The new timeline
The SCA requirement came into force on 14th September 2019. However, with the approval of the European Banking Authority, several EEA countries announced that their implementation would be temporarily delayed or phased. A new deadline of 31st December 2020 was then set. By this date, everyone operating in the EU/EEA region must be SCA-compliant.
Further delays then came when the FCA announced that those in the UK would have extra time “where there is evidence that they have taken the necessary steps to comply”. Those in this region were given until 14th March 2021 as a final deadline date.
…And then COVID-19 struck.
In response to the pandemic, the FCA extended the deadline once more – now to 14th September 2021. By giving UK merchants an additional six months to comply, it hopes to “minimise potential disruption to consumers and merchants”.
Don’t throw caution to the wind
While the UK has around nine extra months to get SCA-ready, UK businesses who accept European card payments should still work towards the earlier deadline of 31st December 2020. This will prevent against any transactions being blocked by EEA/EU issuers who will be required to decline non-compliant transactions after this date.
To make compliance easy for our merchants, we have added our smart optimisation engine, Smart 3D Secure, into our transaction flow.
The Credorax Smart 3D Secure offering advises merchants on how to implement SCA on a transaction level to avoid conversion drops.
It is an AI-based flexible decision layer that analyses each transaction in real-time and decides on the best 3D Secure routing, including performing risk assessment to track for fraud and managing any exempt transactions.
After integrating to the solution, merchants will enjoy a better customer checkout experience that assesses each transaction for you as soon as the customer clicks pay. This will not only keep you SCA-compliant, but it will also work in tune with your business needs.
To find out how Credorax can help with your 3D Secure compliance, contact our payment experts: firstname.lastname@example.org.