On 14 September 2019, new requirements for authenticating online payments will be introduced in Europe as part of the second Payment Services Directive (PSD2). PSD2 mandates that all electronic transactions in the European Economic Area will require Strong Customer Authentication (SCA).
The SFA is increasingly concerned that a significant proportion of members especially retailers and hotels may not be able to support this deadline, due to a lack of awareness and the technical challenges involved. The consequences of having a significant number of transactions cancelled on 14 September could lead to significant disruption for small businesses and consumers, resulting in reduced consumer choice and less competition.
The SFA urges all members to contact their payment service providers immediately if they have not already done so, to ensure that all the necessary technical changes will be in place by 14 September 2019.
What is Strong Customer Authentication?
SCA is a new European regulatory requirement to reduce fraud and make online payments more secure. To accept payments once SCA goes into effect, you will need to build additional authentication into your checkout flow:
- SOMETHING THE CUSTOMER KNOWS(e.g., password or PIN)
- SOMETHING THE CUSTOMER HAS(e.g., phone or hardware token)
- SOMETHING THE CUSTOMER IS (e.g., fingerprint or face recognition)
SCA requires authentication to use at least two of the following three elements. From 14 September 2019, banks will decline payments that require SCA and don’t meet these criteria.
When is Strong Customer Authentication required?
SCA will apply to “customer-initiated” online payments within Europe. As a result, most card payments and all bank transfers will require SCA. Exemptions have been adopted by the European Commission, taking account of the risk involved, the value of transactions and the channels used for the payment. Such exemptions include low value payments at the point of sale (to facilitate the use of mobile and contactless payments) and also for remote (online) transactions. The exemptions from strong customer authentication seek to avoid disrupting the ways consumers, merchants and payment service providers operate today. They are also based on the fact that there are alternative authentication mechanisms that are equally safe and secure.
We would expect SCA regulation to be enforced in the UK, regardless of the outcome of Brexit.
PSD2 will provide the following opportunities:
- Reduced fraud rates in the industry and increased trust with consumers.
- Innovation around two-factor authentication to make the process smoother.
- A boost in eCommerce as consumers have more online banking and payment options.
- Merchants can leverage new payment aggregators to increase their strategic information on consumers.
SFA will continue to work closely with members to support:
- Industry wide communications; and
- Central Bank of Ireland and Department of Business, Enterprise and Innovation engagement.
For additional information or questions please contact firstname.lastname@example.org.