The Regulatory Technical Standards (RTS) within the framework of the Second EU Payment Services Directive (PSD2) and the required strong customer authentication came into effect in mid-September 2019. This presented a new challenge for European online merchants, as well as their customers, acquirers and card issuers. We have put together a summary of the most important information for you.
Payment transactions have changed significantly in the European Union since 14 September 2019. With the Payment Services Directive (PSD2), the EU aims to increase the security of electronic payment transactions, promote innovation and competition and increase consumer protection. The new standards will, in particular, make online shopping more secure and user-friendly and, at the same time, increase conversion rates and the volume in e-commerce. In order to give online retail businesses more time for implementation, a transition period for implementing strong customer authentication has been granted.
What is meant by strong customer authentication?
PSD2 will introduce new, stricter rules for online payment processes. A static password will no longer be sufficient. In the future, customers will be required to identify themselves for online payments with two out of three different criteria (“two-factor authentication” or “strong customer authentication”).
something the customer knows (e.g. password, PIN, secret question)
something the customer has (e.g. mobile phone, wearable device, security token provided by the bank)
something unique that belongs to the customer (e.g. fingerprint, voice, iris or facial recognition)
The double check serves to increase security for online and card payments. In order to put these standards into practice, merchants must implement 3-D Secure in their online shop.
A brief explanation of 3-D Secure 2.0
Many online merchants in Europe are already familiar with the form of customer authentication known as 3-D Secure 1.0. Developed by the card organizations Mastercard and Visa, this procedure involves redirecting cardholders to an external website or pop-up window during the payment process. In order to verify their identity, customers must enter a code or a password. In the past, this led to payments being aborted, and the procedure is not really suitable for mobile payments. For this reason, numerous merchants have not implemented 3-D Secure 1.0 to date.
With PSD2 coming into effect, it is no longer optional for merchants to implement 3-D Secure. This is because the banks that issue the cards may in future decline online payments that have not been authenticated using 3-D Secure. This is why 3-D Secure 2.0 was developed: a modern process that fully complies with the new standards and also takes into account future market requirements. In this regard, increased value was placed on an improved customer experience during online shopping, in particular on smartphones, for in-app purchases and the use of cyberwallets.
Exceptions and “Frictionless Flow”
An important principle of the new strong authentication requirements is that consumers are only required to prove their identity during online transactions in which the risk of fraud is considered to be higher.
Online payments that qualify for an exception are authorised automatically (“Frictionless Flow”) without the customers being asked to confirm their identity. 3-D Secure will then only be triggered when these exceptions do not apply.
What do merchants need to do?
After the expiry of the transition period, customers are obliged to ensure that they provide two-factor authentication for card payments using the 3-D Secure protocol. At the same time, merchants should check their online payment model and redesign their checkout process.
SIX Payment Services already meets the requirements and supports strong customer authentication with 3-D Secure 2.0.
What is the transition period for?
In order to give online retail businesses more time for the implementation process, the European Banking Authority (EBA) has granted local regulators the option of setting a transition period for implementing strong customer authentication. This transition period has already come into effect in countries such as Belgium, Germany, France, Great Britain, Italy, Luxembourg, the Netherlands and Austria. The duration of the transition period will be announced by the local supervisory authorities in the course of the fourth quarter of 2019.
SIX Payment Services is all set for PSD2
SIX Payment Services was one of the first payment providers in Europe to process live transactions with strong customer authentication for European merchants. In this regard, a smooth process for online payments is ensured, exceptions are managed and the online customer experience for your customers is optimised.
SIX Payment Services works with a number of merchants in order to guarantee compliance with the new policy. Our experts are ready to provide you with support in making the change so that, in the future, you can implement online payment processes that are more secure, more intelligent and easier to use.