From September 14th, SCA (Strong Customer Authentication) becomes mandatory. What changes does it bring, and how should businesses deal with them?
Among the changes introduced by the Second Payment Services Directive (PSD2), those relating to security will have a special relevance and impact on the payments ecosystem. It is therefore important to understand what the new requirements are, what impact they will have and how the different actors can adapt before they come into force on September 14th, so as to find opportunities beyond threats.
These security changes take the form of Strong Customer Authentication (SCA), which requires the user to be authenticated with at least two independent factors when accessing an online payment account, initiating an electronic payment transaction, or carrying out any other action through a remote channel that may imply a risk of fraud. The factors must come from different categories: something the person knows (a password or PIN), something the person has (a card or mobile phone), or something the person is (a biometric element such as a fingerprint or iris). The factors are independent in the sense that compromising one must not compromise the other.
However, strong authentication does not apply to anonymous prepaid card payments; to payments previously authorised by the customer to a merchant and executed later by the merchant (the initial authorisation must itself be strongly authenticated); to Mail Order or Telephone Order (MOTO) transactions; or to "one-leg" transactions (where one side originates in or is destined for a country outside the EU/EEA).
Within the cases in which SCA does apply, there are several exemptions that allow authentication to be skipped for specific online transactions:
- Low value. Payments of less than €30 are considered low value and may therefore be exempt from authentication. However, SCA must be applied once five payments have been made since the last time the user was authenticated, or once the cumulative value of those payments exceeds €100; a successful SCA resets both counters.
- Low risk. Performing a Transaction Risk Analysis (TRA) allows the payment service provider (acquirer or issuer) to exempt a payment through Risk Based Authentication (RBA), provided its own fraud rate stays within the reference rate for the relevant amount band:
  - A fraud rate of 0.13% or below for transactions below €100.
  - A fraud rate of 0.06% or below for transactions below €250.
  - A fraud rate of 0.01% or below for transactions below €500.
- Recurring payments. A separate exemption covers recurring payments, as long as they are for the same amount and directed to the same merchant. The first transaction must be authenticated, as must any change to the amount, beneficiary, etc.
- Whitelist (WL), also called trusted beneficiaries. Customers will be able to add merchants they trust to a whitelist, which their bank or PSP must manage and maintain. Adding or removing merchants, or otherwise changing this list, requires the user to authenticate. Once a merchant is on the list, authentication can be skipped in subsequent payments to it.
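The exemption rules above translate into a small decision engine that an issuer or PSP runs per payment. The following is an added worked example, not code from the article or from Sipay Plus: it models the low-value counters (five payments or €100 since the last SCA), the TRA amount bands keyed on the PSP's own fraud rate, the same-amount-same-merchant recurring rule and the whitelist. The data model (`PayerState`), the ordering of checks and the choice to count every exempted payment, whatever its exemption, toward the low-value counters are assumptions made for the example.

```python
from dataclasses import dataclass, field

# Thresholds as stated in the article. TRA bands are (max amount in EUR,
# maximum PSP fraud rate in % that still qualifies for that band).
LOW_VALUE_MAX_AMOUNT = 30.00
LOW_VALUE_MAX_COUNT = 5
LOW_VALUE_MAX_CUMULATIVE = 100.00
TRA_BANDS = [(100.00, 0.13), (250.00, 0.06), (500.00, 0.01)]


@dataclass
class PayerState:
    """Per-payer counters an issuer keeps between SCA challenges (assumed data model)."""
    count_since_sca: int = 0         # remote payments made without SCA since the last challenge
    amount_since_sca: float = 0.0    # their cumulative value in EUR
    trusted_merchants: set = field(default_factory=set)   # whitelist of merchant ids
    recurring_mandates: set = field(default_factory=set)  # (merchant_id, amount) already authenticated


def tra_limit(psp_fraud_rate_pct: float) -> float:
    """Highest amount the PSP may exempt under TRA given its fraud rate.

    The bands nest: a PSP at or below 0.01% qualifies for all three, one at
    0.05% only for the first two, and one above 0.13% for none (returns 0).
    """
    limit = 0.0
    for max_amount, reference_rate in TRA_BANDS:
        if psp_fraud_rate_pct <= reference_rate:
            limit = max_amount
    return limit


def add_trusted_merchant(state: PayerState, merchant_id: str, sca_passed: bool) -> None:
    """Whitelist changes are themselves SCA-protected operations."""
    if not sca_passed:
        raise PermissionError("editing the trusted-beneficiary list requires SCA")
    state.trusted_merchants.add(merchant_id)


def _exempt(state: PayerState, amount: float, reason: str):
    # Assumption: every payment made without SCA counts toward the low-value
    # counters, regardless of which exemption was used.
    state.count_since_sca += 1
    state.amount_since_sca += amount
    return True, reason


def decide(state: PayerState, merchant_id: str, amount: float,
           psp_fraud_rate_pct: float, recurring: bool = False):
    """Return (exempt, reason) for one remote card payment and update counters.

    Exemptions are tried in the order an issuer would typically prefer them.
    If none applies the payer is challenged, which resets the low-value
    counters and, for a recurring payment, records the authenticated mandate.
    """
    if merchant_id in state.trusted_merchants:
        return _exempt(state, amount, "trusted_beneficiary")
    if recurring and (merchant_id, amount) in state.recurring_mandates:
        return _exempt(state, amount, "recurring_same_amount_same_payee")
    if (amount < LOW_VALUE_MAX_AMOUNT
            and state.count_since_sca < LOW_VALUE_MAX_COUNT
            and state.amount_since_sca + amount <= LOW_VALUE_MAX_CUMULATIVE):
        return _exempt(state, amount, "low_value")
    if amount < tra_limit(psp_fraud_rate_pct):
        return _exempt(state, amount, "transaction_risk_analysis")
    # No exemption: challenge the payer with SCA.
    state.count_since_sca = 0
    state.amount_since_sca = 0.0
    if recurring:
        state.recurring_mandates.add((merchant_id, amount))
    return False, "sca_required"


if __name__ == "__main__":
    # Constructed sample: six €20 payments at a PSP whose 0.2% fraud rate
    # disqualifies it from TRA. The sixth one must trigger SCA.
    payer = PayerState()
    for i in range(6):
        print(i + 1, decide(payer, "shop-a", 20.0, 0.2))
```

Note that the two low-value ceilings interact: three payments of €29 are exempt, but the fourth is not, because the cumulative value would reach €116 even though only three payments have been made. Likewise a PSP at 0.05% can exempt a €240 payment but not a €260 one, since it only qualifies for the €100 and €250 bands.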
These new security requirements will change the shopping experience at the checkout. Businesses should therefore be prepared, on the one hand, to support two-factor authentication with the minimum of friction for the user and, on the other, to make use of as many exemptions as legitimately apply. In this way they can differentiate themselves through the user experience while keeping the transaction secure for their customers.
To achieve this, merchants need to integrate EMV 3-D Secure (3DS2), the global standard for authenticating card transactions and carrying the associated data. The richer exchange of data between the merchant and the card issuer is what makes risk-based authentication (RBA) possible, reducing friction for the user, minimising the transactions that require an explicit challenge and, ultimately, improving the consumer experience at checkout.
In addition, online stores can prompt their customers to add the shop to the whitelist managed by their bank, so that after the SCA deadline on September 14th they are already in a position to benefit from this exemption.
Sipay Plus, a Spanish company specialising in payment solutions, considers that "merchants must anticipate changes at the time of payment, supported by issuers, acquirers, brands and payment service providers (PSPs), who will play different roles in the process of innovation and adaptation to the new PSD2 regulations".