Europe. Users, retailers, service providers, and politicians are looking at the continent. Not just because of the EU elections last week, but also because of Europe’s role in promoting a smart, secure, and unified digital economy through measures in various key areas such as artificial intelligence, privacy, and security in e-commerce.
The GDPR had its first birthday on Saturday. And the deadline for the implementation of Payment Service Directive 2 (PSD2) will be on September 14, 2019. The directive requires strong customer authentication (SCA for short).
The aim of PSD2 is to create a secure, transparent payment system and to ensure fair competition within the EU, as well as to reduce entry barriers for payment service providers.
But so far, just under a quarter of German retailers have implemented the strategies they developed for it. 21 per cent haven’t planned any approach. Additionally, many online retailers don’t think they have enough information about it. Not a good thing when time is running out and further questions will arise. That’s why we’re trying to bring some light into the darkness.
Online retail payments: PSD2 and SCA provide more security and customer loyalty
Because of its upcoming deadline, PSD2 is again a hot topic, although it was adopted back in October 2015. The new directive will require banks in EU countries to provide third parties with access to their customer accounts through an API. Fintechs and third parties will benefit. At the same time, the strong authentication mentioned above is intended to further secure payment transactions across e-commerce. This is where SCA comes into play.
Strong customer authentication as the heart of PSD2
SCA is required to initiate electronic payments and to access applications that trigger electronic payments or provide access to account information. Both B2B and B2C payments are subject to SCA. An exception is when payments are made through a business process that doesn’t depend on a person’s authentication. In addition, an authority must confirm that the security processes comply with the directive.
When will SCA be used? It’s required in the form of at least two steps of authentication whenever a user wants to pay online. These factors correspond to three different ways to verify the identity of a payer in order to accept the payment: knowledge (password), inherence (any biometric method), and ownership (TAN code within an app).
For online shops, this identification depends on the payment provider.
- The most popular online payment method, PayPal, will no longer work with a pure TAN in the future. Converting to follow SCA will be mandatory. The provider itself is also responsible, not the retailer.
- Payments via speech recognition can be performed by at least one authentication method. Alexa and Google Home offer, in addition to a first security method, optional approval processes via fingerprint (Google Home) or a four-digit code (Amazon Echo).
- Mobile transfers often use a TAN from a high-security app.
- Apple Pay reviews online transactions with biometric recognition.
It’s noteworthy that »the retailer has no freedom of choice with regard to SCA,« since the query technically never takes place on the website of the retailer, but is only embedded there via an iframe, according to the bevh.
Paying with credit cards: 3D Secure 2.0 technology for simple and safe payments
And what does 3D Secure 2.0 have to do with it? The technology is used by credit card companies such as VISA and Mastercard to prevent credit card fraud and simplify purchasing processes for consumers and retailers. It isn’t legally binding yet, but sooner or later it could be. It’s important for retailers that the SCA procedure can be set up from September 14, 2019, to process credit card transactions in their own online shop.
PSD2 for online stores: Who’s responsible for implementing requirements?
Online stores offer, on average, 6.6 different payment methods. For a seamless payment process, merchants often submit and process payments to a payment service provider (PSP), which basically brings together all the methods and simplifies the entire process.
But the question arises whether retailers bear responsibility for implementing this directive. In principle, the answer is no. But watch out. According to the bevh, payment service providers typically need to deploy the SCA process. Retailers are only legally responsible if they make the payment. This can happen, for example, when an online shop implements an interface with the banks. In such cases, retailers must ensure that a bank complies with SCA standards during the process.
Online retailers still have some time to make all the necessary checks and adjustments. But not much. The main thing is to get started and to deal with it. Certainly, more questions will follow.