PSD2, SCA and 3DS2 Explained: Your Guide to Secure Online Payments

Mar 22, 2024

    As online payments have gained a foothold in the European payment market, payment regulations must keep pace to ensure transaction security. PSD2, SCA, and 3DS2 form a triad of regulations and technologies shaping the future of digital payments in Europe and beyond. Understanding these frameworks and their implications will help businesses and customers navigate the evolving landscape of online payments.

    In this article, we’ll break down the complexities of PSD2, SCA, and 3DS2, and shed light on their significance in shaping the future of secure online payments.

    What are PSD2, SCA, and 3DS2?

    Two organizations stand at the forefront of European financial regulations: the European Banking Authority (EBA) and the PCI Security Standards Council (SSC). They play a crucial role in shaping and implementing critical financial regulations that enhance the financial ecosystem’s security and integrity.

    The EBA, an autonomous entity within the EU, is responsible for overseeing PSD2, including the enforcement of SCA standards. The PCI Security Standards Council, primarily known for safeguarding payment card data through Payment Card Industry Data Security Standards (PCI DSS), also oversees the 3DS2 protocol.

    Now, let’s review each regulation in detail.

    What is PSD2 (Revised Payment Services Directive)?

    The second iteration of the Payment Services Directive (PSD2) is a comprehensive framework introduced by the European Union (EU) to regulate payment services and payment service providers across the EU and the European Economic Area (EEA). 

    PSD2 evolved from its predecessor, the first Payment Services Directive (PSD), which was initially established to create a single payment market within the European Union, making cross-border payments as easy, efficient, and secure as domestic payments.

    PSD2 builds upon the original directive’s foundation by introducing stringent security requirements for electronic payments. Additionally, it intends to encourage competition and innovation in the financial sector by opening the payment market to new entrants.

    What is SCA (Strong Customer Authentication)?

    Strong Customer Authentication (SCA) is a regulatory requirement introduced under the second Payment Services Directive to increase the security of electronic payments.

    At its core, PSD2 Strong Customer Authentication mandates multi-factor authentication for electronic payment transactions. It aims to significantly reduce the risk of fraud in online payments by ensuring that the person requesting the transaction is the rightful owner of the account. By implementing these measures, SCA enforces customer protection and bolsters the overall security of the digital payments ecosystem.

    What is 3DS2 (3-D Secure 2.0)?

    3D Secure 2 (3DS2) is the latest iteration of the 3D Secure authentication protocol, designed to secure card-not-present transactions online. It introduces a more sophisticated and user-friendly approach to authentication, leveraging advanced data exchange and risk-based assessment to minimize friction for the user during the payment process. 

    Difference between 3DS1 and 3DS2

    The primary difference between 3D Secure 1 (3DS1) and 3D Secure 2 (3DS2) lies in their approach to user experience and data exchange. 3DS1 often led to a clunky and disruptive payment authentication process, potentially redirecting users to another page for verification. Such an approach led to higher cart abandonment rates. 

    In contrast, 3DS2 facilitates a smoother, more integrated authentication experience by leveraging extensive data exchange for risk-based authentication. It allows for non-intrusive verification methods and offers greater mobile compatibility to meet today’s online shopping behaviors.

    How does 3DS2 make transactions more secure?

    Unlike its predecessor, 3DS2 integrates seamlessly into merchants’ checkout flows, offering a better user experience without compromising security. The protocol supports the use of biometrics, SMS codes, and other forms of authentication to meet PSD2 SCA requirements. By doing so, 3DS2 aims to reduce fraud, increase transaction approvals, and ultimately improve the online shopping experience for consumers.

    SCA, PSD2 and 3DS2 Regulations

    Now, let’s delve deeper into the specific requirements encompassed by 3DS, as well as PSD2 SCA regulation.


    PSD2 introduces several key regulations. One of them is the mandate for banks and financial institutions to grant access to their customers’ account data to Third-Party Providers (TPPs) upon customers’ consent. TPPs are able to do this through the use of Application Programming Interfaces (APIs), which enable them to build financial services on top of the bank’s infrastructure. Another critical aspect of PSD2 is the enforcement of SCA.


    Strong Customer Authentication regulations mandate a rigorous authentication process for electronic transactions within the European Economic Area. Specifically, SCA requires at least two forms of authentication from three categories:

    • Knowledge (something only the user knows, like a password or PIN);
    • Possession (something only the user possesses, such as a mobile device or hardware token);
    • Inherence (something the user is, including biometric features like fingerprints or facial recognition). 


    3D Secure 2 is designed to ensure PSD2 SCA compliance, providing a seamless and secure online payment experience. It requires merchants to send additional information with each transaction so that the bank can verify that the cardholder is the one making the purchase. If the data matches the bank’s requirements, the transaction will proceed smoothly without interruption. 

    What Are the Risks of SCA/PSD2 Non-Compliance?

    Non-compliance with SCA and PSD2 regulations can result in severe consequences for financial institutions, payment service providers, and merchants. Here are some of the major risks associated with non-compliance:

    1. Financial penalties

    Regulatory bodies within the EU can impose significant fines on entities that fail to ensure PSD2 SCA compliance. Fines can be a substantial financial burden for companies and negatively impact their financial health.

    2. Increased fraud liability

    Non-compliance can place the liability for fraudulent transactions onto the entity that failed to implement the required SCA measures. In turn, it can lead to financial losses and compensation claims for the organization.

    3. Loss of consumer trust

    Companies that do not adhere to regulatory standards are likely to be perceived as less secure, causing customers to turn to competitors.

    4. Operational disruptions

    Delayed or insufficient PSD2 SCA compliance can cause operational disruptions, including payment processing issues, resulting in lost sales and revenue.

    5. Restricted market access

    Entities that do not comply with PSD2 cannot operate or expand their services within the EU and EEA, limiting their growth opportunities.

    Exceptions for SCA and PSD2

    PSD2 and Strong Customer Authentication requirements include several exceptions designed to balance security with usability. They aim to reduce friction in low-risk or routine transactions, making checkout smoother for consumers while maintaining high security standards. Some notable exceptions include:

    Low-value transactions

    Payments below a certain threshold (typically €30) may be exempt from SCA. However, if several low-value transactions made by one payer total more than €100, or if five consecutive low-value transactions occur, SCA will still be required.

    Trusted beneficiaries

    Consumers can whitelist trusted merchants, identifying them as beneficiaries for whom they don’t need to undergo SCA for each transaction. 

    Recurring transactions

    For regular payments of the same amount to the same merchant (e.g. subscriptions), SCA is required only for the first transaction. Subsequent transactions are considered low-risk and exempt from SCA as long as the amount and the recipient remain constant.

    Low-risk transactions

    Transactions that are deemed low-risk based on real-time risk analysis may be exempt from SCA. This assessment is conducted by the payment service provider using transaction risk analysis (TRA) tools to evaluate factors like the amount, frequency, and user’s behavioral patterns.
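
    The exemption rules above and the two-factor rule from the SCA section, sketched as decision logic a payment service provider might run. This is an added example, not Akurateco's code or part of the original article; the `Payer` record, function names, check order, and the reading that the two factors must come from different categories and that counters reset after a successful SCA are assumptions.

```python
from dataclasses import dataclass, field
from decimal import Decimal

LOW_VALUE = Decimal("30")     # per-payment threshold from the article
CUMULATIVE = Decimal("100")   # cap on the exempted low-value total
MAX_RUN = 5                   # exempted low-value payments in a row
CATEGORIES = {"knowledge", "possession", "inherence"}

@dataclass
class Payer:                  # hypothetical per-payer state held by the PSP
    run_total: Decimal = Decimal("0")   # low-value amount exempted since last SCA
    run_count: int = 0                  # low-value payments exempted since last SCA
    trusted: set = field(default_factory=set)      # whitelisted merchant ids
    mandates: dict = field(default_factory=dict)   # merchant id -> fixed amount

def sca_satisfied(factors):
    """factors: (category, name) pairs. Assumption: two *different*
    categories are needed, so password + PIN does not count."""
    return len({cat for cat, _ in factors if cat in CATEGORIES}) >= 2

def decide(payer, merchant, amount, tra_low_risk=False):
    """Return the exemption that applies, or 'sca_required'."""
    amount = Decimal(amount)
    if merchant in payer.trusted:
        return "trusted_beneficiary"
    if payer.mandates.get(merchant) == amount:   # same merchant, same amount
        return "recurring"
    if (amount < LOW_VALUE and payer.run_count < MAX_RUN
            and payer.run_total + amount <= CUMULATIVE):
        payer.run_count += 1
        payer.run_total += amount
        return "low_value"
    if tra_low_risk:          # verdict of the PSP's risk engine, passed in
        return "low_risk_tra"
    return "sca_required"

def complete_sca(payer, factors, merchant=None, amount=None, recurring=False):
    """Record a challenge result; success resets the low-value counters."""
    if not sca_satisfied(factors):
        return False
    payer.run_total, payer.run_count = Decimal("0"), 0
    if recurring:             # first payment of a series sets the mandate
        payer.mandates[merchant] = Decimal(amount)
    return True
```

    With these limits, a payer making €29 payments hits the €100 cumulative cap on the fourth payment, before the five-payment limit applies, so both counters need to be tracked.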

    The Intersection of PSD2, SCA and 3DS2

    The combination of PSD2, SCA, and 3DS2 marks a pivotal shift towards a more secure and user-centric digital payment environment. Basically, PSD2 acts as the legislative backbone, promoting open banking and mandating the adoption of SCA to ensure electronic payments are executed with robust security measures. 

    In turn, SCA, as a core component of PSD2, introduces a critical layer of security by requiring multi-factor authentication for online transactions. However, the potential complexity of implementing SCA could lead to increased transaction friction, potentially deterring consumers from online purchases. 

    Here, 3DS2 comes to the rescue, emerging as the technological solution that harmonizes the requirements of PSD2 and SCA with the need for a frictionless payment experience. It addresses the challenges posed by its predecessor (3DS1) by facilitating a smoother transaction process, capable of transmitting extensive data to assess transaction risk in real time.

    What Are the Benefits of Implementing SCA?

    Strong Customer Authentication offers several significant benefits, central to enhancing security and trust in the digital payment landscape. Among them are:

    1. Reduced fraud rate

    By requiring multi-factor authentication, SCA makes it much harder for fraudsters to steal and use payment accounts.

    2. Increased customer trust

    Knowing that transactions are protected by robust security measures, clients are more likely to make purchases on a merchant’s website or application.

    3. Regulatory compliance

    By adhering to SCA requirements, a company is able to comply with PSD2 regulations in the European Union.

    4. Commitment to innovation

    SCA implementation drives authentication technology innovation, leading to the development of secure, efficient, and user-friendly verification methods.

    How are SCA, PSD2, and 3DS2 changing?

    While PSD2, SCA, and 3DS2 have established a solid regulatory foundation, they continue to evolve in response to technological advances, emerging threats, and changing consumer behaviors.

    Strong Customer Authentication requirements are evolving to incorporate newer, more secure authentication methods, such as biometrics and behavioral analytics. 

    PSD2 may see updates or revisions to address the challenges and opportunities presented by technology advancement in financial services. There may be clarifications on the regulatory framework for new financial services, enhanced consumer protection measures, and adjustments to the open banking ecosystem to encourage greater innovation and competition.

    3D Secure 2 is also being enhanced to improve its risk-based authentication model. By doing so, the 3DS2 protocol aims to become more adept at identifying genuine transactions and reducing false declines. Enhancements are also focused on greater integration with mobile payment systems, acknowledging the shift towards mobile-first consumer behaviors.

    Akurateco’s solutions for PSD2, SCA, and 3DS2 compliance

    Adhering to PSD2, SCA, and 3DS2 regulations can be a major undertaking for businesses. Yet, there’s a streamlined approach to achieving secure payment processing without navigating these complexities directly. Entrepreneurs can partner with payment vendors that offer ready-made compliant payment systems.

    One of them is Akurateco, a renowned PCI DSS Level 1 certified Fintech software provider. The company offers a comprehensive solution fully compliant with PSD2, SCA, and 3DS2. Akurateco distributes its software on a white-label basis, allowing businesses to eliminate the burden of regulatory compliance while branding the software according to their brand identity.

    By integrating Akurateco, companies can seamlessly adapt to the compliance landscape, ensuring their payment processes are secure, compliant, and tailored to the unique dynamics of their brand without the hassle of navigating the complex requirements on their own.

    They will also benefit from over 350 integrated banks and payment methods, as well as top-notch technologies such as intelligent routing, cascading, tokenization, smart invoicing, and others already embedded into the system.

    Would you like to explore the cutting-edge Akurateco white-label payment platform yourself?
    Take the first step towards secure and compliant payments by booking a Free Demo of our system. 