PSD2, SCA and Toggle

SCA

What is PSD2?

The Payment Services Directive (PSD) first came into force across Europe in 2007. It laid out the rules and regulations that would help create a single market for payments.

PSD2 is the next iteration of the Payments Service Directive and had to be implemented into national law by 13th January 2018. It brought in all sorts of interesting new possibilities for the financial technology industry, such as “Open Banking”, plus many other things.

Anyway, all of that isn’t really relevant.

Apart from one bit… making Secure Customer Authentication (SCA) mandatory for e-commerce payments.

Ok, so what is SCA?

It is an EU requirement to make online payments more secure. So when a European shopper makes a purchase online, there will be extra levels of authentication. It comes into force on 14th September 2019.
Whereas before, by law, the only requirement was for a card number and CVC verification code for an online payment, it will now be mandatory to have an extra authentication check.
You’ve probably already come across SCA with “3D Secure” where a password, or parts of a password, have to be entered as an extra security step when making a payment. That’s SCA.
However, the current “3D Secure v1” is a bit clunky. So there is a new standard coming out called “3D Secure v2” which will make it easier to collect SCA during online payment journeys.

When does SCA not apply?

There are some circumstances when SCA doesn’t apply. Relevant ones for Toggle customers are:

  • Transactions under 30 EUR (though it will be asked for every 5 transactions)
  • “Low risk” transactions (defined by the fraud levels of the acquiring bank and card issuer)

Do Togglers need to do anything?

When it comes to Toggle, no.
The payment service providers that Toggle supports (e.g. Stripe, Secure Trading) handle all the payment processing for your customers and they have updated, or are in the process of updating, their APIs to support the new 3D Secure v2 authentication methods.
And here at Toggle, we will be making the necessary changes on our side to support the payment gateway’s new authentication mechanics as part of the checkout journey user interface.

What will the new 3D Secure v2 look like to my customers?

At the time of writing, we don’t know exactly; the authentication methods are ultimately down to the banks. But we do know that authentication will need to be provided from a combination of two or more of:

  • something the customer knows (e.g. a PIN)
  • something the customer has (e.g. a card/phone)
  • something the customer “is” (e.g. a fingerprint)

So the things a customer will be asked for are likely to be already familiar to them, such as receiving a text message to their mobile phone and entering the code. Or using their fingerprint on their mobile phone.

What’s next?

We’ll be implementing any necessary changes in the coming months prior to September 14th 2019 and we’re looking forward to more user-friendly checkout experiences thanks to PSD2!
****
Disclaimer: This article is not legal advice. We suggest all our clients consult with legal advisors if there is anything they are unsure about.