How Merchants Can Comply With Strong Customer Authentication

James Pinborough

Nov 9, 2020

The second Payment Services Directive (PSD2) is a European directive intended to make payments more secure. Its Strong Customer Authentication (SCA) requirement will be enforceable within the European Economic Area (EEA) at the end of the year and demands more robust fraud-prevention checks for online transactions.

Many merchants are still scrambling to implement the second Payment Service Directive (PSD2) Strong Customer Authentication (SCA) requirements that the European Union will enforce by the end of the year.

Failure to comply with the regulations may result in declined transactions and lost business.

The new regulation is designed to deter online transaction fraud by requiring additional user authentication before banks authorise payment and has the potential to hurt merchants who do not comply. Countries in the European Economic Area will require that online eCommerce purchases be conducted through a fully operational SCA process.

Advocates see Strong Customer Authentication as a necessary step to prevent fraud. When enforcement begins, banks and payment service providers will require customers to authenticate themselves using two of three acceptable factors:

  1. Something in their possession (e.g. a mobile phone)
  2. Something they know (such as password or PIN)
  3. Something inherent to them (such as a fingerprint)

This 2-factor authentication requirement makes it more difficult for criminals to pose as legitimate account owners and make unauthorised purchases. Following the deadline, any non-exempt, in-scope transaction that cannot be verified through 2-factor authentication must be soft-declined by card issuers. This is likely to result in significant loss of revenue — a price no European airline, hotel, eCommerce company, or other merchant wants to pay. These are the steps merchants need to take to become compliant with Strong Customer Authentication requirements in advance of the deadline:

Implement EMV® 3-D Secure

Enable the latest version (2.x) on your storefront or eCommerce website. This protocol exchanges data among the parties involved (merchant, card network and issuing bank) in real time. When the bank requires SCA for a transaction, the 3DS protocol determines whether the cardholder is enrolled in 3-D Secure. If so, and if transaction authentication is needed, 3DS directs shared data among merchants, card networks, and banks for verification. Version 2 (3DS2) offers a cleaner user interface than the original version as well as optimisation for collecting authentication details from mobile phone users.

Formulate an exemption strategy

Evaluate your tolerance for chargeback liability and your desire for a frictionless customer checkout experience to determine how aggressively you want to request exemptions. It is up to you to request SCA exemptions, but the issuer decides whether to allow them. If the issuer grants your exemption request and the transaction turns out to be fraudulent, you may be liable for the chargeback. Even where an exemption applies, the issuer may still invoke SCA under its own fraud-prevention rules. Never requesting an exemption eliminates liability risk but could cost you customers. Using every available exemption virtually eliminates friction but maximises liability risk. You therefore need to strike a balance between the two that matches your risk appetite.

Synchronise with banks and PSPs

Ensure your payment service provider is compliant with SCA and supports the latest version of the 3DS2 protocol. They should be able to offer support for bringing your own compliance online, integrating with their systems, and upgrading your server and/or checkout procedures, if necessary. Ensure you collect the data that banks will need and store it in the required format. Communication with your SCA partners should include a discussion of how your exemption strategy matches typical transactions on your site. For instance, you will want to know which kinds of exemptions are likely to be allowed.

Real-time decision making

By properly categorising transactions as they are being prepared, your platform can determine which authentication workflow to follow. For instance, Accertify’s payment gateway interfaces with our PSD2 Strong Customer Authentication solution to route exempted transactions around the authentication process. Deployment and customisation of the standard 3DS2 decision engine make it possible for these tasks to take place in the background, so that users do not notice them. Transactions that do not warrant an exemption (and those you choose not to request exemptions for) are tagged for enhanced account verification.
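As an added illustration of the exemption-strategy trade-off and the real-time tagging described above (example code written for this page, not Accertify’s product or any real decision engine), the Python sketch below routes a constructed basket of transactions under a cautious and a frictionless risk appetite. The EUR 30 figure is the PSD2 RTS low-value limit; the TRA ceiling, fraud-score cutoff, and sample amounts are assumptions.

```python
from collections import Counter
from dataclasses import dataclass
from enum import Enum

LOW_VALUE_LIMIT_EUR = 30.0  # PSD2 RTS low-value remote-payment limit; the issuer tracks cumulative counters

class Route(Enum):
    OUT_OF_SCOPE = "out_of_scope"            # SCA does not apply (merchant-initiated)
    REQUEST_EXEMPTION = "request_exemption"  # flag an exemption in the 3DS2 request; the issuer decides
    CHALLENGE = "challenge"                  # route through 3DS2 for two-factor authentication

@dataclass
class Transaction:
    amount_eur: float
    merchant_initiated: bool = False  # e.g. a subscription renewal after an authenticated setup
    fraud_score: float = 0.0          # merchant-side risk score in [0, 1] (constructed, not a real model)

@dataclass
class RiskAppetite:
    use_low_value: bool = True
    use_tra: bool = True
    tra_threshold_eur: float = 100.0  # TRA ceiling agreed with the acquirer/PSP (assumed value)
    max_fraud_score_for_exemption: float = 0.3

def decide(tx, appetite):
    """Tag a transaction with the workflow the merchant wants to request; the issuer may still step up."""
    if tx.merchant_initiated:
        return Route.OUT_OF_SCOPE, "merchant_initiated"
    if tx.fraud_score > appetite.max_fraud_score_for_exemption:
        return Route.CHALLENGE, "fraud_score_above_appetite"
    if appetite.use_low_value and tx.amount_eur <= LOW_VALUE_LIMIT_EUR:
        return Route.REQUEST_EXEMPTION, "low_value"
    if appetite.use_tra and tx.amount_eur <= appetite.tra_threshold_eur:
        return Route.REQUEST_EXEMPTION, "transaction_risk_analysis"
    return Route.CHALLENGE, "no_exemption_requested"

def fraud_liability(route):
    """Who bears the chargeback if the payment later proves fraudulent."""
    # A completed challenge shifts liability to the issuer; a granted exemption or out-of-scope payment leaves it with the merchant.
    return "issuer" if route is Route.CHALLENGE else "merchant"

def route_batch(txs, appetite):
    """Count how many transactions each route receives under a given risk appetite."""
    return Counter(decide(tx, appetite)[0] for tx in txs)

# Constructed sample basket: two low-value, one mid-value, one risky, one subscription renewal.
SAMPLE = [Transaction(12.0), Transaction(29.99), Transaction(85.0),
          Transaction(60.0, fraud_score=0.9), Transaction(40.0, merchant_initiated=True)]
CAUTIOUS = RiskAppetite(use_low_value=False, use_tra=False)  # never request exemptions
FRICTIONLESS = RiskAppetite()                                 # request every available exemption
```

Comparing `route_batch(SAMPLE, CAUTIOUS)` with `route_batch(SAMPLE, FRICTIONLESS)` shows the same basket producing four challenges in one case and one in the other, which is the friction-versus-liability balance the exemption strategy has to settle.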

Partner with Accertify

Accertify’s SCA Optimisation is a real-time decision driver that enables Strong Customer Authentication and regulatory compliance. While it compares every transaction against possible criteria to uncover applicable exemptions, the solution offers best-in-class fraud screening and real-time reporting. Its fully configurable decision matrix incorporates machine learning so decision making improves continuously by adapting to transaction trends and new fraud schemes. Our optional, rigorous, scheme-agnostic 3DS2 authentication solution streamlines SCA.

With Accertify’s expertise and technology hard at work enabling regulatory compliance and maintaining your customers’ online shopping experience, you can be confident that your eCommerce site is positioned to thrive once PSD2 is enforced.

Contact Accertify today to request a demonstration of our PSD2 Strong Customer Authentication (SCA) solution SCA Optimisation.