This page will describe the Payment Service Directive 2 (PSD2) regulation, providing merchants with an overview of the directive and its implications. References to PXP Financial's PSD2 framework overview and API documentation will also be provided.
What is it and why is it necessary?
The EU Payment Service Directive 2 (2015/2366 PSD2) is a European Commission proposal to create a more secure landscape for European payments by providing increased consumer protection for online shopping, promoting innovation in payments, and unifying the European payments market. It is a revision of the original Payment Service Directive (PSD).
The PSD2 mandate requires all electronic payments within the European Economic Area (EEA) to have Strong Customer Authentication (SCA).
PSD2 does allow for exemptions from SCA for specific payment use-cases, as well as scenarios which are out-of-scope of the mandate.
What is SCA and how does it work?
SCA is a two-factor authentication (2FA) process which validates that a payer is authorised to make use of a specific payment instrument. It is triggered when a payer initiates an electronic transaction and requires two or more of the elements from the following list to be demonstrated during the authentication process:
- Knowledge: Something only the payer knows (e.g. PIN or password)
- Possession: Something only the payer possesses (e.g. card or mobile device)
- Inherence: Something only the payer is (e.g. fingerprint or voice)
These elements are functionally independent from one another i.e. if one is compromised, it does not have an impact on any of the others. This provides a framework that is far more secure than single-factor authentication methods - static passwords for example - and provides users with a much higher degree of protection.
In addition, for remote electronic payments such as card payments, dynamic linking of transaction information is necessary.
How is SCA achieved?
One of the mechanisms available on the market to achieve SCA is 3D Secure 1 and 3D Secure 2.
When is the hard SCA Deadline?
The PSD2 deadline was previoulsy the 14th September 2019 before a grace period was granted, given that Issuers, Acquirers, Gateways and Merchants were not ready as the EMV 3D Secure 2.0 protocol was still evolving.
14th March 2022
Rest of the European Economic Area (EEA)
31st December 2020
Austria, Belgium, Bulgaria, Croatia, Republic of Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Liechtenstein, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain and Sweden
To avoid cliff edge impact, Issuers within the EEA will begin a phased enforcement and begin to gradually "soft decline" a small number of transactions without SCA, slowly ramping it up as we approach the respective deadlines.
From the date when the PSD2 mandate becomes effective, Issuers will begin screening card transactions for SCA compliance and making the determination of whether or not SCA is necessary.
If SCA is necessary, then the transaction will result in a "soft decline" which is the issuer informing you that you need to step up and perform SCA before re-attempting the transaction.
For more information on handling soft declines, please see Soft Decline Handling
What is classed as Out Of Scope from SCA?
|Merchant Initiated Transactions||A transaction, or series of transactions, of a fixed or variable amount and fixed or variable interval governed by an agreement between the cardholder and merchant that, once agreed, allows the merchant to initiate subsequent payments without any direct involvement of the cardholder. Where the initial mandate is set up through a remote electronic channel, SCA is recommended if there is a risk of fraud but should not be necessary for subsequent payments initiated by the merchant.|
|Mail Order Transactions||Mail Order/Telephone Order transactions are out of scope|
|One Leg Out||A transaction where either the Issuer or Acquirer is located outside the EEA|
|Anonymous Transactions||Transactions through anonymous payment instruments are not subject to the SCA mandate|
What is classed as Exempt from SCA?
|Trusted beneficiaries||The payer may add a trusted merchant to a list of trusted beneficiaries held by their Issuer, completing an SCA challenge in the process, to prevent further SCA application on subsequent transactions with the trusted merchant.|
|Recurring transactions||Applies to a series of transactions of the same amount made to the same payee|
|Low value transactions||Any transaction that is below 30 EUR, or equivalent in the processing currency.|
(Subject to certain conditions being met)
|Secure corporate payments||Payments made through dedicated corporate processes and protocols (e.g. lodge cards, central travel accounts and virtual cards)|
|Transaction Risk Analysis (TRA)||SCA is not mandated where a PSP, having in place effective risk analysis tools, assesses that the fraud risk associated with a remote payment transaction is low (when the requirements are met). The Issuer has the ultimate say on whether SCA needs to apply|
Which exemptions are supported in ANYpay?
|lowValue||A low value exemption can be applied on any transaction that is below 30 EUR, or equivalent in the processing currency. The card issuer will keep track of certain counters (such as the number of transactions or the sum of transaction amounts) and if these are exceeded (after five consecutive transactions or if the sum exceeds EUR 100 or equivalent in another currency), then the card issuer will return a soft decline and will require SCA via 3D Secure.|
|secureCorporate||A secure corporate exemption can be applied on any secure corporate card such as Lodge Cards, Central Travel Accounts and Virtual Cards that are not associated with an individual cardholder and are used within a secure dedicated corporate payment process.|
|transactionRiskAnalysis||A transaction risk analysis exemption can be applied to any transaction within the banding value supported by your acquirer and when they have enabled you for the exemption .|
NOTE: You must gain permission from your acquirer and agree on a transaction banding, providing proof to PXP so this can be enabled on your account.
|trustedBeneficiary||A trusted beneficiary exemption can be applied if a white list has previously been set up between the card holder and the merchant.|
NOTE: You must gain permission from your acquirer and provide proof to PXP so this can be enabled on your account.
Out Of Scope
All out of scope transaction types are supported and will require the appropriate flagging so they can be identified as out of scope by PXP, Acquirers and Issuers.
Exemption Liability Shift
Where an exemption is applied successfully without SCA, liability will be shifted to the merchant.
Updated over 1 year ago