PSD2 and Strong Customer Authentication: What You Need to Know
Updated November 2020 with new enforcement dates and link to 3DS 2.0 Integration Guide
As discussed in a previous blog post on this topic, the Payment Services Directive 2 (PSD2) is a new European Economic Area (EEA) regulation that will go into effect on December 31, 2020 (enforcement by the UK Financial Conduct Authority [FCA] has been delayed until September 14, 2021).
This regulation impacts businesses whose acquirer is in the EEA and which are transacting online with customers whose issuer is also in the EEA.
It applies to all online transactions, including payments made via credit and debit cards and alternative payment methods.
Most Alternative Payment Methods are PSD2-compliant, e.g. PayPal, Amazon Pay, Apple Pay, iDEAL, SOFORT, SEPA. Therefore, the main impact of PSD2 will be on credit and debit card transactions.
Strong Customer Authentication
The main requirement of PSD2 that is relevant to businesses is Strong Customer Authentication (SCA). SCA is a new EEA regulatory requirement to make online payments more secure and reduce fraud while increasing authorization rates. Card issuers advise that when using 3DS2, fraud should be no higher than 5 bps, and authorization rates should be at least 95%.
To ensure that your transactions meet SCA requirements, you will have to present customers with a 3D Secure (3DS) flow when they make an online purchase. This allows them to "authenticate" both their identity and their status as the valid holder of the credit card they’re using to complete the purchase. Starting December 31, 2020, card issuers will start declining payments that require SCA but have not been authenticated via 3DS.
That said, not all transactions will require SCA. There are certain conditions where a transaction can be exempt from SCA, including transactions under 30 EUR and subscription or recurring transactions (after the first purchase). Merchants may be able to explicitly apply for these exemptions. However, support for SCA exemptions varies by gateway. You should contact your gateway to understand how they support exemptions.
How Recurly is helping you prepare for PSD2
Recurly supports a number of global gateways and payment methods. The latest list is always available on our PSD2 documentation page.
Recurly is actively working with the gateways and payment partners above. We will be enhancing our client-side integration so you can use Recurly to perform SCA. Our goal is to provide a gateway-agnostic solution to minimize the amount of work your teams will have to do for each gateway you use. We will continue to provide key updates as the implementation date approaches. Please look for Recurly emails and blog posts on this topic, review our documentation, and follow any guidance regarding how we can assist with your compliance.
Updating your integration
To accept payments once PSD2 goes into effect on December 31, 2020, you will need to build additional authentication into your checkout flow. Please review our integration guide so you are ready to undertake the development work necessary for compliance with PSD2.
If you would like to subscribe to our blog for updates on PSD2 and other content, visit our blog homepage and look for the subscribe form at the top. In the meantime, please refer to our PSD2 documentation for more details and consult your gateway partner on how PSD2 will impact your business.