You may have heard through the grapevine of some upcoming changes to the way we – and potentially our customers – pay for goods online. These changes could affect us all as both businesses and consumers, so it’s important you’re fully aware of what’s to come.
These changes have come in as part of what’s known as PSD2 (second Payment Services Directive) and will be applicable from 14th September 2019. From this date onwards, on occasions there could be an additional security step when something is paid for online by card.
In this article we’ll dig deeper into what PSD2 is, what the new requirements are (known as SCA) and – most importantly – break down the tech-jargon into bitesize chunks to help your business get fully up to speed and prepared for the new regulations.
What is PSD2?
PSD2 is the second phase of what’s known as the ‘Payment Services Directive’ (PSD), which was set up by the European Union (EU) back in 2007 to regulate payment services and their providers.
To find out about PSD2 in more detail, check out this useful guide that Barclaycard have put together.
New requirements: Strong Customer Authentication (SCA)
We know what you’re thinking. This sounds way too complex and a bit intimidating, right? But bear with us – let’s break this down and decipher what SCA actually means.
Put simply, Strong Customer Authentication (SCA) is a new requirement that’s being put in place to regulate online payments, make them more secure and reduce fraud. So, all positive and reassuring stuff here. And – considering that fraud alone is costing EU businesses €2 billion per month – this new regulation is hardly surprising.
At the moment, most online payments are authenticated by a system called 3D Secure – an extra security step after card details are entered. 3D Secure sometimes prompts you to supply additional information, e.g. characters from your online banking password or a one-time code that is sent to your phone.
But, from the 14th September when SCA kicks in, we could notice that there’s an additional step when we pay for something online. And your customers could too, especially if you offer a subscription service using a credit card, for example.
This is because 3D Secure is being upgraded to 3D Secure 2 – an updated version that meets the new security requirements of SCA.
When SCA comes in, you could be asked for two of the following three factors to authorise an online card payment:
- Something you know: e.g. a password, your mother’s maiden name or a personal identification number (PIN)
- Something you have: e.g. a mobile phone, token, badge or smart card (credit card with chip)
- Something you are: biometric features, e.g. a fingerprint, DNA signature or facial recognition
So, for example, your mobile phone may ask for your fingerprint and also for a one-time code sent to you via SMS. Both of these will need to be supplied in order for the payment to be authorised.
You’ll then have 21 days to authorise this payment via these two methods. If these 21 days run out and these elements haven’t been supplied, the bank is likely to decline the payment as a result.
When will Strong Customer Authentication be needed?
- SCA will apply to all online payments within Europe that have been initiated by customers, as long as the bank itself is based in the EU. This means it will apply to most card payments and potentially all bank transfers, too.
- Direct debits will not require SCA – these are considered to be initiated by the merchant rather than the customer so will not need authorising.
- The new regulation doesn’t apply to in-person payments, but could apply if you use contactless.
- Typically, SCA may not be required for smaller transactions, but this is totally up to your bank to decide.
- Recurring payments to the same business (where the amount is fixed) may be made exempt from SCA (as detailed below), but the first payment is likely to require authorisation. Again, this is your bank’s decision.
SCA and trusted beneficiaries
Once a payment to a business has been authorised, you may have the option to mark the business as trusted so that you don’t have to authorise any future payments. Any white-listed businesses will be added to a list of “trusted beneficiaries” within your bank account or service provider. You – and potentially your customers – are likely to find this particularly useful for subscription payments.
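To make the two-of-three factor rule and the exemptions listed above concrete, here is an added Python example (not code from the original article or from any bank or card scheme). The factor category names, the factor types placed in each category and the low-value threshold are simplified assumptions; the article says the threshold is the bank’s decision.

```python
"""Added example: a minimal SCA decision helper modelled on the article's text.
Category contents and the low-value limit are constructed assumptions."""
from dataclasses import dataclass

# The three SCA categories ("know", "have", "are"), each with illustrative factor types.
FACTOR_CATEGORIES = {
    "knowledge": {"password", "pin", "security_answer"},
    "possession": {"phone_otp", "hardware_token", "smart_card"},
    "inherence": {"fingerprint", "face"},
}


def categories_of(factors):
    """Map each presented factor to its SCA category; unknown factors are ignored."""
    found = set()
    for factor in factors:
        for category, members in FACTOR_CATEGORIES.items():
            if factor in members:
                found.add(category)
    return found


def satisfies_sca(factors):
    """SCA needs factors from at least two *distinct* categories.
    Two knowledge factors (password + PIN) are still one category and do not pass."""
    return len(categories_of(factors)) >= 2


@dataclass
class Payment:
    amount_eur: float
    customer_initiated: bool = True      # False for merchant-initiated, e.g. direct debit
    recurring_same_amount: bool = False  # fixed-amount subscription payment
    first_in_series: bool = True         # first payment of a recurring series
    trusted_beneficiary: bool = False    # customer whitelisted the business after a first SCA
    low_value_limit_eur: float = 30.0    # constructed placeholder; the bank sets the real limit


def sca_required(p: Payment) -> bool:
    """Apply the exemptions the article lists, most specific first."""
    if not p.customer_initiated:
        return False  # merchant-initiated payments such as direct debits are out of scope
    if p.trusted_beneficiary:
        return False  # trusted beneficiary: no re-authorisation of future payments
    if p.recurring_same_amount and not p.first_in_series:
        return False  # only the first fixed-amount recurring payment needs SCA
    if p.amount_eur < p.low_value_limit_eur:
        return False  # low-value exemption, at the bank's discretion
    return True
```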
We hope this article helps you and your business understand what the new SCA regulations entail and what to expect when the time comes.
While (unfortunately) we remain unsure of exactly how much it’s going to affect us as both consumers and businesses, it’s up to us to make sure we’re educated about the SCA regulation, fully prepared and ahead of the game.