
Article: PSD2 & SCA: What Do We Need to Know, Right Now?

#contactcenterworld, @eckoh

Author: Claire Lynam, Marketing Manager, Eckoh

Just when you thought GDPR was nicely bedded down, along comes another mammoth compliance regulation. PSD2, the EU's second Payment Services Directive, actually came into effect in January, but merchants and consumers will notice the biggest change in September.

The big idea behind PSD2 is to encourage greater competition and innovation — which is music to the ears of FinTech companies. An initiative called Access to Accounts (XS2A) will bring Account Information and Payment Initiation services under regulation and allow non-banks to offer payment services. This might lead to more accessible services, faster payments and lower costs.

There's a second reason for PSD2. The EU wants to improve security and reduce fraud by introducing Strong Consumer Authentication (SCA) for electronic payments. And it's this feature that will come into force on September 14.

As these regulations have been adopted by the UK already, it's not anticipated that Brexit will prevent their full implementation.


Two-factor authentication as standard
The most common way organisations will comply with SCA for card payments is to adopt the payment security process 3DS 2.0 (the latest version of 3D Secure). This provides more potential fraud signals, shares 135 data points and supports biometrics.

SCA will mean extra hoops for shoppers to jump through when making electronic payments. Customers will have to present two out of three factors from the following list:

  • Something you are (eg. biometrics, such as a fingerprint)
  • Something you have (eg. a pre-registered device or token generator)
  • Something you know (eg. a password or PIN)

Many consumers are familiar already with authentication beyond passwords. They've got iPhones that recognise their touch, banking devices that generate security numbers — or codes that are sent to their mobile phones. But with SCA, this will become the norm, not the exception.

For retailers, this could sound like awful news (most global merchants will be affected if they have EU issued cards transacting via an EU acquirer). No retailer likes the idea of customers losing their nerve or running out of patience at the checkout because there's another obstacle in their way.

There's no avoiding it: SCA could present a very real problem from September 14 for organisations receiving online payments.

But SCA isn't a blanket change. There are some exemptions. These can include:

  • Low value transactions — Those of €30 or less are not included within SCA. Regular payments of the same amount can be included, but must not accumulate to over €100 or SCA will be triggered

  • Trusted listings — Consumers can ask the issuer for a merchant to be part of a ‘trusted payee’ list

  • Low risk transactions — The highest value agreed would be €500 and the merchant must maintain a low average fraud rate to keep this

Also, certain transactions are out of scope, regardless of their value:

  • Merchant Initiated Transactions (MIT) - Repeat payments

  • Mail Order / Telephone Order (MOTO) - Telephone / contact centre payments

  • One Leg Out (OLO) - Where the issuer or the acquirer is outside the EEA

Also, a ‘grandfathering’ rule is in place to remove the need to re-authenticate existing card-on-file customers. However, any change to that customer's registration with the merchant would trigger the need for re-authentication.

There are also other tools that can increase exemption levels, such as:

  • Visa Transaction Advisor: This is a Cybersource tool used to identify the opportunity for an exemption

  • Visa Trusted Listing: This allows customers to request that a merchant is added to the trusted listing as part of the 3DS transaction — to remember things for next time

However, sometimes a green light might still get a red light. That's because, despite all the possible exemptions, issuers may still decline them and force the extra authentication anyway.

So who's responsible for SCA?

The ultimate responsibility and the legal obligation lie with the issuers (typically banks). They are responsible for providing the authentication mechanism, for adhering to the rules, and for the consequences.

However, that responsibility is pushed down the chain — meaning that from September 14 issuers will no longer process transactions from acquirers (and therefore payment service providers, and therefore merchants) if they do not meet the requirements of SCA.

Merchants must support the ‘step up’ process as part of their eCommerce customer journeys and set transaction exemption flags.

Merchant Suppliers, such as Eckoh, will have 3DS v2 as part of the eCommerce journey and set transaction exemption flags appropriately.

What about other sales scenarios?

PSD2 and SCA relate to electronic payments. But what about when the lines blur? After all, in our multi-channel world, transactions are made in many different ways. What fits within the scope of SCA and what's outside? Here are some quick answers to common questions:

Q: Do payments made over a phone-call require SCA?
A: No. Interactive Voice Response (IVR) payments and phone orders to agents (and for mail orders), known as Mail-Order-Telephone-Order (MOTO), are not covered — unless the call culminates in an e-commerce order, then that transaction needs SCA.

Q: What about payments made during a chat session with an agent?
A: If the payment processing is initiated by the agent, as in our ChatGuard solution, these transactions are considered to be MOTO transactions and therefore SCA is not required.

Q: How does SCA apply to pre-loaded e-Wallets?
A: It's required that merchants authenticate the load AND authenticate the transaction. However, it may be that exemptions are the solution here but this will take some time to iron out.

Q: What about 'split auth and settle' payments?
A: Here, the merchant must set the 3DS flags at the initial authentication request.

Specific advice for merchants
Merchants will be affected by SCA ... and forward-thinking businesses will look for opportunities to turn the change to their advantage.


About Eckoh:
Eckoh is a global provider of Secure Payment and Customer Engagement solutions via our Eckoh Experience Portal. We’ve an international client base and offices in the UK and US. We're providers in transforming contact centre operations by delivering customer experiences across every channel, boosting agent productivity, reducing operations costs and maximising payment security. We’ve over 20 years’ experience in contact centre technology solutions. Eckoh has been a PCI DSS Level One Service Provider since 2010.
Published: Thursday, June 13, 2019

Printer Friendly Version Printer friendly version

2022 Buyers Guide Visual Communications

Premium Listing
SJS Solutions

Optymyse is a unique neuroscience-based approach which takes care of your most valuable asset - your people. Using a scientifically supported formula, Optymyse delivers stunning visuals which unlock the full potential of your contact centre whilst protecting the mental wellbeing of all of your employees.


Co-Browsing Integration
Co-Browsing is the practice of web-browsing where two or more people are navigating through a website on the internet. Software designed to allow Co-Browsing focuses on providing a smooth experience as two or more users use their devices to browse your website. In other words, your customer can permit the agent to have partial access to his/ her screen in real-time.

About us - in 60 seconds!

Submit Event

Upcoming Events

The 17th Annual Best Practices and Conferences are here! Meeting Point for the World's Best Contact Center & CX Companies! Read More...
Showing 1 - 1 of 5 items

Newsletter Registration

Please check to agree to be placed on the eNewsletter mailing list.

Latest Americas Newsletter
both ids empty
session userid =
session UserTempID =
session adminlevel =
session blnTempHelpChatShow =
session cookie set = True
session page-view-total = 1
session page-view-total = 1
applicaiton blnAwardsClosed =
session blnCompletedAwardInterestPopup =
session blnCheckNewsletterInterestPopup =
session blnCompletedNewsletterInterestPopup =