PSD2 SCA compliance and implementation guide
Learn how to comply with PSD2 SCA in your Netaxept integration. Please note that the information here should not be taken as legal advice.
The Payment Services Directive 2 (PSD2) is an EU regulation and its key objectives are to minimize fraud and make payments more secure across Europe.
There are different aspects of PSD2, but the key article for merchants is called Strong Customer Authentication (SCA) – an extra level of security for transactions initiated by consumers. It means consumers are requested to provide two-factor authentication to confirm their identity before they can check out online. The two factors must be independent of each other and should be from the following categories:
- Knowledge: Something only the consumer knows, e.g. a password or a PIN code.
- Possession: Something only the consumer has, e.g. a secure token or a mobile device.
- Inherence: Something only the consumer is, e.g. a biometric fingerprint or a facial recognition.
To make sure that your transactions comply with PSD2 SCA regulations, you need to implement 3D Secure authentication. For card payments this means using 3D Secure for Visa and Mastercard payments, and the equivalent authentication method for other cards, such as SafeKey for American Express and Dankort Secured by Nets for Dankort payments.
3D Secure for SCA compliance
3D Secure is an authentication protocol developed to protect consumers online through an additional security check. In practice this security check prompts the customer to confirm their identity when making a payment.
This usually happens through a mobile application provided by the consumer's card issuer, or with a One Time Password (OTP) sent to the customer's mobile phone. The customer then must submit that code to complete the payment.
The exact form varies by country and is selected by each card issuer.
SCA requirements can have a noticeable impact on the way you process your online payments and on your customers' payment experience.
Whilst SCA will reduce fraud and increase security, introducing SCA may challenge the user experience and thus impact your conversion. Not being PSD2 SCA compliant can result in your transactions being declined and in disruption to your business.
SCA rules cover all online payments including card, account-to-account (A2A) and mobile wallets; the most impacted area is card payments. The easiest way to meet SCA requirements for card payments is to use 3D Secure (or equivalent) authentication for the relevant part of the payment flow.
3D Secure (and equivalent) authentication is required, and consumers will not be able to make card payments online simply by typing in their card details, unless an SCA exemption applies or the transaction can be classified as being out of scope of SCA.
Liability shift rules
For Visa and Mastercard, you are protected from chargeback liability if the transaction is 3D Secure (any version) or otherwise authenticated.
This liability protection can differ for other local and international card schemes.
Transactions flagged as merchant initiated (MIT) do not have liability protection. The same is true if you request an SCA exemption and it is accepted by the card issuer.
However, if the exemption is applied by the card issuer rather than requested by you, the liability shifts to the card issuer.
If you apply "Delegated authentication" to your transactions, you will carry the liability for these transactions.