Author: Claire Lynam, Marketing Manager, Eckoh
Just when you thought GDPR was nicely bedded down, along comes another mammoth compliance regulation. PSD2, the EU's second Payment Services Directive, actually came into effect in January, but merchants and consumers will notice the biggest change in September.
The big idea behind PSD2 is to encourage greater competition and innovation — which is music to the ears of FinTech companies. An initiative called Access to Accounts (XS2A) will bring Account Information and Payment Initiation services under regulation and allow non-banks to offer payment services. This might lead to more accessible services, faster payments and lower costs.
There's a second reason for PSD2. The EU wants to improve security and reduce fraud by introducing Strong Customer Authentication (SCA) for electronic payments. It is this requirement that comes into force on September 14.
As these regulations have been adopted by the UK already, it's not anticipated that Brexit will prevent their full implementation.
Two-factor authentication as standard
The most common way organisations will comply with SCA for card payments is to adopt 3DS 2.0, the latest version of the 3D Secure payment authentication protocol. Compared with the original 3D Secure, it provides more potential fraud signals, shares 135 data points with the issuer and supports biometric authentication.
SCA will mean extra hoops for shoppers to jump through when making electronic payments. Customers will have to present two out of three factors from the following list:
Many consumers are already familiar with authentication beyond passwords. They have iPhones that recognise their fingerprint, banking devices that generate security numbers, or one-time codes sent to their mobile phones. With SCA, this becomes the norm rather than the exception.
For retailers, this could sound like awful news (most global merchants will be affected if they accept EU-issued cards via an EU acquirer). No retailer likes the idea of customers losing their nerve or running out of patience at the checkout because there's another obstacle in their way.
There's no avoiding it: from September 14, SCA could present a very real problem for organisations receiving online payments.
But SCA isn't a blanket change. There are some exemptions. These can include:
Also, certain transactions are out of scope, regardless of their value:
Also, a ‘grandfathering’ rule is in place to remove the need to re-authenticate existing card-on-file customers. However, any change to that customer's registration with the merchant would trigger the need for re-authentication.
There are also other tools that can increase exemption levels, such as:
However, a transaction the merchant flags as exempt may still be declined. Despite all the possible exemptions, the issuer has the final say and may reject the exemption and force the extra authentication anyway.
So who's responsible for SCA?
The ultimate responsibility and the legal obligation lie with the issuers (typically banks). They must provide the authentication mechanism, adhere to the rules, and bear the consequences if they do not.
However, that responsibility is pushed down the chain — meaning that from September 14 issuers will no longer process transactions from acquirers (and therefore payment service providers, and therefore merchants) if they do not meet the requirements of SCA.
Merchants must support the ‘step up’ process as part of their eCommerce customer journeys and set transaction exemption flags.
Merchant Suppliers, such as Eckoh, will have 3DS v2 as part of the eCommerce journey and set transaction exemption flags appropriately.
What about other sales scenarios?
PSD2 and SCA relates to electronic payments. But what about when the lines blur? After all, in our multi-channel world, transactions are made in many different ways. What fits within the scope of SCA and what's outside? Here are some quick answers to common questions:
Q: Do payments made over a phone-call require SCA?
A: No. Interactive Voice Response (IVR) payments, phone orders taken by agents and mail orders, collectively known as Mail Order/Telephone Order (MOTO), are not covered — unless the call culminates in an e-commerce order, in which case that transaction needs SCA.
Q: What about payments made during a chat session with an agent?
A: If the payment processing is initiated by the agent, as in our ChatGuard solution, these transactions are considered to be MOTO transactions and therefore SCA is not required.
Q: How does SCA apply to pre-loaded e-Wallets?
A: Merchants are required to authenticate the load AND authenticate the transaction. Exemptions may turn out to be the practical solution here, but this will take some time to iron out.
Q: What about 'split auth and settle' payments?
A: Here, the merchant must set the 3DS flags at the initial authentication request.
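The scope rules and the issuer's final say described above can be modelled as a merchant-side flow: decide whether the channel is in scope, set an exemption flag where one applies, and if the issuer rejects the exemption, step the customer up to a 3DS challenge and retry. The following is an added illustration, not Eckoh's code or any real 3DS 2.0 message format; the channel names, exemption labels, response strings and the simulated issuer are constructed assumptions.

```python
"""Merchant-side SCA handling, modelled on the scope and exemption rules above.

Constructed example: channel names, exemption labels and the simulated issuer
are illustrative assumptions, not real card-scheme or 3DS 2.0 values.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, List, Optional


class Channel(Enum):
    ECOMMERCE = "ecommerce"      # web/app checkout: in scope for SCA
    IVR = "ivr"                  # automated phone payment: MOTO, out of scope
    PHONE_AGENT = "phone_agent"  # agent-assisted phone order: MOTO
    MAIL_ORDER = "mail_order"    # MOTO
    CHAT_AGENT = "chat_agent"    # agent-initiated payment in chat: treated as MOTO


# Channels the article treats as MOTO and therefore outside SCA.
MOTO_CHANNELS = {Channel.IVR, Channel.PHONE_AGENT, Channel.MAIL_ORDER, Channel.CHAT_AGENT}


@dataclass
class Transaction:
    channel: Channel
    amount_minor: int                     # pence/cents
    exemption_reason: Optional[str] = None  # merchant-proposed exemption flag (assumed label)
    card_on_file_unchanged: bool = False  # grandfathered existing registration
    authenticated: bool = False           # customer completed a 3DS challenge


def sca_in_scope(txn: Transaction) -> bool:
    """MOTO-style channels are out of scope; electronic (e-commerce) payments are in scope."""
    return txn.channel not in MOTO_CHANNELS


def merchant_request(txn: Transaction) -> dict:
    """Build the authorisation request, setting exemption flags only for in-scope payments."""
    req = {"amount": txn.amount_minor, "channel": txn.channel.value,
           "sca_required": sca_in_scope(txn)}
    if not req["sca_required"]:
        req["moto"] = True
        return req
    if txn.authenticated:
        req["three_ds_authenticated"] = True
    elif txn.card_on_file_unchanged:
        req["exemption_flag"] = "grandfathered_card_on_file"
    elif txn.exemption_reason:
        req["exemption_flag"] = txn.exemption_reason
    return req


def simulated_issuer(req: dict, accepts_exemptions: bool) -> str:
    """Toy issuer: honours exemption flags only when configured to, else forces step-up."""
    if not req["sca_required"] or req.get("three_ds_authenticated"):
        return "approved"
    if req.get("exemption_flag") and accepts_exemptions:
        return "approved"
    return "soft_decline_sca_required"


def authorise(txn: Transaction, accepts_exemptions: bool,
              run_challenge: Callable[[Transaction], bool]) -> List[str]:
    """Merchant flow: request with exemption first; on soft decline, step up and retry.

    Returns the sequence of outcomes so the caller can see what happened.
    """
    outcome = simulated_issuer(merchant_request(txn), accepts_exemptions)
    attempts = [outcome]
    if outcome == "soft_decline_sca_required":
        txn.authenticated = run_challenge(txn)  # customer attempts the 3DS challenge
        if not txn.authenticated:
            attempts.append("abandoned")
            return attempts
        attempts.append(simulated_issuer(merchant_request(txn), accepts_exemptions))
    return attempts


if __name__ == "__main__":
    ivr = Transaction(Channel.IVR, 2500)
    print(authorise(ivr, accepts_exemptions=False, run_challenge=lambda t: True))
    web = Transaction(Channel.ECOMMERCE, 2500, exemption_reason="merchant_requested")
    print(authorise(web, accepts_exemptions=False, run_challenge=lambda t: True))
```

The point of the two-stage flow is that the merchant never assumes an exemption will be honoured: the issuer's soft decline is treated as a normal path that leads to the step-up challenge rather than a failed sale.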
Specific advice for merchants
Merchants will be affected by SCA ... and forward-thinking businesses will look for opportunities to turn the change to their advantage.
Eckoh is a global provider of Secure Payment and Customer Engagement solutions via our Eckoh Experience Portal. We have an international client base and offices in the UK and US. We specialise in transforming contact centre operations by delivering customer experiences across every channel, boosting agent productivity, reducing operating costs and maximising payment security. We have over 20 years' experience in contact centre technology solutions. Eckoh has been a PCI DSS Level One Service Provider since 2010.
Published: Thursday, June 13, 2019