With the revised Payment Services Directive (PSD2) now in effect, the industry has its sights set on the next deadline: Strong Customer Authentication. Known as SCA, this set of requirements aims to improve the security of transactions for merchants and customers alike.
What is SCA?
As mentioned in our previous blog post, Strong Customer Authentication is part of PSD2 regulations mandating that many transactions be carried out more securely using two of three forms of customer authentication outlined in the Regulatory Technical Specifications (RTS). This means that merchants will need to provide card issuers with two independent authentication factors from their customers for the transaction to be approved.
The three authentication factors laid out in the RTS are:
Knowledge: Something you know, typically a password or PIN.
Possession: Something you have, such as a device or credit card.
Inherence: Something you are physically, typically a fingerprint or other biometric.
Issuers will vary on whether they support all three authentication factors, and which methods they use for each factor.
Merchants and other players in the payments space are assessing what changes they need to make to be ready by the date of enforcement, September 14, 2019.
Which merchants are affected?
Merchants are not directly responsible for meeting SCA requirements; that responsibility falls on acquirers and issuers based in the European Economic Area (EEA), which includes all 28 member countries of the European Union (EU) plus Norway, Iceland and Liechtenstein. Merchants could nonetheless see an impact on their authorization rates on some transactions should they opt not to adhere to the regulation when it applies.
When does SCA apply?
SCA is currently only required when both the acquirer and the issuer are located within the EEA. This means that merchants who contract with an acquirer licensed in the EEA will likely see an increase in declines on transactions processed on credit cards issued in the EEA region if SCA requirements are not met. This should not be the case on transactions processed on a non-EEA issued card, however, nor would it apply to merchants contracting with acquirers licensed outside the EEA, regardless of whether the card is issued in the EEA region.
Exceptions to every rule
The spirit of PSD2 is to foster competition and consumer protection within the EU payments landscape, and given this objective, the RTS has defined some exemptions to the general requirement of SCA for every transaction.
Before diving into the explanations of each exemption, we want to advise that, while these exemptions are available for consideration, it is ultimately the issuer’s decision on whether they will accept the exemption, and in some cases, they may not have the infrastructure in place to support all of the exemptions. Some exemptions will be more widely accepted than others market-by-market depending on the adoption of the issuers in those countries, but Braintree will be working to optimize the utilization of all available exemptions across the EEA.
Additionally, even if an exemption is declined and SCA is required, we are working to take full advantage of the 3DS 2.0 protocol to minimize the impact to cardholders during the checkout experience while simultaneously providing additional fraud protection to our merchants in the process. More on that after we learn about the official exemptions listed in the RTS:
Consumers can add businesses they trust to a list of trusted beneficiaries held by the issuing bank. SCA is required to add a merchant to a cardholder’s list, so that payments to the merchant will not require SCA until the cardholder removes that merchant from his or her trusted beneficiary list.
It is still unclear how banks will manage their cardholders' beneficiary lists or even how many banks will choose to offer this, particularly in the early months following the SCA enforcement deadline. Braintree will continue to stay close to developments related to this exemption to ensure that merchants and cardholders alike can take advantage of it when technical solutions become available.
Low-value transactions are considered those that total less than €30 each, but no more than five transactions on a payment instrument in a row can forego SCA based on this exemption, and SCA is required if the customer’s total payments exceed €100 since the last time SCA was applied. Since the information needed to validate these stipulations is only available to the issuing bank, merchants will still need to confirm if SCA is required on all transactions that might fall into this exemption category and not any of the others described below.
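The added example below (not Braintree's or any issuer's code) models the issuer-side counters behind the low-value exemption, to show why a merchant cannot decide the outcome from the amount alone. The class and function names are hypothetical, the thresholds are the ones stated above, and it assumes that every required SCA succeeds and resets both counters.

```python
from dataclasses import dataclass
from decimal import Decimal

# Thresholds as stated in the article for the low-value exemption.
MAX_AMOUNT = Decimal("30")       # each exempt payment must total less than EUR 30
MAX_CONSECUTIVE = 5              # at most five exempt payments in a row
MAX_CUMULATIVE = Decimal("100")  # exempt total since last SCA may not exceed EUR 100


@dataclass
class LowValueCounter:
    """Issuer-side state for one payment instrument (hypothetical model)."""
    exempt_count: int = 0
    exempt_total: Decimal = Decimal("0")

    def sca_required(self, amount: Decimal) -> bool:
        """Would this payment need SCA under the low-value rule alone?"""
        return (
            amount >= MAX_AMOUNT
            or self.exempt_count + 1 > MAX_CONSECUTIVE
            or self.exempt_total + amount > MAX_CUMULATIVE
        )

    def process(self, amount: Decimal) -> str:
        """Apply one payment and return 'SCA' or 'EXEMPT'."""
        if self.sca_required(amount):
            # Assumption: the SCA challenge succeeds, which resets both counters.
            self.exempt_count = 0
            self.exempt_total = Decimal("0")
            return "SCA"
        self.exempt_count += 1
        self.exempt_total += amount
        return "EXEMPT"


def replay(amounts):
    """Run a constructed sequence of payment amounts through a fresh counter."""
    counter = LowValueCounter()
    return [counter.process(Decimal(a)) for a in amounts]


if __name__ == "__main__":
    # Constructed samples: identical amounts, different outcomes, because the
    # result depends on history that only the issuer holds.
    print(replay(["25", "25", "25", "25", "25"]))        # cumulative limit hit
    print(replay(["10", "10", "10", "10", "10", "10"]))  # count limit hit
```

In the first constructed sequence the fifth €25 payment is challenged because the running total would pass €100; in the second, the sixth €10 payment is challenged because five exempt payments have already been made.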
Merchants offering a subscription billing model will be able to take advantage of the recurring transactions exemption, but only after applying SCA to the first transaction, and only if the amount and recipient of the payment are the same. If the payment amount or recipient changes, SCA would need to be performed again to re-establish the exemption for the new amount and/or payee, after which payments to the former payee would no longer be authorized.
For merchants offering subscriptions with a varying payment amount, SCA will be required unless another exemption can be applied, such as the Trusted Beneficiary exemption.
Transaction risk analysis for low-risk transactions
This exemption will allow an acquirer to request approval from issuing banks to avoid applying SCA as part of the transaction call up to certain limits based on the acquirer’s overall fraud rate calculated on a rolling quarterly basis (90 days). This applies to all transactions and all merchants if the transaction is deemed low risk during the acquirer’s real-time risk assessment, but the final decision on whether the exemption can be claimed on the transaction rests with the issuer on a case-by-case basis as part of the issuing bank’s own risk analysis. The lower the acquirer’s overall fraud rate, the higher the limit of low-risk transactions that can be claimed as exempt, as shown here:
Secure corporate payments
In some cases, corporate payments rely on other security methods that would then exempt the transactions from SCA. These include corporate card payments made through secure processes and protocols, as well as lodged corporate cards, which are used for employee travel and managed directly by a travel agent. Corporate cards that are not processed using these additional security methods, such as traditional employee corporate purchase cards (P-cards), will still be subject to SCA.
Exemptions not supported by Braintree
The RTS list a few more exemptions, but these apply to transaction types not supported by Braintree. That said, we still want to provide a list of all exemptions as a reference for our merchants in the event some of you might be able to take advantage of one or more of these using a different PSP:
Access account information consisting of a balance, or prior transactions made in the past 90 days.
Transactions made at unattended terminals for transportation and parking fees.
Credit transfers between accounts held by the same person.
Contactless payments made at point of sale with similar limitations to the low-value transaction exemption: the individual transaction amount is less than €50 and the customer must have also initiated five or fewer transactions, or the customer’s total payments have not exceeded €150, since the last time SCA was applied.
The Braintree solution: 3D Secure 2.0
Since issuing banks are the parties required to ensure that a transaction is SCA compliant, Braintree will be positioning 3D Secure 2.0 (3DS 2.0) as the solution for our merchants. Not only will 3DS 2.0 provide a simple way to authenticate transactions with a no- to low-friction checkout experience for cardholders, merchants will be able to take advantage of the liability-shift benefit offered as part of the 3DS 2.0 solution and avoid costs associated with chargebacks categorized as fraud.
We recommend you read our 3DS 2.0 blog post to learn about the updates, benefits, and enhancements that will be coming, including using data to confirm cardholder identity in the background of a transaction in lieu of the pop-up redirect and request for static password flow of 3DS 1.0.
What do affected merchants need to do now?
According to SCA deadlines, no immediate action is required. 3DS 2.0 can be utilized beginning April 2019 and the deadline for SCA compliance is September 2019.
That said, there are some things merchants can do now to prepare for SCA by getting 3DS 2.0-ready. These steps include:
Ensuring all required fields are being captured in checkout flow.
Prioritizing your development resources to upgrade to the latest version of Braintree's SDK, which should be available in the fourth quarter of this year.
Braintree has always strived to simplify payments while balancing security and convenience for both our merchants and their customers, and SCA is no different. Stay tuned for more updates as we continue to develop a streamlined solution to support our European merchants navigating the changes of SCA.