Comply with PSD2
In 2013, the European Commission published a proposal for the revised version of the first Payment Services Directive, to simplify payment processing and create the rules and regulations for payment services in the European Union (EU). It began the need for a second Payment Services Directive known as PSD2 and a new version of 3-D Secure, version 2.1 (3DSv2.1). PSD2 came into force in January 2018. It aims to ensure consumer protection across all payment types, promoting an even more open, competitive payments landscape. As a payment service provider, we pride on being confirmed PSD2-compliant since 29 May 2018.
The deadline for PSD2 implementation was 31st of December 2020 for all the European Union countries members. The only exception goes for the United Kingdom (UK) who decided to apply the SCA as from March 2022. Learn more by visiting our news section.
In the guide, we will walkthrough on how to take full advantage of this new norm and how you can ensure compliance.
2. What is Strong Customer Authentication?
Part of this new regulation is the implementation of Strong Customer Authentication (SCA) that applies to European electronics transactions. It means your customers need to authenticate themselves with at least TWO out of the following three methods:
- Something they know (like a PIN, or password)
- Something they possess (like a card reader or mobile)
- Something they are (like a voice recognition or fingerprint)
The biggest change and advantage for you as a merchant is that you will not be responsible in case of a fraudulent transaction. The decision of the authentication request will be in the hands of the customer's bank (issuer).
The graph explains the types of electronic transactions affected by PSD2.
3. Indicate preferred SCA scenario
When your customer (the cardholder) starts a transaction on your webshop, either one of these two scenario flows can happen:
- Challenge flow: The cardholder will need to provide additional data to authenticate themselves.
- Frictionless flow: The cardholders do not need to authenticate themselves because the authentication took place in the background without their input. In this case, the issuer is confident with the information you provided with the transaction and the liability shifts to the issuer.
As the decision is now in the hands of the issuer, they will ask you for more data. Issuers are hungry for data points to improve the accuracy of their decision which can ultimately lead to a frictionless scenario even though you are the one on the front line capturing the data.
Note: Before you can send any parameters, make sure that you have 3DS active on all your credit card payment methods. If this is not the case, please get in touch with us and request activation.
4. SCA exclusions
Some transactions are considered out-of-scope and are excluded from PSD2. Thus, no SCA is required.
- Transactions through mail orders or telephone orders (MOTO)
- Transactions that happen when your acquirer or the cardholder's bank is located outside of the EEA zone
- Anonymous prepaid cards up to €150 (Article 63 of PSD2)
- Recurring transactions, subscriptions or delayed/split shipments that meet Merchant-Initiated transactions (MIT) conditions. If they do not meet these conditions, you will need to send additional parameters to our platform. However, when you are setting up a first recurring transaction with your customer, strong customer authentication is mandatory and this also needs to be highlighted with a specific parameter Mpi.threeDSRequestorChallengeIndicator=04
5. SCA exemptions
To reduce friction at checkout, there are some transactions exempted from SCA. You will have to request an exemption, and the issuer will decide if the exemption is granted or not. You can request exemptions by sending additional parameters to our platform.
Transactions that can be exempted are:
- White-listed merchants: Customers can request an exemption to their issuer to white-list a merchant. These merchants are considered as "trusted beneficiaries". This exemption is applied by the issuers. Deze vrijstelling wordt toegepast door de uitgevers.
- Corporate transactions: These are transactions made between two corporations. This exemption is applied by the issuers. Deze vrijstelling wordt toegepast door de uitgevers.
- Acquirer TRA (Transaction Risk Analysis): You can request an exemption for transactions that you consider to be of low risk. Since it is the acquirer's liability, they look at the overall portfolio of the transaction (transaction value, fraud rate) and decide if an exemption should be made or not. Contact your acquirer for details.
- Issuer TRA: The issuer can request an exemption if you or the acquirer did not make an exemption. The issuer will look at the overall portfolio of the transaction (transaction value, fraud rate) and decide if an exemption should be made or not.
- Low amount transactions: An exemption can be applied for purchases valued below €30. However, SCA will happen if a customer makes five transactions in a row or reaches a value of more than €100.
- Delegated authentication (certified wallet): An issuer can give authority to a third-party such as a certified wallet provider or a merchant to perform SCA on their behalf.
There are two ways how to request an exemption, either within an authentication, asking for a frictionless flow or directly within authorisation, with fallback to retry the transaction again with authentication should the issuer refuse your exemption request.
- If you are using our DirectLink integration solution, read our chapter on this topic.
- If you are using our Hosted Payment Page integration solution, read our chapter on this topic.
6. Skip SCA with Soft Decline
As described in the previous chapter, you may request to skip SCA altogether for some of your transactions. However, there is always a chance that your customer’s bank insists on 3-D Secure, resulting in a declined transaction.
Our Soft Decline mechanism is a great way to recover these declined transactions. It allows you to resend the transaction once more to our platform after a first rejection due to missing 3-D Secure. Sending the authentication data in the second request will raise the chance that your transaction is accepted after all. It is available for Visa, American Express, MasterCard and Carte Bancaire.
For more information on Soft Decline, read our DirectLink guide on this topic.