What is PSD2?

Payment Services Directive (PSD) legislation came into effect in 2001 to regulate payment services and payment service providers throughout the European Union (EU) and European Economic Area (EEA). In January 2018, the new EU Payment Services Directive (PSD2) took effect with the following objectives:

  • Enhancing competition within the digital payments market
  • Facilitating innovation, making it easier and safer to make payments online
  • Protecting consumers
  • Increasing security and contributing to a single EU market in retail payments

When it comes to payments, security and convenience are essential, which is why AIBMS supports the spirit of the regulation.

September 14th 2019 was the original hard deadline for businesses to become compliant. However, the Central Bank of Ireland (CBI), along with other Competent Authorities (CAs) within the EU, stated that there would be a ‘limited migration period’ for implementation of Strong Customer Authentication (SCA). That migration period ends on 31st December 2020 and applies to ecommerce transactions only. This is a significant deadline: it is when the PSD2 Regulatory Technical Standards (RTS) on Strong Customer Authentication (SCA) legally apply within Europe.

What is Strong Customer Authentication (SCA)?

PSD2 requires Strong Customer Authentication (SCA) to be applied to all electronic payments within the European Economic Area (EEA). The SCA mandate is accompanied by some exemptions, with the goal of supporting a frictionless cardholder experience. We will cover these exemptions later within this update. SCA is performed using two-factor authentication: two of the following independent factors have to be used during the authentication process:

Category     Description                           Example
Knowledge    Something only the cardholder knows   A password, a PIN, memorable information
Possession   Something only the cardholder has     A pre-registered mobile phone, card reader or keyfob
Inherence    Something the cardholder is           A biometric (facial recognition, fingerprint, voice recognition, behavioural biometric)

What solution does AIBMS recommend for SCA?

For online payments today, 3D Secure (3DS) is the most common way to authenticate a card payment. The scheme requires the cardholder to enter an additional password when they make an online purchase; the familiar brands are ‘Verified by Visa’ and ‘MasterCard SecureCode’ for Visa and MasterCard respectively.

3D Secure version 2.0 is a newer version of the authentication protocol and will be the main method AIBMS recommends to authenticate online card payments to meet the SCA requirements. It addresses some of the shortcomings of 3D Secure version 1.0, such as requiring a cardholder to remember their own password, which causes a number of customers not to complete their purchase. 3D Secure version 2.0 has been developed with the goal of improving the overall performance of the 3D Secure programme and supports the payments industry in delivering a consistent and frictionless user experience across all e-commerce channels and connected devices. By supplying more data with the payment, it is understood that authentication will be faster and more secure, and drop-off and decline rates could improve by up to 70% according to a recent study from Visa.

Other card-based payment methods such as Apple Pay or Google Pay already support payment flows with a built-in layer of authentication (biometric or password). These can be a great way for merchants to offer a frictionless checkout experience while meeting the new requirements.

https://www.visaeurope.com/media/pdf/visa-infographic.pdf

When does SCA apply?

Strong Customer Authentication (SCA) is required on all electronic payments within the European Economic Area (EEA) that are cardholder initiated. This means that for every transaction where both the cardholder's bank and the merchant are located within the EEA region, SCA will be required.

To clarify, the list of EEA countries where SCA applies is as follows:

Austria, Belgium, Bulgaria, Croatia, Republic of Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, UK, Iceland, Liechtenstein and Norway.

There are some transactions which are deemed ‘out of scope’, and therefore it is not mandatory for SCA to be applied. These are:

  • ‘One leg out’ transactions – either the cardholder's bank (card issuer) or the merchant is outside of the EEA
  • Merchant-initiated transactions (MIT) – some merchants store cardholder payment details for future payments. These are typically agreed deferred/delayed payments and require an agreement between the cardholder and the merchant to charge the card at a point in the future. Merchants with these types of transactions will need to ensure the first transaction in this process is authenticated through the application of SCA; this is typically at the point of securely storing the card details or on the first payment, whenever the cardholder is present.
  • Mail order and telephone order transactions (known as MO/TO) – where cardholders make payments over the telephone or via mail order
  • Anonymous payments

Card Present Transactions

Card Present transactions are already compliant with Strong Customer Authentication (SCA) due to the use of Chip and PIN. In a card present environment, the convenience of contactless at point of sale will remain for low value transactions up to a maximum of €50 in Ireland and £50 within the UK; other countries may vary.

Exemptions

One of the objectives of PSD2 is enhancing competition, and with this in mind there are some transactions that may be exempt from Strong Customer Authentication (SCA). It is vitally important to understand that, whilst the below exemptions exist, ultimately it is the cardholder's bank that will decide whether or not to accept a transaction with an exemption and no SCA.

AIBMS recommends that any merchant planning to submit transactions with exemptions also plans and builds processes to handle situations where cardholders' banks (issuers) decline transactions due to no SCA. In these situations merchants will need to manage the cardholder experience: handle the initial decline, present the cardholder with the ability to authenticate the transaction using SCA, and resubmit the transaction for approval.

Low Value Transactions

Transactions below €30 will be considered ‘Low Value’ and therefore may be exempt from SCA. However, if a cardholder has used the exemption five times since the last successful authentication, or if the value of previously exempted payments since that authentication exceeds €100, SCA will be required.

Recurring Payments

Fixed-amount recurring payments, such as subscriptions to the same merchant, are exempt, but it is important to note that SCA will be required for the cardholder's first payment; all subsequent payments may be exempt from SCA.

Whitelisting / Trusted Beneficiaries

Cardholders can ‘whitelist’ merchants that they trust by adding them to their trusted beneficiaries list, which is held and managed by the cardholder's bank (issuer). SCA is required to add a merchant, so that future payments to that merchant can be exempt from SCA. The cardholder's bank (issuer) manages the associated criteria, and how this facility is offered to each cardholder will likely differ by issuer.

Secure Corporate Payments

This exemption applies where a legal person initiates electronic payment transactions through the use of dedicated payment processes or protocols that are only made available to payers who are not consumers. A good example would be lodged corporate cards, which are used for employee travel and managed directly by a travel agent.

Transaction Risk Analysis (TRA)

Subject to prior approval from the acquirer (AIBMS), the Transaction Risk Analysis (TRA) exemption may be applied based on the fraud rate of the payment provider (in this case AIBMS) or of the cardholder's bank. The fraud-rate thresholds are:

  • a fraud rate at or below 0.13% to exempt transactions below €100
  • a fraud rate at or below 0.06% to exempt transactions below €250
  • a fraud rate at or below 0.01% to exempt transactions below €500

In this case, an acquirer may request the exemption if it deems the transaction to be low risk and its fraud rate is within the required threshold for the transaction amount. The TRA exemption is separate from the Low Value exemption: transactions below €30 may still use the Low Value exemption. It is important to note that the cardholder's bank (issuer) still has the ability to decline the exemption and ask for the transaction to be resubmitted with SCA.

Contactless Payments

Similarly to Low Value Transactions, contactless payments made at a point of sale will be exempt up to a maximum value of €50. The exemption applies for up to five consecutive transactions or an accumulated value of up to €150. The maximum limit of €50 within the Directive may vary from country to country based on local application.

Unattended Terminals

Transactions made at unattended terminals, which typically apply to transport fares or parking fees, will be exempt from SCA.
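The scope rules and exemptions above are easiest to reason about as a single decision function. The following is an added example written for this page, not AIBMS, gateway or scheme code: it models an acquirer-side pre-check that tells a merchant whether SCA should be requested or whether an exemption may be flagged, using the EEA list, the out-of-scope cases, the Low Value counters (five uses / €100 since the last SCA), the TRA fraud-rate thresholds and the contactless limits (€50 / five consecutive / €150) as stated in this section. The field names, the `acquirer_fraud_rate` input and the counter bookkeeping are assumptions for the illustration; in practice the counters are held by the issuer, which can still decline any exempted transaction and demand SCA.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# EEA countries where SCA applies, per the list on this page (ISO 3166-1 alpha-2).
EEA = {"AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR",
       "HU", "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK",
       "SI", "ES", "SE", "GB", "IS", "LI", "NO"}

# TRA thresholds from the page: (maximum fraud rate in percent, amount limit in euro).
TRA_THRESHOLDS = ((0.13, 100.0), (0.06, 250.0), (0.01, 500.0))


@dataclass
class CardholderState:
    """Counters kept since the cardholder's last successful SCA (modelled here;
    in reality the issuer holds them)."""
    low_value_count: int = 0        # remote Low Value exemptions used
    low_value_total: float = 0.0    # value of those exempted payments
    contactless_count: int = 0      # consecutive contactless exemptions used
    contactless_total: float = 0.0  # accumulated contactless value

    def record_sca(self) -> None:
        """A successful SCA resets every counter."""
        self.low_value_count, self.low_value_total = 0, 0.0
        self.contactless_count, self.contactless_total = 0, 0.0


@dataclass
class Transaction:
    amount: float                 # euro
    issuer_country: str           # country of the cardholder's bank
    merchant_country: str
    channel: str                  # "ecommerce", "contactless", "moto" or "unattended"
    merchant_initiated: bool = False
    acquirer_fraud_rate: Optional[float] = None  # hypothetical input: acquirer fraud rate, percent


def process(tx: Transaction, state: CardholderState) -> Tuple[bool, str]:
    """Return (sca_required, reason) and update the counters when an exemption
    is used. A False result means out of scope or exemption flagged; the issuer
    may still decline it, so the merchant must be able to resubmit with SCA."""
    # Out-of-scope cases: SCA is not mandatory.
    if tx.issuer_country not in EEA or tx.merchant_country not in EEA:
        return False, "out of scope: one leg out"
    if tx.merchant_initiated:
        return False, "out of scope: merchant-initiated (SCA was applied when the card was stored)"
    if tx.channel == "moto":
        return False, "out of scope: MO/TO"
    # Exemptions (issuer may still challenge).
    if tx.channel == "unattended":
        return False, "exempt: unattended terminal"
    if tx.channel == "contactless":
        # Up to €50 per payment, five consecutive payments or €150 accumulated.
        if (tx.amount <= 50 and state.contactless_count < 5
                and state.contactless_total + tx.amount <= 150):
            state.contactless_count += 1
            state.contactless_total += tx.amount
            return False, "exempt: contactless"
        return True, "SCA required: contactless limits reached"
    # Remote (ecommerce) payment: Low Value, then Transaction Risk Analysis.
    if tx.amount < 30 and state.low_value_count < 5 and state.low_value_total <= 100:
        state.low_value_count += 1
        state.low_value_total += tx.amount
        return False, "exempt: low value"
    if tx.acquirer_fraud_rate is not None:
        for max_rate, limit in TRA_THRESHOLDS:
            if tx.acquirer_fraud_rate <= max_rate and tx.amount < limit:
                return False, "exempt: transaction risk analysis"
    return True, "SCA required: no exemption applies"


if __name__ == "__main__":
    # Constructed sequence: six €20 ecommerce payments from an Irish card to an Irish merchant.
    st = CardholderState()
    for i in range(6):
        print(i + 1, process(Transaction(20.0, "IE", "IE", "ecommerce"), st))
```

Running the module shows the sixth €20 payment being routed to SCA because the exemption has already been used five times; after `record_sca()` the counters start again. The ordering matters: the out-of-scope checks come first because they are not exemptions and need no issuer approval, whereas everything below them is a request the issuer can refuse.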

What do you need to do now?

AIBMS is currently working with all payment gateway providers to ensure that the required technical solutions are in place to support the correct transaction flagging. This technical work includes our own payment gateway updates with Authipay to ensure we can support this new legislation by the 31st December 2020 deadline.

If you have not already engaged with your payment gateway, we strongly recommend that you do so to understand what changes, if any, you may need to make to support Strong Customer Authentication, to help protect your cardholders against fraud and to be compliant with the PSD2 legislation.

For any further questions, please review our FAQs or contact your relationship manager or our helpdesk for further information.

Helpful Industry Documents

Visa have provided a very useful toolkit which answers questions in relation to 3DS 2.0, along with their PSD2 Implementation Guide.

In addition, Visa published a sector-specific document for the Travel and Hospitality sector.

See the 3DS 2.0 Transaction Flows document, which outlines the route of a transaction for both a frictionless flow and a challenged transaction flow.

As noted above the deadline to implement the required changes to become PSD2 compliant is now 31st December 2020.

FAQs

What is PSD2?

Payment Services Directive (PSD) legislation came into effect in 2001 to regulate payment services and payment service providers throughout the European Union (EU) and European Economic Area (EEA). In January 2018, the new EU Payment Services Directive (PSD2) took effect with the following objectives:

  • Enhancing competition within the digital payments market
  • Facilitating innovation, making it easier and safer to make payments online
  • Protecting consumers
  • Increasing security and contributing to a single EU market in retail payments

When it comes to payments, security and convenience are essential, which is why AIBMS supports the spirit of the regulation.

September 14th 2019 was the original hard deadline for businesses to become compliant. However, the Central Bank of Ireland (CBI), along with other Competent Authorities (CAs) within the EU, stated that there would be a ‘limited migration period’ for implementation of Strong Customer Authentication (SCA). That migration period ends on 31st December 2020 and applies to ecommerce transactions only.

For AIBMS, its merchants and cardholders, this revised date is the next key deadline: it is when the PSD2 Regulatory Technical Standards (RTS) on Strong Customer Authentication (SCA) legally apply within Europe.

What is Strong Customer Authentication (SCA)?

PSD2 requires Strong Customer Authentication (SCA) to be applied to all electronic payments within the European Economic Area (EEA). The SCA mandate is accompanied by some exemptions, with the goal of supporting a frictionless cardholder experience. We will cover these exemptions later within this update. SCA is performed using two-factor authentication: two of the following independent factors have to be used during the authentication process:

Category     Description                           Example
Knowledge    Something only the cardholder knows   A password, a PIN, memorable information
Possession   Something only the cardholder has     A pre-registered mobile phone, card reader or keyfob
Inherence    Something the cardholder is           A biometric (facial recognition, fingerprint, voice recognition, behavioural biometric)

When does SCA (Strong Customer Authentication) apply?

Strong Customer Authentication (SCA) is required on all electronic payments within the European Economic Area (EEA) that are cardholder initiated. This means that for every transaction where both the cardholder's bank and the merchant are located within the EEA region, SCA will be required.

To clarify, the list of EEA countries where SCA applies is as follows:

Austria, Belgium, Bulgaria, Croatia, Republic of Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, UK, Iceland, Liechtenstein and Norway.

How is AIB Merchant Services preparing for the regulation?

At AIBMS we have been developing the technical solutions required to support SCA on the payments platform used to process your transactions. We have updated our Authorisation and Settlement Specification, which your PSP/gateway uses to integrate with us, to ensure they can also support the requirements of your business.

These specifications have been provided to the approved gateways and we are working with them to facilitate getting their technical updates completed.

What Solution does AIBMS recommend for SCA?

For online payments today, 3D Secure (3DS) is the most common way to authenticate a card payment. Each scheme requires the cardholder to enter an additional password when they make an online purchase, i.e. ‘Verified by Visa’ or ‘MasterCard SecureCode’ for Visa and MasterCard respectively.

3D Secure 2.0 is a newer version of the authentication protocol and will be the main method AIBMS recommends to authenticate online card payments to meet the SCA requirements. 3DS 2.0 alleviates some of the shortcomings associated with 3D Secure 1.0, such as requiring a cardholder to remember their own password, which can result in a number of customers not completing their purchase. 3DS 2.0 has been developed with the goal of improving the overall performance of the 3DS programme and supports the payments industry in delivering a consistent and frictionless user experience across all e-commerce channels and connected devices. By supplying more data with the payment, it is understood that authentication will be faster and more secure, and drop-off and decline rates could improve by up to 70% according to a recent study from Visa.

Other card-based payment methods such as Apple Pay or Google Pay already support payment flows with a built-in layer of authentication (biometric or password). These can be a great way for merchants to offer a frictionless checkout experience while meeting the new requirements.

https://www.visaeurope.com/media/pdf/visa-infographic.pdf

What do I need to do between now and December 31st to ensure my business is ready?

You need to identify what payment transactions your business accepts. If you take ecommerce transactions, you will need to check whether you currently use 3DS and, if unsure, engage with your Payment Service Provider (PSP)/gateway and your website/app developer to understand how they can assist with getting your business ready for September.

What is 3D Secure?

3D Secure is the global specification for card payment security developed by EMVCo. EMVCo is collectively owned by American Express®, Diners Club International®, Discover Global Network®, JCB®, Mastercard®, UnionPay® and Visa®.

What is 3D Secure 1.0?

3D Secure 1.0 is an authentication process introduced to reduce online fraud and enable the cardholder to make safe and secure online payments.

Is 3DS Version 1.0 compliant with the new regulation (SCA)?

3DS Version 1.0 will not be compliant beyond 31st December 2020. If you are currently operating on this version, you should work with your PSP to migrate to 3DS Version 2.0 or higher before 31st December 2020.

What is 3D Secure 2.0?

3D Secure 2.0, also known as EMV® 3-D Secure, is the updated version of 3D Secure 1.0. It is a new version of authentication, designed to be frictionless, faster and safer, eventually replacing the old redirect of 3D Secure 1.0 with a dynamic bridge between the issuing banks and merchants. It is also designed to enhance competition within the digital payments market.

What are ‘One leg out’ transactions?

Transactions where either the cardholder's bank (card issuer) or the merchant is domiciled outside of the EEA.

What are Merchant-initiated transactions (MIT)?

Some merchants store cardholder payment details for future payments. These are typically deferred/delayed payments and require an agreement between the cardholder and the merchant to charge the card at a point in the future. Merchants with these types of transactions will need to ensure the first transaction in this process is authenticated through the application of SCA; this is typically at the point of securely storing the card details or on the first payment, whenever the cardholder is present.

What are Mail order and telephone order transactions (known as MO/TO)?

Transactions where cardholders make payments over the telephone or via mail order.

What will happen on the 31st of December if I do not have any version of 3DS enabled on my ecommerce website?

If a transaction is taken without SCA, or without a legitimate exemption flagged correctly, it is the view of AIBMS that there is a higher likelihood of the issuer declining the transaction. Issuing banks do not want to be in a position where declining is their only option, so the adoption of 3DS is a vital requirement to ensure there is no impact to your business.

How will I know which Issuers will be ready for 3DS 2.0 and when?

The schemes are able to provide an updated list of all issuing BINs which are registered and available for 3DS 2.0. Your gateway provider should be able to send a request to the schemes' directory servers to obtain the list of BINs and the version for which each is registered.

What is SCA Dynamic Linking?

For electronic payments under SCA, each authentication event must be linked to a specific amount and payee (dynamic linking). This requirement, effectively binding authentication to the payee and the amount, aims at ensuring that a valid authentication code is only used once and for the specific electronic payment for which the authentication is requested. The objective is to reduce “man in the middle” attacks.
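The two properties this page attributes to SCA, two independent factor categories (the Knowledge / Possession / Inherence table earlier) and dynamic linking of each authentication to a specific amount and payee, can be checked mechanically. The following is an added example written for this page, not EMVCo, scheme or AIBMS code: a toy issuer that refuses to authenticate unless the factors span two categories, then issues an authentication code as an HMAC over the amount, payee and a one-time nonce, and accepts that code only once and only for the exact amount and payee it was generated for. The HMAC construction, the `Issuer` class, the factor names and the in-memory "used codes" set are assumptions for the illustration and are not the 3DS message formats.

```python
import hashlib
import hmac
import secrets
from typing import Iterable, Tuple

# Factor categories from the page's table. Names are constructed for this example.
FACTOR_CATEGORY = {
    "password": "knowledge", "pin": "knowledge", "memorable_info": "knowledge",
    "registered_phone": "possession", "card_reader": "possession", "keyfob": "possession",
    "fingerprint": "inherence", "face": "inherence", "voice": "inherence",
}


def is_two_factor(factors: Iterable[str]) -> bool:
    """True only if the factors used come from at least two distinct categories;
    two passwords, for example, are both 'knowledge' and do not satisfy SCA."""
    categories = set()
    for f in factors:
        if f not in FACTOR_CATEGORY:
            raise ValueError(f"unknown factor: {f}")
        categories.add(FACTOR_CATEGORY[f])
    return len(categories) >= 2


class Issuer:
    """Toy issuer: generates and verifies dynamically linked authentication codes."""

    def __init__(self) -> None:
        self._key = secrets.token_bytes(32)  # issuer-held secret (constructed for the example)
        self._used_codes = set()             # codes already spent; a real system persists this

    def _code(self, amount_cents: int, payee: str, nonce: str) -> str:
        # The code is a MAC over amount, payee and a per-authentication nonce, so any
        # change to amount or payee after authentication produces a different code.
        msg = f"{amount_cents}|{payee}|{nonce}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def authenticate(self, factors: Iterable[str], amount_cents: int, payee: str) -> Tuple[str, str]:
        """Perform SCA for one payment; returns (nonce, authentication_code)."""
        if not is_two_factor(factors):
            raise ValueError("SCA needs factors from two independent categories")
        nonce = secrets.token_hex(8)
        return nonce, self._code(amount_cents, payee, nonce)

    def authorise(self, amount_cents: int, payee: str, nonce: str, code: str) -> bool:
        """Accept the payment only if the code matches this exact amount and payee
        and has not been used before."""
        expected = self._code(amount_cents, payee, nonce)
        if not hmac.compare_digest(expected, code):
            return False  # amount or payee differs from what was authenticated
        if code in self._used_codes:
            return False  # replay of a code that was already spent
        self._used_codes.add(code)
        return True


if __name__ == "__main__":
    issuer = Issuer()
    nonce, code = issuer.authenticate(["password", "registered_phone"], 4999, "MERCHANT-A")
    print("same amount/payee:", issuer.authorise(4999, "MERCHANT-A", nonce, code))
    print("replayed code:   ", issuer.authorise(4999, "MERCHANT-A", nonce, code))
    print("changed amount:  ", issuer.authorise(9999, "MERCHANT-A", nonce, code))
```

The point to take from the model is that the authentication code is not a bare "the cardholder passed" token: it is bound to the payment it was requested for, which is why a code intercepted and re-presented for a different amount or payee, or presented twice, is rejected by the issuer rather than by anything the merchant does.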

What are SCA exemptions?

One of the objectives of PSD2 is enhancing competition, and with this in mind there are some transactions that may be exempt from Strong Customer Authentication (SCA). It is vitally important to understand that, whilst the below exemptions exist, ultimately it is the cardholder's bank that will decide whether or not to accept a transaction with an exemption and no SCA.

AIBMS recommends that any merchant planning to submit transactions with exemptions also plans and builds processes to handle situations where cardholders' banks (issuers) decline transactions due to no SCA. In these situations merchants will need to manage the cardholder experience: handle the initial decline, present the cardholder with the ability to authenticate the transaction using SCA, and resubmit the transaction for approval.

Low Value Transactions

Transactions below €50 will be considered ‘Low Value’ and therefore may be exempt from SCA. However, if a cardholder has used the exemption five times since the last successful authentication, or if the value of previously exempted payments since that authentication exceeds €100, SCA will be required.

Recurring Payments

Fixed-amount recurring payments, such as subscriptions to the same merchant, are exempt, but it is important to note that SCA will be required for the cardholder's first payment; all subsequent payments may be exempt from SCA.

Secure Corporate Payments

This exemption applies where a legal person initiates electronic payment transactions through the use of dedicated payment processes or protocols that are only made available to payers who are not consumers. A good example would be lodged corporate cards, which are used for employee travel and managed directly by a travel agent.

Whitelisting / Trusted Beneficiaries

Cardholders can ‘whitelist’ merchants that they trust by adding them to their trusted beneficiaries list, which is held and managed by the cardholder's bank (issuer). SCA is required to add a merchant, so that future payments to that merchant can be exempt from SCA. The cardholder's bank (issuer) manages the associated criteria, and how this facility is offered to each cardholder will likely differ by issuer.

Transaction Risk Analysis (TRA)

Subject to prior approval from the acquirer (AIBMS), the Transaction Risk Analysis (TRA) exemption may be applied based on the fraud rate of the payment provider (in this case AIBMS) or of the cardholder's bank. The fraud-rate thresholds are:

  • a fraud rate at or below 0.13% to exempt transactions below €100
  • a fraud rate at or below 0.06% to exempt transactions below €250
  • a fraud rate at or below 0.01% to exempt transactions below €500

In this case, an acquirer may request the exemption if it deems the transaction to be low risk and its fraud rate is within the required threshold for the transaction amount. The TRA exemption is separate from the Low Value exemption: transactions below €30 may still use the Low Value exemption. It is important to note that the cardholder's bank (issuer) still has the ability to decline the exemption and ask for the transaction to be resubmitted with SCA.

Contactless Payments

Similarly to Low Value Transactions, contactless payments made at a point of sale will be exempt up to a maximum value of €50. The exemption applies for up to five consecutive transactions or an accumulated value of up to €150. The maximum limit of €50 within the Directive may vary from country to country based on local application.

Unattended Terminals

Transactions made at unattended terminals, which typically apply to transport fares or parking fees, will be exempt from SCA.

Is there an order or preference/priority on the exemptions a merchant should apply to a transaction?

Since the objective of PSD2 is to make payments more secure, and the legislation effectively forces the adoption of 3DS as a level playing field for merchants, the priority for your business should be to adopt 3DS processing as widely as possible and then avail of the exemptions. It is important to note that an issuing bank can, at any time, choose to challenge any payment submitted with an exemption.

How does this regulation impact cardholders?

Cardholders will be impacted by a number of parts of this regulation, in addition to the changes they will see when paying on your site. For more information in relation to cardholders, we suggest watching the helpful videos provided by the Banking and Payments Federation of Ireland.