What is PSD2?
PSD2 is the latest version of the Payment Services Directive, which was intended to establish a Single Euro Payments Area (SEPA). The original regulation was established over a decade ago, and the PSD2 update is intended to better align payment regulation with the current state of payments technology and the payments ecosystem. If your e-commerce business is operating in the EU, then your business is more than likely subject to the PSD2 regulations.

While most transactions in the EU must be PSD2 compliant, there are some exemptions to the requirements. For our purposes, the most important of these is the case of recurring transactions. Recurring transactions are exempt from PSD2 as long as the consumer has already given permission to the merchant to run recurring transactions. More on this later.

SCA (Strong Customer Authentication)
One of the core principles of the new PSD2 regulation is SCA, or Strong Customer Authentication. Where previously single-factor authentication was sufficient, advances in technology mean that authentication using multiple, independent factors is now required for additional security. To protect the consumer, banks must now implement multi-factor authentication for all transactions. SCA is achieved by combining two of the following three measures: something you know (ex. password, PIN, etc), something you possess (ex. mobile phone, smart card, etc) and something you are (ex. biometric fingerprint).

PSD2 and EMV 3D Secure
Our article from last week about EMV 3DS looked at the latest implementation of 3D Secure (aka 3DS) technology. 3DS is intended to reduce fraud, increase approval rates, and enhance the online shopping experience for the consumer. When a transaction is authenticated using EMV 3DS, the liability for chargebacks shifts to the cardholder, thus preventing ‘friendly fraud’, which is the driver of a majority of online chargebacks. 3DS collects up to 150 data parameters to send to the banks to authenticate a transaction. There are 41 required data points and over 100 optional points that the merchant can choose to send to the cardholder’s bank about the transaction. These data points allow card issuers to do risk-based authentication (RBA), giving each transaction a score based on the level of risk associated with processing the transaction.

The EBA (European Banking Authority) has not named a specific technology that must be used by merchants to achieve Strong Customer Authentication. However, EMV 3DS is the only technology available that will achieve both SCA (a core requirement of PSD2) and chargeback liability shift.

Subscription-based services and products (ex. Netflix, Birchbox, Spotify, Dollar Shave Club, etc) are becoming more and more popular. For merchants using the subscription model (or trial-subscription model), chargebacks can be a challenge. PSD2 only requires the initial transaction to be authenticated with SCA. However, the initial transaction is rarely the one that cardholders charge back with their bank. The consumer remembers the initial signup – it is the first rebill they don’t recognize and subsequently call their bank about. By authenticating the first transaction and the first rebill, merchants can reduce their chargeback ratios drastically.
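To make the two rules above concrete (the two-of-three independent factors rule for SCA, and the recurring-transaction exemption that only applies after the initial authenticated signup), here is an added example in Python. It is not code from the original post or from PAAY, and every name in it (the factor categories, the evidence-type mapping, the Transaction fields and the helper functions) is an assumption made for illustration, not a PSD2 or 3DS API term. It also models the post's recommendation to authenticate the first rebill as a merchant-side policy switch.

```python
"""Added example (not part of the original post): a minimal policy check
that models two PSD2 rules described in the text.

1. Strong Customer Authentication (SCA) needs two of the three independent
   factor categories: knowledge, possession, inherence.
2. Recurring transactions are exempt from SCA once the cardholder has
   consented to them, but the initial transaction must be authenticated.
   The post also recommends authenticating the first rebill to cut
   chargebacks, so that is modelled as a merchant policy option.

All category names, Transaction fields and helper names are this example's
own assumptions, not PSD2 or 3DS terminology.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum


class Factor(Enum):
    KNOWLEDGE = "something you know"      # password, PIN
    POSSESSION = "something you possess"  # phone, smart card
    INHERENCE = "something you are"       # fingerprint


# Constructed mapping of concrete evidence types to factor categories.
EVIDENCE_CATEGORY = {
    "password": Factor.KNOWLEDGE,
    "pin": Factor.KNOWLEDGE,
    "otp_sms": Factor.POSSESSION,
    "app_push": Factor.POSSESSION,
    "smart_card": Factor.POSSESSION,
    "fingerprint": Factor.INHERENCE,
    "face": Factor.INHERENCE,
}


def satisfies_sca(evidence: list[str]) -> bool:
    """True when the evidence covers at least two *distinct* categories.

    Two knowledge factors (password + PIN) do not count: the factors must
    be independent. Unknown evidence types are ignored rather than trusted.
    """
    categories = {EVIDENCE_CATEGORY[e] for e in evidence if e in EVIDENCE_CATEGORY}
    return len(categories) >= 2


@dataclass
class Transaction:
    amount_cents: int
    recurring: bool = False          # part of a subscription / rebill series
    rebill_index: int = 0            # 0 = initial signup, 1 = first rebill, ...
    consent_on_file: bool = False    # cardholder agreed to recurring charges
    evidence: list[str] = field(default_factory=list)


def sca_required(txn: Transaction, authenticate_first_rebill: bool = True) -> bool:
    """Decide whether SCA must be performed for this transaction."""
    if not txn.recurring or txn.rebill_index == 0:
        return True  # one-off purchase or initial subscription signup
    if not txn.consent_on_file:
        return True  # the exemption only applies with prior consent
    if authenticate_first_rebill and txn.rebill_index == 1:
        return True  # merchant policy from the post: also authenticate the first rebill
    return False     # later rebills with consent on file are exempt


def authorize(txn: Transaction, authenticate_first_rebill: bool = True) -> str:
    """Return a constructed outcome label for the transaction."""
    if not sca_required(txn, authenticate_first_rebill):
        return "approved_exempt"
    if satisfies_sca(txn.evidence):
        return "approved_sca"
    return "declined_sca_missing"


if __name__ == "__main__":
    signup = Transaction(999, recurring=True, evidence=["password", "otp_sms"])
    first_rebill = Transaction(999, recurring=True, rebill_index=1, consent_on_file=True)
    later_rebill = Transaction(999, recurring=True, rebill_index=2, consent_on_file=True)
    print(authorize(signup), authorize(first_rebill), authorize(later_rebill))
```

The point of the `satisfies_sca` check is the category set, not the count of credentials: a password plus a PIN is still one factor. The `rebill_index == 1` branch is the merchant policy the post recommends, not a PSD2 requirement, which is why it sits behind a flag.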

Implementation
Implementing EMV 3DS on your website is very simple. 3D Secure Providers like PAAY will offer to do the implementation for the merchant. Adding 3DS authentication to your checkout page generally takes less than a day, including implementation and testing. To learn more about how EMV 3DS can help with PSD2 compliance, you can schedule a demo with PAAY.
