PSD2 and SCA compliance for online marketplaces

Online transactions are not just about the exchange of goods and services. They’re about trust. The Payment Services Directive 2 (PSD2) and its corresponding Strong Customer Authentication (SCA) are European initiatives set forth to bolster this trust.

Since September 14th, 2019, marketplaces catering to European customers have encountered a shift. If you’re a marketplace owner, this regulation is significant. Non-compliance can lead to a substantial proportion of payment failures on your platform, potentially undermining trust and user experience.

The combination of PSD2 and SCA is a commitment to securing the digital transaction landscape. As marketplaces evolve and expand, understanding, adapting, and potentially championing such measures will not just be about compliance, but about establishing trust, credibility, and ensuring sustainable growth in the digital age.

What is PSD2?

The Payment Services Directive 2 (PSD2) is a directive instigated by the European Commission, fundamentally designed to reshape electronic transactions. Primarily, it mandates the application of Strong Customer Authentication (SCA) for all eCommerce or website-based transactions. If your business is located within or caters to the European Economic Area (EEA) and processes card payments, this directive is non-negotiable.

The inception of PSD2 stems from a commitment to increase competition within the financial sector, champion robust consumer protection, and level the playing field for all payment service providers. But more than just establishing regulations, PSD2 serves as a beacon of transparency, demanding strict security measures in the form of two-factor authentication, and the vision of a harmoniously integrated European payments ecosystem.

While PSD2 might seem intricate, its core essence is simple: A digital transaction landscape that’s transparent, secure, and customer-centric. For businesses, it’s not just about adapting but evolving in tandem with a rapidly transforming eCommerce horizon.

What is Strong Customer Authentication (SCA)?

SCA is rooted in the framework of the Payment Services Directive 2 (PSD2). Its foundational mandate is the incorporation of an enhanced authentication protocol for online transactions, particularly those exceeding the €30 mark. But what does “enhanced” entail? It’s the meticulous combination of at least two of three distinct authentication factors, ensuring a multifaceted verification process.

The objective of introducing SCA is twofold. Firstly, it aims to curtail fraudulent activities by introducing an additional layer of security, making it harder for unauthorised parties to complete a transaction. Secondly, it is to instill greater confidence among consumers, assuring them that their online transactions are shielded with the best protective measures.

The crux of SCA’s efficacy lies in its multi-factor authentication model. For a transaction to gain approval, the onus is on the cardholder to demonstrate their genuine ownership of the payment card. This necessitates the cardholder to validate their identity using a combination of at least two from the following three authentication pillars:

Knowledge

Information that only the cardholder would be privy to, such as a password or PIN.

Possession

Proof of owning a specific item linked to them, like a phone (where a one-time code might be sent) or the card itself.

Inherence

Biometric indicators, including but not limited to, fingerprints, facial recognition, or voice patterns.
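As an added illustration (not code from the original article), the following Python snippet encodes the two-of-three rule above as a check a payment platform could run over the evidence collected during a challenge. The factor categories are the article's; the authenticator names and their mapping are constructed for this example. It also shows the edge case the rule implies but the prose does not spell out: two pieces of evidence from the same category (a password and a PIN) are still one factor and do not satisfy SCA.

```python
"""Added example (not from the original article): checking the two-of-three
SCA factor rule over the authentication evidence presented for a payment.
The three categories come from the article; the authenticator names below
and their mapping to categories are constructed for illustration."""
from enum import Enum


class Factor(Enum):
    KNOWLEDGE = "knowledge"    # something only the cardholder knows
    POSSESSION = "possession"  # something only the cardholder has
    INHERENCE = "inherence"    # something the cardholder is


# Constructed mapping of authenticator types to SCA factor categories.
AUTHENTICATOR_FACTOR = {
    "password": Factor.KNOWLEDGE,
    "pin": Factor.KNOWLEDGE,
    "sms_otp": Factor.POSSESSION,          # code sent to the registered phone
    "banking_app_device": Factor.POSSESSION,  # enrolled device running the bank app
    "card_present": Factor.POSSESSION,
    "fingerprint": Factor.INHERENCE,
    "face": Factor.INHERENCE,
    "voice": Factor.INHERENCE,
}


def factors_present(authenticators):
    """Return the distinct SCA factor categories covered by the evidence.

    Unknown authenticator names are rejected rather than silently ignored,
    so a typo in an integration cannot make a weak challenge look strong.
    """
    unknown = [a for a in authenticators if a not in AUTHENTICATOR_FACTOR]
    if unknown:
        raise ValueError(f"unrecognised authenticator(s): {unknown}")
    return {AUTHENTICATOR_FACTOR[a] for a in authenticators}


def satisfies_sca(authenticators):
    """True only when evidence from at least two *different* categories was used.

    Two authenticators from the same category (e.g. password + PIN) count as
    a single factor and therefore do not satisfy SCA.
    """
    return len(factors_present(authenticators)) >= 2


if __name__ == "__main__":
    samples = (
        ["password", "sms_otp"],             # knowledge + possession: SCA met
        ["password", "pin"],                 # knowledge twice: SCA NOT met
        ["fingerprint", "banking_app_device"],  # inherence + possession: SCA met
    )
    for evidence in samples:
        verdict = "SCA met" if satisfies_sca(evidence) else "SCA NOT met"
        print(evidence, "->", verdict)
```

The same-category case is the one worth remembering when designing a checkout: a password prompt followed by a "security question" adds friction without adding a second factor.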

Liability with SCA

Strong Customer Authentication (SCA) has revolutionised the realm of online transactions, not only in terms of security but also with respect to the responsibility associated with payment disputes. Central to this transformation is the concept of liability shift.

Marketplaces, especially in high-risk sectors or in regions like the US, often find themselves at the receiving end of double credit card disputes. This can manifest in scenarios where a customer books and receives a service. Subsequently, the same customer disputes the payment with their credit card issuer, alleging they never authorised the transaction. Despite concrete proof from the marketplace confirming that the service was duly delivered, credit card issuers tend to favour their customers.

In the past, the burden of such disputes fell squarely on the marketplace. If the service provider refused to refund, the marketplace was left holding the bag. The financial implications and administrative hassle of such disputes have been daunting for many online platforms.

3D Secure (3DS) brings forth a much-needed shift in how these disputes are managed. The era of SCA, particularly with the advent of 3D Secure, offers a more balanced, fair, and secure environment for online marketplaces. While challenges persist, the liability shift provides a protective layer against unjust financial implications, allowing businesses to thrive in a more secure ecosystem.

What is 3D Secure (3DS)?

3D Secure (3DS) has been a cornerstone in online transaction security. EMV 3D Secure (EMV 3DS) represents the latest iteration of this protocol, tailored specifically for Strong Customer Authentication (SCA) in online payments. Its design not only helps in mitigating fraud and cart abandonment but also seamlessly integrates additional data to provide a more holistic security framework.

The rollout of 3D Secure 2, the enhanced version of the protocol introduced between 2019 and 2020, focuses on refining this process. One of its primary advantages is the improved user experience, designed to reduce friction during checkout—vital for maintaining high conversion rates in eCommerce.

While EMV 3DS stands as a robust tool for online payment security, there are other avenues that businesses can explore. Methods like Apple Pay or Google Pay are not only gaining popularity but are also inherently designed to meet SCA requirements. Their built-in authentication layers—be it biometric scans or passwords—offer a smooth, secure, and frictionless checkout experience for users.

How does 3D Secure authentication work?

At its core, the authentication process remains rooted in the foundational principles of 3D Secure. Once a transaction is initiated, the following steps typically ensue:

Redirect to bank’s verification portal

After checkout, the cardholder is navigated to their bank’s dedicated verification page.

Input additional verification data

This step often involves entering a unique, one-time code sent to the cardholder’s registered mobile number or using biometric authentication, like a fingerprint, if they’re accessing via a mobile banking app.

Bank’s approval or denial

Based on the provided data and its alignment with the bank’s records, the transaction is either approved or denied.
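The three steps above can be modelled as an exchange between three roles. The following Python block is an added example, not code from the article and not the real EMV 3DS message set: the bank's access control server (a name assumed here, abbreviated ACS) generates and checks the one-time code, the marketplace only redirects the cardholder and relays the answer, and the bank returns an authentication result bound to the transaction with a keyed MAC that the issuer checks at authorisation time. The HMAC construction, the field names and the attempt and expiry limits are all assumptions made for the example; the `_code` parameter exists only so the flow can be exercised deterministically.

```python
"""Added example (not from the article, and not the EMV 3DS message set):
a simplified model of the redirect / verify / approve-or-deny flow.
The bank never shares the one-time code with the marketplace, and the
result it returns is bound to the transaction id and amount so a result
for one payment cannot be replayed against another. The key, message
layout and limits are assumptions for this example."""
import hashlib
import hmac
import secrets
import time


class BankACS:
    """The bank's verification portal (step 1) and decision point (steps 2-3)."""

    MAX_ATTEMPTS = 3        # assumed limit on wrong codes per challenge
    CODE_TTL_SECONDS = 300  # assumed validity window of a one-time code

    def __init__(self, result_key: bytes):
        self._key = result_key          # shared with the issuer's authorisation system
        self._challenges = {}           # txn_id -> [code, expires_at, attempts]

    def start_challenge(self, txn_id, *, _code=None):
        """Step 1: cardholder lands on the bank page; code goes out-of-band."""
        code = _code or f"{secrets.randbelow(10**6):06d}"
        self._challenges[txn_id] = [code, time.time() + self.CODE_TTL_SECONDS, 0]
        return {"txn_id": txn_id, "delivered_to": "registered phone"}  # no code in here

    def verify(self, txn_id, amount_cents, submitted_code):
        """Steps 2-3: check the code and emit a signed, transaction-bound result."""
        ch = self._challenges.get(txn_id)
        if ch is None:                                   # unknown or already used
            return self._result(txn_id, amount_cents, "N")
        code, expires_at, attempts = ch
        if time.time() > expires_at or attempts >= self.MAX_ATTEMPTS:
            del self._challenges[txn_id]                 # expired or locked out
            return self._result(txn_id, amount_cents, "N")
        ch[2] += 1
        if hmac.compare_digest(code, submitted_code):    # constant-time comparison
            del self._challenges[txn_id]                 # one-time: cannot be reused
            return self._result(txn_id, amount_cents, "Y")
        return self._result(txn_id, amount_cents, "N")

    def _result(self, txn_id, amount_cents, status):
        msg = f"{txn_id}|{amount_cents}|{status}".encode()
        tag = hmac.new(self._key, msg, hashlib.sha256).hexdigest()
        return {"txn_id": txn_id, "amount_cents": amount_cents, "status": status, "tag": tag}


def issuer_accepts_authorisation(result_key: bytes, auth_request: dict) -> bool:
    """Issuer side: recompute the tag over the *authorisation's* own id and amount.

    A result is honoured only if it says "Y" and was produced for exactly this
    transaction; a marketplace that alters the amount after authentication, or
    attaches a result from a different payment, fails the check.
    """
    r = auth_request["authentication_result"]
    msg = f"{auth_request['txn_id']}|{auth_request['amount_cents']}|{r['status']}".encode()
    expected = hmac.new(result_key, msg, hashlib.sha256).hexdigest()
    return r["status"] == "Y" and hmac.compare_digest(expected, r["tag"])


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    acs = BankACS(key)
    acs.start_challenge("txn-42", _code="123456")               # marketplace redirects
    result = acs.verify("txn-42", 4999, "123456")               # cardholder enters code
    auth = {"txn_id": "txn-42", "amount_cents": 4999, "authentication_result": result}
    print("authorisation accepted:", issuer_accepts_authorisation(key, auth))
```

The property worth noticing is in `issuer_accepts_authorisation`: the issuer does not trust the fields inside the result, it recomputes the tag from the authorisation request it actually received. That binding is what lets the bank stand behind the liability shift discussed above.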

What are the exemptions to PSD2 and SCA?

While the Payment Services Directive 2 (PSD2) primarily stands as a defence of online transactional safety, not all transactions are bound by its Strong Customer Authentication (SCA) mandate. Here’s an exploration into the intricacies of these exemptions:

Low-value transactions

Remote electronic transactions up to €30 and contactless payments up to €50 are typically exempted from SCA. However, there’s a cap: SCA becomes mandatory after five consecutive low-value transactions or when the aggregate of these payments reaches €100 (€150 for contactless). This framework is based on guidelines from major card companies like Visa and Mastercard, and the onus of monitoring these thresholds falls on the card issuer.

Recurring payments

SCA predominantly applies to customer-initiated transactions. Transactions initiated by the merchant—often known as Merchant Initiated Transactions (MIT)—pose a unique challenge for SCA application. In scenarios of fixed recurring payments or varying amounts initiated by the customer, SCA is enforced during the initial card detail capture. Subsequent payments in the series are flagged with a unique identifier, ensuring that they’re recognised as SCA-validated. This process is predicated on following card scheme guidelines meticulously.

Transaction risk analysis (TRA)

This is where machine intelligence meets transactional discretion. Under TRA, card issuers or acquirers assess transactions for genuineness. If the algorithm deems a transaction to be authentic, it might exempt it from 3D Secure (3DS) or other SCA measures. However, this assessment isn’t final—the issuer retains the right to enforce SCA if deemed necessary. The TRA exemption operates on a nuanced scale with three thresholds: €100, €250, and €500.
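The low-value, recurring-payment and TRA exemptions above each describe a decision that can be written down as logic. The block below is an added example, not code from the article or from any card scheme or PSP: a simplified issuer-side evaluator that applies the three in turn and keeps the per-card counters the low-value exemption depends on. The €30/€50 limits, the five-transaction and €100/€150 cumulative caps, the "unique identifier" for a merchant-initiated series and the €100/€250/€500 TRA bands are taken from the article; the fraud-rate limit attached to each TRA band (0.13%, 0.06%, 0.01%) is the reference fraud rate from the PSD2 regulatory technical standards and is not stated in the article. Where the article's wording leaves the counting rule open (for example whether the transaction that reaches €100 is itself exempt), the interpretation chosen is noted in the comments.

```python
"""Added example (not the article's or any PSP's code): a simplified
issuer-side evaluator for the SCA exemptions described in the article.
Amounts are in euro cents to avoid floating-point arithmetic."""
from dataclasses import dataclass, field
from typing import Optional

# Low-value exemption limits and caps per channel (from the article).
LOW_VALUE_LIMIT = {"remote": 3000, "contactless": 5000}
LOW_VALUE_CUMULATIVE_CAP = {"remote": 10000, "contactless": 15000}
LOW_VALUE_COUNT_CAP = 5

# TRA bands: (maximum amount in cents, maximum reference fraud rate in %).
# The amounts are from the article; the fraud rates are the RTS reference
# rates, assumed here and not stated in the article.
TRA_BANDS = ((10000, 0.13), (25000, 0.06), (50000, 0.01))


@dataclass
class CardState:
    """Counters the issuer keeps per card since the last SCA on that channel."""
    low_value_count: dict = field(default_factory=lambda: {"remote": 0, "contactless": 0})
    low_value_sum: dict = field(default_factory=lambda: {"remote": 0, "contactless": 0})
    authenticated_series: set = field(default_factory=set)  # ids of SCA'd recurring set-ups

    def reset(self, channel: str) -> None:
        """Called whenever SCA has been applied on this channel."""
        self.low_value_count[channel] = 0
        self.low_value_sum[channel] = 0

    def register_series(self, series_ref: str) -> None:
        """Record that the first payment of a recurring series passed SCA."""
        self.authenticated_series.add(series_ref)


@dataclass
class Transaction:
    amount_cents: int
    channel: str = "remote"                   # "remote" or "contactless"
    merchant_initiated: bool = False
    series_ref: Optional[str] = None          # the article's "unique identifier"
    fraud_rate_pct: Optional[float] = None    # provider's reference fraud rate, if any


def evaluate(tx: Transaction, state: CardState):
    """Return (sca_required, reason) and update the card's counters.

    Evaluation order is a design choice for this example: merchant-initiated
    series first, then low value, then TRA. Anything else requires SCA.
    """
    if tx.merchant_initiated:
        if tx.series_ref in state.authenticated_series:
            return False, "merchant-initiated; series authenticated at set-up"
        return True, "merchant-initiated without an authenticated series"

    ch = tx.channel
    if tx.amount_cents <= LOW_VALUE_LIMIT[ch]:
        count = state.low_value_count[ch] + 1
        total = state.low_value_sum[ch] + tx.amount_cents
        # Interpretation of the article: the sixth consecutive low-value
        # payment, or the one whose running total reaches the cap, gets SCA.
        if count > LOW_VALUE_COUNT_CAP or total >= LOW_VALUE_CUMULATIVE_CAP[ch]:
            state.reset(ch)                    # SCA applied, counting starts over
            return True, "low-value cap reached (count or cumulative amount)"
        state.low_value_count[ch] = count
        state.low_value_sum[ch] = total
        return False, "low-value exemption"

    if tx.fraud_rate_pct is not None:
        for max_amount, max_rate in TRA_BANDS:
            if tx.amount_cents <= max_amount and tx.fraud_rate_pct <= max_rate:
                return False, f"TRA exemption (band up to EUR {max_amount // 100})"

    return True, "no exemption applies"


if __name__ == "__main__":
    card = CardState()
    for n in range(1, 8):                      # seven EUR 10 remote payments
        required, why = evaluate(Transaction(1000), card)
        print(f"payment {n}: {'SCA' if required else 'exempt'} ({why})")
    print(evaluate(Transaction(20000, fraud_rate_pct=0.05), card))
```

Two things the prose leaves implicit show up in the code: the issuer, not the marketplace, owns the counters, so a merchant cannot know in advance whether a €25 payment will be challenged; and a TRA exemption depends on the provider's fraud rate as much as on the amount, which is why a higher band is harder to qualify for, not easier.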

Whitelisting/Trusted payee

Advanced versions of 3DS allow cardholders to ‘whitelist’ trusted businesses, effectively earmarking them as exempt from repeated SCA checks. However, this cardholder prerogative might still be overruled by their issuer if there are suspicions.

MOTO payments

Mail Order and Telephone Orders (MOTO) represent a unique transactional type where card details are gathered verbally or through written correspondence. These naturally sidestep the SCA mandate, but require stringent tagging to ensure accurate processing. The increasing trend of MOTO-related fraud necessitates heightened vigilance, underscored by advanced solutions like the award-winning SOTpay.

Corporate Payments

Payments facilitated through lodged cards—typically used in industries like travel—might also escape the SCA dragnet. Given their B2B nature and built-in fraud protection mechanisms, such payments often receive exemptions. Yet, direct communication with the Acquirer remains essential for clarity.

Outside the PSD2 scope

There are transactions that fundamentally remain outside the PSD2 umbrella:

Merchant Initiated Transactions (MIT)

These encompass varied payment types, from cancellation fees to irregular utility bill payments. The onus here is to enforce SCA during the maiden transaction that grants the merchant initiation rights.

Anonymous Payments

Payments via anonymous instruments, say gift cards, naturally remain beyond SCA’s purview.

Transport and parking

Automated transport and parking payments also bypass SCA.

One leg out

Transactions where one party operates outside the European Economic Area (EEA) might escape strict SCA enforcement. The approach here is ‘best-effort’ compliance.

MOTO transactions

Although exempted from SCA, the growing MOTO fraud landscape suggests leveraging advanced solutions like SOTpay to safeguard transactional sanctity.

PSD2, SCA, 3DS and the marketplace transaction flow

While adding layers of security enhances trust and diminishes fraud, it can also introduce friction points in the transaction flow. More steps can cause customers to abandon their carts or rethink their purchases.

The 3DS protocol, especially its earlier version, redirects users to third-party pages, often co-branded by the bank and the card company. Marketplaces have zero control over these interfaces, potentially leading to inconsistent user experiences.

Past implementations of the 3DS protocol received criticism, notably Visa’s 3D Secure 1. The sudden appearance of unfamiliar pop-up windows for authentication made many users wary, fearing potential scams. This reaction was exacerbated by well-publicised critiques from academia and industry pundits, pointing out the design flaws and security concerns.

3D Secure 2

Improved user experience

The second iteration of 3D Secure, aptly named 3D Secure 2, sought to address many of the concerns and pain points associated with its predecessor.

One of the most promising features of 3DS 2 is its ability to facilitate “frictionless authentication”. Payment providers can now send specific transaction details, like an email address or customer’s device information, to the issuing bank. If this information aligns with the bank’s records and passes their risk assessment, the additional authentication layer might not be invoked at all.

No longer relegated to unfamiliar web pages, 3DS 2 provides multiple avenues for verification. For instance, a bank’s mobile app could be used to authenticate transactions. A customer might receive a one-time code on their phone or use biometric authentication like fingerprint scanning. Companies like Stripe have indicated an optimistic outlook towards these novel methods, suggesting that many banks will likely adopt them.

3D Secure 2 liability shift

By using 3D Secure 2 alongside an authorisation request via the Card Payments API – which mandates customer authentication of the card for the transaction – merchants gain a significant benefit in the form of the liability shift described below.

By utilising markko, merchants not only get the advantage of 3D Secure 2’s enhanced features out of the box, but they also benefit from the potential liability shift in the event of disputed payments. With the backing of the markko platform, the onus in such situations can shift from the merchant to the card issuer. This provides an additional layer of assurance, reducing the financial risks for our users.

How to make your marketplace compliant

In the face of the evolving payments landscape, marketplaces must be agile in adapting to newer security protocols. Strong Customer Authentication (SCA) and the 3D Secure (3DS) protocols are key to this transformation. Here’s a guide to ensure that your marketplace remains compliant:

Consult with your payment service provider

The first step is to familiarise yourself with your payment service provider’s (PSP) offerings and requirements. Many PSPs provide comprehensive articles and documentation that shed light on SCA compliance. If in doubt, always reach out to them for clarity.

Check your integration version

Different PSPs have various protocols for triggering 3D Secure. For instance, Stripe’s newer versions of Checkout and Payment Intents API automatically engage 3D Secure where necessary.

Upgrade to 3D Secure 2 (3DS 2)

Following the PSD2 directive, 3DS has seen a significant upgrade. 3DS 2 comes with enhanced features and is designed to be in line with SCA requirements. It’s essential to note that even if you’re currently on 3D Secure 1, most PSPs, like Stripe, advocate transitioning to 3DS 2, considering its robustness and compliance with SCA.

Conclusion

With the PSD2 directive and its corresponding Strong Customer Authentication (SCA) mandate, the foundation for building trust in the eCommerce space has been firmly set. At the core of these initiatives is the pursuit of a transparent, secure, and customer-centric transactional ecosystem, one that actively counters fraudulent activities while instilling confidence among consumers.

As the intricacies of 3D Secure and its subsequent iterations come to light, it’s evident that the journey towards seamless online payment security is a collaborative effort, requiring marketplaces, payment service providers, and consumers to adapt and innovate.

For marketplace owners, this isn’t merely a regulatory compliance dance; it’s a strategic move towards building credibility, ensuring sustainable growth, and, most importantly, fortifying trust.