Europe’s second, or revised, Payment Services Directive (PSD2) will change how banking is done in the EU by opening up the financial services industry to more competition. However, while PSD2 creates the opportunity to access new markets, it also imposes strict regulations to ensure that anyone handling consumer information or transferring payment data is doing it safely.
Under PSD2, all transactions where both the acquiring and issuing banks are based in the European Economic Area (EEA) – in other words, whenever an EU consumer is buying from an EU business – will have to meet a key requirement known as Strong Consumer Authentication (SCA). Merchants have been asking us about SCA, which goes into effect on September 14th of this year, so we wanted to clarify the regulation and share our plans for how Segpay and all of our merchants will be in compliance prior to the deadline.
What is SCA anyway?
SCA mandates an extra layer of security for consumer-initiated transactions, helping reduce fraud and chargebacks. Specifically, SCA calls for “multi-factor authentication” – something Segpay has long offered merchants through 3-D Secure (3DS). It turns out that the recently released 3DS version 2.0 includes all of the enhanced security features necessary to meet SCA requirements, while shifting fraud liability from merchants to issuing banks. Segpay merchants will have access to 3DS 2.0 prior to the September 14th deadline, at which time Segpay’s policies will be updated to require that all consumer-initiated transactions between EEA consumers and businesses use 3DS 2.0.
Which types of transactions apply?
This means all signups, instant conversions and one-click sales will run through the new 3DS. Rebills and trial-to-full-membership conversions – both considered merchant-initiated transactions – are exempt from SCA and therefore won’t require the multi-factor authentication of 3DS. The same applies to “one leg out” transactions, in which either the merchant or consumer is not located in the EEA. We’ll still recommend leveraging 3DS in these cases for the liability shift – and we’ll require it for merchants with high chargeback rates – but it won’t be necessary for PSD2 compliance.
Because the PSD2 lawmakers understood that consumers should have as frictionless an experience as possible, SCA allows issuing banks to bypass 3DS authentication under certain conditions: for example, a low-value purchase, a merchant who has been whitelisted by a consumer, and specific cases where analysis deems a transaction to be of low risk.
What does this mean for merchants?
The good news is, Segpay merchants won’t experience much of a change. As mentioned, 3DS (version 1) is already in place. Version 2 will be even more secure with a more streamlined flow – for example, any manual authentication happens inline now, rather than on a separate page. For the vast majority of transactions, 3DS will operate totally in the background, out of the consumers’ view. If merchants notice any change, it should be a decrease in fraud and chargebacks with minimal to no impact on their business, while fulfilling the requirements for PSD2 compliance.