PSD2 authentication came into effect on September 14, 2019. It is known as Strong Customer Authentication (SCA), a regulatory requirement across Europe for businesses that process any kind of digital payments.
The definition of Strong Customer Authentication
Strong Customer Authentication is exactly what it sounds like; however, three layers are hidden underneath this name: knowledge, possession and inherence.
Knowledge is information that only the user knows, such as the answers to typical security questions (your childhood street, your first pet’s name, etc.). Possession is something a person possesses, usually a physical belonging like a smartphone. Inherence is something a user is, like a fingerprint.
The SCA process requires at least two of the aforementioned elements to guarantee a high level of security. The elements are separate and unrelated to each other, so if one of them is breached, the attacker cannot complete the next step. This ensures full confidentiality of the user’s authentication data and reliability.
PSD2 authentication was needed because of increasing online service use and the higher chance of fraud that comes with it. Without proper legislation, financial information would be left unprotected, and data breaches could create significant losses for both businesses and their clients. SCA ensures that there is a proper identification process in place, which reduces the cost of processing fraudulent transactions and potential fabrication. With the minimization of potentially fraudulent activities comes increased customer trust in digital services and payment transactions.
The use of PSD2 authentication
PSD2 authentication is mostly mandatory when transactions happen within Europe. In this case both the payee and the merchant are in Europe. SCA adoption has since spread outside Europe to other regions, such as India, which introduced SCA in its online payment environment and made it a requirement.
However, not all transactions fall into scope or require SCA. To simplify the SCA process and ease the user experience, payment exemptions were created:
- Transactions with low risk. A low-risk transaction is defined as a payment through an acquirer or issuer that has a fraud threshold below the specification. If the acquirer deems an in-scope transaction to be low-risk, it can proceed with a request for exemption to skip SCA. For this request to be successful, the acquirer or issuer should be below the fraud rate thresholds.
- Low-value transactions. If a payment is under 30€ or it’s a cumulative transaction over 100€ charged on an individual card, it is exempt from SCA. Nevertheless, the issuing bank will monitor transaction records to determine the number of payments made via this exemption. As mentioned above, in cases where transactions total 100€ or more, SCA will come into effect. Also, even if payments do not reach 100€, SCA will be applied every five transactions to avoid any fraudulent activities.
- Trusted beneficiaries. PSD2 authentication can be exempt if a cardholder chooses merchants that they trust. Every financial institution compliant with PSD2 provides a possibility for their customers to assign merchants to a trusted beneficiaries list. If a business is on this list, then the transaction amount loses its importance and becomes exempt from the SCA. Consequently, for a person who regularly purchases from a certain business, the buying process is shortened with the removal of SCA making transactions faster.
- Recurring transactions. A recurring transaction is a payment made regularly with a fixed amount. It becomes exempt from SCA from the second payment onwards; however, SCA is applied to the very first transaction. If the amount changes, SCA will be required for the first payment or every payment with a different amount.
- Business to Business (B2B) transactions. It is a type of payment made between two businesses utilising a specific tool allowing PSD2 authentication exemption.
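
The counters behind the low-value exemption can be tracked per card as in the following added example, which is not part of the original article or any payment provider's code. It follows the rule that SCA applies once exempt payments total 100€ or more; all names, the reading of "every five transactions" as the fifth payment since the last SCA, and the counter reset after SCA are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass

LOW_VALUE_LIMIT_CENTS = 30_00     # article: payments under 30 EUR can be exempt
CUMULATIVE_LIMIT_CENTS = 100_00   # article: SCA applies at a total of 100 EUR or more
MAX_TRANSACTIONS = 5              # article: SCA is applied every five transactions

# Constructed sample: payment amounts in cents on one card, in order.
SAMPLE_CENTS = [1000, 2500, 2900, 2900, 2900, 500, 500, 500, 500, 500, 4500]


@dataclass
class CardCounters:
    """Per-card state since the last SCA (hypothetical structure)."""
    exempt_total_cents: int = 0
    exempt_count: int = 0


def low_value_decision(counters: CardCounters, amount_cents: int) -> tuple[bool, str]:
    """Return (sca_required, reason) for one payment and update the counters."""
    if amount_cents <= 0:
        raise ValueError("amount must be positive")
    if amount_cents >= LOW_VALUE_LIMIT_CENTS:
        reason = "amount not under 30 EUR"
    elif counters.exempt_total_cents + amount_cents >= CUMULATIVE_LIMIT_CENTS:
        reason = "cumulative total reaches 100 EUR"
    elif counters.exempt_count + 1 >= MAX_TRANSACTIONS:
        reason = "fifth transaction since last SCA"
    else:
        counters.exempt_total_cents += amount_cents
        counters.exempt_count += 1
        return False, "low-value exemption"
    # Assumption: a completed SCA resets both counters for the card.
    counters.exempt_total_cents = 0
    counters.exempt_count = 0
    return True, reason


def replay(amounts_cents: list[int]) -> list[tuple[bool, str]]:
    """Run a sequence of payments through a fresh set of counters."""
    counters = CardCounters()
    return [low_value_decision(counters, amount) for amount in amounts_cents]


if __name__ == "__main__":
    for amount, (sca, reason) in zip(SAMPLE_CENTS, replay(SAMPLE_CENTS)):
        print(f"{amount / 100:7.2f} EUR  SCA={sca!s:5}  {reason}")
```

Amounts are held as integer cents so the 100€ comparison is exact rather than subject to floating-point rounding.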
PSD2 authentication plays a very important role in making online transactions safer and more user-friendly for both businesses and consumers.