I like how Revolut put it back in 2018: “In case you’ve been living under a rock, this is about to kick off!” The “this” they referred to is Payment Services Directive 2 (PSD2). It has already changed the banking game in Europe and around the world, introducing new fintech players that can now access the open banking API. We’ve discussed previously how the open banking revolution has recently begun in Brazil too. The Strong Customer Authentication (SCA) element of PSD2 has yet to be fully implemented, but alas, the extended deadlines approach! Yes, there is more than one deadline, and they vary by country (see below). I have worked in payments for several years and I’m excited by the innovations in the industry but I also feel for the merchants who have to keep rejected transactions low during a period of transition. So I will update this blog post every other week during this implementation phase.
What are the PSD2 SCA exemptions?
SCA applies to all accounts where the holder can place and withdraw funds without any additional intervention or agreement of their payment service provider (such as a current account). All electronic payments are subject to SCA. Exemptions include payments for online transactions below €30, as well as contactless payments at points of sale for amounts €50 and below. If there are several contactless payments of €50 and below in a row, then SCA should be performed when the cumulative total is €150 or during the 5th subsequent payment. There is another exemption for corporate payments. Most corporations make payments in batches rather than one by one. Security mechanisms for these types of transactions can be as effective as SCA. Examples are payments made through central travel accounts, lodged cards, virtual cards, and secure corporate cards.
Low Risk / Transaction Risk Analysis (TRA): Issuing banks can consider transactions as low risk based on the average fraud levels of the card issuer, or of the acquirer processing the transaction, or both. This is not solely in the merchant’s hands: it also depends on the overall chargeback rate of their payment provider or acquirer at the platform level.
Whitelisted Merchants or Trusted Beneficiaries: After a strongly authenticated payment session, shoppers can add the merchant to a whitelist for the issuer, but double-check that the issuer supports whitelisting. Realistically this is not an option yet, as it would require banks to implement such a feature within their online banking panel.
Strong customer authentication will only be required for payments when both the cardholder and merchant bank are within the EEA, but this will still have indirect consequences for non-EEA payments. There’s a chance that some EEA-based issuing banks will apply the SCA requirement to all payments even if the merchant’s bank is outside the EEA. This means non-EEA sellers could see more payments being challenged starting in December.
A takeaway: work on reducing those fraud rates
Under PSD2, if your acquirer’s fraud rate is below 13 basis points (bps), there’s no requirement for a challenge of transactions of up to €100. If the fraud rate is below 6 bps, that ceiling rises to €250 (if you want to reduce your fraud rates, Nethone Guard can certainly help). Theoretically the ceiling could go up to €500 or more, but this will again differ from acquirer to acquirer, and it would require chargeback rates below 10 bps.
Out-of-scope transactions not covered by the PSD2 directive
Out-of-scope transactions are transactions not covered by the PSD2 mandate. The issuing bank will not apply SCA unless you specifically ask for 3D Secure in your payment request.
Out-of-scope transactions include:
Interregional transactions: Payments where the card was issued outside of Europe or where the country you are acquiring from is outside of Europe. Some European issuing banks are expected to require SCA anyway, even if a payment is acquired outside of Europe. So using a foreign acquirer will not be the solution, and the schemes’ location rules have to be considered as well.
Merchant-Initiated Transactions (MIT) and Direct Debits: A payment or a series of payments with fixed or variable amounts that the merchant performs without direct involvement of the shopper. Examples are subscriptions, automatic account top-ups, and installments. The initial transaction should have gone through SCA and the shopper should have agreed to the terms and conditions of the succeeding MITs.
Mail Order and Telephone Orders (MOTO): MOTO transactions are not considered to be electronic payments, so these are out of the scope of the regulation.
Anonymous cards: These types of cards can only be identified by the issuing bank, such as anonymous prepaid cards.
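The exemption and out-of-scope rules described above, written as decision logic in an added example (not code from the original post or from any payment provider). The function name, category labels and per-card counter are hypothetical, the contactless rule uses one assumed reading of "the 5th subsequent payment", and the theoretical €500 tier is left out.

```python
from dataclasses import dataclass
from decimal import Decimal

# Out-of-scope categories named in the article (labels are this example's own).
OUT_OF_SCOPE = {"mit", "moto", "anonymous_card", "interregional"}
# TRA tiers from the article: (acquirer fraud rate below X bps, ceiling in EUR).
TRA_TIERS = [(Decimal("6"), Decimal("250")), (Decimal("13"), Decimal("100"))]


@dataclass
class ContactlessState:
    """Per-card counters since the last SCA (hypothetical issuer-side state)."""
    count: int = 0
    total: Decimal = Decimal("0")


def sca_decision(kind, amount, channel, fraud_bps=None, state=None, request_3ds=False):
    """Return (sca_required, reason) for one payment, following the article's rules."""
    amount = Decimal(str(amount))
    if kind in OUT_OF_SCOPE:
        # Out of scope: no SCA unless the merchant explicitly asks for 3D Secure.
        return (request_3ds, "out_of_scope_3ds_requested" if request_3ds else "out_of_scope")
    if channel == "contactless" and amount <= 50:
        state = state if state is not None else ContactlessState()
        # Assumed reading: challenge on the 5th payment in a row, or once the
        # running total including this payment reaches EUR 150.
        if state.count + 1 >= 5 or state.total + amount >= 150:
            state.count, state.total = 0, Decimal("0")  # SCA resets the counters
            return (True, "contactless_limit_reached")
        state.count += 1
        state.total += amount
        return (False, "contactless_low_value")
    if channel == "online":
        if amount < 30:
            return (False, "low_value_online")
        if fraud_bps is not None:
            # Tiers are ordered strictest fraud rate first, so the highest
            # ceiling the acquirer qualifies for is tried first.
            for max_bps, ceiling in TRA_TIERS:
                if Decimal(str(fraud_bps)) < max_bps and amount <= ceiling:
                    return (False, f"tra_up_to_{ceiling}")
    return (True, "sca_required")
```

An exemption result here only means the rule allows skipping the challenge; as the article notes, the issuing bank can still require SCA.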
When will strong customer authentication (SCA) become mandatory?
It varies by country! Here is a list of current implementation dates.
Consequences of not being PSD2 SCA compliant
PSD2 is actually directed at banks, not merchants. This means that issuing banks that approve non-compliant transactions will be penalized. Of course merchants should ensure that their transactions are compliant to avoid the risk of issuing banks refusing their transactions.
The time is now to focus on building a plan of implementation, testing and iterative releases
Merchants should focus on building a phased plan of implementation, A/B testing and iterative releases in order to ensure that the introduction of SCA causes minimal disruption to their purchase flows. I talk to merchants and payment providers every day, so I know that PSD2/SCA implementation is a challenge! If you have any questions about the process, please feel free to reach out via LinkedIn.
To wrap up today’s post, let’s see how many PSD2 and SCA acronyms we can fit into one update:
PSD2 and SCA are about to launch in most EU and EEA countries by the end of Q4 2020. With an open banking API, PSD2 helped lay the groundwork for exciting new fintechs operating as AISPs and PISPs. Like GDPR, PSD2 will impact businesses outside the EU if they provide payment services in the EEA; non-EEA sellers could see more payments being challenged starting in December. For out-of-scope transactions, issuing banks will not apply SCA unless you specifically request 3DS in your payment request. Out-of-scope transactions include MIT and MOTO.