Strong Customer Authentication
The payments landscape is constantly evolving. In 2006 (on Valentine's Day), the UK Chip&PIN changeover was complete. In 2007, contactless credit cards started to become available; contactless debit cards followed in 2009, and by 2012 contactless really started to take off. Apple Pay launched in 2015 and Samsung Pay in 2017. It's an industry that never sits still, always reviewing whether it is providing best practice for its customers. Strong Customer Authentication (or SCA for short) is the latest addition to this evolution.
Why is SCA a good thing?
Fundamentally SCA is being introduced to help reduce business exposure to fraud and make consumers’ transactions more secure.
And SCA is part of PSD, what on earth is that?
PSD is the Payment Service Directive.
PSD1 was the first Payment Service Directive. It was brought in, amongst other things, to increase competition and encourage non-banks to join the market.
It worked: since PSD1 was introduced, new players have appeared with new services, giving more choice for online payments.
However, these new entrants were not regulated at EU level, so PSD2 has been drafted as a new form of regulation to bring them within its scope.
PSD2 aims to increase market efficiency, consumer protection, competition, and security. The security section is driven by SCA, Strong Customer Authentication.
What does SCA mean for my business?
In order to accept payment once SCA goes live on 14th September 2019, you will need to build additional authentication into your checkout flow.
You will need to offer two of the following three options:
- Something the customer KNOWS, like a password
- Something the customer HAS, like a phone
- Something the customer IS, like a fingerprint
Does SCA apply to everyone?
SCA applies when a customer (using either an individual or corporate card) makes an electronic payment, whether that be online or in-store.
However, there are some exemptions:
- When that customer is buying a good or service over the telephone or by mail order
- When any part of the transaction takes place outside the EU, such as when one of the bank accounts involved is outside the EU. For example, Uber could route all future payments to their American bank account and therefore avoid the need to instigate SCA
- Not required at contactless point of sales, subject to certain values and/or volumes
- Not required at unattended transport/parking terminals
- Not required where the payee is on a list of ‘trusted beneficiaries’
- Not required if the transaction is one of a series of transactions to the same payee for the same amount, i.e. recurring subscription payments
- Not required when a consumer is sending a credit transfer to themselves, where both accounts are held by the same payment service provider (like Judopay)
- Not required for low-value transactions, subject to certain values and volumes
- Not required where a Payment Service Provider (PSP) analyses the risk associated with a transaction and deems it to be low risk.
Seems like PSPs have a lot of power here! How do I get exemption via my PSP, like Judopay?
To achieve an exemption for a transaction via your PSP, you must provide multiple data points to your PSP for every transaction, such as phone numbers, email address and transaction details, so that your PSP becomes familiar with that type of transaction.
Alternatively, you could allow your customers to add your business to their whitelist. However, note that this cannot be requested by your business; it must be actioned based on the consumer’s decision.
Finally, SCA has been introduced to reduce fraud, therefore the better your fraud rules are from your PSP the less arduous your SCA requirements will be for your customers. Make sure you’re getting the best possible fraud solution from your PSP.
In practice, what will the impact be on my business?
At the moment, 2% of online transactions go through additional authentication checks. Going forward, this is likely to rise to 30%. This is going to have a large impact on all businesses.
Businesses unable to facilitate two-factor authentication will be unable to take payments (except for exempt transactions) after September 14th 2019.
The easiest solution for your business is to ensure you are using 3D Secure 1.0 (3DS) now. For the consumer, that takes the form of a pop-up from their bank during a transaction, such as:
Before 14th September, this will be updated by the banks to give a two-factor authentication process automatically. If you have 3DS 1.0 already as part of your payment process, you will be able to take all payments after 14th September.
If not, and you are with Judopay, you must use this documentation to add 3DS 1.0 to your checkout process.
So 3DS 1.0 means I can take payments, but is it the best experience for my customer?
3DS 1.0 only supports one-time passwords; it doesn't, for example, support biometric authentication.
A biometric device is a security identification and authentication device. Such devices use automated methods of verifying or recognising the identity of a living person based on a physiological or behavioural characteristic. These characteristics include fingerprints, facial images, iris, and voice recognition.
Instead, you should use 3DS 2.0. This has more functionality and therefore provides a slicker customer experience.
What is 3D Secure 2.0?
3D Secure 2.0 (3DS 2.0) is the latest update to 3DS, adding a new, stronger standard for customer authentication. It is good news for your business, particularly as it shifts the liability for fraudulent transactions from the merchant to the issuing bank.
It also addresses many of the current shortcomings of 1.0, offering:
- Better user experience for your customers
- Optimisation for all devices and screen sizes including mobile, tablets and laptops
- Biometric authentication
Liability shift, you say?
Yes, if you use 3DS 1.0 or 2.0, your liability for fraudulent transactions authenticated by 3DS shifts from your business to the issuer.
Note that recurring payments are not eligible as the liability shift only applies to the initial transaction that has been authenticated by 3DS.
This is because only the first transaction is customer initiated. After this point, money is automatically taken from the customer’s account.
For example, when you set up your Spotify account, you will be required to authenticate with 3DS, but subsequently funds will be automatically taken from your account. The first transaction is eligible for liability shift; subsequent transactions are recurring payments.
Why is the issuer so involved?
SCA moves some responsibility from businesses to issuers. The issuer decides whether the transaction requires additional authentication, therefore the issuer takes liability for fraudulent SCA initiated transactions.
Issuers have the option to ‘challenge’ a transaction: request additional information from the consumer.
Or create a ‘frictionless’ transaction: the consumer doesn’t have to go through 3DS because the information supplied by the business they are buying from is satisfactory.
Or, create a ‘soft decline’: the issuer does not fully decline a transaction but responds with a request to push the customer through 3D Secure 2.0 authentication. This will be introduced in the later versions of 3D Secure 2.0.
Do my customers need to go through 3D Secure when paying with Apple Pay or Google Pay?
No, both are already SCA compliant by supporting payment flows with in-built authentication (biometric or password). For example, when a customer initiates an Apple Pay payment, they are prompted to authenticate using their fingerprint or iris scan (Face ID).
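To tie together the two-of-three factor rule, the exemption list, the issuer's challenge / frictionless / soft-decline outcomes and the wallet case above, here is an added example of a merchant-side pre-authorisation helper. It is not Judopay's code; the monetary limits, the Txn fields and the response codes are hypothetical placeholders chosen for illustration.

```python
# Added example, not Judopay's code: merchant-side pre-authorisation helper
# applying the SCA rules on this page. Monetary limits are hypothetical.
from dataclasses import dataclass
from typing import Optional

LOW_VALUE_LIMIT = 30.0      # assumed low-value exemption threshold
CONTACTLESS_LIMIT = 50.0    # assumed contactless exemption threshold
FACTOR_CATEGORY = {"password": "knows", "pin": "knows", "phone_otp": "has",
                   "card": "has", "fingerprint": "is", "face": "is"}

def is_strong(factors) -> bool:
    """SCA needs two of the three categories: knows / has / is."""
    return len({FACTOR_CATEGORY.get(f) for f in factors} - {None}) >= 2

@dataclass
class Txn:
    amount: float
    channel: str                      # online|contactless|moto|unattended_transport
    payer_in_eu: bool = True
    payee_in_eu: bool = True
    trusted_beneficiary: bool = False
    recurring_followup: bool = False  # later payment of a fixed-amount series
    psp_low_risk: bool = False        # PSP transaction-risk analysis outcome
    wallet: Optional[str] = None      # apple_pay / google_pay (in-built auth)

def sca_exemption(t: Txn) -> Optional[str]:
    """Return why SCA is not required, or None if the issuer must authenticate."""
    if t.channel == "moto":
        return "mail order / telephone order: out of scope"
    if not (t.payer_in_eu and t.payee_in_eu):
        return "one leg outside the EU: out of scope"
    if t.wallet in ("apple_pay", "google_pay"):
        return "wallet with in-built authentication"
    if t.channel == "unattended_transport":
        return "unattended transport/parking terminal"
    if t.channel == "contactless" and t.amount <= CONTACTLESS_LIMIT:
        return "contactless below assumed limit"
    if t.trusted_beneficiary:
        return "payee on the customer's trusted-beneficiary list"
    if t.recurring_followup:
        return "recurring payment in an already-authenticated series"
    if t.amount <= LOW_VALUE_LIMIT:
        return "low-value transaction"
    if t.psp_low_risk:
        return "PSP transaction risk analysis: low risk"
    return None

def next_step(issuer_response: str) -> str:
    """Map the issuer's answer (challenge / frictionless / soft decline) to the next action."""
    return {"frictionless": "authorise", "challenge": "run 3DS challenge",
            "soft_decline": "resubmit through 3DS 2.0"}.get(issuer_response, "decline")
```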
How is Judopay going to help me?
First, we’re always around for any questions. Contact us via firstname.lastname@example.org or 0203 503 0600.
SCA is at its simplest when you’re taking a known transaction amount from a known consumer to a known supplier.
As soon as those details blur, the implementation of SCA can become complicated. For example, if your business is a hotel that takes cancellation fees, should you have consumers authenticate at booking to ensure you can take the cancellation fee in the event of a no show? What if they are booking on a personal card but paying on a corporate card at the premises?
Whilst guidance on this has to come from the regulators, we’re already working closely with our clients to clarify these details for them. If you would like any advice on any unique scenario, please get in touch with our experts.
Second, we will provide you with the tools to integrate 3DS 1.0 in the first instance and to upgrade to 3DS 2.0 when it’s ready. We’ll keep you up to date the whole way through.
Third, SCA focuses on fraud prevention. The better your fraud tools are, the more of your transactions will be able to pass through without needing authentication. We partner with the best fraud prevention agencies in the industry. Get in touch to find out how we can reduce your fraud and enhance your customer experience.
Fourth, Apple Pay and Google Pay do not require any further authentication checks. Work with Judopay to integrate these payment methods into your payment flow.