The first Payment Services Directive (EU) 2007/64/EC (PSD1) was implemented in 2009, and introduced the ground rules for electronic payments like credit transfers, credit/debit card, and mobile payments. With PSD2 enforced beginning on December 31st, 2020, the European Commission has updated the existing regulatory framework by adding new security specifications meant to cover all aspects of online payments. The new rules are introducing new benefits:
The PSD2 requirements are based on three pillars:
Compliance with PSD2 is to be implemented in two stages: Pillar 1 (transparency) became effective on January 13, 2018, while Pillars 2 and 3 came into force on December 31st, 2020.
PSD2 requires Strong Customer Authentication (SCA), a process by which the issuing bank validates the identity of the payee and allows the transaction to go through.
The SCA comes with two forms of authentication which should be provided by the customer for the payment to be validated by the issuing banks.
When merchants are using the 2Checkout-hosted ordering engines, the customers and shoppers are automatically directed from website to 2Checkout once they're ready to pay.
Since 2Checkout hosts the payment process, ensuring that merchants are ready for the new SCA requirements falls within our responsibilities.
B2C subscription businesses should notify their customers about PSD2, and inform them of the new requirements to authenticate their transaction via 3DS2. B2B business should suggest that their customers check if the "whitelisting merchants" feature is supported by their banks, so that they can skip the authentication and have smoother transactions. Most of the banks in the EU should have had this feature ready by the end of 2020.If you are processing usage-based billing or variable amount recurring billing (which come under merchant-initiated transactions), and 3DS2 verification was done for the first transaction, then those subscriptions can be applied for exemption. However, the customer's bank will still have the final say if that subscription still requires SCA, which could add to friction; you can choose to accept payments via direct debit, for example, to help eliminate this friction.
SCA is the new requirement that comes along with the mandatory implementation of EMV 3DS/ 3D Secure 2.0 for online transactions and purchases, which reduces fraud and makes online payments more secure. SCA and 3DS 2.0 require the use of at least two of the following three elements:
SCA is required for all customer-initiated online transactions (CIT) within Europe, which means most payment methods (contactless payments included) and bank transfers are done with SCA. For online payments, SCA applies to transactions where both the business and the cardholder's banks are located within the European Economic Area (EEA).
The Revised Payment Services Directive allows payment providers like 2Checkout to request exemptions from SCA and skip authentication for low-risk payments. Payments that require SCA will need to go through the "challenge" flow, whereas transactions that can be exempted from SCA can be sent through the "frictionless" flow.
Direct debits and other alternative payment methods, initiated by the payee only and not the payer, are outside the scope of strong consumer authentication (SCA).
Payments go through the 3DS2 filter provided by 2Checkout via our ordering engines. In our back end, we automatically check to see if the issuing bank supports 3DS 2.0. If it does, the information about the payment is sent along with a request for exemption only when applicable. If the issuing bank labels the payment as exempt from SCA, the customer does not have to go through any extra authentication steps and the payment is authorized. If the issuing bank labels the payment as risky or it needs additional information to verify the customer, they will ask for the payment to go through the extra layer of security provided by 3DS 2.0.
Lastly, if the cardholder's issuing bank does not support the 3DS2 flow, the customers will be redirected via 3DS1, which acts as a fallback solution.
Overall, the new 3DS 2.0 technology aims to improve the user experience and data transfer, as well as providing more data with less friction. This gives us more information so that we challenge potential fraud. Only the riskiest transactions go through additional verification. The rest of the transactions are authenticated in the back end and receive validation.
3DS2 is putting the shopper experience at the forefront of authentication, while merchants benefit from full liability for transactions where fraud is detected.
The European Commission presented the following scenarios in which online payments can be exempt from SCA:
Sharing as much information about the customer with the issuer will make it more likely that they decide a frictionless flow (no authentication) is appropriate for that particular transaction.
Each country's National Competent Authority (NCA) has flexibility regarding when and how to enforce the SCA requirement on issuing banks.
Some countries like the UK postponed the SCA final implementation towards September 2021. Other countries will formally maintain the EBA deadline, but allowing progressive ramp-ups with soft decline, applicable to various minimum transaction amounts.
Finally, other countries such as Austria or Bulgaria will not apply fines for a few months.
2Checkout is closely monitoring communication issued by all of these authorities, making sure that all transactions are compliant.
The mass adoption of 3DS 2.0 falls under the responsibility of the card-issuing bank. While some banks are already supporting 3DS 2.0, others will take more time to implement the new technology depending on the country and region (local regulators can give time extensions for the PSD2 compliance, in order for banks to be well-prepared).
If a bank is not yet compliant with 3DS2, 2Checkout will request a 3DS1 authentication request in order to process the transaction. If the bank doesn't have support for 3DS1 or 3DS2 in place and is still processing online transactions, this means they are not compliant with PSD2, are fully liable, and risk significant fines.
For the time being, 3D Secure 1 will still be an available option for authentication online transactions.
In the future, this technology will become obsolete and banks will need to adopt 3DS 2.0 to be compliant with PSD2. In some cases, depending on the region or country, banks will need extra time to implement the new technology. During this time 3DS 1.0 will continue to be provided by banks. As a merchant working with 2Checkout you do not need to do anything to upgrade to 3D Secure 2.
3DS 1.0 has some disadvantages in comparison with 3DS 2.0:
2Checkout supports both versions and will dynamically adapt for each transaction based on what the customer's bank supports, so merchants don't have to worry or make any changes to ensure compliance and the best customer experience.
3D Secure 2.0:
Was introduced in Europe on December 31st, 2020, mandate for all issuing banks
If an issuing bank requests SCA on a transaction and the authentication is not validated, the bank will most likely decline the authorization.
No certification of PSD2 compliance is currently in place.