“PSD2” is the acronym for Directive (EU) 2015/2366 of 25 November 2015 on payment services in the internal market, the second Payment Services Directive. It is the European regulation that sets the regulatory framework for electronic payments in Europe.
This directive prescribes the mandatory application of specific security measures and procedures to electronic payment transactions, in particular those taking place at a distance. These measures and procedures are built on the concept of “strong customer authentication” (“SCA”).
The requirement to perform strong customer authentication when initiating an electronic payment transaction obliges the Payment Service Providers (PSPs) that issue payment instruments to authenticate the payer's identity using two independent security elements (authentication factors) each time the payer makes a payment at a physical or online store.
The obligation to apply SCA when initiating an electronic payment transaction has applied to face-to-face purchases since 14 September 2019. For online purchases it will start to apply in the coming months, and the authentication factors requested will not be the same as for face-to-face purchases.
The use of SCA for card payments over the Internet will change the way payment service users make purchases, as payers will no longer be able to pay online with their card details alone (card number, expiry date and security code). Instead, they will have to verify their identity during the payment process, for example by entering an additional code received on their mobile phone, or through the banking application linked to their phone, which requires a password or fingerprint to approve the transaction.
Strong customer authentication for Internet payments is based on the combined use of two of the three types of authentication factor defined in the directive: something only the payer knows (knowledge), something only the payer has (possession) and something the payer is (inherence).
In this way, the issuer of the payment instrument can be sure that the payer is who they claim to be. Each issuing institution has decided which authentication factors it will ask its customers for, so the shopping experience may vary depending on the card used.
However, there are a number of situations in which the issuer is allowed not to ask for both authentication factors, which benefits the user experience without reducing the security of the payment.
Applying SCA to cardholders is the responsibility of the card-issuing bank, although PSD2 provides for a number of situations (called exemptions) in which issuing banks are allowed not to apply SCA because the transactions are considered lower risk. SCA may therefore not be applied in the following cases:
What exactly is Strong Customer Authentication (SCA)?
Strong Customer Authentication, known as “SCA”, involves new security measures that make card payments even more secure: it is the way issuing banks identify cardholders when they order payments in face-to-face or online shops.
These new security measures have applied to face-to-face purchases since 14 September 2019. For online purchases they will start to apply in the coming months, until full implementation in January 2021.
Until now, customers of secured shops have been authenticated by asking them to enter the card number, the expiry date, the CVV and a 4-digit one-time password (OTP) sent to their mobile phone by SMS.
Once SCA is required, a customer making a purchase at an online store will still enter the card number and expiry date, but in addition the bank that issued the card will ask for 2 of the following 3 types of authentication factors:
- Knowledge: something only the customer knows, such as a password or PIN.
- Possession: something only the customer has, such as the mobile phone that receives a one-time code or runs the banking app.
- Inherence: something the customer is, such as a fingerprint or face.
The two factors must be independent, so that compromising one does not compromise the other. The card number, expiry date and CVV printed on the card do not themselves count as a factor: the EBA does not accept card details as a knowledge element.
Issuing banks will ask their cardholders for the most convenient and user-friendly authentication factors, according to each customer's preferences regarding technology and the way they interact with the bank.
As a result, a customer's shopping experience at a store may differ depending on the bank that issued the card used to pay.
No, the Banco de España has confirmed that SCA will always have to be applied, unless the transaction falls outside the scope of the requirement (e.g. a cross-border transaction where one of the parties is outside the EU) or one of the exemptions provided for by law can be applied.
No, since they are not considered payment transactions.
Yes, as these are transactions initiated via the Internet or via a device that can be used for remote communication. This includes transactions carried out over the Internet and via mobile phones (an Internet purchase made from a phone is not a “contactless” purchase).
The European Banking Authority has clarified that, both where the payer has pre-authorised the blocking of a maximum amount and where no such pre-authorisation has been given, if the final amount is equal to or less than the amount the payer agreed to, the transaction can be executed without requesting SCA again; if the amount is greater, the issuer must either request SCA again or reject the transaction.
The white list is held by the issuing bank but is created by the customer, and only the customer can modify it. For this reason the European Banking Authority has established that issuing banks cannot suggest new entries or changes to the shops on the list. Nothing prevents the merchant from informing its customer of this possibility, or even suggesting it. In any case, white-listing must be done in the issuer's environment and itself requires SCA.
Issuers are not legally required to inform the acquiring bank or the merchant that a business has been included in a white list; sharing this information without the cardholder's express consent could breach data protection law. Nothing, however, prevents the merchant from obtaining this information from its own customer.
Moreover, the final decision on whether to apply SCA to a transaction rests with the issuer, which, on risk grounds, may decide to apply SCA even if the merchant is on the cardholder's white list.
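As an added example (not code from the original page, nor from any issuer's or bank's system), the following Python models the issuer-side rules described above: two factors from two different categories, card data printed on the card not counting as a factor, no repeat SCA when the final amount does not exceed the pre-authorised amount (and SCA or rejection when it does), a white list that can only be edited after SCA, and the issuer's right to apply SCA to a white-listed merchant anyway. The element names (`password`, `sms_otp`, ...), class names and merchant identifiers are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Iterable, Optional, Set


class Factor(Enum):
    KNOWLEDGE = "something only the payer knows"   # password, PIN
    POSSESSION = "something only the payer has"    # phone receiving an OTP, banking app
    INHERENCE = "something the payer is"           # fingerprint, face


# Hypothetical element names for this example; a real issuer names them
# differently. Card data printed on the card (PAN, expiry, CVV) is
# deliberately absent: it is not accepted as a knowledge element, so it
# never counts towards SCA.
ELEMENT_CATEGORY = {
    "password": Factor.KNOWLEDGE,
    "pin": Factor.KNOWLEDGE,
    "sms_otp": Factor.POSSESSION,
    "app_approval": Factor.POSSESSION,
    "fingerprint": Factor.INHERENCE,
}


def factors_satisfy_sca(elements: Iterable[str]) -> bool:
    """SCA needs elements from two *different* categories.

    Two elements of the same category (SMS OTP plus app approval, both
    possession) do not qualify, and unknown elements such as "cvv" are
    ignored rather than treated as a factor.
    """
    categories = {ELEMENT_CATEGORY[e] for e in elements if e in ELEMENT_CATEGORY}
    return len(categories) >= 2


@dataclass
class Transaction:
    merchant_id: str
    amount: float
    # Amount the payer already authenticated (e.g. a hotel pre-authorisation);
    # None for a fresh payment.
    pre_authorised_amount: Optional[float] = None
    elements_presented: tuple = ()


@dataclass
class CardholderProfile:
    # Trusted-beneficiary white list: held by the issuer, edited only by the payer.
    trusted_merchants: Set[str] = field(default_factory=set)


class Decision(Enum):
    APPROVE = "approve"            # execute without asking for anything more
    REQUIRE_SCA = "require_sca"    # challenge the payer for two factors
    REJECT = "reject"


def add_trusted_merchant(profile: CardholderProfile, merchant_id: str,
                         elements: Iterable[str]) -> bool:
    """White-listing happens in the issuer's environment and itself requires SCA."""
    if not factors_satisfy_sca(elements):
        return False
    profile.trusted_merchants.add(merchant_id)
    return True


def issuer_decide(tx: Transaction, profile: CardholderProfile,
                  issuer_forces_sca: bool = False,
                  reject_overruns: bool = False) -> Decision:
    """Issuer-side decision, in the order the page describes.

    issuer_forces_sca models the issuer's right to apply SCA on risk grounds
    even to a white-listed merchant; reject_overruns models an issuer that
    rejects, rather than re-authenticates, amounts above the pre-authorisation.
    """
    # 1. Final amount against a pre-authorised amount: no new SCA if equal or
    #    lower; otherwise SCA again, or rejection.
    if tx.pre_authorised_amount is not None:
        if tx.amount <= tx.pre_authorised_amount:
            return Decision.APPROVE
        if reject_overruns:
            return Decision.REJECT
        return (Decision.APPROVE if factors_satisfy_sca(tx.elements_presented)
                else Decision.REQUIRE_SCA)

    # 2. Trusted-beneficiary exemption, unless the issuer overrides it.
    if tx.merchant_id in profile.trusted_merchants and not issuer_forces_sca:
        return Decision.APPROVE

    # 3. Otherwise two independent factors must have been presented.
    if factors_satisfy_sca(tx.elements_presented):
        return Decision.APPROVE
    return Decision.REQUIRE_SCA


if __name__ == "__main__":
    # Constructed sample: the pre-SCA flow (card data + SMS OTP) is a single
    # category, so it is challenged; password + SMS OTP passes.
    profile = CardholderProfile()
    legacy = Transaction("shop-a", 50.0, elements_presented=("cvv", "sms_otp"))
    print(issuer_decide(legacy, profile))                       # REQUIRE_SCA
    add_trusted_merchant(profile, "shop-a", ("password", "sms_otp"))
    print(issuer_decide(Transaction("shop-a", 50.0), profile))  # APPROVE
```

The order of the checks matters: an amount within the pre-authorisation is approved before the white list is consulted, while a white-listed merchant is still challenged when the issuer's own risk engine says so.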