Strong Customer Authentication is here – are you prepared?
The European payments directive that requires Strong Customer Authentication (SCA) on transactions originating in the EEA has finally become law in the UK.
SCA is a modern way to provide customers with a frictionless payments experience across all technological devices. To be compliant, payment organisations must rely on robust mechanisms included in their payment processes which will vet transactions to verify if customers are making genuine transactions. Here are some key pointers to help ensure you are prepared for the changes which came into place on 14 March 2022.
How will banks undertake Know Your Customer (KYC) checks as part of SCA?
Banks use information from various categories to complete their KYC checks for transaction approval:
Biometrics using fingerprints, facial or voice recognition
Identity confirmation using a PIN, a personal data point (your first school or mother’s maiden name) or a passphrase
Confirmation of payment using the customer’s device such as mobile phone, wearable device, token or smart card
What technology is recommended to ensure compliance with SCA?
3D Secure 2 (or 3DS2) is the recommended technology to ensure compliance with SCA. It was established by Visa and Mastercard to allow communication between digital merchants, payment networks and financial institutions to analyse and share transactional data. It helps merchants to securely process payments while protecting the card issuer from fraudulent transactions, particularly at a time where there is a shift towards mobile and invisible commerce.
3DS2 is an authentication protocol accessible through a more significant number of devices and platforms, including integration with mobile numbers. It uses two-factor authentication where a secure passcode is used for verification to enable a real-time, secure, information-sharing process that merchants can use to send specific transactional attributes that the issuer can use to authenticate customers more accurately without asking for a static password or slowing down payments.
What are the benefits of 3DS2?
3DS2 is designed to enable a better customer experience having minimal impact on conversions offering benefits including:
It easily facilitates mobile transactions, providing customers with a quick frictionless experience including using biometric authentication and other methods to speed up payments.
It helps quickly collect data to identify risks and protect against fraud with specific data points collected, sent to a 3DS Server, and routed to the card issuer Access Control Server (ACS) for approval.
It enables card issuers to analyse more than 150 data fields, such as browser IP address, browser language, delivery timeframe, shipping indicator, merchant category code and respond with a frictionless approval, device fingerprint, challenge, or fallback.
It reduces risks caused by unauthenticated payments to allow consumers to directly authenticate with banks, shifting the fraud screening responsibility from merchants to the banks while avoiding chargeback issues.
It provides a lot of transactional data so that banks can confidently and quickly approve transactions.
It eliminates the need for customers to self-enrol – 3DS2 disables the enrolment procedure where a window would pop up redirecting the customer from the checkout page to the bank’s website.
How can merchants implement 3DS2?
The best way to implement 3DS2 for your payment authentication process is by using a payment gateway solution like TRU Security. This is an out-of-the-box solution that is SCA ready. Using Artificial Intelligence (AI) for AML, fraud detection and enhanced 3D Secure 2 as standard, TRU Security will detect fraud and cyber threats through continuous behavioural authentication.
If your business operates in Europe and accepts online card payments, implementing 3-D Secure 2 (3DS2) is an essential update to your payment systems, required by all the card schemes (Visa, Mastercard, Amex, Discover/Diners) for online transactions. Your business needs to be up and running on 3DS2 to comply with EU laws and avoid card declines.
Providing a frictionless payment process offers a tangible advantage that will help your customers make purchases quickly and effortlessly. According to Visa, 3DS2 will see around 95% of transactions go through automatically, drastically reducing the requirements for additional verification typical before introducing this technology.
What changes will customer see from SCA and 3DS2?
Banks will have sent recent correspondence to warn customers that they may soon start to notice an increase in the number of times they’re asked to authorise online card payments in whatever way customers usually have to do this.
Typically, the correspondence will not speak about SCA ability but indicate that extra checks are being introduced to help reduce fraud by checking it’s the cardholder who is making the payment in order for the bank to be compliant with new payment regulations, and reinforcing their commitment to keep customer money safe.
Each bank will offer their own advice. This is an example of guidance issued by Santander bank in the UK:
All online card payments need to be checked to see if extra verification is needed but some retailers may need more time to put this in place. We hope it won’t be long before everyone’s ready, if a retailer isn’t ready, there could be times when your card is declined. If this happens:
check that you have enough money in your account.
ask the retailer if they offer a different payment method.
The UK Financial Conduct Authority has warned that any firm that fails to comply with the requirements for SCA – unless with an approved exemption – may be subject to supervisory or enforcement action, where appropriate. This follows months of growing transaction ‘soft declines’ related to the absence of authentication from 3DS2. If you haven’t made the switch already, it’s never been so critical to do so.
Security is our top priority at Trust Payments and we strive to ensure that all data is kept secure at all times. We keep all customer data safe with AES256 encryption, SSL Certificates, and a minimum of TLS1.2 between your website and our datacentres.
Our systems are scanned quarterly using the Qualys PCI Platform, an independent Qualified Security Assessor (QSA) and approved vendors – Omnicybersecurity (UK) & Forgenix (US) – to ensure compliance with the security requirements of the card schemes.
We follow a number of rigorous security procedures on a daily basis including, but not limited to, continuous monitoring of our perimeter, dark web monitoring, and internal checks to ensure that CIA triad is maintained at all times.
Trust Payments Ltd 2022
Trust Payments Ltd, No.1 Royal Exchange, London, EC3V 3DG. A company registered in England and Wales with Company Number 11976895.
Trust Payments (MALTA) Limited, Reg. No. C 56013, Ewropa Business Centre, Triq Dun Karm, Birkirkara, BKR 9034, Malta VAT number: MT23440004