Payment Services Directive 2 (PSD2) and Strong Customer Authentication (SCA) – FAQ

Below you can find details on the upcoming changes affecting online payments in the EU.

Payment Services Directive 2 (PSD2)

  • What is PSD2?

    PSD2 came into effect on 13th January 2018. It is the result of an expansion of regulatory requirements from the EU Commission governing payments in Europe, and has been transposed into local legislation by the individual EU member states.

    The Strong Customer Authentication provisions of PSD2 only come into force on 14th September 2019.

  • What is the goal of PSD2?

    One of the main goals is to make online payments more secure for customers. A core component in pursuit of this goal is the mandatory use of Strong Customer Authentication. This must be carried out before any banking-based online payments are made (e.g. credit card payments or online transfers).

    The majority of banks have already contacted their customers in recent months to inform them of the upcoming changes and alterations to their Terms and Conditions.

Strong Customer Authentication (SCA)

  • What is Strong Customer Authentication (SCA)?

    In future, banks must verify two of three criteria pertaining to the customer before initiating an online payment:

    • something you own (e.g. credit card, smartphone)
    • something you know (e.g. PIN)
    • something you are (e.g. fingerprint, facial features)

    This means that in order to fulfil the Strong Customer Authentication requirements, the customer may need to provide their fingerprint using a smartphone in order to authorise a payment.

    Such biometric authentication methods make it easy for the customer to identify themselves, as they only need to provide something they always have with them, in this case a smartphone and fingerprint.

    Static passwords are no longer sufficient.

  • How is Strong Customer Authentication ensured?

    Banks must require that merchants demand Strong Customer Authentication for credit card payments. Merchants are therefore required to display a page from the bank on their website, via which the customer can unequivocally identify themselves. This ensures that no unauthorised persons gain access to this bank account and make payments in the customer’s name.

    Transfer payments made by third parties, such as SOFORT in Germany or iDeal in the Netherlands, similarly require Strong Customer Authentication.

  • Is Strong Customer Authentication required for every payment?

    No. PSD2 provides for certain exemptions from Strong Customer Authentication.
    Strong Customer Authentication need not be required when:

    • the customer’s bank deems the risk negligible that the payment comes from an unauthorised third party rather than from the customer
    • the payment does not exceed 30 EUR. Note: Banks must however demand Strong Customer Authentication if five payments have been made since the last authentication, or if the total amount of payments made since the last authentication exceeds 100 EUR.
    • the customer pays a merchant whom the customer has ‘whitelisted’ with their bank as a trusted beneficiary. The customer can normally do this during the authentication process.

    Important:
    Despite these exceptions, the customer’s bank can demand Strong Customer Authentication at any time. There is no guarantee that Strong Customer Authentication will not be demanded.

    Strong Customer Authentication is never required when:

    • the customer has provided the merchant with a mandate for initiating payments. This occurs when the customer registers for the merchant’s services: the customer provides the credentials necessary for making the payments and completes Strong Customer Authentication at that point.
    • payment is made for a subscription. In such cases, the customer needs to provide Strong Customer Authentication only once, when signing up for the subscription.

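
The exemption rules above form a small decision procedure. The following is an added example, not code from the FAQ or from any bank, modelling how an issuer might evaluate them: the thresholds are the FAQ's (30 EUR per payment, five payments or 100 EUR since the last authentication), while `CardholderState`, the cent-based amounts and the field names are assumptions of this example. The bank may still challenge an exempt payment, so the result is a permission to skip SCA, never a guarantee.

```python
from dataclasses import dataclass, field

# Thresholds from the FAQ, in cents to avoid float rounding (assumed encoding)
LOW_VALUE_LIMIT = 30_00        # a single payment up to 30 EUR may be exempt
LOW_VALUE_MAX_COUNT = 5        # exempt payments allowed since the last SCA
LOW_VALUE_MAX_TOTAL = 100_00   # cumulative exempt amount allowed since last SCA


@dataclass
class CardholderState:
    """Counters an issuer would keep per card since the last successful SCA (assumed model)."""
    payments_since_sca: int = 0
    amount_since_sca: int = 0
    trusted_beneficiaries: set = field(default_factory=set)


def sca_required(state, merchant_id, amount, merchant_initiated=False, issuer_low_risk=False):
    """Return (required, reason) for a payment of `amount` cents to `merchant_id`.

    Order matters: mandate/subscription payments are never challenged, then the
    whitelist and issuer-risk exemptions, then the low-value exemption with its
    counters. An exemption is permission to skip SCA, not a promise the issuer
    will not challenge anyway.
    """
    if merchant_initiated:
        return False, "mandate/subscription: SCA was performed at sign-up"
    if merchant_id in state.trusted_beneficiaries:
        return False, "trusted beneficiary"
    if issuer_low_risk:
        return False, "issuer deems risk negligible"
    if amount <= LOW_VALUE_LIMIT:
        if state.payments_since_sca >= LOW_VALUE_MAX_COUNT:
            return True, "low-value counter exhausted"
        # Stricter reading: the current payment counts towards the 100 EUR total
        if state.amount_since_sca + amount > LOW_VALUE_MAX_TOTAL:
            return True, "low-value cumulative limit exceeded"
        return False, "low-value exemption"
    return True, "no exemption applies"


def record_payment(state, amount, sca_performed):
    """Update the counters: a completed SCA resets them, an exempt payment accrues."""
    if sca_performed:
        state.payments_since_sca = 0
        state.amount_since_sca = 0
    else:
        state.payments_since_sca += 1
        state.amount_since_sca += amount
```

Note that the counters only make sense if every exempt payment is recorded and every completed SCA resets them; an issuer that forgets the reset will over-challenge, one that forgets to accrue will silently exceed the 100 EUR ceiling.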
  • Does the merchant know which Strong Customer Authentication method is used?

    The customer’s bank ultimately decides which Strong Customer Authentication method is offered. The merchant has no say in the matter.

    The merchant similarly has no knowledge about which Strong Customer Authentication method the customer chooses and provides.

    This is guaranteed by the fact that iframes are used to display the pages for Strong Customer Authentication as provided by the bank or by third-party payment providers (e.g. iDeal).

    The merchant has no influence upon or access to the contents of the iframe displayed on their website.

    Similarly for payment methods where the merchant forwards the customer to the payment provider’s site (e.g. SOFORT), they do not know which authentication method is provided or chosen by the customer.

Strong Customer Authentication and Credit Card Payments

  • What is 3D Secure 2.0?

    3D Secure in general is a process designed to provide security for credit card payments online. It aims at reducing the risk of fraud by having the customer confirm their identity with a code or password.

    3D Secure 2.0 is a revision to this process to bring it into line with the requirements of PSD2, specifically Strong Customer Authentication.

    In future, payments by credit card will also require Strong Customer Authentication through the use of 3D Secure 2.0.

  • How does 3D Secure 2.0 work?

    Strong Customer Authentication will be ensured by 3D Secure 2.0 using, for example, an app provided by the customer’s bank. The bank page displayed on the merchant’s site will request that the customer open the app on their smartphone. Depending on the particular method, the app may then request the customer’s fingerprint on the smartphone.

    Banks may offer different authentication methods for the customer to choose between.

    Other possible methods include: one-time passwords displayed to the customer in a special app, or facial recognition via the customer’s banking app.

More Affected Payment Methods

  • Which online payment methods are affected other than credit cards?

    Online transfers via payment service providers such as SOFORT, iDeal, Multibanco or Przelewy24 will also be required to collect Strong Customer Authentication in future.

Latest News

  • Will all banks in the EU demand Strong Customer Authentication for online payments on 14th September 2019?

    Many merchants and banks will not be capable of supporting Strong Customer Authentication by 14th September 2019, as required.

    As a result, on 21st June 2019 the European Banking Authority (EBA) recommended that the EU states and their financial authorities responsible for monitoring implementation of PSD2 should offer an extended implementation period to such companies.

    Consequently, the deadline will be enforced in some countries, whereas others will grant their banks the extended implementation period.
    Nevertheless, even in countries with an extended implementation period, some banks will start demanding Strong Customer Authentication from 14th September 2019.

  • What does this mean for you?

    To find out how and when your bank will demand Strong Customer Authentication, please contact your bank.
