Strong Customer Authentication
Payment Services Directive 2 - all you need to know
PSD2 aims to reduce fraud and improve consumer choice:
1. Strong Customer Authentication (SCA) is mandated under PSD2 from 31 December 2020 and will be required for all European e-commerce transactions
2. The challenge is to reduce and manage fraud without negatively impacting the customer experience
3. The emergence of Third Party Providers (TPPs) is expected to drive payments innovation and competition
The European Union’s Second Payment Services Directive (PSD2) is driving change and innovation in the payments industry. The directive contains two key elements of particular importance for e-commerce merchants – Strong Customer Authentication (SCA) and the emergence of two types of new regulated payment providers designed to promote increased competition and innovation in banking and finance.
Strong Customer Authentication: what it is and how it works
- The core principle of Strong Customer Authentication (SCA) is to reduce payment fraud with minimal impact on the customer experience, i.e. without introducing too much friction into the payment process.
- The key enabler is two-factor authentication. Consumers will need to provide two pieces of information to prove they are who they say they are, chosen from the following: something they own (e.g. a mobile phone), something they know (e.g. a PIN code) or something they are (e.g. a fingerprint).
- The standard industry protocol is 3D Secure (3DS). The latest version of the protocol (3D Secure 2.1) allows for new authentication processes such as fingerprints or facial recognition. 3DS 2.1 also facilitates a much more user-friendly payment process on mobile devices and complements digital wallets such as Apple Pay or Google Pay. It also allows the acquirer to send richer transaction data to the issuer, which can lead to higher authentication rates.
- Some transactions will be exempt from authentication, for example low-value transactions, recurring transactions and transactions where a user has ‘whitelisted’ the merchant by indicating they shop there often and don’t wish to be authenticated. Merchants will be able to claim some of these exemptions through the next iteration of 3D Secure, version 2.2, due in early 2020.
In October 2019, the European Banking Authority (EBA) released an opinion stating that the revised deadline for migration to SCA has been set at 31 December 2020. The focus of the EBA opinion is on ensuring a harmonised, phased approach to implementation, with a clear timeline of actions required by payment service providers (PSPs) to ensure full compliance throughout the payments ecosystem well in advance of the deadline.
How the emergence of Third-Party Providers (TPPs) will drive payments competition and innovation
Currently the main way for customers to access their bank accounts is through the products and channels provided by their banks. Under PSD2 two new regulated entities will emerge:
- Payment Initiation Service Providers (PISP) – This allows third party companies to initiate payment on behalf of a consumer without them having to visit their online bank’s portal. PISPs offer consumers flexibility when it comes to payment.
- Account Information Service Providers (AISP) – This will allow third party companies to access a consumer’s bank, as well as display information relating to their account. For example, this could allow a consumer to aggregate information from multiple accounts in a single application giving them an overview of their financial situation.
In order to facilitate these new providers, banks will have to provide their APIs (Application Programming Interfaces) to those that request it. This is quite a radical change that could provide a boost for Fintech innovation, fitting in with the European Union’s desire to promote increased competition and innovation.
The support for TPPs is expected to give consumers greater control and convenience as they are expected to be able to centralise their account information and payment options on a single device.
What does the development of TPPs mean for e-commerce merchants?
The growth of TPPs is anticipated to benefit the e-commerce market because it will give customers more flexible banking and payment options. There are also opportunities for merchants; for example, they could potentially utilise an AISP to get more information about a potential consumer, such as their account balance and payment flows and use it to make risk assessments.
Or they could use the information to identify and target their most high-value customers. Of course, merchants will have to radically rethink the way they obtain their customers’ consent to store personal data and ensure their processes and procedures comply with the General Data Protection Regulation.
Four takeaways: the anticipated benefits of PSD2 for merchants
1. Reduced fraud rates in the industry and increased trust with consumers.
2. Innovation around two-factor authentication to make the process smoother.
3. More online banking and payment options for e-commerce consumers.
4. Merchants can leverage new payment aggregators to increase their strategic information on consumers.
J.P. Morgan is SCA-ready
3DS 2.1 is available today via J.P. Morgan to authenticate your transactions, with version 2.2 anticipated for 2020. Our solution helps you to retain full ownership of the consumer experience while benefiting from the flexibility to adapt to local market conditions.
We will continue to work closely with our European merchants to ensure they migrate to authentication approaches that are compliant with SCA.
As part of our enhanced advisory offering we monitor authorisation and fraud rates for all our merchants, and proactively advise them of any potential issues as well as help them put solutions in place.
Contact your J.P. Morgan representative or call our merchant support team on:
Europe: +353 1 726 2909
UK: +44 845 399 1130
1 PSD2, General obligations for access interface, EU Regulation 2018/389, Article 30 (1)