The new European regulation on PSD2/SCA payment services is just coming up. PSD2/SCA is a significant change in the rules governing online payments. We will find greater security, but in the process there will be increasing friction or difficulties in managing those payment flows that now operate very easily. So it affects you, it affects us, so let’s get to work!
From AvaiBook we are working to adjust our systems to the new regulations and offer you all the information you need in a clear and easy to understand way. This is the first part of a series that explains in depth what this new regulation consists of, so keep an eye out for the following publications. For now, in today’s post, we will get to know the basics.
What is PSD2 and SCA?
PSD2 refers to the Payment Service Directive 2, a European directive in force covering a wide range of regulations relating to payment services.
One of the regulations that will have the greatest impact on e-commerce is the SCA (Strong Customer Authentication). This requires all European online shopping transactions to be authenticated, in other words, to be processed as “3D Secure strong”.
The main objective of this regulation is to improve the security of purchases made over the Internet. However, it will also bring other effects, such as increased friction in payments, a loss in conversion, and certain changes in the operation of all environments that have online payments.
Hereinafter we will refer to PSD2 or SCA interchangeably, although SCA is a part of PSD2, to make it easier to understand.
Scope and date of application
PSD2/SCA applies to online payments where both the payer and the “receiver” (merchant) are within the European Economic Area (EEA). This directive has to be implemented by the Central Banks of each EEA country. And there are different implementation plans in certain member countries, although in most, including Spain, Italy and Portugal, the date of application will be 1 st January of 2021. However, we know that in France and Germany it will be on 14 and 15 March respectively, and in the UK on 14 September 2021.
What is “3D Secure reinforced”?
The SCA will mainly affect the way in which buyers (payers) will be authenticated, as it requires all European eCommerce transactions to be authenticated with two of these three factors:
This forces the payments industry to develop and implement a new version of 3D Secure, the so-called “3D Secure 2”, which complies with the SCA by ensuring this “strong authentication”.
In this way, and explained as simply and succinctly as possible, from 1st January 2021 the regulations governing online payments will change. These rules require stronger authentication (SCA), is by using 3DSecure 2, for online payments within the EEA. Certain exceptions are provided for “non-presential” payments.
Authenticated or Unauthenticated Payment Concepts You Should Know
- An unauthenticated payment, without “3D Secure”, is an online payment made only by typing in the card details (card number, expiry date, CVC/CVV) or even without this step because the system had these details previously saved. It is most commonly used for programmed or “non-presential” charges, such as subscription fees or reservation payments through certain platforms. It is the fastest, easiest and most highly convertible type of payment, as it generates the least friction for the payer. However, it is also considered the most dangerous, as it does not have additional checks. This means that anyone could use the card in the event of theft.
- An authenticated payment, or “3D Secure”, is an online payment that requires additional authentication in addition to the card’s own data. The method varies depending on each bank, and can range from an SMS to your mobile phone to a key, specific coordinate or token generated with a mobile app. It is slower and generates worse conversion as it requires more steps and experiences greater friction – the user does not remember the password or does not have the coordinate card on him at the time, for example. It is safer, however, although it does not allow payments to be scheduled or issued in a non-presential manner.
- A payment authenticated in a reinforced form, or “3D Secure 2”, aims to comply with the same characteristics as the authenticated payment, although providing greater security through more solid verification methods. Card issuers in the EEA environment are already adapting their technical systems to be able to support them before the cut-off date, so it is likely that you have already received some notification in this regard.
They are NOT subject to SCA:
- Payments made for cards issued outside the European Economic Area (+UK)
- MOTORCYCLE: Operations in which payment has been initiated by telephone or mail.
- COR: Payments made by Prepaid Anonymous Cards.
- MIT (Merchant Initiated Transactions): transactions initiated only by the merchant (the payer is “absent” from the payment process) and, as long as there is a pre-existing agreement between the merchant and the buyer. An SCA authentication is required on the initial payment, on the first purchase.
Some of these exemptions will influence the customary use adaptations we make in the tourism field; remember them because you will surely hear about them later.
- The SCA will apply to all environments (eCommerce, tokenization, transfers…) of any payment system (cards, financial accounts, XPay…) that are made within the European Economic Area (EEA).
- B2B cards and Prepaid Virtual Cards, such as those sometimes used in Booking.com and Expedia, are excluded from the PSD2/SCA by the COR exception.
- Face-to-face payments are not affected by the PSD2/SCA as they are not considered online payments. However, they must meet the requirement of being completely face-to-face, with a physical TPA. If the card details were captured in an online sale and are subsequently used, it is considered an online transaction and therefore affected by PSD2/SCA.