
Implementing SCA for PSD2 Compliance

As of September 14, 2019, acquirers operating in the European Economic Area (EEA) are progressively mandated as payment service providers (PSPs) to comply with EU Directive 2015/2366 (known as PSD2). This will help them guarantee more integrated, easier and more secure payments among the countries of the European Union. The main concept conveyed in this legislative act is the application of ‘strong customer authentication’ (SCA) to all electronic payments involving PSPs in Europe (that is, where either the acquirer or issuer is based in Europe), with some limited exemptions for low-risk transactions to help facilitate a frictionless customer experience.

The requirements derived from PSD2 for implementation into the regulatory frameworks of the current financial markets have a large impact on the major payment schemes present in Europe, which are some of the main players in the payment industry, as well as on the acquirers and issuers themselves.

These payment schemes have adopted different solutions for complying with the regulation and embedding SCA processes into existing payment processes. These updates also created opportunities for the schemes to introduce new solutions into the market aimed at preserving the customer experience in addition to increasing their security. Some of the situations in which SCA must be applied are when the payer accesses their account online, initiates an electronic payment transaction, or carries out any other financial action through a remote channel that may imply a risk of fraud or other abuses.

Because of the impact on any electronic payment transaction, as noted above, PSD2 affects contactless payments. These payments have the advantage of being convenient for the customer but are potentially more vulnerable to fraud or illicit payments if a card is lost or stolen. Indeed, since the introduction of EMV has reduced card cloning attacks, lost and stolen fraud is rapidly increasing across many areas of the world. However, when trying to manage this increase in fraud it is important to maintain the balance between security and a good customer experience. Aspects of this balance when dealing with PSD2 are defined within the exemptions noted in Art. 11 of the Regulatory Technical Standards (RTS) issued after the PSD2 Directive. Individual contactless payments below a specific amount will not require the application of SCA unless the sum of previous transactions (without SCA) is above a secondary threshold.

A simple implementation of this would be to use counters on the EMV card itself, but because PSD2 also allows for exemptions for certain merchant and transaction types, such an implementation is not ideal.  This SCA cumulative limit therefore introduces the potential for changes on the issuers’ systems, if an ideal implementation is to be achieved, with impact on the device settings as well as on the issuer host settings.
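The sketch below is an added example, not code from UL or any payment scheme. It replays one constructed sequence of contactless payments through a cumulative counter twice: once as an issuer host that can recognise payments covered by another exemption, and once as a card-only counter that cannot. The limit values, the `Accumulator` class, the reset-on-SCA behaviour and the treatment of other exemptions are all assumptions made for illustration.

```python
from dataclasses import dataclass
from decimal import Decimal

# Constructed limits for illustration; the page does not state the amounts.
PER_TXN_LIMIT = Decimal("50")
CUMULATIVE_LIMIT = Decimal("150")

@dataclass
class Accumulator:
    """Running sum of contactless payments approved without SCA."""
    honours_exemptions: bool          # True: issuer host, False: card-only counter
    non_sca_total: Decimal = Decimal("0")

    def decide(self, amount: Decimal, other_exemption: bool) -> str:
        # Assumption: a payment covered by another exemption neither needs SCA
        # nor consumes the contactless allowance, but only the host can tell.
        if other_exemption and self.honours_exemptions:
            return "NO_SCA"
        over_single = amount > PER_TXN_LIMIT
        # Assumption: the current payment counts toward the cumulative sum.
        over_sum = self.non_sca_total + amount > CUMULATIVE_LIMIT
        if over_single or over_sum:
            # Assumption: SCA succeeds, which resets the accumulator.
            self.non_sca_total = Decimal("0")
            return "SCA"
        self.non_sca_total += amount
        return "NO_SCA"

# Constructed sample: (amount, covered_by_other_exemption)
SAMPLE = [("40", False), ("45", False), ("30", True), ("50", False),
          ("20", False), ("20", False), ("60", False)]

def replay(honours_exemptions: bool) -> list[str]:
    """Return the SCA decision for each sample payment, in order."""
    acc = Accumulator(honours_exemptions)
    return [acc.decide(Decimal(a), ex) for a, ex in SAMPLE]

if __name__ == "__main__":
    print("host:", replay(True))
    print("card:", replay(False))
```

With this sample the card-only counter asks for SCA one payment earlier than the host, because it has also counted the payment that was covered by another exemption.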

Although the initial date for PSD2 compliance has passed, deadlines have been pushed back for various reasons.  Notwithstanding any of these delays, the necessity to comply remains and a few issuers still struggle to find their way around PSD2.  How you implement your SCA controls to meet this new standard could be the difference between increased customer interaction and satisfaction, or pushing customers to consider new payment methods.  Validating your controls, ensuring they achieve that balance between fraud reduction and payment facilitation, is vital.

Especially in the current environment, where many customers and merchants are looking to increase contactless payment options, there is an opportunity to succeed by giving the market exactly what it wants.  Finding a way to do this securely, and within compliance requirements, is where companies will either succeed or fail.

As a global leader in the Level 3 certification of payment terminals, UL has developed a solid knowledge base regarding the application of PSD2 requirements in the test procedure for the go-live of payment devices that are fully compliant with the new regulatory framework in Europe. Our expert team of analysts has worked in close contact with payment schemes and acquirers to provide guidance and support to customers in these evolving circumstances.

To speak with a UL expert, contact us now