We’ve put together some commonly asked questions to provide additional guidance on the new Strong Customer Authentication regulation and what it means for your business. If you can’t find what you’re looking for, contact us: our customer support team is on hand to help 24/7.
1. What is the Payment Services Directive (PSD2)?
PSD2 was introduced by the European Commission as a follow-up to the original Payment Services Directive (PSD) and took effect in January 2018. The aim was to bring in new laws to increase customer protection, foster innovation and inspire pan-European competition.
A key element of PSD2 is the introduction of the Regulatory Technical Standard (RTS) on Strong Customer Authentication (SCA) which applies to card-based ecommerce transactions in the European Economic Area (EEA).
2. When did SCA come into force?
Strong Customer Authentication was due to come into force in the UK on 14 September 2021. The Financial Conduct Authority (FCA) announced a 6-month extension to the deadline in recognition of the exceptional circumstances of the Covid crisis. The final implementation date was 14 March 2022. The next milestone in the SCA implementation timeline is the retirement of 3DSv1 by card schemes on 15 October 2022.
From 1 June 2021, card schemes gradually began implementing Strong Customer Authentication, and e-commerce transactions were increasingly checked for 3DS compliance. We recommended that merchants enable 3DSv2 before this date to ensure no disruption to payment processing as the ramp-up began.
The first step to achieving SCA compliance is to ensure your ecommerce payments have version one enabled. You can find out how to do this on page 8 of our MySagePay User Guide.
3DSv2 functionality is now available to Opayo customers in our test and live environments giving merchants an early opportunity to test how best to incorporate SCA compliance together with an improved user experience at checkout.
3. What is SCA and how does it affect my business?
Strong Customer Authentication makes payments more secure for both your business and the customer by adding an extra layer of protection known as two-factor authentication (2FA). Customers are now required to provide at least two of the following forms of identification when making a payment:
Something the customer knows e.g. a PIN or password
Something the customer possesses e.g.
Something the customer is
Since 14 March 2022, all ecommerce transactions are processed via a secure industry protocol such as 3D Secure (with some exemptions, detailed below).
4. What is the purpose of SCA?
Payment fraud losses have been steadily increasing for nearly a decade with little sign of easing. Merchants increasingly face a delicate balance between ensuring customer security and convenience, while minimising fraud and friction.
Strong Customer Authentication has been introduced to help combat fraud by improving customer security while reducing the liability held against businesses for unauthorised transactions.
5. How will SCA affect the customer payment journey?
Today, payments are typically authenticated using 3DSv1 (sometimes known as Verified by Visa, Mastercard SecureCode, Amex SafeKey, Diners ProtectBuy, and JCB J-Secure) where the customer is asked to provide additional authentication data such as a password or an SMS verification code.
From March 2020, UK card issuers and/or acquirers began to gradually step up payments, requesting that 3D Secure be performed with two-factor authentication (2FA). When 3DSv2 is used, around 90% to 95% of authentication requests have resulted in a frictionless authentication, where the customer doesn’t even realise that authentication has taken place.
Contactless card machine transactions are subject to new rules. Card issuers are required to prompt the cardholder to perform a Chip and PIN transaction each time their cumulative contactless spend reaches £150 since their last Chip and PIN transaction.
6. What are the benefits of 3D Secure version 2?
During a 3D Secure authentication, how the authentication is performed is up to the card issuer. It’s possible to achieve SCA with 3DSv1, however 3DSv2 makes this much easier. Opayo’s upgrade to 3DSv2 introduces a better user experience:
Added security and protection for your business and your customers
Increased cardholder confidence when transacting with your business
Reduced fraud and chargebacks - liability shifts to the card issuer
Frictionless authentication, where the customer doesn’t even realise that authentication has taken place, e.g. biometric authentication using fingerprint, facial or voice recognition
Improved risk-based decisions using rich cardholder data leading to higher approval rates
Full support for all available exemption types and payment device types
When 3DSv2 is enabled, it is estimated that only 5% to 10% of authentications result in the cardholder being redirected to their bank’s 3D Secure page to complete 2FA. Most authentication requests result in a frictionless authentication, with an authorisation rate of up to 90%. What’s more, liability for unauthorised transactions passes to the card issuer, saving you time and money on potential disputes.
7. When do I need to activate 3D Secure version 2?
Since 14 March 2022, card-issuing banks have expected full 3D Secure V2 authentication for in-session e-commerce transactions; any non-3D Secure transaction after this point risks being declined. 3D Secure V1 will be decommissioned by the card schemes on 15 October 2022, so your integration will need to fully support 3D Secure V2 verification by this date.
3DSv2 functionality is now available to Opayo customers in our test and live environments giving merchants an opportunity to test how best to incorporate SCA compliance together with an improved user experience at checkout.
8. How can I activate 3D Secure?
You can find out how to do this on page 10 of our MySagePay User Guide.
Your integration type determines if you need to make any further changes to support 3DSv2:
Form – No change. Fully supports 3DSv2
Server – No change. Fully supports 3DSv2
Direct – Extra 9 fields need to be submitted for 3DSv2.
Pi – Extra 8 fields need to be submitted for 3DSv2.
9. How do I know what integration I am on?
If you don’t know which integration your website uses, you can find this in MySagePay by clicking on any successful payment, then choose Additional Details from the left menu. You will see the integration in the System Used field.
10. How do I test?
If you are using the Direct integration method, the integration documentation can be found here.
If you are using the Pi integration method, the integration documentation can be found here.
For Form and Server integrations, there is no change with the payment flow or with request and responses that you will submit to and receive from Opayo. You can, if you choose to, try some of the magic values to see the difference between the frictionless and challenge flows.
11. What exemptions apply?
There are several exemptions to SCA that may be requested to improve the payment experience.
You first need to speak with your acquirer to get their approval of any exemptions you choose to use. Once your acquirer has advised of suitable exemptions for your business model, you can request an exemption on a per transaction basis when submitting your transaction request to Opayo. If you choose to use an exemption, any chargeback liability is passed to you for the transaction.
The card issuer may not always agree with your exemption. In this instance, they may return a ‘soft decline’ and request that 2FA is performed.
Card issuers will allow your customer to add you as a trusted beneficiary, either during 2FA, or when they log into their card account. Once they have added you as a trusted beneficiary, you can apply for this exemption so that this applies every time they shop with you.
Recurring transactions or subscriptions
After initial set-up, a subscription or membership fee consisting of repeat payments of the same amount to the same payee (i.e. a direct debit) is exempt from authentication. Since your customer is off-session when a recurring transaction is performed, they cannot be expected to perform an authentication. However, 2FA must be performed for the first transaction of a recurring series, where your customer is in-session.
Trusted Risk Analysis (TRA)
This exemption can be used if you have a low chargeback rate, typically between 1 and 13 chargebacks per 10,000 transactions. The permitted rate varies with the transaction value, up to and including £430 (€500); you cannot use this exemption for transaction values over £430 (€500). Overall fraud rates for card payments must not exceed the following thresholds:
- 0.13% to exempt transactions below £90 (€100)
- 0.06% to exempt transactions below £215 (€250)
- 0.01% to exempt transactions below £430 (€500)
Low-value transactions (LVT)
A Low Value Transaction (LVT) is one that is €30 or less. This exemption is permitted for a maximum of five LVTs per card account per day, provided the cumulative value does not exceed €100 a day. If the cardholder uses their card to make 5 consecutive low value payments, or a total that exceeds €100, SCA will be required. This is not a straightforward exemption: your customer could already have consumed their permitted allowance elsewhere before purchasing an item from your website. If this is the case, the card issuer may “soft-decline” the transaction and request that your customer performs 2FA.
You can only use this exemption if you have participated in a delegated authentication program with the card schemes, where the card scheme approves delegation of the authentication process to you.
Secure Corporate payment
If your customer is paying with a lodged corporate card (one typically used to book travel for all employees of a company), this exemption can be used. It cannot be used for personal corporate cards.
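As an added example (not Opayo’s code), the TRA fraud-rate bands and the LVT limits described above expressed as a small exemption checker, showing why a request can still end in a soft decline and a 2FA challenge. The helper names, the per-card counter standing in for the issuer’s tally, and treating the band limits as inclusive are assumptions:

```python
# Added example (not Opayo code): which SCA exemption a merchant can request,
# using the TRA fraud-rate bands and LVT limits quoted above. Names assumed.
from dataclasses import dataclass
from typing import Optional

# TRA: highest overall fraud rate (%) allowed to exempt amounts up to each
# band limit (EUR, treated as inclusive); nothing above EUR 500 qualifies.
TRA_BANDS = [(100.0, 0.13), (250.0, 0.06), (500.0, 0.01)]
LVT_MAX_AMOUNT = 30.0       # an LVT is EUR 30 or less
LVT_MAX_COUNT = 5           # at most five consecutive LVTs per card per day
LVT_MAX_CUMULATIVE = 100.0  # and their combined value may not exceed EUR 100

def tra_allowed(amount_eur: float, fraud_rate_pct: float) -> bool:
    """True when the merchant's fraud rate is within the band for this amount."""
    for band_limit, max_rate in TRA_BANDS:
        if amount_eur <= band_limit:
            return fraud_rate_pct <= max_rate
    return False  # above EUR 500 TRA cannot be requested at all

@dataclass
class IssuerCardCounter:
    """Constructed model of the issuer's per-card daily LVT tally; the merchant
    never sees it and only learns it is spent through a soft decline."""
    count: int = 0
    total_eur: float = 0.0

    def lvt_allowed(self, amount_eur: float) -> bool:
        return (amount_eur <= LVT_MAX_AMOUNT and self.count < LVT_MAX_COUNT
                and self.total_eur + amount_eur <= LVT_MAX_CUMULATIVE)

def choose_exemption(amount_eur: float, fraud_rate_pct: float) -> Optional[str]:
    """Merchant side: exemption to request, or None to go straight to 2FA."""
    if amount_eur <= LVT_MAX_AMOUNT:
        return "LVT"
    return "TRA" if tra_allowed(amount_eur, fraud_rate_pct) else None

def authorise(amount_eur: float, fraud_rate_pct: float,
              issuer: IssuerCardCounter) -> str:
    """'frictionless' if the issuer accepts the requested exemption, otherwise
    'challenge' (soft decline or no exemption), meaning 2FA must be performed."""
    requested = choose_exemption(amount_eur, fraud_rate_pct)
    if requested == "LVT" and issuer.lvt_allowed(amount_eur):
        issuer.count += 1
        issuer.total_eur += amount_eur
        return "frictionless"
    if requested == "TRA":
        return "frictionless"
    return "challenge"
```

Note that the merchant-side logic alone cannot predict the LVT outcome, because the card's daily allowance may already have been used elsewhere; the integration must always be ready to complete a 3DS challenge after a soft decline.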
12. Does this affect Mail Order Telephone Orders (MOTO) payments?
13. Does the Payment Services Directive (PSD2) apply to transactions outside of Europe?
Strong Customer Authentication applies to card-based ecommerce transactions (including digital wallets backed by cards) where both the card issuer (i.e. the financial institution with which the cardholder has a relationship) and the acquirer (i.e. the financial institution with which the merchant has a relationship) reside within the European Economic Area (EEA).
As an example, if your customer is making a purchase with a card issued outside of the EEA, then SCA does not apply. If your customer is making a purchase with a card issued inside the EEA, but your acquirer is registered outside of the EEA, then SCA does not apply.
14. I’m still confused, where can I find more information?
For more information please visit our support pages. We're here to help 24/7, 365 days a year. Existing customers can contact our dedicated UK-based support team on 0191 313 0299 or email us and we'll aim to get back to you within 24 hours.