UPDATE! The SCA deadline imposed by the EC has been extended by 18 months, meaning the new compliance date for Strong Customer Authentication (SCA) is March 2021.
What is PSD2?
The revised Payment Services Directive (PSD2) is an EU directive, driven by the European Commission (EC), that deals with the changing payments landscape and affects anyone doing business in the EU. Its goals are to create more competition in the banking sector and to clarify who is responsible for what when a payment is made.
It applies to payment providers within the European Union (EU) and European Economic Area (EEA). The EU countries are Austria, Belgium, Bulgaria, Croatia, Republic of Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden and the UK.
The EEA also includes Iceland, Liechtenstein and Norway.
Please note that UK businesses will need to adhere to PSD2 as dictated by the Financial Conduct Authority in the UK, even in the event of a no-deal Brexit.
What is SCA?
One of the new requirements is Strong Customer Authentication (SCA) for electronic payments taken from European customers. SCA requires that a payment be authenticated with at least two of the following three independent elements:
Something the customer knows (e.g. a password or PIN)
Something the customer has (e.g. a phone, or the card itself)
Something the customer is (e.g. face or fingerprint recognition)
In practice this means two-factor authentication at checkout: not just the card details but also a password, PIN or biometric check from the cardholder. Card number, expiry date and CVC are all printed on the card, so entering them does not count as two elements; a second, independent element has to come from the cardholder at the time of payment.
SCA applies to electronic payments both online and in store. Contactless payments at the terminal are exempt below a per-transaction limit (€50) and a cumulative limit (€150 or five consecutive payments since the last PIN entry), after which the cardholder is asked for their PIN.
The most common implementation of SCA today is ‘3D Secure’ (3DS).
3DS is a form of two-factor authentication and therefore reduces fraud and chargebacks for the merchant. Card details alone, whether cloned from a physical card or stolen in a data breach, are no longer enough to make a payment: the fraudster also needs the second element that only the cardholder holds. It raises the bar rather than eliminating fraud outright, since a fraudster who also phishes the one-time code or takes over the cardholder's phone can still pass the check.
Common implementations of 3DS you might recognise are consumer-facing brands like Visa Secure (formerly Verified by Visa), Mastercard Identity Check (formerly SecureCode) or American Express SafeKey. 3DS was originally developed by Visa and the standard is now maintained by EMVCo, a body owned by the major card networks; the EMV name comes from its founders Europay, Mastercard and Visa.
How does 3DS work?
In 3DS there is an additional step in checkout where the cardholder must prove their identity to their card issuer (i.e. their bank), separately from the merchant.
In the original version of 3DS this was most commonly done by letting the customer set a static password the first time they checked out with a given debit or credit card, which was then used to authenticate them on future purchases. Most issuers have since moved to a one-time code sent by SMS, or to approval in the banking app, because a static password can be phished and reused.
One problem with 3DS is that this extra page is hosted by the card issuer or the card scheme, not the merchant, so during checkout the shopper is sent to (or shown a frame from) an unfamiliar URL and asked to enter a secret. Merchants rarely give this step any design attention. It confuses many users, and it trains them to type credentials into pages whose origin they cannot easily verify, which is exactly the behaviour phishing relies on.
Monzo, a UK bank, has a notably better approach. During the 3DS step the page simply asks the customer to open the Monzo app on their phone and approve or decline the payment there, so there is no secret to type into a web page at all.
Either way, 3DS authenticates the payment so that card details alone, cloned or stolen, cannot be used. The second element is held between the cardholder and the issuer and is never stored by or passed through the merchant, so even if a merchant's systems are compromised the attacker gets card data but not what is needed to complete a 3DS-protected payment.
Outside the US, card schemes and banks have encouraged 3DS by offering merchants lower processing fees and a liability shift: when a payment is authenticated through 3DS, fraud chargebacks fall on the issuer rather than the merchant. Some schemes mandate 3DS for merchants selling high-value items. In most cases a merchant that forgoes 3DS accepts full fraud and chargeback liability.
Why is 3DS not used in the USA?
Our European and British readers will be used to having to complete the extra 3DS step.
The US has a much larger and more fragmented banking system, and these changes met more resistance from customers in the mid-2000s. Instead, weaker checks are still used: the CVC (card verification code) and the Address Verification System (AVS), which compares the billing address the customer enters (in practice the numeric parts of the street address and the ZIP code) against the issuer's records. Neither is really authentication: the CVC is printed on the card and the billing address is usually known to anyone holding a stolen card, so they only confirm that whoever is paying has the card's printed details.
Will that change? Probably. US merchants that sell to European customers will have to enable 3DS due to PSD2 anyway. And the second generation of 3DS (3DS 2) reduces the usability problems by sending contextual data about the transaction to the issuer (order size, customer addresses, IP address, browser and device data, order history, location and so on) so the issuer can risk-assess and approve most payments in the background without showing the customer anything, the so-called frictionless flow.
Where the issuer is not satisfied, it triggers a challenge and the customer is asked for a one-time code, an app approval or a password in the usual way. The good news is that even in this case 3DS 2 renders the challenge inside the merchant's checkout (typically in a frame sized to the page) rather than on a redirect, which is less confusing and easier to brand.
Does every transaction require SCA/3DS?
No. Several exemptions let low-risk transactions skip SCA: low-value remote payments (under €30, up to a cumulative limit since the last SCA), recurring payments after the first, payments to a beneficiary the cardholder has whitelisted with their bank, and transaction risk analysis (TRA), where the acquirer or issuer may skip SCA on transactions up to €500 as long as its own fraud rate stays below reference thresholds that tighten as the amount goes up.
Some 3DS implementations request an exemption automatically for transactions deemed low risk. The merchant or acquirer only ever requests an exemption; the issuer has the final say and can still respond with a soft decline asking for a full 3DS challenge, so the checkout must be able to handle that case.
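To make the exemption rules concrete, here is an added example (not code from this post or from any payment provider) that works out which SCA exemption a checkout could request for a given payment. The thresholds are the ones in the SCA regulatory technical standards (Commission Delegated Regulation (EU) 2018/389): Article 11 for contactless, Article 16 for low-value remote payments and Article 18 for TRA. The data model, the function names and the sample card history are assumptions made for illustration; the counters that matter in reality live at the issuer, which is why the result is only ever a request.

```python
"""Which SCA exemption could a transaction be flagged for?

Added example, not code from the original post or from any payment provider.
Thresholds are those in the SCA regulatory technical standards (Commission
Delegated Regulation (EU) 2018/389): Article 11 (contactless), Article 16
(low-value remote payments) and Article 18 (transaction risk analysis, TRA).
The data model, function names and the sample history are assumptions made
for illustration; amounts are held in euro cents to avoid float rounding.
"""
from dataclasses import dataclass

# Article 16: low-value remote (card-not-present) payments.
LOW_VALUE_LIMIT = 30_00
LOW_VALUE_CUMULATIVE = 100_00
LOW_VALUE_MAX_COUNT = 5

# Article 11: contactless payments at the terminal.
CONTACTLESS_LIMIT = 50_00
CONTACTLESS_CUMULATIVE = 150_00
CONTACTLESS_MAX_COUNT = 5

# Article 18: TRA bands as (amount ceiling, maximum reference fraud rate in %).
# The PSP's rolling fraud rate for remote card payments must not exceed the
# rate of the band the amount falls into; above 500 EUR there is no TRA exemption.
TRA_BANDS = ((100_00, 0.13), (250_00, 0.06), (500_00, 0.01))


@dataclass
class Transaction:
    amount: int          # euro cents
    remote: bool         # True for online / in-app (card-not-present)
    contactless: bool = False


@dataclass
class CardHistory:
    """Counters since the cardholder last completed SCA on this card.

    Constructed for the example. Only the issuer holds the real counters,
    which is why a merchant can only request an exemption, never grant one.
    """
    cumulative_amount: int = 0
    consecutive_count: int = 0


def _within_cumulative(tx: Transaction, history: CardHistory,
                       max_amount: int, max_count: int) -> bool:
    # The RTS lets the issuer apply either the amount counter or the count
    # counter. This example applies both (the stricter reading), so an
    # exemption is only suggested when neither limit would be exceeded.
    return (history.cumulative_amount + tx.amount <= max_amount
            and history.consecutive_count + 1 <= max_count)


def low_value_exempt(tx: Transaction, history: CardHistory) -> bool:
    return (tx.remote and tx.amount <= LOW_VALUE_LIMIT
            and _within_cumulative(tx, history, LOW_VALUE_CUMULATIVE, LOW_VALUE_MAX_COUNT))


def contactless_exempt(tx: Transaction, history: CardHistory) -> bool:
    return (not tx.remote and tx.contactless and tx.amount <= CONTACTLESS_LIMIT
            and _within_cumulative(tx, history, CONTACTLESS_CUMULATIVE, CONTACTLESS_MAX_COUNT))


def tra_exempt(tx: Transaction, psp_fraud_rate_pct: float) -> bool:
    """TRA applies to remote payments only; the band is chosen by amount."""
    if not tx.remote:
        return False
    for ceiling, max_rate in TRA_BANDS:
        if tx.amount <= ceiling:
            return psp_fraud_rate_pct <= max_rate
    return False


def sca_decision(tx: Transaction, history: CardHistory, psp_fraud_rate_pct: float) -> str:
    """Return the exemption to request, or 'challenge' if none applies.

    Even when this returns an exemption the issuer may still answer with a
    soft decline asking for SCA, so the checkout must be able to run a 3DS
    challenge on retry.
    """
    if low_value_exempt(tx, history):
        return "exempt:low_value"
    if contactless_exempt(tx, history):
        return "exempt:contactless"
    if tra_exempt(tx, psp_fraud_rate_pct):
        return "exempt:tra"
    return "challenge"


if __name__ == "__main__":
    fresh = CardHistory()
    busy = CardHistory(cumulative_amount=80_00, consecutive_count=3)  # constructed
    for tx, hist, rate in [
        (Transaction(25_00, remote=True), fresh, 0.10),   # low value
        (Transaction(25_00, remote=True), busy, 0.10),    # cumulative cap hit, TRA instead
        (Transaction(300_00, remote=True), fresh, 0.05),  # rate too high for the 500 band
        (Transaction(40_00, remote=False, contactless=True), fresh, 0.0),
    ]:
        print(tx, "->", sca_decision(tx, hist, rate))
```

Two design points worth noting. Money is kept in integer cents so that threshold comparisons are exact, and both cumulative counters are applied together even though the RTS lets an issuer pick one; a merchant-side check that is stricter than the issuer's only costs a few unnecessary challenges, whereas one that is looser produces soft declines that the checkout then has to recover from.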
Alex is Co-founder at We Make Websites, the go-to Shopify agency for global commerce. We Make Websites design, develop and optimise e-commerce websites for the fastest growing brands on the planet, with teams in London and New York. Alex is an international speaker on ecommerce, brand and business growth.