- Strong Customer Authentication (SCA)
- 3D Secure
- The key stages of the migration towards SCA
- Out of scope transactions
- Exempted transactions
- Transfer of liability in case of fraud
The majority of payment fraud exists online, particularly on payments made by credit card.
The goal of the payment ecosystem as a whole is to effectively protect merchant activity while providing a seamless payment experience for consumers. In other words, maximizing the conversion rate while limiting fraud.
The challenge facing merchants is to find the right balance between fraud prevention and optimizing the user experience.
With this in mind, the second version of the Payment Services Directive (PSD2) - which is coming into effect since September 2019 - aims (among other things) to achieve this dual objective.
In this context, all card transactions must undergo strong customer authentication.
Strong Customer Authentication (SCA)
Strong Customer Authentication (SCA) requires at least two of these three factors to be satisfied:
|An element defining the payer (e.g. fingerprints, facial recognition)||An element that the payer knows (e.g. PIN, password)||An element that the payer possesses (e.g. phone, token)|
One of the PSD2 requirements is that any aliases created for future use must be strongly authenticated.
This has significant implications for the subscription economy since your subscribers will systematically have to strongly authenticate their first payment, whether with 3D Secure 1 or 3D Secure 2.
For one-off payments (when card data is not saved for future use), the PSD2 stipulates that there can be strong authentication exemptions in certain cases.
3D Secure is a secure protocol whose main objective is to limit the fraudulent use of bank cards, by ensuring that any online payment by card is made by its holder.
In 2021, two versions of 3D Secure coexist and meet the strong authentication prerequisite dictated by the PSD2:
- 3D Secure 1, the existing method based on sending an SMS code to the payer's mobile phone: this method remains compliant with the PSD2 at least until December 31, 2021
- 3D Secure 2, the new double authentication method directly on the payer's banking application
The key stages of the migration towards SCA
The Banque de France and the European Banking Authority (EBA) have opted for a gradual implementation of a new infrastructure in order to ensure compliance with the PSD2.
After deployment, for each transaction, this new infrastructure will ensure the following:
- Verify the need for strong authentication on the transaction
- Store the nature of the transaction and the needs of the merchant
- Manage exemption cases (as defined by regulatory technical standards) and the transfer of liability in case of authentication
The key stages in the implementation of strong authentication in France:
Since the implementation of this plan, it is important to note that only a small proportion of the transactions concerned have suffered a soft-decline (refusal by the issuing bank for lack of authentication).
However, a gradual ramp-up of these soft-declines is underway in order to finalize the migration towards systematic strong authentication scheduled for May 15, 2021.
Out of scope transactions
Payments that fall under the regulatory technical standards (RTS) for strong authentication are payments that meet these two conditions:
- Electronic payments
- Payments initiated by the cardholder
The European Banking Authority (EBA) has explicitly designated the following three types of payments as being out of scope with respect to strong authentication standards:
Merchant initiated transactions (including variable subscriptions)
Payments for which the amount is not initially known. These are payments made when the cardholder is not present, using stored card data.
To benefit from this exemption, the storage of the card data must be authenticated.
The merchant must also obtain the agreement of the payer (mandate) to be authorized to subsequently debit their card.
One leg payments
When the payer's bank or the merchant's bank is outside the EU, no authentication will be performed.
Mail Order / Telephone Order (MOTO) payments
Payments by mail and telephone are not considered electronic payments.
For one-off payments only, the PSD2 provides for a number of cases where the payer is exempt from strong authentication.
As a payment services provider, SlimPay is able to request these exemptions during payment processing: the cardholder's bank will then receive the request, assess the risk level of the transaction according to certain criteria, and then decide whether or not to allow SCA exemption.
Here is the list of exemption cases:
Payments under €30
All payments below €30 will be subject to this exemption. We estimate that approximately 50% of all online transactions will fall under this exemption.
However, these exemptions will not be valid if the total amount debited on the card since the last authentication is greater than €100, or if more than five transactions have been carried out on the card since the last authentication.
Fixed amount subscriptions
When a payer makes a series of recurring payments of the same amount to the same merchant, strong authentication will only be required for the first payment: there will be no authentication for subsequent payments.
A payer can choose to add a merchant to their list of trusted beneficiaries to avoid authentication for future payments.
Low risk payments / Risk analysis
Exemption initiated by the issuing bank: the card issuer can apply a TRA (Transaction Risk Analysis) exemption even if you have not requested it. We advise you to send additional data in your payment request in order to increase the chances of obtaining this exemption.
Exemption at the initiative of the PSP: payment service providers can ask not to strongly authenticate a transaction under certain circumstances, in the event that their fraud rate does not exceed certain predefined thresholds.
Transfer of liability in case of fraud
To ensure your transactions are PSD2 compliant, SlimPay manages all exemption requests on your behalf whenever possible, and strong authentication is requested from the payer whenever the bank requires it.
According to the European Payments Council:
“PSD2 provides that the payer can claim a full refund from the payment service provider in the event of an unauthorized payment, if no SCA measure was put in place and if the payer has not acted fraudulently.”
This means that in the event of fraud on transactions that have benefited from an exemption, you will be responsible for the chargebacks related to these transactions: there is no transfer of liability to the issuing bank.