From 14 September 2019, certain electronic and remote payments must be subjected to two-factor, or “strong customer authentication” (SCA), under regulatory technical standards that apply across the European Economic Area (EEA) and implement the second EU Payment Services Directive (PSD2), which took effect in January 2018. Retailers are uncertain whether these new European anti-fraud measures will cause consumers to abandon online purchases. Some transactions will be affected, while others may be exempt.
- UK SCA compliance. Owing to the prevalence of card payments for online transactions in the UK, compliance with SCA will usually be achieved by an extra check in the online checkout process that complies with the 3D Secure standard. However, the arbiter of whether this process is SCA-compliant is now the card-issuing bank rather than the retailer (or the retailer’s acquirer).
- Re-designing engagement with customers. Retailers will need to develop the ability to predict accurately whether and when a customer faces SCA and the proportion of transactions that might be abandoned if the customer is not ready or willing to undergo that check. Some retailers may also consider redesigning their engagement with customers to suit interpretations of the scope and exemptions from SCA. No doubt innovative security solutions and new service providers will also emerge to deal with the SCA challenge.
- Required action. We recommend that companies that accept online transactions analyze whether their processes should be viewed as SCA-compliant or otherwise excluded from PSD2 or the SCA standard. This analysis is particularly important for U.S.-based companies and other companies based outside of the EEA to the extent that they are not as familiar with PSD2.
The New Rules
The impact of the new rules is difficult to predict. In particular, SCA would apply to retailers accepting online payments from consumers based in the EEA, even if the retailer itself isn’t EEA-based, but only the payment service provider (PSP) issuing the security credentials, such as the card-issuing bank, ultimately decides whether an exemption applies. Taking that decision away from the retailer and their own PSPs (i.e., their “merchant acquirers”) means that the retailer may be unable to predict whether a customer faces an extra security step and, if so, the proportion of transactions that might be abandoned if the customer is not ready or willing to undergo that check. SCA could also affect online card payments, as well as payments in e-money and online bank transfers, in a range of circumstances that might not fit exemptions or that are hampered by legacy systems. With online sales rapidly approaching 20% of total retail sales in the UK, this represents a significant challenge for all existing and future retailers, not to mention the impact on consumers’ online shopping experience.
Whether a transaction is caught by SCA first depends on whether PSD2 applies. Some payment services and transactions may be completely out-of-scope of PSD2 based on currency and/or geographic location of the participants, or may be in-scope, but specifically excluded. Even if a transaction is in scope and not excluded under PSD2, a transaction may be subject to certain exemptions under the SCA standard.
Scope of PSD2
- The scope of PSD2 (and whether all provisions apply) is determined by currency and territory in which each of the payer’s and payee’s PSPs, or the sole PSP involved, is based. For example, where only one of the PSPs involved is based in the EEA, PSD2 only applies to the part of the transaction processed in EEA, and the European Banking Authority (EBA) has said the PSP need only use its best efforts to apply SCA (subject to bearing the liability for its failure to do so). This would include a card issued to a U.S. resident used online with a retailer based in the EEA.
- Some payment-related activities may be considered out of scope of PSD2 because they are not offered by way of business or as a business activity in its own right (i.e., they are merely ancillary to another business activity).
- Some services and transactions are in-scope of PSD2, but benefit from a specific exclusion. Broadly, these include transactions via commercial agents acting only for the payer or payee; technical services where the provider does not handle funds, initiate payments or provide access to payment account information; services based on instruments that can only be used in a limited way; and transactions between group companies. The nature and scope of these exclusions are quite complex and small changes in the facts may significantly change the analysis.
Scope of SCA
Payment transactions that are in scope of PSD2, and which do not benefit from an exclusion, may be subject to SCA when initiated. In a retail context, SCA must be applied where the payer initiates an electronic payment transaction or carries out any action through a remote channel that carries a risk of payment fraud or “other abuses”. While in-person card payments at an attended point of sale might on their face be out-of-scope (as not being solely “electronic” or remote transactions), the SCA standard assumes that chip-and-PIN card readers and 3D Secure (a technical security standard created by the card networks) are generally available. So, to the extent that a physical point-of-sale is not chip-and-PIN enabled or a 3D Secure environment, there may be some risk that the SCA standard still applies even though it is a card-present transaction.
The SCA standard generally applies to online transactions, but the regulated PSP that issues the payer’s security credentials, such as the card-issuing bank, may decide not to apply SCA, depending on the payment method and type of transaction. The SCA exemptions may be summarized as follows:
a) Remote low-value transactions: up to €30 per transaction (cumulative limit of five separate transactions or €100);
b) Series of recurring transactions: this could include, for example, subscriptions – as long as the recurring transactions are for the same amount and payee (but SCA must be applied to the first transaction in the series);
c) Whitelisted merchants: customers can add merchants to a whitelist of “Trusted Beneficiaries” maintained by their issuing bank, but the merchant is not allowed to prompt the customer to do this;
d) Corporate transactions: through a regulator-approved, dedicated process only available to non-consumers (although member states might treat micro-enterprises as consumers);
e) Contactless payments: up to €50 (cumulative limit of five separate transactions or €150);
f) Unattended payment terminals: but only for purposes of paying transport fares or parking fees;
g) Low-risk transactions: as determined by the card issuer, depending on the average fraud levels of the issuer and the acquirer processing the transaction, rather than the merchant or channel, with different limits for cards and credit transfers.
In addition, the EBA has issued guidance in the form of an opinion and a Q&A on its interpretation of the SCA standards and exemptions (although the courts would be the final arbiters). For instance, the EBA has issued a non-binding interpretation that transactions initiated only by the payee (referred to in the industry as “merchant initiated transactions”) are outside the scope of the SCA “to the extent that these transactions are initiated without any interaction or involvement of the payer”:
- “… where the payer has given a mandate authorizing the payee to initiate a transaction or a series of transactions through a particular payment instrument that is issued to be used by the payer to initiate the transactions, and where the mandate is based on an agreement between the payer and that payee for the provision of products or services, the transactions initiated thereafter by the payee on the basis of such a mandate can be qualified as payee initiated transactions, provided that those transactions do not need to be preceded by a specific action of the payer to trigger their initiation by the payee” (emphasis added).
The original payment authorization would still need to be subject to SCA if done remotely, and such “payee initiated transactions” are subject to certain liability constraints under PSD2.
Despite Brexit, the same rules are likely to apply in the UK. The UK FCA has already proposed regulatory technical standards for SCA which will apply in the UK from 14 September 2019 in the event of a no-deal exit by the UK from the EU.