PSD2 - Strong Customer Authentication: how does it affect you?
Strong Customer Authentication remains the big unknown variable of PSD2. Governments have still not decided how to implement it into local law and online shop owners are still unsure about what to do about this issue. This post will help them along.
What is Strong Customer Authentication?
Strong Customer Authentication (SCA) is one of the big subjects of PSD2 - especially since it’s one of the mandates that affect online shop owners.
Unlike PSD2 itself, the technical standards on SCA have not yet come into effect. They are expected to apply from September 2019. However, the EU advises online shop owners to start preparing for the law now and to look into solutions that will make them compliant.
Today, a customer is authenticated by providing a code or password when making a purchase - at least in most instances. Strong Customer Authentication calls for - yes you’ve guessed it - a stronger authentication process than that. The new rules require customers to be authenticated by at least two of the following three methods:
- Something the customer knows, e.g. a password or a code
- Something the customer owns, e.g. a one-time password
- Something the customer is, e.g. a fingerprint
This is a way to ensure that the customer is the rightful owner of the card he is paying with.
When is SCA not necessary?
While SCA will be the norm after September 2019, there will be a few instances where a transaction can be completed without the security feature. Those are:
- Online purchases below 30 Euros (although SCA still has to be applied once every 100 Euros has been spent cumulatively and on every fifth transaction)
- Recurring transactions of the same amount, e.g. your Netflix subscription
- Low-risk transactions (based on the acquirer’s evaluation)
- Transactions to oneself
- Secure corporate payments (when they are processed through secure systems)
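To make the two rules above concrete, here is a small decision helper written for this post (it is an added example, not Clearhaus code or any scheme's reference implementation). It checks that the methods used in a checkout span two distinct factor categories, and it tracks the low-value exemption with the 30 Euro, 100 Euro and every-fifth-transaction thresholds the post quotes. The method names, the mapping of methods to categories, and the exact counter semantics (cumulative spend strictly above 100 Euros, or the fifth consecutive exempt transaction, triggers SCA and resets the counters) are assumptions made for illustration.

```python
"""
Added example: an SCA decision helper covering the two rules this post
describes - two-of-three authentication factors and the low-value exemption.
Thresholds come from the post; everything else is a constructed assumption.
"""
from dataclasses import dataclass
from decimal import Decimal
from enum import Enum


class Factor(Enum):
    KNOWLEDGE = "something the customer knows"
    POSSESSION = "something the customer has"
    INHERENCE = "something the customer is"


# Hypothetical mapping of concrete methods to factor categories (assumption).
METHOD_CATEGORY = {
    "password": Factor.KNOWLEDGE,
    "cvv": Factor.KNOWLEDGE,
    "sms_otp": Factor.POSSESSION,
    "app_otp": Factor.POSSESSION,
    "fingerprint": Factor.INHERENCE,
    "face_id": Factor.INHERENCE,
}


def is_strong_authentication(methods):
    """True only if the methods used span at least two distinct categories.
    Two methods from the same category (password + CVV) do not qualify."""
    categories = {METHOD_CATEGORY[m] for m in methods}
    return len(categories) >= 2


LOW_VALUE_LIMIT = Decimal("30")        # "below 30 Euros"
CUMULATIVE_LIMIT = Decimal("100")      # "every 100 Euros spent"
MAX_EXEMPT_IN_A_ROW = 5                # "every fifth transaction"


@dataclass
class CardholderState:
    """Counters since the last transaction that went through SCA."""
    spent_since_sca: Decimal = Decimal("0")
    count_since_sca: int = 0


def sca_required(amount, state):
    """Apply the low-value exemption to one transaction.

    Returns True when SCA must be applied and updates the cardholder's
    counters as if the transaction goes ahead. Counters reset whenever SCA
    is applied (assumed semantics, for illustration).
    """
    if amount >= LOW_VALUE_LIMIT:
        state.spent_since_sca = Decimal("0")
        state.count_since_sca = 0
        return True
    new_total = state.spent_since_sca + amount
    new_count = state.count_since_sca + 1
    if new_total > CUMULATIVE_LIMIT or new_count >= MAX_EXEMPT_IN_A_ROW:
        state.spent_since_sca = Decimal("0")
        state.count_since_sca = 0
        return True
    state.spent_since_sca = new_total
    state.count_since_sca = new_count
    return False


def decide_sequence(amounts):
    """Run a fresh cardholder through a list of amounts (as strings) and
    return, per transaction, whether SCA was required."""
    state = CardholderState()
    return [sca_required(Decimal(a), state) for a in amounts]


if __name__ == "__main__":
    # Constructed sample: five small purchases, then a cumulative breach.
    print(decide_sequence(["10", "10", "10", "10", "10"]))
    print(decide_sequence(["29", "29", "29", "29"]))
    print(is_strong_authentication(["cvv", "sms_otp"]))
```

The point worth noticing is that the exemption is stateful per cardholder: a shop that only compares each amount against 30 Euros will exempt transactions the cumulative and frequency limits say must be challenged, so that state has to live with whoever makes the decision, typically the acquirer or gateway.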
But in most cases, you will need to apply SCA to the transactions made in your online shop. It may sound a tad complicated, but there are very simple solutions out there. Two of the more popular ways to comply with the PSD2 requirements are applying 3-D Secure to your transactions or having customers pay with Apple Pay. All you need is an acquirer and a payment gateway that offer these services, and it can be set up in no time.
Become SCA-Compliant with 3-D Secure
One way to comply with the new SCA rules is by using 3-D Secure in your online store. 3-D Secure is a term covering Visa’s Visa Secure (formerly known as Verified by Visa) and Mastercard’s Mastercard SecureCode.
With 3-D Secure, an extra step is added to the authentication process, so that you end up using two of the above-mentioned three criteria. 3-D Secure uses the “something the customer knows”, often by asking for the CVV code on the payment card, and the “something the customer has”, by sending a one-time code to the customer’s phone or by email. This one-time code is then entered in a pop-up or in-frame window looking something like this:
3-D Secure is not only good because it makes you SCA-compliant. It also entails what is called the liability shift, meaning that as soon as an online store owner tries to apply 3-D Secure on a transaction, he can no longer be liable in case of fraud - this is a pretty great deal! Read more about 3-D Secure here.
At Clearhaus we offer Conditional 3-D Secure. This allows you to specify rules for when 3-D Secure is applied. It means that you can choose to only have 3-D Secure on transactions from certain areas or over a certain value. Right now, you can set these areas and values as you like, but when SCA kicks in, we will make sure that 3-D Secure is only applied to transactions over 30€ and on transactions from countries in the EU - if this is what you want, of course.
Become SCA-Compliant with Apple Pay
Several mobile wallets, including Apple Pay, also fulfil the requirements for SCA. They usually work in much the same way: the card details are stored (in tokenised form) on the phone (the something you have), and a transaction is completed by using a biometric feature, such as fingerprint, iris or face recognition (the something you are).
Let’s take an example with Apple Pay. First, the cardholder sets up his Apple Pay account by registering his card. This can be done on iPhones, iPads, Apple Watches, and Macs. Next, he goes to a POS, an app, or an online shop to make a purchase. To complete the purchase, he simply uses Face ID or the fingerprint scanner to approve the transaction. Paying in an app looks like this:
When customers pay with digital wallets, like Apple Pay, you don’t have to worry about 3-D Secure and SCA - it’s all taken care of. Clearhaus allows you to accept payments made with Apple Pay in your online shop.
To sum up...
Even though there’s a lot of buzz about Strong Customer Authentication, it’s pretty easy to comply with the new rules. 3-D Secure is the solution that comes best recommended, as Apple Pay (and the like) is not an option for all of your customers. Of course, supporting both is the best way to satisfy both the EU and your customers.