SCA & PSD2: Frequently Asked Questions (FAQ)

Making complicated security regulations straightforward

SCA Compliance

Do you have questions on how to prepare for PSD2 SCA compliance using 3D Secure? We’ve got all the answers right here. Read on to learn all the important details your business needs to comply with the updated rules.

Note: These guidelines we’ve put together are meant to supplement existing regulatory guidance from official domestic authorities and card scheme regulations. They should not replace actual legal advice.

General Questions

1. What is strong customer authentication (SCA)?

The second Payment Services Directive (PSD2) is an EU directive aimed at reducing fraud and improving the security of online payments. Its Regulatory Technical Standards (RTS), drafted by the European Banking Authority (EBA), require that electronic payments in the European Economic Area (EEA) be strongly authenticated unless the payment is out of scope or an exemption applies. These requirements, known as Strong Customer Authentication (SCA), are enforced from January 1st, 2021.

Previously, a card number, expiry date and CVC were enough to pay online. Under SCA the cardholder must additionally prove their identity with two independent factors (see question 2) before the issuer will authorise the transaction.

Learn more background on PSD2 and SCA here.

 

2. How will SCA affect my business?

To accept payments and comply with SCA requirements, you need to create a checkout process that authenticates payments using at least two of the three elements below:

  • Something the customer knows, e.g., a password, PIN or passphrase
  • Something the customer possesses, e.g., a mobile phone or hardware token
  • Something the customer inherently is, e.g., voice ID or a fingerprint

 

Essentially, a customer will be allowed to complete their payment only when they can provide at least two of these forms of authentication. The two factors must also be independent of one another: compromising one must not compromise the reliability of the other.

 

3. What’s the difference between 3DS2 and 3DS1?

3DS2 (EMV 3-D Secure) is the current version of the authentication protocol for online card payments. Compared with 3DS1, it sends the issuer far more contextual data (device, browser and order details) so the issuer can risk-assess the transaction and approve it without a challenge (the "frictionless" flow), it supports native mobile-app (SDK) flows instead of a full-page browser redirect, and it lets the issuer challenge with more modern mechanisms such as a one-time code, an app push or biometrics.

Previously, card schemes only used 3DS1 to verify transactions. You now need to support 3DS2 in order to comply with SCA requirements.

In short: SCA is the regulatory requirement for two-factor authentication, and 3DS2 is the scheme protocol that lets you meet it while keeping the checkout smooth and limiting the negative impact on conversion.

 

4. What do businesses need to do to become SCA compliant?

Regulators and the card schemes have issued guidance for businesses adopting 3DS2. In practice this means:

  • Implementing 3D Secure (3DS2) if your transactions fall within the scope of PSD2 SCA; the schemes' original deadline for this was September 14th, 2019.
  • Submitting the additional data points (you are advised, and in some cases required, to do so) that support the risk assessment card issuers perform during 3D Secure authentication.
  • Possibly updating your privacy policy with regard to GDPR, as you may be sharing additional data points with third parties.

5. When will SCA/3DS2 be enforced?

The SCA requirements officially took effect on 14 September 2019, with full enforcement set for 31 December 2020. This means that from 1 January 2021 all in-scope transactions must comply with SCA. Learn more from the European Banking Authority's announcement here.

Most European regulators have agreed to this deadline, with the exception of the UK’s regulator, which has revised the region’s enforcement date to 14 September 2021.

Not sure what applies to your business? Contact your Payvision Account Manager for the most up-to-date information.

 

6. What’s going to happen between now and the enforcement deadline?

In preparation for January 1, 2021, some issuers have already begun selectively declining transactions that are deemed “medium to high risk” since September 2020. This means you can soon expect to see an increasing number of soft declines due to lack of SCA compliance. Becoming SCA-ready now could allow you to boost conversions and increase your authorization rates!

 

7. What happens if I don't comply?

Failing to comply with SCA requirements will lead to issuers declining in-scope transactions for lack of SCA. Such declines are specifically termed "soft declines due to lack of SCA": unlike a hard decline, they can be recovered by re-submitting the payment with SCA applied, i.e. after a 3D Secure authentication.

Soft declines have the potential to severely impact customer experience and lower authorization rates. We strongly urge you to implement SCA as soon as possible to avoid any negative consequences that could result from non-compliance.

 

8. What transactions are out of scope?  

For merchants whose acquirer is based in the EEA, certain transaction types are out of scope of the PSD2 SCA requirements. These include:

  • Inter-regional ("one-leg-out") transactions: where the card was issued outside the EEA, or where the acquirer is outside the EEA.
  • Merchant-Initiated Transactions (MIT) and Direct Debits: a payment, or a series of payments with fixed or variable amounts, that a merchant performs without the direct involvement of the customer. Note that the initial agreement that sets up the series still needs SCA. To ensure that your transaction is accurately classified as MIT, check out our MIT page.
  • Mail Order and Telephone Orders (MOTO): by definition, MOTO transactions are not considered electronic payments and are hence out of scope.
  • Anonymous cards: cards that cannot be linked to an identifiable cardholder, e.g. anonymous prepaid cards.

9. Are there any exemptions for SCA compliance?

There are a few provisions for certain transactions to be exempted from SCA on a case-by-case basis, which Payvision technically supports. The issuer always has the final say: it may refuse an exemption request and demand a challenge instead.

  • Low value: transactions under €30 may be exempted, but the issuer must challenge every sixth consecutive low-value transaction, or the next one once the cumulative amount since the last SCA exceeds €100.
  • Transaction Risk Analysis (TRA): transactions that the acquirer's fraud assessment tool rates as "low risk", with amounts under €500. The ceiling that actually applies (€100, €250 or €500) depends on the acquirer's reference fraud rate.
  • Trusted beneficiary: transactions with a merchant that the cardholder has whitelisted with their issuer as "safe".
  • Corporate payments: considered out of scope for 3DS2 (applicable to Mastercard only).
  • Delegated authentication: allows an issuer to delegate authority to a qualifying third party, for instance a digital wallet provider, to perform SCA (applicable to Visa only).

The use of exemption flags is restricted. To learn more about what you can use, please contact your Payvision Account Manager.
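The scope rules from question 8 and the exemption rules from question 9 are usually implemented as one decision before the authorisation is sent, followed by the soft-decline retry from question 7. The following is an added illustration of that decision in Python; it is not Payvision's code or API. The EEA country list is real, but the `Payment` field names, the issuer-side counters and the `issuer_decides` stub are assumptions made for this example (a real issuer may refuse any exemption request).

```python
# Added example (not Payvision code): PSD2 scope check, exemption choice and
# the "soft decline, retry with SCA" loop for a card-not-present payment.
# Field names, counters and the issuer stub are assumptions for illustration.
from dataclasses import dataclass

# EEA member states (ISO 3166-1 alpha-2).
EEA = {
    "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR",
    "HU", "IS", "IE", "IT", "LV", "LI", "LT", "LU", "MT", "NL", "NO", "PL",
    "PT", "RO", "SK", "SI", "ES", "SE",
}


@dataclass
class Payment:
    amount_eur: float
    issuer_country: str                 # country of the card issuer
    acquirer_country: str               # country of the merchant's acquirer
    channel: str = "ecom"               # "ecom" or "moto"
    merchant_initiated: bool = False    # MIT / direct debit
    anonymous_prepaid: bool = False     # card not linked to a cardholder
    tra_low_risk: bool = False          # verdict of the acquirer's fraud tool
    trusted_beneficiary: bool = False   # merchant whitelisted by the cardholder


@dataclass
class IssuerCounters:
    """Per-card state the issuer keeps since the last successful SCA (assumed)."""
    consecutive_low_value: int = 0
    cumulative_eur: float = 0.0


def in_scope(p: Payment):
    """Q8: (True, 'in-scope') or (False, reason) for out-of-scope payments."""
    if p.issuer_country not in EEA or p.acquirer_country not in EEA:
        return False, "inter-regional"
    if p.channel == "moto":
        return False, "moto"
    if p.merchant_initiated:
        return False, "mit"
    if p.anonymous_prepaid:
        return False, "anonymous-card"
    return True, "in-scope"


def exemption(p: Payment, c: IssuerCounters):
    """Q9: the exemption flag worth requesting, or None when a challenge is expected."""
    if p.trusted_beneficiary:
        return "trusted-beneficiary"
    if p.amount_eur < 30:
        # Every sixth consecutive low-value payment, or the one that pushes the
        # cumulative amount since the last SCA past 100 EUR, must be challenged.
        if c.consecutive_low_value >= 5 or c.cumulative_eur + p.amount_eur > 100:
            return None
        return "low-value"
    if p.amount_eur < 500 and p.tra_low_risk:
        return "tra"
    return None


def issuer_decides(p: Payment, c: IssuerCounters, sca_applied: bool, flag):
    """Hypothetical issuer: approves out-of-scope or SCA'd payments, honours a
    valid exemption flag, otherwise soft-declines for lack of SCA (Q7)."""
    if not in_scope(p)[0]:
        return "approved"
    if sca_applied:
        c.consecutive_low_value, c.cumulative_eur = 0, 0.0   # counters reset on SCA
        return "approved"
    if flag == "low-value":
        c.consecutive_low_value += 1
        c.cumulative_eur += p.amount_eur
        return "approved"
    if flag in ("tra", "trusted-beneficiary"):
        return "approved"
    return "soft-decline-sca-required"


def authorize(p: Payment, c: IssuerCounters):
    """Merchant flow: try the frictionless path first; on a soft decline, retry
    the same payment with a 3DS challenge. Returns the (flag, result) attempts."""
    flag = exemption(p, c) if in_scope(p)[0] else None
    attempts = [(flag, issuer_decides(p, c, False, flag))]
    if attempts[-1][1] == "soft-decline-sca-required":
        attempts.append(("3ds-challenge", issuer_decides(p, c, True, None)))
    return attempts


if __name__ == "__main__":
    counters = IssuerCounters()
    for _ in range(6):   # sixth 10 EUR payment is soft-declined, then challenged
        print(authorize(Payment(10, "DE", "NL"), counters))
```

The design point is that the merchant never treats a soft decline as final: it is a signal to re-submit with SCA, after which the issuer's low-value counters start again from zero.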

 

10. I have a travel/hospitality business. What do I have to do differently? 

Glad you asked! We’ve got all the information you need right here.

 

Technical integration questions

11. What is the impact of 3DS2 on Auth Rate and Acceptance? 

With 3DS2 in place, authorisation rates are expected to rise, because issuers receive more data with which to determine whether a transaction attempt is genuine.

For the best tips on how to help optimize your 3DS2 integration to limit any drops in acceptance rates, please contact your Payvision Account Manager and Integration Team.

 

12. Do I need to upgrade my integration?

Yes! All integrations require an upgrade in order to support new additional data fields and the 3DS2 flow.

 

13. What is the process to go-live?

You’ll need to first complete a few certification tests in an environment we’ll provide before your production account can be enabled to process 3DS2. These certification tests may differ depending on your industry and type of integration, so please contact our Tech Integration team to learn what specific cases you need to complete.

 

14. What happens if the Issuer / card does not support 3DS2?

We automatically check which 3DS versions the card is enrolled for and submit the authentication using the highest version the card and its issuer support, so a card that is only enrolled in 3DS1 is still authenticated through that version.

 

15. Is there anything that needs to be implemented for recurring transactions? 

Yes! We’ve got all the information you need to know right here.

 

Help Questions

16. I need extra advice on how to implement 3DS2. What can I do?

Don't worry, we're here to help! If you've got a question we haven't already covered, or just need some extra help implementing 3DS2, please reach out to your Payvision Account Manager, or the Payvision support team via support@payvision.com.


Do you need more information?

Please reach out to your dedicated Account Manager, or the Payvision support team via support@payvision.com