Are you ready for Strong Customer Authentication?
New rules coming into place aim to make the online payments system safer for both merchants and consumers. Strong Customer Authentication is designed to verify that an online customer is who they say they are by adding an extra layer of protection at the time of the transaction, when a customer pays online.
What are the changes?
In the past, ecommerce customers only had to give their card number and the CVC verification code to pay online. From 14 September 2019 onwards, more information will be needed for the transaction to succeed. The move is intended to prevent fraudulent payment transactions, stopping millions of pounds worth of fraud every year.
Two different types of checks – known as two-factor authentication – will be introduced for some online payments. In the past, additional authentication might have been a password or a question like "What is your mother's maiden name?", but now more sophisticated methods will be allowed, from fingerprints to wearable devices or tokens.
The changes apply to online payments within the European Economic Area (EEA), when both the cardholder's bank and the business's payment provider are in the EEA. They are the result of the banking and payments industries working together with regulators to create a solution to the EU Payments Services Directive (PSD2). These changes will be made whatever the UK's relationship with Europe in September, as the new rules are being passed into UK law.
You need to make sure your business understands what these changes mean for day-to-day operations and how to remain compliant. This guide explains what the changes are and how they might affect you.
When will Strong Customer Authentication be used?
Strong Customer Authentication (SCA) applies when a customer:
- Logs on to their online payment account
- makes an electronic payment online
- carries out another potentially high-risk transaction online, like changing their telephone number
To comply with the regulations, a new standard for verification, 3D Secure 2.0, will be required. Mastercard wants this in place for merchants by April 2019 and Visa by September 2019. Strong Customer Authentication comes into force on 14th September 2019.
A much higher number of transactions requiring authentication is likely, and you may need to upgrade your website to support this new functionality. The new 3D Secure is designed to operate more smoothly and seamlessly on both desktop and mobile devices, improving the payment experience for customers.
Transactions that do not need SCA
Some payments will be exempt from SCA. These include transactions that are:
- Low value (below €30)
An electronic transaction below €30, provided it does not take the number of such transactions over 5 or their cumulative spend over €100.
- Contactless (below €50)
A contactless card transaction below €50, provided it does not take the number of such transactions over 5 or their cumulative spend over €150.
- Below the fraud rate threshold
- From a trusted beneficiary – whitelisting
When the cardholder has listed a particular merchant as a trusted beneficiary with their bank, transactions will be exempt from 3D Secure. This process is also known as whitelisting. This means customers who shop with you regularly and add you to their whitelist will not usually need to authenticate payments with you again.
Adding or amending details about a trusted beneficiary will require additional authentication. It's also worth knowing that issuers can still reject the whitelisting request if the customer is thought to be a high fraud risk.
- Mail orders and telephone orders
- Recurring transactions
Recurring transactions like subscriptions with a fixed amount will be exempt from the second transaction onwards – once the initial transaction has been authorised.
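The exemption rules above can be read as a decision function. The following is an added example, not Lloyds Bank Cardnet code: it applies the page's thresholds (€30/5/€100 for low value, €50/5/€150 for contactless, with both the count and the cumulative spend having to stay within limit), plus the trusted-beneficiary, mail/telephone order and recurring-payment exemptions. The fraud-rate exemption is left out because it is decided by the bank, not by this logic. Amounts are in euro cents, and the assumption that the running counters reset each time SCA is applied is not stated on the page.

```python
from dataclasses import dataclass, field

# Thresholds in euro cents, as stated on the page.
LOW_VALUE_LIMIT, LOW_VALUE_MAX_COUNT, LOW_VALUE_MAX_CUMULATIVE = 3000, 5, 10000
CONTACTLESS_LIMIT, CONTACTLESS_MAX_COUNT, CONTACTLESS_MAX_CUMULATIVE = 5000, 5, 15000


@dataclass
class CardState:
    """Per-card running counters. Assumption (not on the page): they count the
    exempt transactions made since SCA was last applied and reset on SCA."""
    count_since_sca: int = 0
    spend_since_sca: int = 0
    trusted_merchants: set = field(default_factory=set)


def sca_required(amount, channel, merchant, state, *, recurring_fixed=False,
                 first_in_series=True):
    """Return (True, reason) when SCA must be applied, or (False, exemption)
    when one of the page's exemptions covers this transaction."""
    if channel == "moto":
        return False, "mail order / telephone order"
    if merchant in state.trusted_merchants:
        return False, "trusted beneficiary (whitelisted)"
    if recurring_fixed and not first_in_series:
        return False, "recurring fixed-amount payment after the first"
    if channel == "contactless":
        limit, max_count, max_cum = (CONTACTLESS_LIMIT, CONTACTLESS_MAX_COUNT,
                                     CONTACTLESS_MAX_CUMULATIVE)
    else:
        limit, max_count, max_cum = (LOW_VALUE_LIMIT, LOW_VALUE_MAX_COUNT,
                                     LOW_VALUE_MAX_CUMULATIVE)
    # Page reading: exempt only while BOTH the running count and the running
    # spend stay within limit once this transaction is included.
    if (amount <= limit
            and state.count_since_sca + 1 <= max_count
            and state.spend_since_sca + amount <= max_cum):
        return False, f"low value ({channel})"
    return True, "no exemption applies"


def record(state, amount, applied_sca):
    """Update the counters after a transaction; SCA resets them (assumption)."""
    if applied_sca:
        state.count_since_sca, state.spend_since_sca = 0, 0
    else:
        state.count_since_sca += 1
        state.spend_since_sca += amount
```

Running five €20 purchases through `sca_required` and `record` shows the sixth one tripping the count limit even though it is individually below €30.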
What do you need to do?
You need to consider how these changes are likely to affect your online customer journeys and any potential impacts on your business. You may need to evaluate how you will integrate 3D Secure 2.0 into your payments process – for example, accepting a fingerprint for transactions made on a mobile phone – and then implement any changes.
By 14th September 2019, you must ensure that:
- your transactions comply with the RTS for strong customer authentication, including its thresholds;
- your website or app has been updated by your Payment Service Provider (PSP) to support the new regulations, e.g. Verified by Visa or Mastercard Identity Check.
After 14th September 2019, any non-compliant transactions may be declined by the issuing bank. If you are not compliant with the SCA regulation after this deadline, you (the merchant) may be liable for chargebacks.
What is Lloyds Bank Cardnet doing about SCA?
We have been actively involved in discussions about the regulations to help make sure they are effective and workable.
We are updating our systems to comply with the new rules, while making sure that the process is as seamless as possible for merchants and their customers.
Lloyds Bank Cardnet has contacted all PSPs to advise them of the changes. We also advise you to contact your PSP directly to discuss any technical changes that may be required.