PSD 2 implications on online payments and shopping carts integrations
In this blog post we will look into the details of the new regulations that PSD2 imposes on online payments and merchants with regard to Strong Customer Authentication. We are fully aware that this post does not cover all the changes introduced by PSD2; it focuses merely on the changes introduced for merchants due to Strong Customer Authentication.
PSD2, the second Payment Services Directive
This revision, known as PSD2, will have a significant impact on online payments made on e-commerce platforms and shopping carts, as it introduces a mandate for Strong Customer Authentication. Its primary goal is to increase the level of security for online payments.
PSD2 will apply to online payments within the European Economic Area (EEA) with both the cardholder’s bank and the payment provider based in Europe.
Therefore, it is important that you as a merchant are aware of what changes PSD2 involves and how you need to comply with them. Find out below what exactly is meant by the term Strong Customer Authentication.
Make online payments even more secure using Strong Customer Authentication (SCA)
One of the biggest challenges for online businesses is combating fraud, given its negative impact on customer confidence in online services and the high cost of processing fraudulent transactions. Therefore, one major goal of the new regulation is to make online payments more secure. One particularly effective method of maintaining a high level of security is multi-factor authentication. Authentication consists of verifying the identity of customers during transactions in order to:
- Avoid online fraud.
- Reduce the cost of processing fraudulent transactions.
- Comply with international regulations such as PCI-DSS and PSD2.
The European Union is introducing as part of the second Payment Services Directive (PSD2) a new regulation called Strong Customer Authentication (SCA) which requires a stricter authentication process for online transactions. Strong Customer Authentication is defined as an authentication based on the use of two or more of the following elements:
Strong Customer Authentication will apply to customer-initiated online payments within Europe. From September 14th, 2019, Strong Customer Authentication will be a mandatory requirement to verify and authenticate payments. Two-factor authentication will be required at the time of the transaction. For credit card transactions this means that the standards of PSD2 will have to be implemented in the new authentication protocol 3DS 2.0. Recurring direct debits are considered merchant-initiated and will not require SCA.
Exemptions to Strong Customer Authentication
Although the new regulation will apply to the majority of online payments, there will be exceptions for specific types of payments:
- Low value transactions: Transactions under 30 euros will be exempt from Strong Customer Authentication unless the payment method provider or the card holder’s bank detects more than five exempted transactions or exempted transactions reaching a total amount of 100 euros.
- Low risk transactions: Low risk transactions will also be exempt from SCA. A payment will be considered as low risk based on the fraud rate assessment made by the card issuer and the provider processing the payment.
- Subscription / recurring transactions: This exemption will also apply to subscription / recurring transactions with a fixed amount. SCA will only apply to the initial transaction. As long as the amount does not change, SCA will not be required for subsequent payments. Recurring transactions with variable amount and merchant-initiated are also exempt from SCA requirements.
- Whitelisted beneficiaries: Customers may be allowed by their bank to whitelist businesses where they shop regularly as ‘trusted beneficiaries’. SCA will in that case only be required for the first purchase, not for subsequent purchases. Not all issuing banks currently support this feature, but it should be more widely implemented during 2019.
- Corporate cards: Payments made with corporate cards will not be subject to SCA requirements. The exemption will be possible only if requested by the card holder’s bank, as neither the business nor the payment method provider is able to detect whether the card used is a corporate card or not.
- MOTO transactions: Mail Order and Telephone Orders (MOTO) will be exempt from SCA as they are not considered as electronic payments.
- Inter-regional transactions: For transactions where the card issuer or acquirer is not based in Europe, SCA will also not apply.
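The exemption list above is effectively a decision procedure a merchant can run before requesting authentication. The following is an added example, not code from the sellxed modules, that walks the exemptions in the order the post lists them; the `Transaction` field names, the `LowValueState` counters and the reading of "more than five" / "reaching 100 euros" as strict limits are assumptions, and the issuing bank always makes the final decision.

```python
# Added example (not sellxed's code); Transaction fields and LowValueState are assumptions.
from dataclasses import dataclass

LOW_VALUE_LIMIT = 30.0       # euros: single-payment ceiling for the low-value exemption
LOW_VALUE_MAX_COUNT = 5      # more than five exempted payments in a row forces SCA
LOW_VALUE_MAX_TOTAL = 100.0  # exempted payments reaching this total force SCA

@dataclass
class LowValueState:  # per-card counters kept since the last SCA (constructed)
    exempt_count: int = 0
    exempt_total: float = 0.0

@dataclass
class Transaction:
    amount: float                         # in euros
    issuer_in_eea: bool = True
    acquirer_in_eea: bool = True
    moto: bool = False                    # mail order / telephone order
    customer_initiated: bool = True       # False for merchant-initiated recurring debits
    recurring_fixed_amount: bool = False
    first_in_series: bool = True          # initial recurring payment or first purchase
    trusted_beneficiary: bool = False     # customer whitelisted the shop at their bank
    issuer_flags_corporate: bool = False  # only the issuing bank can tell us this
    issuer_low_risk: bool = False         # result of the issuer/PSP fraud-rate assessment

EXEMPTIONS = [  # (predicate, reason) pairs in the order the post lists the exemptions
    (lambda t, s: not (t.issuer_in_eea and t.acquirer_in_eea), "inter-regional"),
    (lambda t, s: t.moto, "MOTO"),
    (lambda t, s: not t.customer_initiated, "merchant-initiated"),
    (lambda t, s: t.recurring_fixed_amount and not t.first_in_series, "recurring fixed amount"),
    (lambda t, s: t.trusted_beneficiary and not t.first_in_series, "trusted beneficiary"),
    (lambda t, s: t.issuer_flags_corporate, "corporate card"),
    (lambda t, s: t.issuer_low_risk, "low risk"),
    (lambda t, s: t.amount < LOW_VALUE_LIMIT and s.exempt_count < LOW_VALUE_MAX_COUNT
                  and s.exempt_total + t.amount < LOW_VALUE_MAX_TOTAL, "low value"),
]

def sca_required(txn, state):
    # Returns (needs_sca, reason); the first matching exemption wins.
    for applies, reason in EXEMPTIONS:
        if applies(txn, state):
            return False, reason
    return True, "SCA required"

def record_outcome(state, txn, reason):
    """Low-value exemptions advance the counters; a completed SCA resets them."""
    if reason == "low value":
        state.exempt_count += 1
        state.exempt_total += txn.amount
    elif reason == "SCA required":
        state.exempt_count, state.exempt_total = 0, 0.0
```

Running four consecutive 25 euro payments against a fresh `LowValueState` shows the cumulative limit in action: the first three are exempt and the fourth, which would bring the total to 100 euros, requires SCA and resets the counters.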
What is new in 3D Secure 2.0
Although 3D Secure 1.0 protects you from fraud, it requires your customers to leave your shop to complete additional steps during the payment process which may affect their purchase experience. With 3D Secure 2.0, you will be able to integrate the authentication process within your shop without redirection, thanks to an embedded iframe.
Find out why 3D Secure 2.0 will help you to increase your conversion:
3D Secure 2.0 will use frictionless authentication, which consists of allowing merchants to verify a transaction with the customer’s issuing bank without the customer having to provide a PIN or being redirected to the 3D Secure page.
Payment data such as the billing and shipping addresses entered by the customer in the shop’s checkout, as well as digital footprint data such as the IP address or machine address used, will be securely transmitted in the background to the cardholder’s issuing bank with no perceivable change in the checkout flow for the customer. The bank will then make the risk assessment and complete or deny the authentication based on the data provided. If the data exchanged in the background is sufficient to verify the transaction, validation will be processed via the frictionless flow without the customer having to follow any additional authentication step.
In case the bank requires additional data, the transaction will go through the challenge authentication flow: the customer will be prompted to provide additional information for the authentication (e.g. a 2-factor authentication code sent by email/SMS, or biometric fingerprint or face recognition used in the issuing bank’s app).
Better user experience
3D Secure 2.0 greatly simplifies the payment authentication process for customers. During checkout, customers will either go through the authentication process without having to do anything (frictionless flow) or have their payment authenticated without being redirected to an external page for 3D Secure authentication (challenge flow embedded directly in the checkout flow).
Thanks to new mobile SDKs, it will be quick and easy for customers to go through the authentication process using their mobile banking app. For transactions made from a mobile device, if the customer has their bank’s app installed on the device, the SDK will detect this and automatically open the app for the customer to authenticate the payment using a 2-factor password, fingerprint or facial recognition.
Summary: What PSD2 means for sellxed customers
To achieve this new level of security, more data must be sent to the payment providers so that the issuing banks can carry out an appropriate risk analysis. For this purpose, issuing banks can use the data transmitted via the frictionless authentication.
We strongly believe that beyond the security gain, this will bring a better conversion rate in online shops: unlike 3DS 1.0, which requires your customers to leave your shop to complete additional steps during the payment process, the new verification process allows invisible authentication based on the different data transmitted.
As we are working daily to bring the latest technology into the modules and comply with new regulations, it is important for you as a merchant to keep our modules up to date. If you are on a subscription with sellxed, it makes sense to renew your maintenance support and regularly download the newest version to improve the conversion rate in your shop.
The latest versions of all our sellxed modules are fully compliant and ready for the new PSD2 Directive, allowing you to smoothly transition from 3D Secure 1.0 to 3D Secure 2.0 and offer your customers a more secure and pleasant purchasing experience. The new changes do not require any changes to your implementation. You simply need to update the module to the latest version, which you can find in your sellxed account.
Important: Our plugins don't support 3D Secure 2.0 in the Server Authorization method.