PSD2: What will Strong Customer Authentication mean for ecommerce?

In this article we’ll look at what PSD2 is and how Strong Customer Authentication (SCA) fits into the equation. Also, if you are currently running an ecommerce website we’ll let you know what this regulation means for your business.

What is PSD2?

PSD2 (EU Payment Services Directive) took effect in January 2018 and is a follow-up to the original PSD regulations that were outlined some time ago.

Specifically, PSD2 introduces additional layers of authentication for ecommerce transactions.


What is Strong Customer Authentication (SCA)?

SCA is a new European requirement introduced to make online transactions from ecommerce websites more secure.

Think how easy it is to buy from websites like Amazon; if you have an account it’s almost frighteningly easy to add some products to your basket and then buy everything in just one tap on your phone.

The introduction of SCA will mean that online transactions over the value of €30 will require authentication of some form, whether that’s a password, a passphrase, a PIN, a sequence (on a phone) or a secret fact, making it harder for a fraudster who steals your phone to make purchases online.


3D Secure

Along with this new regulation, 3D Secure 2.0 is also being introduced.

Currently, an authentication tool called 3D Secure 1.0 is used by payment gateway providers (such as SagePay and WorldPay) to verify card transactions.

You’ll be familiar with this; when you make a payment online you get redirected to a new page to input a code – this is 3D Secure 1.0 making sure you are who you say you are.

3D Secure 2.0 will make it easier to collect this information at the time of the transaction.


How will SCA work in practice?

Authentication is based on ‘something you know’, ‘something you own’ or ‘something you are’. As mentioned above this could be:

Something you know
  • A password
  • A passphrase
  • A PIN
  • A sequence (e.g. swiping a pattern on your phone)
  • Or a secret fact

Something you are
  • Fingerprint
  • Facial recognition
  • Voice recognition
  • Maybe even retina scanning in the future (pretty Star Trek, right?!)

So, instead of just relying on a password, customers will be able to combine something they know (from the list above) with something they own:

  • Mobile phone
  • Wearable device
  • Smart card
  • Token
  • Badge

With 3D Secure 1.0 the banks could only really challenge users to prove they were who they said they were with a prompt for a password; this introduction adds another layer of authentication: two-factor authentication.


Does this apply to all online transactions?

No – there are exemptions.

It won’t apply to:

Low value transactions (under €30)

If your customer is buying under €30 worth of products, then they won’t need to use SCA. However, it’s worth noting that if the total amount attempted on the card without SCA is higher than €100 (or every 5 transactions), then SCA will be required.

Recurring subscriptions

Subscription payments of a fixed amount will be exempt, but the initial transaction (if over €30) will be subject to SCA. If you increase your subscription costs, though, SCA will be required.

The other caveat seems to be for businesses whose product value changes over time (perhaps based on usage). These kinds of transactions are also exempt from the PSD2 and SCA requirements.

Whitelists

On the subject of giving customers more control, they will be able to add a list of trusted businesses to their whitelist. So, if they regularly shop with you and are confident making purchases they can whitelist your ecommerce shop to avoid SCA.

Orders over the phone

Phone orders will also be exempt, as they are not considered to be electronic payments.
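To make the exemption rules above concrete, here is an added illustration (not part of the original article) that models them as a decision function. The per-card counters, the merchant names and the reading of “every 5 transactions” as five exempt payments followed by a challenge are assumptions for the example.

```python
from dataclasses import dataclass, field

# Thresholds as stated in the article; the "5 transactions" rule is modelled as
# five exempt payments in a row being allowed and the sixth needing SCA (assumption).
LOW_VALUE_LIMIT_EUR = 30.0
CUMULATIVE_LIMIT_EUR = 100.0
MAX_EXEMPT_IN_A_ROW = 5


@dataclass
class CardState:
    """Constructed per-card state an issuer keeps since the last successful SCA."""
    unauthenticated_total: float = 0.0
    unauthenticated_count: int = 0
    whitelisted_merchants: set = field(default_factory=set)
    recurring_agreements: dict = field(default_factory=dict)  # merchant -> fixed amount


def _reset_after_sca(state):
    """A successful challenge restarts both cumulative counters."""
    state.unauthenticated_total = 0.0
    state.unauthenticated_count = 0


def sca_required(state, merchant, amount, recurring=False, electronic=True):
    """Decide whether one transaction needs SCA; returns (required, reason)."""
    if not electronic:
        return False, "phone or mail order, not an electronic payment"
    if merchant in state.whitelisted_merchants:
        return False, "merchant whitelisted by the cardholder"
    if recurring:
        agreed = state.recurring_agreements.get(merchant)
        if agreed == amount:
            return False, "fixed-amount recurring payment"
        state.recurring_agreements[merchant] = amount  # first payment or new amount
        if agreed is not None:
            _reset_after_sca(state)
            return True, "subscription amount changed"
    low_value = amount < LOW_VALUE_LIMIT_EUR
    within_total = state.unauthenticated_total + amount <= CUMULATIVE_LIMIT_EUR
    within_count = state.unauthenticated_count < MAX_EXEMPT_IN_A_ROW
    if low_value and within_total and within_count:
        state.unauthenticated_total += amount
        state.unauthenticated_count += 1
        return False, "low-value exemption"
    _reset_after_sca(state)  # the challenge happens, so the counters start again
    if not low_value:
        return True, "amount is not under the low-value limit"
    if not within_total:
        return True, "cumulative unauthenticated spend would exceed the limit"
    return True, "too many consecutive unauthenticated transactions"
```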


What are the key dates?

On the 14th September 2019 PSD2’s SCA requirements come into effect in Europe, and this is the date by which, as an ecommerce business, you will need to comply.

Further down the line, in 2020, 3D Secure 2.0 will launch worldwide, and the predictions seem to be that by the end of 2020 most banks will accept 3D Secure 2.0 and 3DS 1.0 will be phased out.


An improved user journey & experience

As I’m sure you’ve experienced, 3DS 1.0 is a bit clunky, especially on mobile. Once you’ve made a payment you get redirected to a screen from your bank to enter another password, and often on mobile you’ve got to pinch and zoom to move around this screen. The whole experience isn’t great.

3DS 2.0 will make this experience smoother, with your customers able to quickly authenticate with a fingerprint, for example, without the need for this clunky redirection.


What do PSD2 and SCA mean for your ecommerce business?

You’ll need to contact your web developer to make sure they have factored in time to get your business prepared.

If you are running a WooCommerce online shop, then the card provider (SagePay, for example) will likely release an update for their gateway plugin that complies with these regulations.

Your web developer will then need to update your gateway and test it to make sure it’s working as it should be.

If you have any questions, or if you are running a WooCommerce ecommerce website, please do get in touch to see how we can help you comply.