GPS for non-readers:
- PSD2 = the EU's Second Payment Services Directive; its SCA requirements come into force on 14th September 2019.
- SCA = Strong Customer Authentication, part of the PSD2 legislation.
- SCA is supposed to impact only transactions that are wholly in the EU, i.e. where both the issuing bank and the acquiring bank are EU-based.
- The issuing bank (the payer's bank) performs the authentication check.
- Software providers need to ensure that the processors they use, or the integrations they have built themselves, support 3D Secure 2.
- Merchants should only use software vendors or processors that comply with the SCA rules and PSD2.
- Merchants need to realise that there will be extra friction at checkout for their customers even with 3D Secure 2 firmly in place.
- Recurring payments have to be authenticated on the first payment.
- Authorize.net have informed us that they will not support PSD2 and that EU merchants need to shift (probably to CyberSource).
Give me some definitions
PSD2, and more specifically for this article SCA, is around the corner, yet few companies and people are even aware of why it matters or what it stands for. The Payment Services Directive comes from the EU; its Strong Customer Authentication requirements apply from 14th September 2019. With September looming a certain panic has begun, not only amongst those companies in Europe that need to accept card payments online but also amongst those who provide the processing in the first place.
There are a number of payment providers who will not be able to support an ideal SCA process, or even support it at all, in time for September. This is somewhat understandable, since they haven't had long to work with the 3D Secure 2 specification released by the card schemes.
We were just told by Authorize.net and Visa that they would not be supporting the required 3D Secure (SCA) process at all, meaning we need to integrate another payment gateway and move our merchants across to it! And SagePay, a UK-based gateway, will not have their 3D Secure version 2 product ready until September. We'll be compiling a list of providers with release dates and letting you know of developments. This, of course, has knock-on effects for us; more on what we're doing later…
This gives you an idea of how last-minute the implementation is going to have to be, especially if buyer checkout is not to be disrupted.
How does SCA work?
The goal of SCA is to reduce fraud and make online payments more secure; from 14th September 2019 banks will decline payments that require SCA and don't meet the criteria. SCA requires authentication using at least two of the following three independent elements:
Something the customer knows (e.g. a password or PIN)
Something the customer has (e.g. their phone, card or a hardware token)
Something the customer is (e.g. a fingerprint or face)
This applies to "customer-initiated" online payments within Europe (and yes, after Brexit too): card payments and bank transfers initiated by the payer rather than the payee must adhere to the SCA rules. There are some potential exemptions. One is "low-risk transactions", where the payment provider can apply a transaction risk analysis if its own or the bank's overall fraud rate for card payments stays below certain thresholds. Another is low-value transactions: a payment of €30 or less can be exempted, but only while the cumulative value of exempted payments since the card was last authenticated does not exceed €100 and no more than five consecutive payments have been exempted (!). Since these exemptions require banks to count transactions and keep state for every card, we imagine that most providers will simply apply the checks regardless, since that could be simpler, but who knows!
So what are these checks, and how is SCA technically going to be enforced? Most of us have probably interacted with the 3D Secure process, that horrible, non-mobile-friendly passcode that you set up whilst buying something online one evening after a few gins – yeah, that thing. Well, don't fear, version 2 is coming, and two is always better than one, right..? 3D Secure 2 will likely be the main mechanism for meeting the SCA requirements on card transactions; this version introduces a better user experience that will help minimise some of the friction that authentication would otherwise add to the checkout. BUT, just to be clear, companies that can't release 3D Secure 2 in time will have to rely on version 1 to fulfil the SCA requirements, the knock-on effect being greater 'friction' in the checkout experience and potentially fewer conversions. SagePay, for example, won't be releasing their version 2 until September 2019, and Stripe is rolling out a new API to deal with it, so there is a lot of change and it's coming late in the day.
Over 100 data points about the customer, their device and the transaction will be passed to the bank when a transaction is requested.
Outside the scope of the SCA rules are MOTO (mail order/telephone order) transactions and potentially some corporate card transactions, where the card is a virtual card number lodged with an agent and used by a specific employee for specific purposes.
Recurring payment nightmare
Beyond one-off purchases, our buying habits are increasingly subscription-based, both personal and corporate, and these recurring payments will also be impacted by the SCA rules. Recurring payments for the same amount to the same vendor each time can be exempt from authentication once the initial payment has been set up and authenticated. Variable subscription payments, or payments requested with a saved card while the customer is not present, will likely fall to the bank to risk-assess and will probably trigger 3D Secure, which for some merchants is going to be a problem. The way around this is for the merchant to have the card authenticated (with the customer's agreement) when it is used for the first payment; how this works in practice is still being finalised, but the term merchants need to know and keep their eyes out for is "merchant-initiated transactions" (MIT).
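To make the scoping and exemption rules above concrete, here is an added illustration (not the page's own code, nor any gateway's): a small Python decision helper that applies the EU two-leg scope, the MOTO carve-out, the low-value exemption with its €30 / €100 / five-transaction limits, and the merchant-initiated case from the recurring-payment discussion. The exact reading of the cumulative limits (SCA forced as soon as either the €100 or the five-transaction limit would be breached) and the way a successful challenge resets the counters are assumptions made for this example; transaction risk analysis and the 3D Secure exchange itself are not modelled, and the sample transactions at the bottom are constructed.

```python
"""Simplified SCA scoping / low-value exemption helper (added example).

Thresholds are the PSD2 RTS low-value figures quoted in the text:
EUR 30 per transaction, EUR 100 cumulative and five consecutive
exemptions since the last SCA. Treating a breach of *either* cumulative
limit as forcing SCA is a conservative assumption for this example.
"""
from dataclasses import dataclass
from typing import List, Optional

LOW_VALUE_LIMIT = 30.0     # EUR, per transaction
CUMULATIVE_LIMIT = 100.0   # EUR, exempted value since the last SCA on this card
COUNT_LIMIT = 5            # consecutive exempted transactions since the last SCA


@dataclass
class CardState:
    """Issuer-side counters kept per card (constructed for the example)."""
    amount_since_sca: float = 0.0
    count_since_sca: int = 0
    # True once the cardholder has authenticated a card-on-file / recurring
    # agreement; later merchant-initiated payments on it then need no SCA.
    mandate_authenticated: bool = False


@dataclass
class Transaction:
    amount: float
    payer_initiated: bool = True   # False = merchant-initiated (MIT)
    moto: bool = False             # mail order / telephone order
    issuer_in_eu: bool = True
    acquirer_in_eu: bool = True


def decide(txn: Transaction, state: CardState) -> str:
    """Return 'out_of_scope', 'exempt_low_value' or 'sca_required'."""
    # Scope: SCA only applies when both the payer's and payee's banks are in the EU.
    if not (txn.issuer_in_eu and txn.acquirer_in_eu):
        return "out_of_scope"
    # MOTO sits outside the electronic-payment definition altogether.
    if txn.moto:
        return "out_of_scope"
    # Merchant-initiated: fine if the agreement was authenticated when it was
    # set up; otherwise the cardholder has to authenticate before it can run.
    if not txn.payer_initiated:
        return "out_of_scope" if state.mandate_authenticated else "sca_required"
    # Low-value exemption: per-transaction cap plus both cumulative caps.
    if (txn.amount <= LOW_VALUE_LIMIT
            and state.amount_since_sca + txn.amount <= CUMULATIVE_LIMIT
            and state.count_since_sca < COUNT_LIMIT):
        return "exempt_low_value"
    return "sca_required"


def apply(txn: Transaction, state: CardState, decision: str) -> None:
    """Update the per-card counters once the issuer has acted on a decision.

    A challenge is assumed to succeed here; a real issuer would only reset
    the counters after the 3D Secure result comes back as authenticated.
    """
    if decision == "exempt_low_value":
        state.amount_since_sca += txn.amount
        state.count_since_sca += 1
    elif decision == "sca_required":
        state.amount_since_sca = 0.0
        state.count_since_sca = 0
        state.mandate_authenticated = True


def run(txns: List[Transaction], state: Optional[CardState] = None) -> List[str]:
    """Feed a sequence of transactions on one card through decide/apply."""
    if state is None:
        state = CardState()
    decisions = []
    for txn in txns:
        decision = decide(txn, state)
        apply(txn, state, decision)
        decisions.append(decision)
    return decisions


if __name__ == "__main__":
    # Constructed sample: four EUR 25 payments use up the EUR 100 cumulative
    # allowance, the fifth is challenged, then the counters start again.
    demo = [Transaction(25.0)] * 6
    for txn, decision in zip(demo, run(demo)):
        print(f"{txn.amount:>7.2f} -> {decision}")
```

The point worth noticing is that the exemption is stateful: the issuer cannot decide on the €30 transaction in front of it without the card's history since the last challenge, which is exactly why the text suspects many providers will challenge regardless.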
3D Secure 2 is better!
Version 2 is not just going to be prettier: it will also send more data to the cardholder's bank, and this is actually where the reduction in friction begins. Up until now, sending more transaction data to the bank has meant that cheaper rates are available with some processors; we haven't seen that this will be the case going forward, or at least no one is telling merchants that it should be. For the end customer, even if there is some friction at the checkout it will likely take the form of a fingerprint or facial-recognition check on their phone; for desktop users 3D Secure will present itself in a modal popover. Of course, if you're using Apple Pay or Google Pay then these payment flows already incorporate the biometric or passcode protection required, which may result in more demand for these checkout/payment methods from processors and merchants alike.
70% decrease in cart abandonment (vs. 3DS 1.0)
85% reduction in transaction time (vs. 3DS 1.0)*
It's important to note that if a version 2 authentication is not possible, the process will fall back to version 1 and its flows. Both versions will have to run in parallel for a period until version 1 can be deprecated, with all parties happily on version 2.
So that’s the compliance piece in regard to SCA, but what about the opportunity..?
Light at the end of the tunnel
On the flip side of all these acronyms and mild panic is the sweet lady of opportunity; let's call her Eva, just to continue the acronym mess. Eva presents herself in a number of ways, and it's worth stating that PSD2 intends to standardise and open up the opportunities that digital payments present, along with creating greater trust for sellers and buyers: driving security up and fraud down. So hopefully consumers will buy more online and merchants will lose less to fraud and chargebacks (and sell more).
The future opportunity lies in the extra data passed to banks and in how banks make that information available. Under PSD2, any regulated third party can, with the consumer's consent, access the consumer's bank account data, giving businesses access to new data. It's yet to be seen what this might materialise into, but one can imagine consumers being presented with more personalised experiences and more appropriate payment options.
So for buyers, fraud is reduced and trust is increased. For merchants, liability for fraudulent chargebacks on authenticated transactions shifts to the issuing bank, reducing cost, and potentially more transactions convert due to the increased data and trust.
What on earth are WE doing about it?
How are we preparing for SCA? Firstly, we're talking to the payment providers and educating ourselves on the PSD2 and SCA requirements; secondly, we're planning how this will impact our technology and customers; and finally, we're reaching out to our customers to inform them of the regulation, how it might impact them and what they need to do if there is going to be a hurdle imposed on them. For example, Authorize.net is not going to be ready for SCA and 3D Secure 2, so we're relaying the suggestion from Visa to shift to the CyberSource gateway.
In terms of how SCA and 3D Secure 2 will look on our components and flow, this is still partially up in the air, since it depends on the banks and the gateways rolling out their versions of 3D Secure 2. We're working through the gateways that already have this in place and incorporating it into our checkout process. We will be passing extra data points in our integrations with payment providers, and other data points will come from the browser, device and gateway to the bank, which decides whether 3D Secure is required and whether the payment can be honoured. For hosted checkout processes, we will continue to redirect to the hosted page, where the payment provider will take care of the checkout flow as they do now.
For checkout flows on devices where biometric data can be collected, the browser will redirect to the issuing bank's app so that the biometric check can be performed. On desktop, other forms of identification will be required, or none at all if the data points and trust are already in place. This is key to understand when building checkouts and anticipating what the end user will see.
The main thing we believe we need to make some of our customers aware of is what will happen to saved cards, especially for merchants who process recurring payments on behalf of their customers. The outcome is that from 14th September these cards will most likely need to be authenticated before another transaction can take place. Some have stated that previously set-up recurring payments will be honoured, but that remains to be seen; just be ready for the worst-case scenario.
Finally, we'll be releasing news and documenting the affected gateways and how we solved the SCA authentication flows. PSD2 comes into play on 14th September 2019 and, as with a lot of heavy regulation, only time will tell how the practicalities fall out, but the impetus and purpose are good for business and consumers alike.
*(Frictionless Experience with Verified by Visa, Visa, 2018)