The move to Strong Customer Authentication has begun; here’s what you need to know
In response to rising levels of fraud in online transactions over the past decade, the EU authorities made the decision to enforce new rules which would strengthen the authentication procedures for online transactions.
Officially, the EU Payments Services Directive (PSD2), took effect under law in January 2018 and was initially due to be fully implemented on the 14th of September 2019. However, to combat fears of disruption to customers and businesses, the decision was made to implement the changes over an 18-month period running until March 2021.
We’ve put together this guide to help you understand the changes to Customer Authentication and what they mean for your business and your customers.
What is Strong Customer Authentication?
The new authentication system will replace the current process of 3D Secure authentication for online transactions over €30.
Strong Customer Authentication means customers will no longer be able to checkout online using just their credit or debit card details alone, they will also need to provide an additional form of identification to establish a system of two-factor authentication.
These two factors can be any two out of three categories; something you know (e.g. your PIN number), something you have (e.g. your card) and something you are (e.g. a fingerprint).
Where does it apply?
Strong Customer Authentication applies only to transactions over €30 in value within the European Economic Area, where both payer and payee are in the region.
The processes of Strong Customer Authentication have already been enacted into UK law, so no matter the eventual outcome of Brexit, UK issuers will be required to put in place the necessary measures.
There are a number of transactions that are exempt from the Strong Customer Authentication process. These include low-value payments (those under €30), recurring payments for the same amount and secure corporate payments where the transaction is initiated by a legal entity. The full list of exempted payments can be found in our complete guide to Strong Customer Authentication.
What’s the difference between Strong Customer Authentication and 3D Secure?
3D Secure is the industry name for the current process of Customer Authentication whereby the customer may be asked for a unique password via a secure pop-up page from the Card Issuer.
Trade names such as ‘Verified By Visa’, ‘MasterCard Secure Code’, and ‘American Express SafeKey’ are used by issuers in reference to their 3D Secure processes.
The current version of 3D Secure, known as 3D Secure v1, has been deemed sufficient to meet the requirements of PSD2 for the time being.
However, as 3D Secure v1 doesn’t provide enough information for card issuers to adequately evaluate the transaction risk, a request for authentication is likely to be the default for all E-Commerce transactions until 3D Secure v2 is widely available.
The new version of 3D Secure is in the process of being implemented by card issuers and will become the norm by March 2021. This new version is commonly referred to as 3D Secure v2. The system will allow additional information to be passed to the card issuer so they can carry out a meaningful Transaction Risk Assessment and apply exemptions accordingly.
What do businesses need to do?
The implementation of Strong Customer Authentication is the responsibility of the issuers and not the individual merchants. Meaning all you need to do is have switched on 3D Secure authentication before the end of the transition period in March 2021.
If you don’t have 3D Secure switched on yet you may experience an increase in card declines, especially if you accept a large number of payments from EU-issued cards.
There shouldn’t be any disruption to the client-facing departments, such as customer support. However, as with any change to processes, it’s advisable to make all internal stakeholders aware, so that they can monitor the number of and reason for any declines experienced.
We recommend that all RSM2000 e-commerce clients use 3D Secure, currently in its v1 iteration. We are testing 3D Secure v2 and will make this available for client testing as soon as we are certain it is stable. We will be migrating users from v1 to v2 once we are completely happy with it.
How will Strong Customer Authentication affect customers?
There have been concerns that the more stringent framework of Strong Customer Authentication may cause friction in the shopper journey.
Much of that concern comes from people’s personal experiences with the current 3D Secure authentication technology. 3D Secure v1 has started to feel clunky, and its use of pop-up windows might seem suspicious to those who equate pop-ups with spam and phishing.
However, 3D Secure v2, uses a much more advanced infrastructure and is far more dynamic and streamlined than its predecessor. This should mean that the 3D Secure v2 authentication experience will be much smoother than v1, meaning customers won’t feel as much of a disruption to their payment journey.
Ultimately, the developments in Customer Authentication brought about by 3D Secure v2 will work to combat online payment fraud and make the customer’s online purchasing experience safer and smoother.
For businesses, traders and charities accepting online payments, Strong Customer Authentication will ensure that your payments are received securely and without the risk of fraud.
For a further explanation of how Strong Customer Authentication works, and what it means for you, download our comprehensive document here.