PSD2 Authentication:
UK Small Business Guide

For businesses accepting card payments, implementing the revised Payment Services Directive (PSD2) is becoming increasingly complex. National regulators, banks, payment card associations, and payment services providers are all implementing the rules in different ways.

Some countries have adopted different compliance timelines, too. This can make implementation even more complicated, as the way transactions are handled depends on local regulations, the value of the payment, authentication preferences of the card issuer, whether the payment is recurring, and so on.

In this guide, we’ll look at what PSD2 is. We’ll also cover the security practices required to comply with PSD2 in the UK and get your payments authorised.

What is PSD2?

The Revised Payment Services Directive (PSD2) is a set of regulations for payment services that operate in the European Union (EU) and the European Economic Area (EEA). PSD2 is a replacement and enhancement for the earlier PSD1 framework which came into force in 2007.

The initial EU Directive was introduced in 2007 and the revised version, PSD2, was passed in 2015. Because of implementation delays, the requirements for online payments came into force in stages between 2019 and 2022.

Figure: PSD2 timeline

Strong Customer Authentication (SCA) is an important part of PSD2 and comes into effect for online transactions with a value over €50. This requires merchants and payment service providers (PSPs) to work with payment technology suppliers and card associations to provide SCA that is effective and convenient.

Why is PSD2 necessary?

The European online payments market has changed a lot since the first version of the directive was passed in 2007 — and PSD2 was introduced as a response to these developments. For example:

Rising online payment fraud

Card not present (CNP) fraud soared by 66% between 2011 and 2016, according to the European Central Bank (ECB), driving a 35% increase in overall fraud. Fraud of this type remains a significant concern as PSD2 is rolled out: online fraud is estimated to have cost UK retailers £262.3 million in 2020.

Increased adoption of APIs

The growing adoption of Application Programming Interfaces (APIs), which enable different systems to communicate and exchange data, has seen the emergence of new financial business models such as fintech firms. This is making banking and payment systems more open but also creates the potential for new forms of financial security breaches.

Unregulated new business models

Growth and innovation in digital payments have enabled the emergence of new types of fintech businesses that have not been subject to clear regulations. PSD2 provides standards governing the way these new companies operate and gives them a structure for accessing customers’ accounts using APIs.

The goals of PSD2

PSD2 has four main goals for the European payments market:

  • Increase integration and efficiency
  • Create a level playing field for payment service providers
  • Increase payment security
  • Protect consumers from payment fraud

To meet those goals, the regulations introduce three key changes for merchants and payment service providers:

  • Strong customer authentication. Most online payments in the EEA require two-factor authentication that meets European Banking Authority (EBA) regulations.
  • Payment provider licensing. All payment service providers must hold a payment license and receive authorisation from the EBA.
  • Open bank data. Banks are required to provide access to their data to third parties to enable new players to launch innovative services.

What is SCA?

SCA has been referenced a couple of times now, so let’s discuss it in detail.

Strong Customer Authentication introduces extra layers of security to card not present transactions by default via the 3D Secure protocol. The protocol is based on a three-domain (3D) model, combining the financial authorisation process with online authentication across the acquirer domain (the merchant and bank), the card issuer domain and the interoperability domain (the card association’s infrastructure).

Figure: Stripe’s SCA engine

SCA requires banks to confirm a consumer’s identity at the checkout of most purchases using two out of three forms of identification. These are:

  • Knowledge: a piece of information the payer knows, such as a password, PIN, swipe pattern or an answer to a question
  • Possession: a device or app the payer has, such as a card reader, mobile phone, or other device that generates a one-time passcode
  • Inherence: something the customer is, such as a fingerprint or voice recognition

The EBA is strict about what is acceptable for each form. User data sent via 3D Secure 2 is not accepted as an SCA factor on its own, but it is important for Transaction Risk Analysis (TRA) and for enabling exemptions.

SCA enforcement

SCA came into effect for e-commerce transactions from 1 January 2021 in most of the EEA, having already come into effect for other electronic transactions. In the UK, the Financial Conduct Authority (FCA) gave the payments industry additional time, ramping up from January 2022 ahead of enforcement from 14 March 2022.

PSD2 requires SCA for all online and contactless transactions initiated by the customer where both the card issuer and the acquiring bank are located within the EEA. SCA is not required if only one of them is within the EEA.

Recurring payments taken by direct debit are considered to be initiated by the merchant so SCA does not apply.

Face-to-face payments

Most face-to-face payments in the EEA require SCA. Chip & PIN transactions already comply, as they meet the possession and knowledge requirements for authentication. Customers making contactless payments may be required to enter their PIN after they make a certain number of transactions or make a purchase exceeding a certain value.

Online payments

Customers may need to confirm their identity through two-factor authentication during checkout. 3D Secure aims to make the verification process convenient for customers so that they do not abandon the process, while reducing the chance that they will have to take additional steps to provide identification. The latest version of 3D Secure is designed for seamless use on mobile devices.

E-commerce payments to merchants outside the EEA or using cards issued outside the EEA do not come under SCA regulation, and other transactions may be exempt. Some banks and payment processors can help merchants to flag transactions that do not require SCA.

Regulatory oversight

Banks and payment service providers are required by law to enforce PSD2. Online businesses that fail to meet the requirements risk losing transactions as non-authenticated payments will be rejected.

Failure to comply can result in severe penalties for payment service providers, as national regulators have the authority to impose hefty fines or even withdraw their licences. PSD2 does not specify standard fines and the size of fines can vary in different countries as they may be at different stages of implementing the regulations.

The following groups have a regulatory role:

  • National regulators in EEA member states. Regulators have been given autonomy to interpret and impose PSD2 in different ways.
  • European banks. Banks in the EEA will implement rules based on guidance from national regulators.
  • Card associations. Card schemes provide banks with guidance on PSD2 implementation and technical solutions for cardholder authentication. Certain rules differ among schemes.
  • Non-European banks. Although banks outside the scope of PSD2 are not required to comply, they may require 3D Secure authentication based on the card type or for high-risk transactions.

There may be changes to regulatory oversight in time. For example, some countries outside Europe are considering introducing their own SCA requirements.

How to authenticate payments

How can you ensure that your business authenticates payments in a way that complies with SCA?

While 3D Secure 2 is the most common method, other options also comply with SCA, including payment initiation services such as those built on Open Banking, and mobile wallets like Apple Pay, Google Pay and Samsung Pay. Mobile wallets comply because they provide built-in authentication for the linked payment card, such as a password, PIN or biometric check.

Common European payment methods such as iDEAL, Bancontact and Multibanco are also compliant.

Exemptions

The following types of payments may be exempt from SCA, which can reduce customer attrition during the checkout process:

  • Payments of low value
  • Recurring payments
  • Customer’s trusted beneficiaries
  • Secured corporate payments
  • Low-risk payments

Payment service providers can request an exemption when they process a payment. The cardholder’s bank will then assess the transaction and either approve the exemption or request authentication.

Businesses should have a fallback process in place in case the card issuer rejects an exemption and the customer needs to provide details for authentication, especially if the customer is charged outside of an active checkout and they need to return to a website or app to complete the authentication.

When an exemption is used, fraud liability shifts to the payment provider. Payment providers with low fraud rates can exempt low-risk payments of between €100 and €500, depending on their fraud transaction rates, so payment providers need to ensure they have robust fraud protection in place.

Payment service providers in the EEA must submit evidence of their fraud transaction rates to their national regulator every 90 days.

Online merchants with low fraud rates can sign an agreement with their payment service provider to take on exemption risk. This can give merchants with effective fraud protection systems an advantage when negotiating services and fees with payment providers.
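The scope rule, the exemption choice and the fallback for a rejected exemption described above, as an added example (not code from Merchant Savvy or any payment provider). It assumes the low-value limit quoted in this guide (€50), the TRA fraud-rate bands from the PSD2 RTS, and simplified issuer responses; the flag names and the Transaction fields are hypothetical, and real issuers also apply cumulative counters, so they may still challenge.

```python
from dataclasses import dataclass

# Low-value limit as quoted in the guide above; TRA bands are the PSD2 RTS
# Article 18 reference fraud rates. Confirm the values your acquirer applies.
LOW_VALUE_LIMIT_EUR = 50.0
TRA_BANDS = [(0.01, 500.0), (0.06, 250.0), (0.13, 100.0)]  # (fraud rate %, max amount)

@dataclass
class Transaction:  # hypothetical shape, not a real PSP object
    amount_eur: float
    issuer_in_eea: bool
    acquirer_in_eea: bool
    customer_initiated: bool  # False for merchant-initiated recurring charges
    trusted_beneficiary: bool = False  # payer has whitelisted this merchant

def sca_required(tx: Transaction) -> bool:
    """SCA is in scope only when both legs are in the EEA and the payer initiates."""
    return tx.issuer_in_eea and tx.acquirer_in_eea and tx.customer_initiated

def tra_limit_eur(psp_fraud_rate_pct: float) -> float:
    """Largest amount a PSP may exempt under TRA given its reported fraud rate."""
    for max_rate, limit in TRA_BANDS:
        if psp_fraud_rate_pct < max_rate:
            return limit
    return 0.0  # fraud rate too high: no TRA exemption available

def authentication_plan(tx: Transaction, psp_fraud_rate_pct: float) -> str:
    """Decide what to send with the authorisation: no SCA, an exemption flag,
    or a 3D Secure 2 challenge. The issuer may still override an exemption."""
    if not sca_required(tx):
        return "no_sca"
    if tx.trusted_beneficiary:
        return "request:trusted_beneficiary"
    if tx.amount_eur <= LOW_VALUE_LIMIT_EUR:
        return "request:low_value"
    if tx.amount_eur <= tra_limit_eur(psp_fraud_rate_pct):
        return "request:transaction_risk_analysis"
    return "challenge"

def next_step(issuer_response: str, customer_in_session: bool) -> str:
    """Fallback when the issuer answers an exemption request: a rejection is a
    soft decline that needs authentication, not a final failure."""
    if issuer_response == "approved":
        return "capture"
    if issuer_response == "exemption_rejected":
        if customer_in_session:
            return "challenge_with_3ds2_then_retry"
        return "ask_customer_to_return_and_authenticate"  # off-session charge
    return "decline"
```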

What is authentication enrichment and why should you do it?

Retailers can use authentication enrichment to add extra merchant and fraud data to an Authentication Request or AReq (a message to the card issuer requesting a payment authentication). This data gives the issuer more information on which to grant an exemption or apply a frictionless authentication.

Without the data, the issuer may be more likely to apply 3D Secure to all transactions, including those that would be eligible for an exemption.

With most customer-initiated transactions coming under PSD2 requirements, the rate of declined card not present transactions is expected to increase. While 3D Secure 2 helps to provide seamless verification of cardholders’ details, authentication enrichment is a useful tool for giving issuers richer data and limiting the number of declined payments.

Merchant Savvy can help your business comply with PSD2

If your business accepts card payments, it is crucial to ensure that your transaction processing complies with PSD2 regulations.

Merchant Savvy can help you ensure you’re using the right payment processor for your business needs while remaining PSD2 compliant. Contact us today to find out how.

Copyright © ALL RIGHTS RESERVED 2023
Merchant Savvy is a division of VUBO Ltd (Company Number 09017066).
Address: Spaces, 9 Greyfriars Rd, Reading, RG1 1NU.