On September 14, 2019 (unless an extension is granted by the relevant EU regulators), European-based merchants who accept credit card payments will have to comply with new two-factor authentication requirements as part of a new regulation called Strong Customer Authentication (SCA).
This new requirement is part of the new European banking regulations known as PSD2 (Payment Services Directive #2).
SCA requires your customers paying with a credit or debit card to present any two of these three elements to satisfy two-factor authentication:
- Something you know, like your password or PIN.
- Something you have, like your phone or card chip.
- Something you are, like your fingerprint or face recognition.
As long as they have two of these three elements, their payment will be approved. If they do not, the payment will be rejected by the bank that provided the card.
Additionally, each of the elements is supposed to be kept separate and independent from the others, so that a breach of one set of data does not compromise the other two sets.
You have probably already encountered this type of authentication if you’ve ever used a debit card at a store, putting your card into the chip reader and entering your PIN. This meets the requirement of something you know (your PIN) and something you have (your chip card).
You can also use Apple Pay or Google Pay at a checkout because, again, it’s something you have (your phone) and something you are (your fingerprint or facial recognition).
If your merchant account doesn’t have a way to capture the two elements (for example, you don’t have a chip reader), then your customers’ payments will be refused right on the spot.
Further, if you charge a recurring debit, such as a membership or a subscription, that’s considered “merchant-initiated” and is therefore exempt from SCA. The exemption also applies to purchases that are under €30, since they’re considered low value.
Merchants will be able to use 3D Secure 2.0 technology to sell to their customers without any problems or hang-ups on their transactions.
The new Strong Customer Authentication requirement and PSD2 are not something merchants should ignore; September 14, 2019 is looming large for European-based e-commerce merchants. If you want to be prepared and protect your business, contact us.