Payment Services Directive 2020
What is PSD2?
Payment Services Directive (PSD) legislation came into effect in 2001 to regulate payment services and payment service providers throughout the European Union (EU) and European Economic Area (EEA). In January 2018, the new EU Payment Services Directive (PSD2) took effect with the following objectives:
- Enhancing competition within the digital payments market
- Facilitate innovation, making it easier and safer to make payments online
- Protection of consumers
- Increasing security and contribution to a single EU Market in retail payments
When it comes to payments, security and convenience is essential, which is why AIBMS support the spirit of the regulation.
September 14th 2019 was the original hard deadline for businesses to become compliant. However, the Central Bank of Ireland (CBI) along with other Competent Authorities (CA’s) within the EU stated that there will be a ‘limited migration period’ for implementation of Strong Customer Authentication (SCA). That Migration period ends on 31st December 2020. This migration period related to ecommerce transactions only. This is a significant deadline, when the PSD2 Regulatory Technical Standards (RTS) on Strong Customer Authentication (SCA) legally applies within Europe.
What is Strong Customer Authentication (SCA)?
SD2 requires Strong Customer Authentication (SCA) to be applied to all electronic payments within the European Economic Area (EEA). The SCA mandate is accompanied by some exemptions with the goal of supporting the frictionless cardholder experience. We will cover these exemptions later within this update. SCA can be performed using two factor authentication, for example, two of the following factors have to be used systematically during the authentication process:
Category | Description | Example |
---|---|---|
Knowledge | Something only the Cardholder knows
|
A Password, A Pin, Memorable Information |
Possession | Something only the Cardholder has
|
A pre-registered mobile phone, card reader or keyfob
|
Inherence | Something the Cardholder is
|
A biometric (facial recognition, finger print, voice recognition, behavioural biometric) |
What solution does AIBMS recommend as a solution for SCA?
For online payments today, 3D Secure (3DS) is the most common way to authenticate a card payment and this scheme requires the cardholder to enter an additional password when they make an online purchase, familiar ones known as ‘Verified by Visa’ or ‘MasterCard SecureCode’ for Visa and MasterCard respectively.
3D secure version 2.0 is a newer version of the authentication protocol and will be the main method AIBMS recommend to authenticate online card payment to meet the SCA requirements. Unlike some of the shortcomings associated with 3D secure version 1.0, such as requiring a cardholder to remember their own password causing a number of customers not complete their purchase. 3D secure version 2.0 has been developed with the goal of improving the overall performance of the 3D secure program and supports the payments industry in delivering a consistent, and frictionless, user experience across all e-commerce channels and connected devices. Through supplying more data in the payment, it is understood this will speed up authentication and boost security, and could improve drop off decline rates up to 70% according to a recent study from Visa.
Other card-based payment methods such as Apple Pay or Google Pay already support payment flows with a built-in layer of authentication (biometric or password). These can be a great way for merchants to offer a frictionless checkout experience while meeting the new requirements.
https://www.visaeurope.com/media/pdf/visa-infographic.pdf
When does SCA apply?
September 14th 2019 was the original hard deadline for businesses to become compliant. However, the Central Bank of Ireland (CBI) along with other Competent Authorities (CA’s) within the EU stated that there will be a ‘limited migration period’ for implementation of Strong Customer Authentication (SCA). That Migration period ends on 31st December 2020. This migration period related to ecommerce transactions only. This is a significant deadline, when the PSD2 Regulatory Technical Standards (RTS) on Strong Customer Authentication (SCA) legally applies within Europe.
Strong Customer Authentication (SCA) is required on all electronic payments within the European Economic Area (EEA) that are cardholder initiated. This means for every transaction where both the cardholder bank and the merchant is located within the EEA region, SCA will be required.
To clarify, the list of EEA countries where SCA applies is as follows:
Austria, Belgium, Bulgaria, Croatia, Republic of Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, UK, Iceland, Liechtenstein and Norway
There are some transactions which are deemed ‘out of scope’ and therefore it is not mandatory to for SCA to be applied. These are:
- ‘One leg out’ transactions – either the cardholders bank (card issuer) or the merchant is outside of the EEA
- Merchant-initiated transactions (MIT) – Some merchants store cardholder payment details for future payments. These are typically agreed upon deferred/delayed payments and require an agreement between the cardholder and the merchant to charge the card at a point in the future. Merchants with these types of transactions will need ensure the first transaction in this process is authenticated through the application of SCA, this is typically at the point of securely storing the card details or on the first payment, whenever the cardholder is present.
- Mail order and telephone order transactions (known as MO/TO) – where cardholders make payments over the telephone or via mail order
- Anonymous payments
Card Present Transactions
Card Present transactions are already compliant with Strong Customer Authentication (SCA) due to the use of Chip and Pin. In a card present environment, the convenience of contactless at point-of-sale would remain for low value transactions up to a maximum of €50 Ireland and £50 within the UK, other countries may vary.
Exemptions
One of the objectives of the PSD2 is enhancing competition and with this in mind there are some transactions that may be exempt from Strong Customer Authentication (SCA). It is vitally important to understand that whilst the below exemptions exist, ultimately it is the cardholders bank that will decide whether or not to accept a transaction with an exemption and no SCA.
AIBMS recommend that any merchants planning to submit transactions with exemptions, are also planning and building processes to handle situations where cardholders banks (issuers) decline transactions due to no SCA. In these situations merchants will need to manage the cardholder experience in order to support the initial decline and present the cardholder with the ability to authenticate the transaction using SCA and resubmit the transaction for approval.
Low Value Transactions
Transactions below €30 will be considered as ‘Low Value’ and therefore may be exempt from SCA. However, if a cardholder has used the exemption five times since the last successful authentication or if previously exempt payment value exceeds €100, SCA will be required.
Recurring Payments
Fixed amount Recurring Payments such as subscriptions to the same merchant are exempt, but it is important to note that SCA will be required for the cardholders 1st payment, and all subsequent may be exempt from SCA.
Whitelisting / Trusted Beneficiaries
Cardholders can ‘whitelist’ merchants that they trust or add them to their trusted beneficiaries list which is held and managed by the cardholders bank (issuer). To add a merchant SCA will be required, so that future payments will be exempt from SCA. The cardholders bank (issuer) will manage the associated criteria and how this solution is offered to each cardholder to manage will likely differ by issuer.
Secure Corporate Payments
Where a legal person initiating electronic payment transactions through the use of dedicated payment processes or protocols that are only made available to payers who are not consumers. A good example would be lodged corporate cards, which are used for employee travel and managed directly by a travel agent.
Transaction Risk Analysis (TRA)
Subject to the prior approval from the acquirer (AIBMS) the Transaction Risk Analysis (TRA) exemption may be applied based on the Payment Provider (in this case AIBMS) or the cardholders banks fraud rates.
- 13% to exempt transactions below €100
- 06% to exempt transactions below €250
- 01% to exempt transactions below €500
In this case, the exemption will allow an acquirer to request an exemption if they deem the transaction to be low risk and the acquirer fraud rate is within the required thresholds to support the exemption. The TRA exemption is different to that of the Low Value Transaction, as transactions below €30 may still apply the exemption from SCA. It is important to note, the cardholders bank (issuer) still has the ability to decline the exemption and ask for transactions to be supplied with SCA.
Contactless Payments
Similarly with Low Value Transactions, Contactless payments made at a point of sale will be exempt up to a maximum value of €50. The exemption is for up to for up to five consecutive transactions or an accumulated value up to €150. The maximum limit of €50 within the Directive may vary from country to country based on local application.
Unattended Terminals
Transactions made at unattended terminals which typically apply to transport fares or parking fees will be exempt from SCA
What do you need to do now?
AIBMS is currently working with all payment gateway providers to ensure that the required technical solutions are in place to support the correct transaction flagging. This technical work includes our own payment gateway updates with Authipay to ensure we can support this new legislation by the 31st December 2020 deadline.
If you have not already engaged with your payment gateway to, we strongly recommend that you do so to understand what, if any, changes you may need to make to support Strong Customer Authentication to help protect you cardholders against fraud and be compliant with the PSD2 legislation.
For any further questions, please review our FAQs or contact your relationship manager or our helpdesk for further information.
Helpful Industry Documents
Visa have provided a very useful toolkit which answers questions in relation to 3DS 2.0 along with their PSD2 Implementation Guide.
In addition Visa published a sector related document for the Travel and Hospitality sector.
Click here to see the 3DS 2.0 Transaction Flows which outlines the route of a transaction for both a frictionless flow and a challenged transaction flow.
As noted above the deadline to implement the required changes to become PSD2 compliant is now 31st December 2020.
FAQs
What is PSD2?
Payment Services Directive (PSD) legislation came into effect in 2001 to regulate payment services and payment service providers throughout the European Union (EU) and European Economic Area (EEA). In January 2018, the new EU Payment Services Directive (PSD2) took effect with the following objectives:
- Enhancing competition within the digital payments market
- Facilitate innovation, making it easier and safer to make payments online
- Protection of consumers
- Increasing security and contribution to a single EU Market in retail payments
When it comes to payments, security and convenience is essential, which is why AIBMS support the spirit of the regulation.
September 14th 2019 was the original hard deadline for businesses to become compliant, However, the Central Bank of Ireland (CBI) along with other Competent Authorities (CA’s) within the EU stated that there will be a ‘limited migration period’ for implementation of Strong Customer Authentication (SCA). That Migration period ends on 31st December 2020. This migration period related to ecommerce transactions only.
For AIBMS, its merchants and cardholders this revised date is the next key deadline, when the PSD2 Regulatory Technical Standards (RTS) on Strong Customer Authentication (SCA) legally applies within Europe.
What is Strong Customer Authentication (SCA)?
PSD2 requires Strong Customer Authentication (SCA) to be applied to all electronic payments within the European Economic Area (EEA). The SCA mandate is accompanied by some exemptions with the goal of supporting the frictionless cardholder experience. We will cover these exemptions later within this update. SCA can be performed using two factor authentication, for example, two of the following factors have to be used systematically during the authentication process:
Category | Description | Example |
Knowledge | Something only the Cardholder knows
|
A Password, A Pin, Memorable Information |
Possession | Something only the Cardholder has
|
A pre-registered mobile phone, card reader or keyfob
|
Inherence | Something the Cardholder is
|
A biometric (facial recognition, finger print, voice recognition, behavioural biometric) |
When does SCA Apply (Strong Customer Authentication)
Strong Customer Authentication (SCA) is required on all electronic payments within the European Economic Area (EEA) that are cardholder initiated. This means for every transaction where both the cardholder bank and the merchant is located within the EEA region, SCA will be required.
To clarify, the list of EEA countries where SCA applies is as follows:
Austria, Belgium, Bulgaria, Croatia, Republic of Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, UK, Iceland, Liechtenstein and Norway.
How is AIB Merchant Services preparing for the regulation?
At AIBMS we have been developing the technical solutions required to support SCA on the payments platform used to process your transactions. We have updated our Authorisation and Settlement Specification which your PSP /Gateway uses to integrate with us to ensure they can also support the requirements of your business.
These specifications have been provided to the approved gateways and we are working with them to facilitate getting their technical updates completed.
What Solution does AIBMS recommend for SCA?
For online payments today, 3D Secure (3DS) is the most common way to authenticate a card payment. Each scheme requires the cardholder to enter an additional password when they make an online purchase ie. ‘Verified by Visa’ or ‘MasterCard SecureCode’ for Visa and MasterCard respectively.
3D Secure 2.0 is a newer version of the authentication protocol and will be the main method AIBMS recommend to authenticate online card payment to meet the SCA requirements. 3DS 2.0 alleviates some of the shortcomings associated with 3D Secure 1.0, such as requiring a cardholder to remember their own password which can result in a number of customers not completing their purchase. 3DS 2.0 has been developed with the goal of improving the overall performance of the 3DS program and supports the payments industry in delivering a consistent, and frictionless, user experience across all e-commerce channels and connected devices. Through supplying more data in the payment, it is understood this will speed up authentication, boost security and could improve drop off decline rates up to 70% according to a recent study from Visa1 .
Other card-based payment methods such as Apple Pay or Google Pay already support payment flows with a built-in layer of authentication (biometric or password). These can be a great way for merchants to offer a frictionless checkout experience while meeting the new requirements.
https://www.visaeurope.com/media/pdf/visa-infographic.pdf 1
What do I need to do between now and December 31st to ensure my business is ready?
You need to identify what payment transactions your business accepts. If you take ecommerce transactions you will need to check if you currently use 3DS and if unsure engage with your Payment Service Provider (PSP)/Gateway and your Website/App Developer to understand how they can assist with getting your business ready for September.
What is 3D Secure?
3D Secure is the global specification for card payment security developed by EMVCo. EMVCo is collectively owned by American Express®, Diners Club International®, Discover Global Network®, JCB®, Mastercard®, UnionPay® and Visa®.
What is 3D Secure 1.0?
3D Secure 1.0 is an authentication process introduced to reduce online fraud and enable the cardholder to make safe and secure online payments.
Is 3DS Version 1.0 compliant with the new regulation (SCA)?
3DS Version 1.0 will not be compliant beyond 31st December 2020 and if you are currently operating on this version you should work with your PSP to migrate to 3Ds Version 2.0 or higher before the 31st December 2020.
What is 3D Secure 2.0?
3D Secure 2.0, also known as EMV® 3-D Secure, is the updated version of 3D Secure 1.0.3D Secure 2.0 is a new version of authentication, designed to be frictionless, faster and safer, eventually replacing the old redirect of 3D Secure 1.0 with a dynamic bridge between the issuing banks and merchants. It is also designed to enhance competition within the digital payments market.
What are 'One leg out' Transactions
Either the cardholders bank (card issuer) or the merchant is domiciled outside of the EEA.
What are Merchant-initiated transactions (MIT)
Some merchants store cardholder payment details for future payments. These are typically deferred/delayed payments and require an agreement between the cardholder and the merchant to charge the card at a point in the future. Merchants with these types of transactions will need ensure the first transaction in this process is authenticated through the application of SCA, this is typically at the point of securely storing the card details or on the first payment, whenever the cardholder is present.
What are Mail order and telephone order transactions (known as MO/TO)
Where cardholders make payments over the telephone or via mail order.
What will happen on the 31st of December if I do not have any version of 3DS enabled on my ecommerce website?
If a transaction is taken without SCA or a legitimate exemption flagged correctly, it is the view of AIBMS that there is a higher possibility of the issuers declining the transaction. The issuing banks do not want to be in a position whereby this is their only option so the adoption of 3DS is a vital requirement to ensure there is no impact to your business.
How will I know which Issuers will be ready for 3DS 2.0 and when?
The schemes are able to provide an updated list of all issuing BINs which are registered and available for 3DS 2.0. Your gateway provider should be able to send a request to the schemes directory servers to advise of a list of BINs and which version they are registered for.
What is SCA Dynamic Linking?
For electronic payments under SCA, each authentication event must be linked to a specific amount and payee (dynamic linking). This requirement, effectively binding authentication to the payee and the amount, aims at ensuring that a valid authentication code is only used once and for the specific electronic payment for which the authentication is requested. The objective is to reduce “man in the middle” attacks.
What are SCA exemptions
One of the objectives of the PSD2 is enhancing competition and with this in mind there are some transactions that may be exempt from Strong Customer Authentication (SCA). It is vitally important to understand that whilst the below exemptions exist, ultimately it is the cardholders bank that will decide whether or not to accept a transaction with an exemption and no SCA.
AIBMS recommend that any merchants planning to submit transactions with exemptions, are also planning and building processes to handle situation where cardholders banks (issuers) decline transactions due to no SCA. In these situations merchants will need to manage the cardholder experience in order to support the initial decline and present the cardholder with the ability to authenticate the transaction using SCA and resubmit the transaction for approval.
Low Value Transactions
Transactions below €50 will be considered as ‘Low Value’ and therefore may be exempt from SCA. However, if a cardholder has used the exemption five times since the last successful authentication or if previously exempt payment value exceeds €100, SCA will be required.
Recurring Payments
Fixed amount Recurring Payments such as subscriptions to the same merchant are exempt, but it is important to note that SCA will be required for the cardholders 1st payment, and all subsequent may be exempt from SCA.
Secure Corporate Payments
Where a legal person initiating electronic payment transactions through the use of dedicated payment processes or protocols that are only made available to payers who are not consumers. A good example would be lodged corporate cards, which are used for employee travel and managed directly by a travel agent.
Whitelisting / Trusted Beneficiaries
Cardholders can ‘whitelist’ merchants that they trust or add them to their trusted beneficiaries list which is held and managed by the cardholders bank (issuer). To add a merchant SCA will be required, so that future payments will be exempt from SCA. The cardholders bank (issuer) will manage the associated criteria and how this solution is offered to each cardholder to manage will likely differ by issuer.
Transaction Risk Analysis (TRA)
Subject to the prior approval from the acquirer (AIBMS) the Transaction Risk Analysis (TRA) exemption may be applied based on the Payment Provider (in this case AIBMS) or the cardholders banks fraud rates.
- 13% to exempt transactions below €100
- 06% to exempt transactions below €250
- 01% to exempt transactions below €500
In this case, the exemption will allow an acquirer to request an exemption if they deem the transaction to be low risk and the acquirer fraud rate is within the required thresholds to support the exemption. The TRA exemption is different to that of the Low Value Transaction, as transactions below €30 may still apply the exemption from SCA. It is important to note, the cardholders bank (issuer) still has the ability to decline the exemption and ask for transactions to be supplied with SCA.
Contactless Payments
Similarly with Low Value Transactions, Contactless payments made at a point of sale will be exempt up to a maximum value of €50. The exemption is for up to for up to five consecutive transactions or an accumulated value up to €150. The maximum limit of €50 within the Directive may vary from country to country based on local application.
Unattended Terminals
Transactions made at unattended terminals which typically apply to transport fares or parking fees will be exempt from SCA
Is there an order or preference/priority on the exemptions a merchant should apply to a transaction?
With the objective of PSD2 being around making payments more secure and the fact that the legislation forces the adoption of 3DS as a level playing field for merchants the priority for your business should be to adopt 3DS processing as much as possible then avail of the exemptions. It is important to note with exemptions that an issuing bank at any time can choose to challenge any payment with an exemption.
How does this regulation impact cardholders?
Card holders will be impacted by a number of pieces of this regulation in addition to the changes they will see when paying on your site. For more information in relation to card holders we suggest watching the helpful videos provide by the Banking and Payments Federation of Ireland.