

Payment Services Directive (PSD2)

What is PSD2?

The first Payment Services Directive (PSD, Directive 2007/64/EC) was adopted in 2007 to regulate payment services and payment service providers throughout the European Union (EU) and European Economic Area (EEA). In January 2018 the revised Payment Services Directive (PSD2, Directive (EU) 2015/2366) took effect with the following objectives:

  • Enhance competition within the digital payments market
  • Facilitate innovation, making it easier and safer to make payments online
  • Protect consumers
  • Increase security and contribute to a single EU market in retail payments

When it comes to payments, security and convenience are both essential, which is why AIBMS supports the spirit of the regulation.

For AIBMS, its merchants and cardholders the next key deadline is 14th September 2019, when the PSD2 Regulatory Technical Standards (RTS) on Strong Customer Authentication (SCA) legally apply within Europe.

What is Strong Customer Authentication (SCA)?

PSD2 requires Strong Customer Authentication (SCA) to be applied to electronic payments within the European Economic Area (EEA). The SCA mandate is accompanied by a set of exemptions intended to preserve a frictionless cardholder experience; these exemptions are covered later in this update. SCA is two-factor authentication: the authentication process must always use two of the following three independent categories of factor, so that compromising one does not compromise the other.

Category     Description                            Example
Knowledge    Something only the cardholder knows    A password, a PIN, memorable information
Possession   Something only the cardholder has      A pre-registered mobile phone, card reader or keyfob
Inherence    Something the cardholder is            A biometric (facial recognition, fingerprint, voice recognition, behavioural biometric)

What solution does AIBMS recommend as a solution for SCA?

For online payments today, 3D Secure (3DS) is the most common way to authenticate a card payment. The scheme requires the cardholder to enter an additional password when they make an online purchase, and is branded ‘Verified by Visa’ and ‘MasterCard SecureCode’ for Visa and MasterCard respectively.

3D Secure 2 is the newer version of the authentication protocol and is the main method AIBMS recommends for authenticating online card payments to meet the SCA requirements. 3D Secure 1 had shortcomings, notably requiring the cardholder to remember a separate password, which caused a number of customers to abandon their purchase. 3DS 2 was developed to improve the overall performance of the 3DS programme and to support the payments industry in delivering a consistent, frictionless user experience across all e-commerce channels and connected devices. By supplying more data with the payment (device, account and transaction details the issuer can risk-assess without a challenge), it is expected to speed up authentication and improve security, and could reduce checkout drop-off by up to 70% according to a recent study from Visa1.

Other card-based payment methods such as Apple Pay or Google Pay already support payment flows with a built-in layer of authentication (biometric or password). These can be a great way for merchants to offer a frictionless checkout experience while meeting the new requirements.

1. https://www.visaeurope.com/media/pdf/visa-infographic.pdf

When does SCA apply?

Strong Customer Authentication (SCA) is required on all electronic payments within the European Economic Area (EEA) that are initiated by the cardholder. In practice this means SCA is required for every transaction where both the cardholder's bank (the card issuer) and the merchant's payment service provider (the acquirer) are located within the EEA.

To clarify, the list of EEA countries where SCA applies is as follows:

Austria, Belgium, Bulgaria, Croatia, Republic of Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, UK, Iceland, Liechtenstein and Norway

Some transactions are deemed ‘out of scope’, so it is not mandatory for SCA to be applied to them. These are:

  • ‘One leg out’ transactions – either the cardholder's bank (card issuer) or the merchant's acquirer is outside of the EEA
  • Merchant-initiated transactions (MIT) – some merchants store cardholder payment details for future payments. These are typically agreed deferred or delayed payments and require an agreement between the cardholder and the merchant to charge the card at a point in the future. Merchants with these types of transactions will need to ensure the first transaction in the process is authenticated with SCA; this is typically done at the point of securely storing the card details or on the first payment, whenever the cardholder is present. Later charges are submitted flagged as merchant-initiated and reference that initial authenticated transaction.
  • Mail order and telephone order transactions (known as MO/TO) – where cardholders make payments over the telephone or via mail order
  • Anonymous payments – for example anonymous prepaid cards, where there is no identifiable cardholder to authenticate

Card Present Transactions

Card present transactions are already compliant with Strong Customer Authentication (SCA) through Chip and PIN, which combines possession (the chip card) with knowledge (the PIN). In a card present environment the convenience of contactless at the point of sale remains for low value transactions, currently up to €30 in Ireland and £30 in the UK; other countries may vary.

Exemptions

One of the objectives of PSD2 is enhancing competition, and with this in mind there are some transactions that may be exempt from Strong Customer Authentication (SCA). It is vitally important to understand that whilst the exemptions below exist, it is ultimately the cardholder's bank (issuer) that decides whether or not to accept a transaction submitted with an exemption and no SCA.

AIBMS recommends that any merchant planning to submit transactions with exemptions also plans and builds the processes to handle the situation where the cardholder's bank (issuer) declines a transaction because no SCA was performed (a ‘soft decline’). In these situations the merchant needs to manage the cardholder experience around the initial decline: present the cardholder with the ability to authenticate the transaction using SCA (for example a 3DS 2 challenge) and then resubmit the transaction for approval, rather than simply reporting a failed payment.

Low Value Transactions

Transactions of €30 or less are considered ‘low value’ and may therefore be exempt from SCA. However, the exemption is limited by two counters that the issuer tracks per card: if the cardholder has already used the exemption five consecutive times since the last successful SCA, or if the cumulative value of exempt payments since the last successful SCA exceeds €100, SCA will be required. A successful SCA resets both counters.

Recurring Payments

Fixed amount recurring payments to the same merchant, such as subscriptions, are exempt. It is important to note that SCA will be required for the cardholder's first payment; all subsequent payments in the series may then be exempt from SCA. If the amount changes, the transaction no longer fits this exemption.

Whitelisting / Trusted Beneficiaries

Cardholders can ‘whitelist’ merchants they trust by adding them to a trusted beneficiaries list, which is held and managed by the cardholder's bank (issuer). SCA is required at the point the merchant is added, so that future payments to that merchant can be exempt from SCA. The cardholder's bank (issuer) manages the associated criteria, and how this facility is offered to cardholders will likely differ by issuer.

Secure Corporate Payments

This exemption applies where a legal person (a business, not a consumer) initiates electronic payment transactions through dedicated payment processes or protocols that are only made available to payers who are not consumers. A good example is lodged corporate cards, which are used for employee travel and managed directly by a travel agent.

Transaction Risk Analysis (TRA)

Subject to prior approval from the acquirer (AIBMS), the Transaction Risk Analysis (TRA) exemption may be applied based on the fraud rate of the payment service provider applying it (in this case AIBMS as acquirer, or the cardholder's bank). The reference fraud rate determines the maximum transaction value that can be exempted:

  • 0.13% to exempt transactions below €100
  • 0.06% to exempt transactions below €250
  • 0.01% to exempt transactions below €500

The exemption allows an acquirer to request an exemption if it deems the transaction to be low risk and its fraud rate is within the threshold for that transaction value. The TRA exemption is separate from the Low Value exemption: it is not subject to the five-transaction and €100 cumulative counters, and it may also be applied to transactions below €30. It is important to note that the cardholder's bank (issuer) still has the ability to decline the exemption and ask for the transaction to be resubmitted with SCA.

Contactless Payments

Similarly to Low Value Transactions, contactless payments made at a point of sale are exempt up to a maximum value of €50 per transaction, for up to five consecutive transactions or an accumulated value of up to €150 since the last SCA (typically a Chip and PIN transaction). The maximum limit of €50 within the Directive may vary from country to country based on local application.

Unattended Terminals

Transactions made at unattended terminals for transport fares or parking fees are exempt from SCA.
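The exemption rules above are a small decision procedure with state: per-transaction ceilings, two per-card counters for the low value exemption, fraud-rate bands for TRA, and a soft-decline fallback to SCA. The following is an added illustration of that logic in Python; it is not AIBMS, AuthIpay or gateway code. The thresholds are the ones quoted on this page; the per-card counters (which in reality the issuer keeps, not the merchant) and the issuer's verdict are simulated in-process, and the issuer callback, transaction and state types are assumptions for the example.

```python
"""PSD2 / SCA exemption decision logic as a worked example (constructed)."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

LOW_VALUE_MAX_EUR = 30.0          # single-transaction ceiling for the low value exemption
LOW_VALUE_MAX_COUNT = 5           # consecutive exempt transactions since last SCA
LOW_VALUE_MAX_TOTAL_EUR = 100.0   # cumulative exempt value since last SCA
# TRA bands: acquirer reference fraud rate (%) -> transaction value ceiling (EUR)
TRA_BANDS: List[Tuple[float, float]] = [(0.13, 100.0), (0.06, 250.0), (0.01, 500.0)]


@dataclass
class Txn:                          # assumed shape of a transaction request
    amount_eur: float
    issuer_in_eea: bool = True
    acquirer_in_eea: bool = True
    channel: str = "ecommerce"      # "ecommerce" or "moto"
    merchant_initiated: bool = False


@dataclass
class CardState:
    """Counters the issuer keeps per card since the last successful SCA (simulated here)."""
    exempt_count: int = 0
    exempt_total_eur: float = 0.0


def out_of_scope(t: Txn) -> bool:
    """One-leg-out, MO/TO and merchant-initiated transactions need no SCA."""
    one_leg_out = not (t.issuer_in_eea and t.acquirer_in_eea)
    return one_leg_out or t.channel == "moto" or t.merchant_initiated


def low_value_allowed(t: Txn, s: CardState) -> bool:
    """Amount within EUR 30 and neither counter already exhausted."""
    return (t.amount_eur <= LOW_VALUE_MAX_EUR
            and s.exempt_count < LOW_VALUE_MAX_COUNT
            and s.exempt_total_eur <= LOW_VALUE_MAX_TOTAL_EUR)


def tra_ceiling_eur(acquirer_fraud_rate_pct: float) -> float:
    """Highest value band the acquirer's fraud rate qualifies for (0.0 = TRA unavailable)."""
    return max((value for rate, value in TRA_BANDS if acquirer_fraud_rate_pct <= rate), default=0.0)


def tra_allowed(t: Txn, acquirer_fraud_rate_pct: float) -> bool:
    return t.amount_eur < tra_ceiling_eur(acquirer_fraud_rate_pct)


def choose_exemption(t: Txn, s: CardState, fraud_rate_pct: float) -> str:
    """Exemption flag the merchant would submit, or "" when full SCA is needed."""
    if low_value_allowed(t, s):
        return "low_value"
    if tra_allowed(t, fraud_rate_pct):
        return "tra"
    return ""


Issuer = Callable[[Dict], str]      # assumed: returns "approved", "soft_decline" or "declined"


def authorise(t: Txn, s: CardState, fraud_rate_pct: float, issuer: Issuer) -> Dict:
    """Submit a transaction, stepping up to SCA if the issuer soft-declines the exemption."""
    trail: List[str] = []
    if out_of_scope(t):
        trail.append("out_of_scope")
        trail.append(issuer({"amount": t.amount_eur, "sca": False, "exemption": ""}))
        return {"outcome": trail[-1], "trail": trail}

    exemption = choose_exemption(t, s, fraud_rate_pct)
    if exemption:
        trail.append(f"exempt:{exemption}")
        verdict = issuer({"amount": t.amount_eur, "sca": False, "exemption": exemption})
        trail.append(verdict)
        if verdict == "approved":
            if exemption == "low_value":   # TRA does not consume the low value counters
                s.exempt_count += 1
                s.exempt_total_eur += t.amount_eur
            return {"outcome": "approved", "trail": trail}
        if verdict != "soft_decline":
            return {"outcome": verdict, "trail": trail}
        # Issuer refused the exemption: fall through and authenticate the cardholder.

    trail.append("sca")                # a 3DS 2 challenge would be run here
    verdict = issuer({"amount": t.amount_eur, "sca": True, "exemption": ""})
    trail.append(verdict)
    if verdict == "approved":
        s.exempt_count, s.exempt_total_eur = 0, 0.0   # successful SCA resets the counters
    return {"outcome": verdict, "trail": trail}


def demo_issuer(req: Dict) -> str:
    """Constructed issuer policy: honours exemptions up to EUR 150, otherwise demands SCA."""
    if req["sca"] or req["exemption"] == "" or req["amount"] <= 150:
        return "approved"
    return "soft_decline"
```

The point of `authorise` is the fall-through on `soft_decline`: the merchant never treats an issuer's refusal of an exemption as a final failure, but re-presents the same transaction with SCA, which is the handling the page asks merchants to build before using exemptions.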

What do you need to do now?

AIBMS is currently working with all payment gateway providers to ensure that the required technical solutions are in place to support the correct transaction flagging. This technical work includes our own payment gateway updates with AuthIpay to ensure we can support this new legislation by the September 2019 deadline.

If you have not already engaged with your payment gateway, we strongly recommend that you do so to understand what changes, if any, you need to make to support Strong Customer Authentication, both to protect your cardholders against fraud and to comply with the PSD2 legislation.

For any further questions, please review our FAQs or contact your relationship manager or our helpdesk for further information.

Helpful Industry Documents

Visa has provided a useful toolkit which answers questions in relation to 3DS 2.0, along with their PSD2 Implementation Guide.

In addition, Visa has published a sector-specific document for the Travel and Hospitality sector.

Visa's 3DS 2.0 Transaction Flows document outlines the route of a transaction for both the frictionless flow and the challenged flow.
