Strong Customer Authentication is here! – or, is it?
On 1 April 2019, the second payment services directive (Directive (EU) 2015/2366) (PSD2) was implemented into Norwegian law. (In June 2019, PSD2 was incorporated into the EEA Agreement, ensuring that the EU passporting regime became applicable to EEA countries as regards payment services under PSD2.)
The RTS (the Regulatory Technical Standards on strong customer authentication and secure communication, Commission Delegated Regulation (EU) 2018/389) became applicable in Norway on 14 September by way of a reference to the RTS in the Norwegian legislation implementing PSD2. However, in the context of card-based payments for e-commerce transactions, the Norwegian FSA has permitted payment service providers to apply for an extension of the 14 September deadline. Apparently, more than 50% of the Norwegian banks have applied for an extension. (In the UK, the Financial Conduct Authority has, by way of a no-action letter, delayed its enforcement of SCA in relation to e-commerce card transactions and online banking by 18 months. Austria, Belgium, Croatia, Cyprus, the Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Lithuania, Luxembourg, Malta, the Netherlands, Poland, Portugal, Slovakia, Slovenia, Spain and Sweden have all announced that they are in favour of a transition period beyond the 14 September deadline.)
In Norway, strong customer authentication has been mandatory since 2016, e.g. at the point of sale in store for card payments (chip card + PIN code), and thus the RTS becoming applicable should not entail a major shift in how authentication is applied in the Norwegian market. The online (e-commerce) market, however, could experience some friction in connection with the introduction of SCA.
What is SCA?
PSD2 requires that payment service providers (including banks) apply SCA when the user accesses his/her payment account online, initiates an electronic payment transaction, or carries out any action through a remote channel which may imply a risk of payment fraud or other abuses.
SCA requires that the payer supply two of three independent factors of authentication when initiating a payment transaction (independent meaning that the breach of one factor does not compromise the reliability of the others). The factors are:
- Knowledge: Something only the payer knows (e.g. a password or a pin code).
- Possession: Something only the payer has and of which only one copy exists, so that it can be uniquely traced back to the payer (e.g. a mobile device or a hardware token).
- Inherence: Something the payer is (e.g. biometric markers like a fingerprint or facial recognition).
Banks, as the issuers of payment cards and guardians of the payment accounts, hold the ultimate control over SCA. They have the final say in the approval of a transaction: they determine whether enough authentication has been applied to permit a debit to a payment account. Thus, banks want to know whether the person requesting access to an account, or trying to make a payment, is the person permitted to make a payment, and to validate the specific payment instructions.
Who is legally responsible for ensuring compliance with the SCA obligations?
Article 97 of PSD2 and the RTS require that the “payment service providers” apply strong customer authentication.
Thus, compliance with the SCA rules is something that the industry, i.e. the banks (as both issuers and acquirers), the payment gateways, the card schemes and other payment service providers, has to facilitate. They are jointly responsible for ensuring that the value chain is ready for all the changes that PSD2 brings with it.
Neither PSD2 nor the RTS levy any legal obligations on the merchant in relation to SCA. However, merchants should consult with their acquirer and payment service provider to ensure that any changes required in their set-up are implemented ahead of the RTS becoming applicable, in order to avoid having transactions declined.
What a merchant needs to do depends on its set-up. Some merchants have customised set-ups that may require changes, while others have off-the-shelf set-ups that require no change.
Transactions in scope or out of scope for SCA?
Electronic payment transactions initiated by the payer are in scope for SCA. It does not matter what payment method is used. SCA applies to card payments, account-to-account transfers (bank transfers) and payments from mobile wallets. It does not matter whether the payer shops in-store or online. Typical transactions that are in scope for SCA are:
- One-off card payment online at a webstore (Amazon)
- Card-on-file payment online at a webstore (Amazon)
- POS in supermarket (Kiwi, Coop)
However, not every electronic payment transaction is in scope for SCA. Referring to Article 97 (1) of PSD2, the European Banking Authority (EBA) states the following in a Single Rulebook Q&A (2018_4031) dated 1 March 2019:
“Payment transactions that are not initiated by the payer but by the payee only are therefore not subject to strong customer authentication (SCA) to the extent that these transactions are initiated without any interaction or involvement of the payer.” (our emphasis)
Thus, payments initiated by the payee only (so-called Merchant Initiated Transactions, or MITs) are not in scope for SCA, provided that they are governed by a valid mandate given by the cardholder to the merchant, and that SCA was applied, where required, when that mandate was first given.
There are different types of MITs:
- recurring payments,
- unscheduled card on file,
- incremental payments,
- delayed charge, and
A mobile phone subscription billed monthly (a different amount every time), a television streaming subscription and utility bill payments are all MITs. SCA has to be applied in connection with the initial transaction (the setting up of the mandate), but subsequent transactions can be submitted as MITs.
Mail order and telephone order (MOTO) transactions are also out of scope for SCA.
Merchants must ensure that all transactions that are in scope for SCA are sent for authentication. It is the issuer of the payment card (the payer's bank) that decides whether to apply an exemption (see below). The issuer expects to receive an authentication request for each transaction in scope, and it decides whether to require an action from the payer. Most issuers will probably not apply exemptions from day one, but will enable them over time.
Exemptions for transactions in scope for SCA
Among the transactions that are in scope for SCA, Chapter III of the RTS exempts the following from the requirement to apply SCA:
- Contactless payments at point of sale (Article 11): Contactless transactions that do not exceed EUR 50 can be approved without SCA. SCA will apply once EUR 150 has been spent contactlessly since SCA was last applied, or every five consecutive transactions.
- Unattended terminals (Article 12): E.g. car parking.
- Trusted Merchants (Article 13): Payers can identify to issuers particular merchants that they trust, and payment transactions will then not require SCA when they shop there (whitelisting).
- Recurring transactions (Article 14): A series of recurring transactions with the same merchant. (In certain situations, card schemes, issuers and acquirers could take different views on whether to rely on the MIT-out-of-scope-exclusion or this exemption.)
- Low value payments (Article 16): Remote (online) transactions that do not exceed EUR 30 can be approved without SCA. SCA will apply once EUR 100 has been spent remotely since SCA was last applied, or every five consecutive transactions.
- Secure corporate payment processes and protocols (Article 17): Only available to payers who are not consumers.
- Low risk transactions (Article 18): Transactions identified as low risk by the payment service provider's transaction risk analysis can be approved without SCA, provided the provider's fraud rate stays below the reference rate for the relevant amount band. Article 18 of the RTS lists the characteristics that must be assessed (e.g. abnormal spending patterns, known fraud scenarios, signs of malware infection, and unusual device or location).
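The two threshold-based exemptions (Articles 11 and 16) are the ones an issuer has to track statefully, because the cumulative value and the consecutive-transaction count are measured "since the last application of SCA" and each channel has its own counters. The following is an added illustration, not code from this article or from any issuer; it assumes a hypothetical issuer-side decision routine, the thresholds as summarised above, and the stricter reading that the current transaction counts towards the cumulative cap.

```python
from dataclasses import dataclass, field

# Thresholds as summarised above (amounts in EUR). Article 11 covers contactless
# payments at the point of sale, Article 16 remote (online) low-value payments.
# The RTS keeps separate counters per channel, so they are tracked separately.
LIMITS = {
    "contactless": {"single": 50.0, "cumulative": 150.0, "count": 5},
    "remote": {"single": 30.0, "cumulative": 100.0, "count": 5},
}


@dataclass
class Counters:
    """Issuer-side state for one card and one channel: value and number of
    exempted transactions since SCA was last applied on that channel."""
    cumulative: float = 0.0
    count: int = 0


@dataclass
class Card:
    counters: dict = field(
        default_factory=lambda: {name: Counters() for name in LIMITS}
    )


def low_value_exemption_applies(channel: str, amount: float, state: Counters) -> bool:
    """Return True if the transaction may be approved without SCA.

    Assumption (hypothetical, stricter reading of the RTS): the current
    transaction is counted towards the cumulative cap, and the count limit
    means at most five consecutive transactions are exempted in a row.
    """
    limit = LIMITS[channel]
    if amount <= 0 or amount > limit["single"]:
        return False
    if state.cumulative + amount > limit["cumulative"]:
        return False
    if state.count >= limit["count"]:
        return False
    return True


def authorise(card: Card, channel: str, amount: float) -> str:
    """Decide for one transaction and update the card's counters.

    Returns "exempt" when the exemption is applied (counters grow) or "sca"
    when the issuer must challenge the payer; the thresholds are measured
    "since the last application of SCA", so a challenge resets that channel.
    """
    state = card.counters[channel]
    if low_value_exemption_applies(channel, amount, state):
        state.cumulative += amount
        state.count += 1
        return "exempt"
    # A challenge is issued; after successful SCA the channel's counters restart.
    state.cumulative = 0.0
    state.count = 0
    return "sca"


def run(card: Card, transactions: list) -> list:
    """Apply authorise() to a sequence of (channel, amount) pairs."""
    return [authorise(card, channel, amount) for channel, amount in transactions]


if __name__ == "__main__":
    # Constructed sample: four online purchases of EUR 25 are exempted, a fifth
    # of EUR 5 would push the cumulative value past EUR 100 and therefore
    # triggers SCA, after which the counters start again.
    card = Card()
    print(run(card, [("remote", 25), ("remote", 25), ("remote", 25),
                     ("remote", 25), ("remote", 5), ("remote", 20)]))
```

Two things the sample makes visible that the bullet points only state: a transaction below the single-transaction cap can still require SCA because of the cumulative or count limit, and an SCA challenge on the remote channel leaves the contactless counters untouched.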
Generally, the issuer of a payment card (the payer's bank) bears liability where there has been an unauthorised or fraudulent payment transaction. However, where the acquirer (the merchant's bank) is the party that applies an exemption, liability for an unauthorised transaction shifts to the acquirer.
Online payments – the standard authentication protocol
3-D Secure is the authentication protocol for online card payments and is generally considered to be the standard online card authentication method. It has been adopted by all the major card schemes, including Visa, Mastercard and American Express.
If a merchant used 3-D Secure for online payments prior to 14 September, not much will change with SCA becoming applicable, since a 3-D Secure challenge that combines two independent factors (e.g. BankID, or a one-time code sent to the cardholder's phone together with a password) satisfies SCA.
Prior to 14 September, 3-D Secure was optional. Not all merchants used it, and issuers accepted unauthenticated transactions. Issuers determined whether an action was required from the consumer in connection with a payment transaction (often, the decision of whether to ask for an authentication step-up was based on consumer behaviour). Other merchants would ask for a step-up, i.e. require BankID or a text-message code, in connection with a payment transaction. This changed after 14 September. As a case in point, the Norwegian payment app Vipps (licensed as a payment service provider) started applying SCA on 14 September, and any payment initiated using this app now complies with the SCA requirements of PSD2 and the RTS.
A new version of 3-D Secure, 3-D Secure 2.0, is available (the card schemes apparently require all merchants to have it implemented by the end of 2019). The new version includes several improvements over the first version of 3-D Secure. Among them is support for app payments (authentication within the app itself, i.e. no redirect to a separate browser window). Furthermore, 3-D Secure 2.0 enables more data to be transferred to the issuer with the authentication request, allowing a better and more robust risk-based assessment by the issuers of payment cards (which makes it more likely that the low-risk exemption from SCA will be applied).
Most likely, there will be a gradual rollout of SCA across Europe during the next few months. Irrespective of this, merchants should already be prepared for SCA, since some card issuers may elect to apply SCA despite not yet being obliged to do so. This could cause friction (declined payments) in cross-border transactions.
It is also important for merchants to understand how SCA will impact their business, e.g. what payment transactions are in scope for SCA and what transactions are not.