Update (September 13, 2019): WP Simple Pay Pro and Lite are fully SCA-ready. Please see our Pro 3.6 release post for more details.
Credit card fraud is a bigger problem than ever. Losses for businesses have been steadily increasing. The trend will continue as we rely more on online transactions.
If you follow financial news, you’ve probably heard about the Payment Services Directive 2 (PSD2), Strong Customer Authentication (SCA), and 3D Secure 2.0. In this article, we’ll explain what these terms mean and how they affect you – a US merchant.
What Is Strong Customer Authentication?
Strong Customer Authentication (SCA) is a European requirement under the Payment Services Directive 2 (PSD2). The first iteration of this law was released in 2007 to make online payments more secure. The second iteration becomes mandatory in 2019.
Generally, we verify identities with a password. This is considered “something you know.” It’s a piece of information you know that’s supposed to be secret.
But passwords are rarely secret. We create passwords from easily collected information, like birthdates and pet names. We share them with other people all the time. 83% of people use the same password for everything. If a hacker gets your Target.com account, they can probably use it to get into your Google account (or worse, your bank account) as well.
The goal of Strong Customer Authentication is to add extra layers of protection by authenticating payments with more identifying factors: “Something you own” and “something you are.”
- Something the customer knows (like a password).
- Something the customer has (like their phone).
- Something the customer is (like their fingerprint).
When you combine two or three of those data points together, it becomes significantly harder for malicious parties to access your accounts. For instance, if you designated a password and your mobile phone to authenticate your identity, a malicious person would have to steal your password and your phone to get into your account. That’s unlikely, to say the least.
In the past, Europeans only needed one factor to make an online transaction – their card. A card is something you have.
(Yes, they need three data points – the card number, expiration date, and CVV/CVC number – but they’re all on the same piece of plastic, so the card counts as single factor.) This is how we do it in the United States currently.
The purpose of SCA is multifold:
- Reduce the likelihood of fraud because thieves won’t have multiple identification factors.
- Reduce the cost of processing transactions. Less fraud means the credit card issuers can lower their fees on people and businesses.
- Increase cardholder confidence so people feel safe buying online.
- Comply with international regulations so a card can be used safely anywhere.
As of September, 2019, banks will decline unauthenticated payments. Declined payments will have to be re-submitted to the customer for Strong Customer Authentication. Read the full regulatory technical standards here.
What Is 3D Secure 2.0?
During an online transaction, a tool called 3D Secure 1.0 is used to verify the card transaction. You’ve probably seen this flow before: You enter your card details to make a payment and get redirected to a new page where your bank asks for a password/code to approve the purchase. This is when the customer gets redirected to a new page to input a code.
The benefits to 3D Secure 1.0 were obvious from the beginning. Not only do customers feel safe (because the page is usually branded by the bank or card network, e.g. “MasterCard SecureCode” or “Verified by Visa”), it also shifts liability from the merchant to the issuing bank.
However, 3D Secure 1.0 had two major drawbacks.
- It’s another step in the checkout flow, which can lead customers to abandon the process. Each additional checkout step will reduce your conversions, especially on mobile.
- Buyers had to remember another password from the card issuing bank. If they forgot the password, they might abandon the purchase.
Now there’s a new tool called 3D Secure 2.0 that makes it easier to meet SCA requirements without disrupting the user experience.
3D Secure 2.0 sends more than 100 data points on each transaction to the cardholder’s bank. The cardholder uses this information to assess the transaction’s risk.
Which data points are sent to the bank? Everything from the shipping address to the customer’s device ID, IP address, and even their previous transaction history.
If the data is sufficient to make the bank think the transaction is legitimate, the bank can qualify the transaction for “frictionless” flow. This means the user doesn’t have to do anything else to authenticate the transaction. The cardholder isn’t even aware that 3D Secure is used. (The merchant still shifts liability to the bank in this case.)
If the data isn’t sufficient, the transaction is forced into the “challenged” flow. This is just like 3D Secure 1.0 – an additional page, branded by the bank, asking for more information.
What’s interesting about 3D Secure 2.0 is that it can get better over time by adding data points. Theoretically, every new data point that verifies customers’ identities is more security.
Payments That Require Strong Customer Authentication
Under the European Union law, strong customer authentication will apply to most customer-initiated online transactions within Europe. This includes most credit and debit card payments and credit transfers. The first transaction in a subscription is customer-initiated, but the recurring payments are merchant-initiated, which is why they don’t require SCA.
A payment is considered within the scope of the law if the cardholder and merchant are both located in the European Economic Area. Some card issuers will require SCA for all transactions, regardless of where the merchant is located.
The mainstream providers have already taken steps to prepare for SCA. Stripe, for instance (our favorite payment processor) released an SCA-ready API called PaymentIntents. This tool lets you apply 3D Secure 2.0 whenever it’s required or when a particular transaction has a high risk of fraud. They plan to release it for everyone well before the September 2019 deadline. In turn, our plugin – WP Simple Pay – will be compliant with the European directive.
Exemptions to Strong Customer Authentication
Some types of transactions are exempt from SCA. Your payment provider (like Stripe, Square, or PayPal) can request an exemption on your behalf during payment processing. The cardholder’s bank will decide whether to grant or reject the exemption.
Here are the most common types of exemptions:
- Low-value transactions. Transactions under €30 are exempt. However, SCA is required if the card or payment method has seen more than five exempt transactions or the total of exempted transactions exceeds €100 in a day.
- Low-risk transactions. Payment processors can do a real-time risk analysis to judge whether to apply SCA. The processor can only do this if their fraud rates stay low.
- Subscriptions. SCA is required for the first payment, but not subsequent payments if they’re for the same amount to the same business. Variable amounts (or metered billing) require SCA every time.
- Whitelisted trusted beneficiaries. Customers can whitelist businesses they trust. These businesses get placed on a list of “trusted beneficiaries” maintained by the customer’s bank. SCA is required for the first payment to whitelisted business, but not for subsequent payments.
- MOTO transactions. Mail order and telephone order (MOTO) transactions are not considered “electronic” payments. They are not regulated under SCA.
What This Means for US Merchants
At the moment, PCI compliance is the main framework for regulating online transactions. The problem here, however, is that PCI compliance isn’t law. It’s just an initiative between the major credit card companies. You have to abide by it to work with those companies, but there aren’t any fines or penalties for violating it.
That said, you’ll need to abide by the PSD2 legislation and Strong Customer Authentication if you plan to sell to people to in Europe starting September 2019. This is actually a good thing for you because it will reduce the amount of credit card fraud you’ll deal with.
Fortunately, if you use any of the big payment processors (like Stripe, PayPal, or Square), you probably don’t have to do anything. Since those processors pass all transactions through their merchant account, they are responsible for complying with the EU directive. Check with your processor to make sure they’re taking steps to comply.