The revised Payment Services Directive ("PSD2") makes significant amendments to the laws that govern payment services in the EU. This includes the introduction of enhanced security protocols called strong customer authentication ("SCA"), for online transactions worth over €30. Merchants in the UK are applying this to transactions over £30.
What is SCA?
SCA requires a dual authentication process, whereby two independent sources of validation are combined to approve a customer's purchase. The authentication factors must be derived from two of the following three defined categories:
- knowledge (e.g. a password or PIN);
- possession (e.g. a phone or bank card); or
- inherent characteristics (e.g. a thumbprint or facial recognition).
British retailers and hospitality providers who take card payments in person, for instance in stores or hotels, will already be applying two-step validation for physical card transactions over £30. Such validation occurs through the chip and pin process by the combination of possession of the card and knowledge of a PIN number being required to approve purchase, rather than using contactless payment (which does not require a PIN to be used). However, the UK currently does not require SCA for online purchases, which can be completed solely through possession of a card. It is hoped that the introduction of PSD2 will boost customer protection and reduce opportunities for fraud at the point of purchase.
Which transactions must comply with SCA?
The new regime will only apply to "customer-initiated" transactions, in which both parties are in the European Economic Area ("EEA"). There are also a number of exceptions to two-factor authentication. Direct debit payments, for example, will not require SCA after the initial transaction, as they are then considered "merchant-initiated". Another exception is a 'trusted beneficiary', whereby customers have the option to pre-approve a business that they trust, in order to avoid having to authenticate future purchases.
Despite these exceptions, most online card payments and bank transfers will be covered by the new rules. Regulated Payment Service Providers ("PSPs"), such as banks, building societies and credit card providers, are responsible for ensuring the application of SCA and its exemptions. Currently, many retailers rely on 3D-Secure protocols to provide authentication, including 'Verified by Visa', 'SecureCode', and 'J/Secure'. This is likely to continue post-SCA implementation, with new versions of 3D-secure protocols made available to aid compliance with the regulations.
When must businesses implement SCA?
The original deadline for businesses to implement SCA was September 2019. However, the European Banking Authority has agreed a 15-month extension to the implementation of the new regime in the UK. Businesses therefore have until January 2021 to become compliant. This is likely to have been seen positively by a large number of retailers. According to Andrew Cregan who advises the British Retail Consortium on its payment policy, the extension "avoids a payments cliff-edge where 25%-30% of ecommerce transactions would have been at risk of failing after September".
The consequences of non-compliance?
In the UK, the FCA will be monitoring compliance with the new regime. Payment providers and banks are legally required to ensure PSD2 is followed. Failure to do so could result in significant fines and the FCA also has the power to remove a payment provider's licence. In order to protect themselves, providers will likely decline transactions that do not meet the SCA criteria. As a result, merchants currently operating online storefronts will likely risk losing transaction volume if they do not ensure that their online transactions are PSD2 compliant.
Will Brexit impact SCA?
The underlying legislation for SCA, namely PSD2, has already been adopted by the UK. Therefore, on the day that the UK leaves the EU, PSD2 will continue to be in force. Further, as a policy issue, fraud prevention is of significant importance to the e-commerce sector and it is likely that the UK will continue to support measures such as SCA after leaving the EU. As a result of these factors, Brexit is unlikely to impact the requirement on businesses to comply with SCA.