In our previous blog post PSD2, SCA, And 3DS2: Understanding The Basics Of Upcoming Regulations we mentioned that Payments Services Directive 2 (PSD2) is bringing about mandatory compliance for Strong Customer Authentication (SCA) on September 14, 2019. Does this directive apply to you? What will happen if you are not in compliance when the deadline takes effect?
If your eCommerce business is operating in the European Economic Area (EEA), it is likely you will be subject to the new PSD2 regulations. But how? We can safely assume that SCA will apply to “two-leg transactions”, where both the card issuer and the merchant’s acquiring Payment Service Provider (PSP) are located in a member state of the EEA.
There has been some confusing back and forth trying to understand if and how there will be enforcement for “one-leg transactions”, where only one of the issuer or the merchant’s acquiring PSP is located in the EEA.
In an attempt to clarify this, a frequently asked questions fact sheet was released by the European Commission in January of 2018. Per the FAQ, one-leg transactions must comply with PSD2 information disclosure and transparency requirements on the costs and conditions of international payments. PSD2 disclosure and transparency standards are not the topic of this post, but they are important for you to understand. Feel free to start here if you want to learn more.
Thankfully, this document does indicate that SCA is not mandatory for one-leg transactions. It should be safe for merchants not to be concerned about SCA in this case.
So how does SCA affect merchants? It is ultimately up to the EEA-based issuing bank to decide if SCA will be required for accepted payments. If a significant portion of your credit card transactions are served by EEA-based issuers, it is important to start a conversation with your acquiring PSP and ask their advice.
As a merchant, not complying with the enforcement of SCA (and thereby PSD2) will have a few specific impacts. The major card brands are willing to offer a carrot for using 3DS2 to satisfy SCA: they will shift the liability for fraudulent e-commerce transactions away from the merchant. You could ignore this carrot, but another very real possibility is that EEA-based issuers will decline non-SCA transactions starting in September. This is the stick that the market expects will drive adoption of SCA by merchants.
We do not know exactly how issuers will decide to enforce the September deadline, or whether that deadline will be delayed. Every EEA-based issuer and acquirer is expected to comply with PSD2 and therefore SCA, but remember that SCA does not mandate use of 3DS2. It mandates secure two-factor eCommerce transactions. It is possible to meet SCA without 3DS2 as long as a one-time password or some other factor is required when the purchaser is authenticating their identity with the issuer. The ability to access frictionless flows and exemptions will drive adoption of 3DS2, but remember that it is a tool for compliance. As a merchant, your role is to request a secure transaction and allow the issuer to decide whether to accept the transaction or challenge it instead. As with all previous major compliance efforts, exact details should become clearer as we get closer to the SCA implementation deadline.
The strategic approach is to comply with SCA, even if you are not legally required to do so. This approach reduces the risk of transaction failures in September.
What about eWallets (like Apple Pay or Google Pay) and Alternative Payment Methods (like iDEAL and Giropay)? The good news is that these can be scalable, SCA-safe options. Most APMs in the EU already have a built-in authentication layer, meeting SCA compliance standards.
APMs are growing in adoption in the EU and throughout the world. The good news is that introducing APMs generally should not impact your SCA compliance.
Stay tuned, as we’ll be exploring some of the benefits of 3DS2 in an upcoming post.