Article translated by machine

This text is a machine translation. A revised version is planned.

Valid for iPayment.

The technical regulatory standards under the Payment Services Directive 2 (PSD2) have been in force since 14 September 2019. They were defined by the European Banking Authority (EBA) and oblige all European online retailers to ensure stronger customer authentication for online purchases. This article explains the details.

Background to strong authentication

For all European online retailers this means: every credit card payment must be "strongly" secured by an additional check that the buyer really is the cardholder. This process is called two-factor authentication.

The requirements for strong customer authentication (SCA) are intended to increase the security of electronic payments and thus protect against fraud in online shopping. Since 1 January 2021, SCA must be used for all e-commerce transactions unless an exemption applies.

What is strong customer authentication?

Strong authentication verifies the customer's identity using two factors. The factors are divided into categories, and as a general rule the two factors used must come from different categories.

The categories currently in use are:

  • Knowledge: for example a password or a PIN
  • Possession: for example a credit card or a smartphone
  • Inherence (characteristics or behaviour): for example a fingerprint or facial recognition

Example: The procedure often used in the past, securing the credit card number with the security code printed on the back of the card, does not meet the requirement for strong authentication. This is because both the credit card number and the security code belong to the possession category.
Consequence: In addition to the credit card number, a further factor must be used, e.g. a password, PIN or TAN, or a fingerprint, because these factors fall into the knowledge or inherence category.

Two-factor authentication is not a new procedure as such. What is new is that its use is now mandatory for all electronic payments.

What does this mean for online retailers in detail?

  • Introduce the 3D Secure security procedure. This applies to all online credit card payments, e.g. Mastercard Identity Check (formerly SecureCode), Visa Secure (formerly Verified by Visa) or Amex SafeKey.
  • Activate the option "Perform 3D Secure check" in the ipayment configuration menu under Applications > Security settings.
  • For new installations, we will activate 3D Secure for you by default. Prerequisite: the shop must support 3D Secure forwarding. Check whether the 3D Secure box needs to be ticked:
    • To do this, click on Payment methods in the ipayment admin menu.
    • Now select a payment provider and click on Edit.
    • On the details page for the payment method, tick the corresponding box for 3D Secure.
  • Inform your customers so that they are as well prepared as possible for the process. This minimises purchase abandonment and avoids frustrated buyers at the card payment step.

The existing Shop > ipayment interface can still be used as usual.

The new 3D Secure process

3D Secure 2 (3DS2) is a new standard brought to market by EMVCo and the major credit card schemes. It introduces a new approach to authentication based on a much broader set of data, biometric authentication and an improved, standardised online experience. The previously used 3D Secure 1 will continue to operate in parallel.

The aim of 3DS2 is to decide on a risk basis whether the customer actually needs to go through authentication (SCA). Banks can assess the fraud risk better because far more customer data is exchanged between the merchant and the bank than before, potentially over 100 data points. The data includes, for example, information on the browser, the device used (mobile phone, tablet) and the delivery address. The bank can, for instance, check whether the data transmitted by the retailer matches the data it already holds on its own customer. This should make misuse easier to recognise.

The data is stored at the card-issuing bank but is usually deleted after one year. A further aim is to offer the customer the simplest possible authentication procedure.

The dynamic, user-friendly payment flow of 3DS2 thus improves the customer experience compared to its predecessor and leads to fewer purchase abandonments on the merchant side.

In addition, 3DS2 works more smoothly and securely on smartphones.

The most important exemptions from strong customer authentication

The Payment Services Directive defines various exemptions. However, the card-issuing bank decides whether to allow an exemption or to require two-factor authentication anyway.

Merchant-initiated transactions (MIT), including recurring payments and subscriptions with variable amounts
Recurring transactions are exempt from the second transaction onwards; only the first transaction requires strong customer authentication. Please note that these transactions must be labelled as recurring transactions in order to benefit from the exemption. It is important that the initial transaction is carried out with 3D Secure and that the initial and all subsequent transactions are correctly labelled as recurring.

Further details can be found in the ipayment technical manual in the chapter "Recurring payments".

Low risk
Payments for which the card-issuing bank anticipates a low risk of fraud can also go through with simple authentication.

Mail order and telephone orders (MOTO)
MOTO transactions are not considered electronic payments and are therefore out of scope for SCA. Important: make sure that your MOTO transactions are correctly labelled as such in every cardholder purchase or payment scenario.

If cardholder authentication is performed with 3D Secure, merchants are generally protected against fraud-related chargebacks: in these cases liability shifts to the card issuer. If the merchant applies an exemption to the transaction when using 3DS2, liability does not shift to the card issuer.
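As an added illustration (not ipayment's code; the field names such as `channel`, `recurring` and `issuer_grants_exemption` and the factor names are assumptions), the following Python encodes two rules from this article: the factor-category rule from the section on strong customer authentication, and the exemption and liability-shift rules just described.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional

class Category(Enum):
    KNOWLEDGE = "knowledge"
    POSSESSION = "possession"
    INHERENCE = "inherence"

# Assumed mapping of factor names to PSD2 categories. Note that the card number
# and the security code on the back of the card both count as "possession".
FACTOR_CATEGORY = {
    "card_number": Category.POSSESSION, "security_code": Category.POSSESSION,
    "smartphone": Category.POSSESSION, "password": Category.KNOWLEDGE,
    "pin": Category.KNOWLEDGE, "fingerprint": Category.INHERENCE,
    "face": Category.INHERENCE,
}

def is_strong_authentication(factors):
    """SCA needs at least two factors drawn from at least two different categories."""
    categories = {FACTOR_CATEGORY[f] for f in factors}
    return len(factors) >= 2 and len(categories) >= 2

@dataclass
class Transaction:
    channel: str                                # "ecommerce" or "moto" (assumed labels)
    recurring: bool = False                     # flagged as recurring / MIT
    first_in_series: bool = True                # only meaningful if recurring
    exemption_requested: Optional[str] = None   # e.g. "low_risk"
    issuer_grants_exemption: bool = False       # the card-issuing bank decides
    three_ds_authenticated: bool = False        # cardholder passed a 3DS challenge

def sca_required(txn: Transaction) -> bool:
    """Decide whether the cardholder has to be challenged for this transaction."""
    if txn.channel == "moto":
        return False   # MOTO is not an electronic payment, so out of scope for SCA
    if txn.recurring and not txn.first_in_series:
        return False   # MIT exemption: only the first transaction in a series needs SCA
    if txn.exemption_requested and txn.issuer_grants_exemption:
        return False   # e.g. low risk, but only if the issuer accepts the exemption
    return True

def liability_shifts_to_issuer(txn: Transaction) -> bool:
    """Fraud-chargeback liability moves to the issuer only when 3DS authentication was
    actually performed; relying on an exemption leaves the liability with the merchant."""
    return sca_required(txn) and txn.three_ds_authenticated
```

Note that a recurring series whose first transaction was not 3DS-authenticated would not satisfy the article's precondition for the MIT exemption; this check is left to the merchant's own records.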

Please note

3D Secure only protects against chargebacks in connection with fraud. It does not protect against chargebacks arising from the regular cancellation and return policy, e.g. goods not matching the description, defects, or non-receipt of the purchased item.