On the 14th September 2019, PSD2 comes in to force. If you receive payments online from your customers, you should understand what changes to expect, and whether or not action will be required on your part to comply with the law and to avoid significant loss of income.
Let’s start with a little glossary
The Revised Payment Services Directive is the second iteration of the ‘Payment Services Directive’ (PSD), a European Union (EU) directive first introduced in 2007 to regulate payment services and providers. The directive was introduced to break the banks’ monopoly on payment services, encouraging innovation and improved security.
Strong Customer Authentication is essentially the same as the Two Factor Authentication you may already be familiar with if you have ever had to receive a code by email or SMS in order to log in to an online service. Its purpose is to improve security by requiring two of the following three things:
- Something the person knows (such as a password)
- Something the person has (such as a mobile phone or device)
- Something that the person is (such as a fingerprint or their face)
3D Secure is a term used to describe additional authentication during an online payment. You may remember when 3D Secure first appeared in 2001 as “Verified by Visa” and many online card payments required a password? The interruption to the checkout process was hugely disruptive – damaging to businesses and frustrating to customers, but merchants were obliged to implement it or risk not being protected against fraudulent transactions. 3DS2 aims to address many of the shortcomings of 3D Secure 1 by introducing less disruptive authentication and a better user experience.
3D Secure 2 allows businesses and their payment provider to send more data elements on each transaction to the cardholder’s bank. This includes payment-specific data like the shipping address, as well as contextual data, such as the customer’s device ID or previous transaction history.
The cardholder’s bank can use this information to assess the risk level of the transaction and select an appropriate response:
- If the data is enough for the bank to trust that the real cardholder is making the purchase, the transaction goes through the “frictionless” flow and the authentication is completed without any additional input from the cardholder.
- If the bank decides it needs further proof, the transaction is sent through the “challenge” flow and the customer is asked to provide additional input to authenticate the payment.
Although a limited form of risk-based authentication was already supported with 3D Secure 1, the ability to share more data using 3D Secure 2 aims to increase the number of transactions that can be authenticated without further customer input.
Example flow of authenticating a payment using 3D Secure 2 with fallback support for 3D Secure 1
Even if a transaction follows the frictionless flow, your business will benefit from the same liability shift as for transactions that pass through the challenge flow.
Better user experience
Unlike 3D Secure 1, 3D Secure 2 was designed after the rise of smartphones and makes it easier for banks to offer innovative authentication experiences through their mobile banking apps (sometimes referred to as “out-of-band authentication”). Instead of entering a password or just receiving a text message, the cardholder can authenticate a payment through the banking app by just using their fingerprint, or even facial recognition. We expect many banks to support these smoother authentication experiences with 3D Secure 2.
The second improvement in user experience is that 3D Secure 2 is designed to embed the challenge flow directly within web and mobile checkout flows—without requiring full page redirects. If a customer authenticates on your site or webpage, the 3D Secure prompt now by default appears in a modal on the checkout page (browser flow).
Source: Stripe – https://stripe.com/en-fr/guides/3d-secure-2
How does this affect you and what actions are required of you as an online merchant?
As always, this depends on the platform that you use to sell online. The chances are that you will only have to take any significant action to comply with PSD2 if you host your own website (e.g. WordPress). In most other cases, it will be the responsibility of the website service provider to update their payment processes, and many have already done so. Your responsibility is only to check that the payment processing will be compliant. You can usually do this by browsing their forum or by asking their support team. A few examples include Squarespace, Wix, Shopify, Big Commerce, Etsy, eBay, Amazon, Eventbrite.
If you have a web hosting package and accept payments via a WordPress website for example, you will need to establish what payment gateway you use to receive the payments and if it has been implemented in a compliant way. At time of writing, Stripe are ahead of the curve, and the official Stripe plug-in for Woocommerce is already compliant. Do check your own implementation is up to date and compliant. If you use any PayPal off-site payment methods, no changes should be required as the payments are not processed on your website, but at present (5 August 2019), PayPal Pro (on site payments) is still not compliant.