Full Guide: PSD2 SCA Questions Answered

December 9, 2020

In 2018, the second European Payment Services Directive (PSD2) came into force, and its Regulatory Technical Standards (RTS) on Strong Customer Authentication (SCA) mandate new security processes and standardized technology for protecting payment service users and their payment credentials.

With SCA enforcement under PSD2 officially beginning throughout most of Europe on December 31, 2020, we have compiled a guide with the most relevant and up-to-date information regarding SCA.

Frequently asked questions covering the upcoming 3-D Secure transition:

As the initial deadline of 14 September 2019 came closer, more and more European countries realised that a vast number of their national e-commerce companies and banks were unable to comply with this enforcement date.

It was estimated that European online shops would on average lose around 20% of their revenue if they could not comply in time, and the European Banking Authority (EBA), which is responsible for the Regulatory Technical Standards, finally decided to allow a further postponement.

The new and final deadline, announced in an EBA opinion, is 31 December 2020, and the National Competent Authorities (NCAs) around Europe have communicated the postponement to the relevant national players in their respective countries, i.e. banks, PSPs and internet shops.

However, to avoid a situation where the extension leads some parties to take no action until the new deadline is dangerously close, the EBA, via the NCAs, has demanded concrete SCA implementation plans from the parties as a condition for the postponement. In other words, the EBA has ensured that it will not face the same situation again as the next deadline approaches.

Finally, it is important to underline that merchants and their PSPs should be technically ready no later than the end of October 2020, in order to have enough time to test the full chain with their acquirers, the schemes and the issuers. Different interpretations of the new rules are likely, and the fine-tuning can take time; it must be completed before the winter period, with its special events such as Black Friday, Singles' Day and Christmas.

As of 1st of January 2021, most European acquirers and issuers will no longer process PSD2 non-compliant transactions.

MOTO (Mail Order / Telephone Order) distance-selling transactions, merchant-initiated transactions (MIT) that are not triggered by the customer, and transactions where either the cardholder's issuer or the merchant's acquirer is outside the European Economic Area (for instance, a Swiss issuer with an EEA acquirer, or the reverse) are not subject to the RTS-SCA rule; the latter are considered one-leg transactions.

Bancontact transactions are 100% strongly authenticated and are therefore compliant with the PSD2 regulation.

To comply with the strong customer authentication requirement for cards of these schemes, you need to support at least SafeKey 1 (American Express), ProtectBuy 1 (Diners), J/Secure 1 (JCB) and/or UnionPay 3-D Secure (UnionPay).

The aim of Strong Customer Authentication through 3-D Secure 2 is to reduce remote payment fraud while strongly improving user-friendliness for the cardholder. In particular, it provides the issuer (the cardholder's bank) with more information on the context of the transaction, so that the issuer can decide whether or not Strong Customer Authentication of the cardholder is needed.

  1. If you are already using 3-D Secure 1 for all your transactions, moving to 3-D Secure 2 will allow some of your transactions to go frictionless. This will increase your conversion rate while keeping you protected against fraud.
  2. If you are not using 3-D Secure 1 at all ("SSL" transactions only) or are using it only partially (dynamic 3-D Secure), implementing 3-D Secure 1 or 3-D Secure 2 is mandatory in any case to comply with the SCA principle. Otherwise, you can expect many non-3-D Secure transactions to be declined by the issuers. 3-D Secure 2 will give you a better conversion rate than 3-D Secure 1.

The major additions of 3-D Secure 2 are:

  • A smoother and more integrated customer experience, especially for mobile applications.
  • New authentication methods on the issuer (cardholder's bank) side.
  • Management of exemptions and frictionless flows.

The RTS stipulates 2 exemption options for point-of-sale payments:

  • Low value contactless transactions

The exemption for a contactless transaction can be invoked:

➔ If the amount of the transaction does not exceed €50.
➔ If, since the cardholder's last transaction with Strong Customer Authentication, the cumulative amount of contactless transactions (regardless of the merchant) or the number of contactless transactions has not exceeded the ceiling defined by the RTS-SCA (velocity criteria: a maximum of €150 or 5 transactions, whichever criterion the issuer applies; the issuer may also set lower ceilings).

  • Transactions on unattended terminal for parking or transport

An exemption from Strong Customer Authentication is applied for contact and contactless transactions to pay for a transport fare or a parking fee made on an unattended terminal. The exemption can be invoked:

➔ If the transaction is made under specific MCCs (merchant category codes).
➔ If the amount of the transaction does not exceed the maximum transaction amount specified by the schemes (Mastercard and Visa). For transactions exceeding that maximum amount, Strong Customer Authentication of the cardholder will always be requested.

The RTS stipulates 5 exemption options for remote payments (e-commerce):

  • Trusted Beneficiaries or White-Listing (not applicable to the merchant)

White-listing is the option for a cardholder to name to the issuer of his card (in general his bank) a merchant whom he trusts and for whom he does not wish to perform Strong Customer Authentication when executing remote transactions, provided the merchant meets the security criteria set by the bank.

  • Recurring transactions

An exemption from Strong Customer Authentication applies to a series of remote transactions for the same amount to a single beneficiary. However, Strong Customer Authentication is required for the first transaction (setting up the contract) and for each modification of the conditions of the series.

  • Low value transactions

An exemption from Strong Customer Authentication for a low value remote payment can be invoked:

➔ If the amount of the transaction does not exceed €30.
➔ If, since the cardholder's last transaction with Strong Customer Authentication, the cumulative amount of low value remote transactions (regardless of the merchant) or the number of low value remote transactions has not exceeded the ceiling defined by the RTS-SCA (velocity criteria: a maximum of €100 or 5 transactions, whichever criterion the issuer applies; the issuer may also set lower ceilings).

  • Secure Corporate payments (not applicable to the merchant)

The exemption also applies to payments initiated by businesses and debited from the business account (for example, central settlement cards, centralized accounts and virtual cards). In contrast, corporate cards debited from the employee's bank account (under special conditions) are treated like B2C transactions and are not covered by this exemption.

  • Transactional Risk Analysis

The exemption from Strong Customer Authentication for a remote transaction referred to as 'transaction risk analysis' can be invoked by the acquirer (on behalf of the merchant) or by the issuer if both of the following conditions are met:

➔ The transaction is assessed as low risk (for example, no malware infection of the payer's device, no abnormal spending by the payer, a plausible payer location, a consistent transaction history, etc.).
➔ The fraud rate for remote transactions of the payment service provider applying the exemption (the acquiring bank or the issuing bank, not the merchant or its PSP) is below the preset ceilings:

  • 0.13% if the transaction amount is up to €100.
  • 0.06% if the transaction amount is up to €250.
  • 0.01% if the transaction amount is up to €500.
  • The exemption is not available for transactions over €500.

Exemptions are not automatic: even if the conditions for an exemption are met, the final decision rests with the issuer (the cardholder's bank), which may or may not grant it. If it does not, the issuer sends a soft decline, and the payment must be resubmitted requesting Strong Customer Authentication from the cardholder.
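The scope rules and exemption ceilings above (MOTO and one-leg transactions out of scope, MIT only when it references an authenticated initial transaction, the €50/€150 contactless and €30/€100 low-value ceilings with the 5-transaction velocity criterion, the TRA fraud-rate bands, and the soft-decline step-up) can be turned into a merchant- or PSP-side decision helper. The following is an added illustrative example, not Alto Global Processing code or any scheme's reference implementation. The Transaction fields, the issuer callback and the demo issuer are assumptions; it also models the stricter reading in which the issuer applies both the cumulative-amount and the count velocity criterion, whereas a real issuer picks one (or lower ceilings).

```python
# Added example: PSD2 RTS-SCA scope/exemption decision helper with soft-decline step-up.
# Not Alto Global Processing code; Transaction fields and the issuer callback are assumptions.
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Optional, Tuple


class Channel(Enum):
    POS_CONTACTLESS = "pos_contactless"
    REMOTE = "remote"   # e-commerce
    MOTO = "moto"       # mail order / telephone order: out of scope
    MIT = "mit"         # merchant-initiated: out of scope only if it references an SCA'd initial CIT


# Ceilings (EUR) as described on this page.
CONTACTLESS_MAX = 50.0
CONTACTLESS_CUMULATIVE_MAX = 150.0
LOW_VALUE_REMOTE_MAX = 30.0
LOW_VALUE_REMOTE_CUMULATIVE_MAX = 100.0
VELOCITY_MAX_COUNT = 5
# TRA bands: (transaction amount ceiling, maximum reference fraud rate of the PSP, in %)
TRA_BANDS = [(100.0, 0.13), (250.0, 0.06), (500.0, 0.01)]


@dataclass
class VelocityCounters:
    """Counters the issuer keeps per card; both restart whenever SCA is performed."""
    amount_since_sca: float = 0.0
    count_since_sca: int = 0


@dataclass
class Transaction:
    channel: Channel
    amount: float
    both_legs_in_eea: bool = True          # False = one-leg (issuer or acquirer outside the EEA)
    references_sca_initial: bool = False   # MIT: points at an initial CIT that was strongly authenticated
    risk_analysis_clean: bool = False      # assumed output of the PSP's own risk engine
    psp_fraud_rate: Optional[float] = None # assumed: the acquirer's reference fraud rate, in %


def tra_fraud_rate_ceiling(amount: float) -> Optional[float]:
    """Maximum PSP fraud rate at which TRA may be claimed for this amount; None above EUR 500."""
    for ceiling, rate in TRA_BANDS:
        if amount <= ceiling:
            return rate
    return None


def classify(tx: Transaction, counters: VelocityCounters) -> str:
    """Decide how the transaction should be submitted to the issuer."""
    if tx.channel is Channel.MOTO or not tx.both_legs_in_eea:
        return "OUT_OF_SCOPE"
    if tx.channel is Channel.MIT:
        return "OUT_OF_SCOPE_MIT" if tx.references_sca_initial else "SCA_REQUIRED"
    velocity_ok = counters.count_since_sca < VELOCITY_MAX_COUNT
    if tx.channel is Channel.POS_CONTACTLESS:
        if (tx.amount <= CONTACTLESS_MAX and velocity_ok
                and counters.amount_since_sca + tx.amount <= CONTACTLESS_CUMULATIVE_MAX):
            return "EXEMPT_CONTACTLESS_LOW_VALUE"
        return "SCA_REQUIRED"
    # Remote (e-commerce): try the low-value exemption first, then transaction risk analysis.
    if (tx.amount <= LOW_VALUE_REMOTE_MAX and velocity_ok
            and counters.amount_since_sca + tx.amount <= LOW_VALUE_REMOTE_CUMULATIVE_MAX):
        return "EXEMPT_LOW_VALUE"
    ceiling = tra_fraud_rate_ceiling(tx.amount)
    if (ceiling is not None and tx.risk_analysis_clean
            and tx.psp_fraud_rate is not None and tx.psp_fraud_rate <= ceiling):
        return "EXEMPT_TRA"
    return "SCA_REQUIRED"


# Assumed issuer interface: (transaction, how it was submitted) -> APPROVED / SOFT_DECLINE / DECLINED
IssuerDecision = Callable[[Transaction, str], str]


def submit(tx: Transaction, counters: VelocityCounters, issuer: IssuerDecision) -> Tuple[str, str]:
    """Submit with the chosen exemption; on a soft decline, resubmit requesting SCA.
    Returns (final issuer response, how the transaction was finally submitted)."""
    how = classify(tx, counters)
    response = issuer(tx, how)
    if response == "SOFT_DECLINE":      # issuer refused the exemption: step up to SCA
        how = "SCA_REQUIRED"
        response = issuer(tx, how)
    if response == "APPROVED":
        if how == "SCA_REQUIRED":       # SCA performed: the issuer's velocity counters restart
            counters.amount_since_sca, counters.count_since_sca = 0.0, 0
        elif how.startswith("EXEMPT"):
            counters.amount_since_sca += tx.amount
            counters.count_since_sca += 1
    return response, how


def demo_issuer(tx: Transaction, how: str) -> str:
    """Constructed issuer for the demo: honours every exemption except TRA, which it soft-declines."""
    return "SOFT_DECLINE" if how == "EXEMPT_TRA" else "APPROVED"


if __name__ == "__main__":
    card = VelocityCounters()
    for _ in range(5):   # five EUR 20 payments ride the low-value exemption (cumulative EUR 100, count 5)
        print(submit(Transaction(Channel.REMOTE, 20.0), card, demo_issuer))
    # The sixth breaks the velocity ceiling; TRA is claimed, soft-declined, and SCA is performed.
    print(submit(Transaction(Channel.REMOTE, 20.0, risk_analysis_clean=True, psp_fraud_rate=0.10),
                 card, demo_issuer))
```

The velocity counters live at the issuer, so a merchant cannot know them exactly; the point of the helper is that the merchant's request is only a claim, and the soft-decline branch is the part that must always be implemented.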

The 3-D Secure 2 implementation, which requires changes throughout the electronic payment chain, will be carried out gradually depending on the various payment stakeholders (payment modules, merchant banks, networks, issuing banks). Alto Global Processing and our acquiring partners are prepared to support 3-D Secure 2.

Visa and Mastercard have announced that 3-D Secure 1 will not be retired before the end of 2020. In addition, the main card schemes have announced new tariffs that discourage the use of 3-D Secure 1 (which offers no frictionless possibilities) in favour of 3-D Secure 2. These tariffs will be applied in the coming months and will keep increasing month after month.

Alto Global's acquiring partners have confirmed that they will not block subsequent transactions of a series whose initial transaction occurred before December 31st, and will continue to accept those subsequent transactions. For recurring series started after December 31st, it is recommended to perform SCA on the first transaction and to reference it in each subsequent transaction in order to keep the same approval rate.

The national regulators supervise the activities of the local acquirers and issuers. What matters most for the merchant, however, is the location of its acquirer, because this determines whether a transition phase can apply. Furthermore, merchants with international business should check the regulations of the countries where they do business: some issuers in Europe are obliged to support SCA from 14 September, which means that those issuers will probably decline card transactions processed without 3-D Secure.

No, a manual PAN key entry (MPKE) transaction does not comply with PSD2, since it does not meet the rule of two factors among "what you know", "what you are" and "what you have". Our recommendation is to process such transactions as Merchant-Initiated Transactions. MITs are only possible if SCA was performed as part of the initial transaction; that SCA can be done, for example, through an authentication on site, via a payment gateway or via an e-mail payment link.

SCA is required, but the issuer uses the “secure corporate payments” exemption. The merchant has no influence over this, and the payment is expected to go through as usual.

The guest performs strong authentication for the initial authorization, but the payment is not captured. The guest then does not show up at the hotel, and a transaction without the guest's presence must be processed to bill the no-show. Since you hold the credentials from the authenticated initial authorization, complete that authorization if you are still within the period allotted by the scheme for completion; otherwise, carry out an MIT referencing it. You can also change the process and encourage guests to pay at the time of booking.

At check-in, with the cardholder present, perform a pre-authorization (a CIT / face-to-face transaction) for the full amount of the accommodation as the initial transaction of the MIT series. At the time of reservation, make sure the PAN is tokenized for future use, and use the token to finalize the pre-authorization for the exact or a higher amount, including the deposit. Since you hold the credentials from the authenticated pre-authorization, complete it if you are within the period allotted by the scheme for completion; otherwise, carry out an MIT referencing it.