PSD2 SCA Compliance
This document is intended to help you learn about PSD2, SCA, and how they may impact your business. If you would like more context on the upcoming regulations, start with our blog post on PSD2, SCA, and 3DS2. Ready to jump straight to implementation? See the 3DS2 Guide.
Payment Services Directive (PSD2)
The second Payment Services Directive (PSD2) mandated that, starting September 14, 2019, online credit card transactions where both the issuing and acquiring banks are within the EEA (EU + Norway, Iceland, and Liechtenstein) must meet Strong Customer Authentication (SCA).
Strong Customer Authentication (SCA)
PSD2 mandates Strong Customer Authentication (SCA) for eCommerce transactions. SCA requires that customers prove their identity by providing two of the three categories of authentication: knowledge, possession, and inherence. These are often referred to as something you know, something you possess, and something you are.
SCA compliance with 3D Secure (3DS1 and 3DS2)
3D Secure was implemented to authenticate credit card transactions, and the best way to meet SCA compliance is to integrate both 3DS1 and 3DS2. 3DS2 is a substantial improvement over 3DS1, but there is an indication that some banks will not meet the PSD2 SCA deadline and will fall back to 3DS1 to comply with SCA.
You can find out how to get started on 3DS2 and 3DS1 using our implementation guides.
Certain transactions, like recurring transactions and merchant initiated transactions, can be exempted from SCA requirements under PSD2 rules. Exemptions are arbitrated by the issuing bank, and it is not clear which exemptions will be supported by which issuing banks before the compliance date. Many gateways are filing exemptions on behalf of their merchants for applicable transactions, and this automatic application of exemptions should be no different if you are transacting through Spreedly. If you discover that a manual exemption request must be added to your transaction request, just let us know what fields need to be passed. Each exemption is separate, and only one needs to be requested even if multiple are eligible. It is important to note that an exemption request is not a guarantee: the issuer can request SCA at its discretion. Below is a list of possible exemptions, but feel free to check the directive’s requirements yourself.
- Article 12 - Unattended terminal for transport and parking
- Article 13 - Trusted beneficiaries: This is generally where the consumer has already whitelisted the merchant to run transactions
- Article 14 - Recurring transactions: Similar to Article 13, this is where the consumer has already given permission for the merchant to run subsequent recurring transactions
- Article 15 - Credit transfers to self: Where the consumer and the payee are the same person and both accounts are held with the same service provider
- Article 16 - Low-value transactions: Where the amount of the remote electronic payment transaction does not exceed €30 and the cumulative amount of previous remote electronic payment transactions initiated since the last challenge does not exceed €100 or 5 consecutive individual remote electronic payment transactions.
- Article 17 - Secure corporate payment processes and protocols
- Article 18 - Transaction risk analysis: PSPs are allowed to notify authorities that they intend to use real time risk analysis to qualify certain transactions if they can show that the overall fraud rate is less than the required threshold. The thresholds are: 0.13% to exempt transactions below €100, 0.06% to exempt transactions below €250, and 0.01% to exempt transactions below €500.
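The Article 16 and Article 18 limits above are concrete enough to encode as a pre-authorization check that picks the single exemption to flag on a request (or none, in which case the payment goes to 3DS). This is an added illustration, not Spreedly code or Spreedly API fields; the `Transaction` and `Merchant` attributes are hypothetical, and the sample values are constructed.

```python
from dataclasses import dataclass
from decimal import Decimal
from typing import List, Optional

# Constructed inputs: one remote card payment and the PSP's standing.
# Field names are hypothetical, not Spreedly API fields.
@dataclass
class Transaction:
    amount_eur: Decimal
    trusted_beneficiary: bool = False        # Art. 13: customer whitelisted the merchant
    recurring_subsequent: bool = False       # Art. 14: follow-on payment of an agreed series
    cumulative_since_sca_eur: Decimal = Decimal("0")  # Art. 16: spend since last challenge
    count_since_sca: int = 0                 # Art. 16: prior payments since last challenge

@dataclass
class Merchant:
    psp_fraud_rate_pct: Decimal              # Art. 18: PSP's overall fraud rate, in percent

# Article 16 limits as stated above.
LOW_VALUE_MAX = Decimal("30")
LOW_VALUE_CUMULATIVE_MAX = Decimal("100")
LOW_VALUE_COUNT_MAX = 5

# Article 18: fraud-rate threshold (percent) and the amount band it unlocks.
TRA_BANDS = [
    (Decimal("0.01"), Decimal("500")),
    (Decimal("0.06"), Decimal("250")),
    (Decimal("0.13"), Decimal("100")),
]

def tra_ceiling(fraud_rate_pct: Decimal) -> Decimal:
    """Largest amount the PSP may exempt under TRA for its fraud rate; 0 means no TRA."""
    for max_rate, ceiling in TRA_BANDS:
        if fraud_rate_pct < max_rate:          # rate must be below the threshold
            return ceiling
    return Decimal("0")

def candidate_exemptions(txn: Transaction, merchant: Merchant) -> List[str]:
    """All exemptions this payment could be flagged with. The issuer may still challenge."""
    found = []
    if txn.trusted_beneficiary:
        found.append("Article 13")
    if txn.recurring_subsequent:
        found.append("Article 14")
    if (txn.amount_eur <= LOW_VALUE_MAX
            and txn.cumulative_since_sca_eur <= LOW_VALUE_CUMULATIVE_MAX
            and txn.count_since_sca <= LOW_VALUE_COUNT_MAX):
        found.append("Article 16")
    if Decimal("0") < txn.amount_eur <= tra_ceiling(merchant.psp_fraud_rate_pct):
        found.append("Article 18")
    return found

def exemption_to_request(txn: Transaction, merchant: Merchant) -> Optional[str]:
    """Only one exemption goes on the request; None means send the payment to 3DS."""
    found = candidate_exemptions(txn, merchant)
    return found[0] if found else None
```

Because the issuer can still demand SCA, the caller must be ready to handle a challenge response even when an exemption was flagged.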