In Europe, the new Strong Customer Authentication (SCA) requirements, which are part of PSD2, were supposed to go into effect on September 14, but many businesses and banks have not met all the regulatory requirements to fully launch.
Strong Customer Authentication (SCA) is a new European banking requirement that’s part of the PSD2 regulations. SCA is designed to make online payments more secure. Merchants are required to ask for extra steps in the authentication process during transactions. SCA asks for something that customer has, knows, and is. For example, your card, a password, and a fingerprint.
Additional SCA tools can include one-time passwords, QR codes, two-factor authentication, and biometric authentication like fingerprints (e.g. your iPhone) or facial recognition (e.g. your fancy new iPhone).
The current authentication tool is called 3D Secure 1.0 (3DS), which is used to verify ecommerce transactions and to verify a shopper’s identity while online. The new 3D Secure 2.0 (3DS 2.0) specifications make it easier to capture SCA details during the transaction.
We recently found an article in ThePaypers.com about how businesses can prepare for a phased implementation of the new 3DS requirements, especially as they relate to the regulations’ impact, liability, enforcement, and what will be done about subscription-based purchases.
According to the article, some countries are doing a phased implementation of SCA over an indeterminate period of time. Luxembourg, Norway, and Poland are contacting the regulators to set their own timeline, and the United Kingdom has announced an 18-month phase-in so banks and businesses can better prepare things on their end.
Since most businesses and banks are already delaying the implementation, most banks won’t be doing anything differently at this time. (In fact, some experts expect most banks would not be 2.0 ready by the deadline.) But if the different countries do make SCA a requirement without being ready for 3DS 2.0, then 3DS 1.0 will be the only way they can authenticate credit and debit cards.
Merchant services providers can help their merchants with the transition by helping them put dynamic authentication technology in place so they can get accustomed to it.
Also, some European banks may strictly follow regulatory guidelines, while others will be a little softer in their implementation. That means a merchant’s payment service provider should be able to determine which banks are following the guidelines and which are waiting. They should be able to help merchants plan accordingly and guide them to the banks that will best meet their own technological capabilities.
An additional requirement is that shoppers will receive a confirmation “challenge” that requires them to confirm that they approve each transaction. Every time they make a purchase, they will have to answer the challenge and confirm that they’re allowing this purchase.
But rather than confirming every transaction with every business, consumers can whitelist the businesses they trust, which will allow card issuers to exempt those purchases from these confirmation requirements. The current timeline to start supporting whitelisting is in 2020.
Finally, an issue that some merchants may face are those that provide subscription-based services and recurring transactions. While most of these transactions are exempt from SCA requirements, authentication still needs to happen during the signup stage, especially those that offer a free trial before starting the subscription.
This usually isn’t a problem for many merchants in the US, since they often require new customers to provide their credit card as part of the free trial in the first place. But subscription merchants will need to figure out how to implement the challenge confirmation early in the signup process without customers abandoning the registration process before its completed.
Merchants in Europe are facing a lot of tough new regulations, as are American and Canadian merchants doing business with European customers. Corepay can help you meet these new standards and guide you toward the best technology to help you get there. To learn more, just visit our website or call us at (800) 408-0095.
Photo credit: QuinnTheIslander (Pixabay.com, Creative Commons 0)
