Are High-Security Checks Worth It?

by Florian Tanant
The EU’s SCA requirements can be worrying for businesses.
The European Union created the PSD2 regulation to further promote positive competition and innovation within the payments industry, as well as to further secure transactions.
We’ll go over what your risk management team should keep an eye on, how the different elements work including 3DS2 and how SEON can support you in ensuring compliance.
PSD2 is the latest payment directive from the European Union. The Second Payment Services Directive requires banks to share the user data they collect. If you, as a customer, authorize data sharing, third-party services can use it to offer a variety of services and financial products.
The directive also pushes for Payment Initiation Services (PIS). These online services can access a user’s payment account to initiate payment directly, as long as authentication is checked and consent is given.
Short for strong customer authentication, SCA is a requirement under the European Union’s PSD2 that seeks to improve the security of online payments by ensuring the cardholder identifies themselves by at least two types of authentication.
In simple terms, this means that when the customer wants to buy something online, they will be asked by the issuer bank for more information: not just to input their card number (something they own) but to type an additional PIN or password (something they know), provide a fingerprint (something they are) or even an additional one-time password from an authentication application or sent to their mobile device (something they own). Thus, in total, there will be two factors that authenticate their identity.
However, SCA is not always needed per PSD2. Where the customer is known and has identified themselves in other manners – e.g. by logging into a verified account using a password – SCA measures such as 3-D Secure can be circumvented without compliance concerns. This reduces some friction and encourages customers to form closer ties with certain businesses they return to often.
All online payments made by customers in the EU need to be secured through the appropriate technology. In PSD2, it is referred to as strong customer authentication (SCA).
Article 2(1) of the PSD2 clearly stipulates that: “payment service providers shall have transaction monitoring mechanisms in place that enable them to detect unauthorized or fraudulent payment transactions”.
The minimum requirements for payment transaction analysis are further explained in Article 2(2). These include:
Financial products and services vary greatly across Europe, both in quality and price. The EU’s PSD2 directive aims to reduce domestic frameworks and harmonize local regulations. This helps third party financial services scale across the continent, fosters international ecommerce, and attracts new ventures wishing to tap into a larger, unified market.
PSD2 SCA in particular aims to build trust among consumers when it comes to paying with their cards online, over the phone and in person – as well as, of course, to protect cardholders and banks from data breaches, counterfeiting, and other cyber threats.
The PSD2 also simplifies the current payment chain. PIS cut down on middlemen by potentially removing bank card companies, acquirers and payment gateways, allowing banks to deal directly with merchants. It will significantly reduce transaction costs.
We should mention that the EU is currently in the process of creating the new version of PSD2, dubbed PSD3, following consultations in the summer of 2022. PSD3 will look to expand on PSD2, bringing it up to date and taking additional considerations into account.
There is no known implementation timeline at the time of writing, although it is going to be a lengthy process. Ultimately, PSD3 is not likely to be fully enforced before 2026.
To pass through strong customer authentication (SCA), a shopper will have to provide more than their card or card number. This normally takes the form of these steps when the payment is online:
Many in-person payments already involve two factors: Having the card as well as knowing its PIN. Contactless payments are often exempt. However, even for contactless low-value payments, a cardholder will be prompted to insert their card and input their PIN occasionally.
In the respective legislation, the EU’s competent bodies have defined that certain types of transactions are PSD2 exempt. In general terms, exemptions apply when the risk is considered low, for instance because of pre-established trust.
It is important to note that PSD2 exemptions we list below are not absolute and can be subject to limitations and conditions. They can also vary depending on the country.
PSD2 exemptions defined by the EU include:
3-D Secure is the standard designed by EMVCo and major credit card schemes. 3-D Secure 1.0 usually required a static token (like a password) to complete a card payment, but 3-D Secure 2.0 increases the number of data point checks to improve payment security.
The previous version was notoriously clunky. US merchants reported decreased conversion rates of up to 45% because of the friction it creates for users. So yes, it might help reduce chargeback fraud, but it also reduces overall profits.
The 2.0 version enables a more frictionless payment flow through dynamic 2FA, in which the merchant passes multiple data points to the issuer. These data points can reduce fraud on PSD2-scoped payments while still meeting the requirements.
However, contrary to popular belief, 3-D Secure is not mandatory to pass the SCA requirements. Firstly, there are a number of exemptions (low-value or low-risk transactions, subscriptions, whitelisted merchants, etc.).
Secondly, the right fraud authentication tool can help you achieve the same as – if not more than – 3-D Secure to meet PSD2 authentication standards without resorting to manual reviews.
Below is our breakdown of the SCA requirements, and how a risk management tool like SEON can meet them.
SEON’s industry-agnostic, modular solutions can help merchants meet PSD2 SCA in various ways. Namely, by utilizing our software, you will be able to:
PSD2 is a strongly consumer-focused directive from the European Union. Everyone, on paper, should benefit from decreased transaction fees, reduced payment friction, and increased authentication security.
However, this security point may be challenging for Risk Ops teams in the same way the GDPR and fraud detection appear at odds with each other.
It might require you to train fraud managers, who might feel they have to jump through hoops to help their organizations remain compliant. Luckily, at SEON, we firmly believe implementing our series of fraud authentication tools can cover all those legal requirements, while future-proofing your business.
Deadlines for PSD2 SCA for online merchants depend on their country. For example, in Spain, all transactions had to be SCA compliant by March 1, 2021, and in Belgium by May 18, 2021. In the UK, the country’s FCA extended the implementation deadline, which eventually passed on March 14, 2022.
These EU regulations specify that all card-not-present payments exceeding €30 should be authenticated using at least two factors. For instance, a factor can be a password or a fingerprint. This method of providing strong customer authentication is often known as 2FA or MFA.
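As an added illustration (not SEON's code or any regulator's reference logic), the following simplified model turns the rules the article describes into a decision routine for card-not-present payments: two factors only count as strong authentication when they come from two different categories, and the €30 low-value, subscription, whitelisted-merchant and verified-login cases skip the challenge. The threshold, exemption names and field names are assumptions for this example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional

# Assumed, simplified model of the rules described in the article; not SEON's code.

class Factor(Enum):
    KNOWLEDGE = "something they know"    # PIN, password
    POSSESSION = "something they own"    # card number, phone that receives an OTP
    INHERENCE = "something they are"     # fingerprint

LOW_VALUE_LIMIT_EUR = 30.0   # card-not-present threshold quoted in the article

@dataclass
class Transaction:
    amount_eur: float
    factors: List[Factor]          # factor categories actually verified for this payment
    recurring: bool = False        # subscription payment following an authenticated first one
    merchant_whitelisted: bool = False
    verified_login: bool = False   # customer logged into a verified account with a password

def is_strong(factors: List[Factor]) -> bool:
    """Two factors only count if they come from two different categories:
    card number + SMS OTP are both 'something they own' and fail this check."""
    return len(set(factors)) >= 2

def exemption(tx: Transaction) -> Optional[str]:
    """Return the exemption that lets a card-not-present payment skip SCA,
    or None when SCA (3-D Secure or an equivalent check) must be performed.
    Exemptions are not absolute in practice; the order here is an assumption."""
    if tx.amount_eur <= LOW_VALUE_LIMIT_EUR:
        return "low-value"
    if tx.recurring:
        return "subscription"
    if tx.merchant_whitelisted:
        return "whitelisted-merchant"
    if tx.verified_login:
        return "authenticated-session"
    return None

def decide(tx: Transaction) -> str:
    """'approve' when an exemption applies or strong authentication was already
    satisfied; 'challenge' when the issuer must ask for a second factor."""
    if exemption(tx) is not None or is_strong(tx.factors):
        return "approve"
    return "challenge"
```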
Communication Specialist | Florian helps tech startups and global leaders organise their thoughts, find their voices, and connect with customers worldwide.