Are you ready for strong customer authentication?

The revised Payment Services Directive (“PSD2”) makes significant amendments to the laws that govern payment services in the EU. This includes the introduction of enhanced security protocols called strong customer authentication (“SCA”), for online transactions worth over €30. Merchants in the UK are applying this to transactions over £30.

What is SCA?

SCA requires a dual authentication process, whereby two independent sources of validation are combined to approve a customer’s purchase. The authentication factors must be derived from two of the following three defined categories:

  1. knowledge (e.g. a password or PIN);
  2. possession (e.g. a phone or bank card); or
  3. inherent characteristics (e.g. a thumbprint or facial recognition).

British retailers and hospitality providers who take card payments in person, for instance in stores or hotels, will already be applying two-step validation for physical card transactions over £30. Such validation occurs through the chip and pin process by the combination of possession of the card and knowledge of a PIN number being required to approve purchase, rather than using contactless payment (which does not require a PIN to be used). However, the UK currently does not require SCA for online purchases, which can be completed solely through possession of a card. It is hoped that the introduction of PSD2 will boost customer protection and reduce opportunities for fraud at the point of purchase.

Which transactions must comply with SCA?

The new regime will only apply to “customer-initiated” transactions, in which both parties are in the European Economic Area (“EEA”). There are also a number of exceptions to two-factor authentication. Direct debit payments, for example, will not require SCA after the initial transaction, as they are then considered “merchant-initiated”. Another exception is a ‘trusted beneficiary’, whereby customers have the option to pre-approve a business that they trust, in order to avoid having to authenticate future purchases.

Despite these exceptions, most online card payments and bank transfers will be covered by the new rules. Regulated Payment Service Providers (“PSPs”), such as banks, building societies and credit card providers, are responsible for ensuring the application of SCA and its exemptions. Currently, many retailers rely on 3D-Secure protocols to provide authentication, including ‘Verified by Visa’, ‘SecureCode’, and ‘J/Secure’. This is likely to continue post-SCA implementation, with new versions of 3D-secure protocols made available to aid compliance with the regulations.

When must businesses implement SCA?

The original deadline for businesses to implement SCA was September 2019. However, the European Banking Authority has agreed a 15-month extension to the implementation of the new regime in the UK. Businesses therefore have until January 2021 to become compliant. This is likely to have been seen positively by a large number of retailers.  According to Andrew Cregan who advises the British Retail Consortium on its payment policy, the extension “avoids a payments cliff-edge where 25%-30% of ecommerce transactions would have been at risk of failing after September”.

The consequences of non-compliance?

In the UK, the FCA will be monitoring compliance with the new regime. Payment providers and banks are legally required to ensure PSD2 is followed. Failure to do so could result in significant fines and the FCA also has the power to remove a payment provider’s licence. In order to protect themselves, providers will likely decline transactions that do not meet the SCA criteria. As a result, merchants currently operating online storefronts will likely risk losing transaction volume if they do not ensure that their online transactions are PSD2 compliant.

Will Brexit impact SCA?

The underlying legislation for SCA, namely PSD2, has already been adopted by the UK. Therefore, on the day that the UK leaves the EU, PSD2 will continue to be in force. Further, as a policy issue, fraud prevention is of significant importance to the e-commerce sector and it is likely that the UK will continue to support measures such as SCA after leaving the EU. As a result of these factors, Brexit is unlikely to impact the requirement on businesses to comply with SCA.

Keep reading

OffshoreAlert – Marbella – 19-21 June 2024
We are excited to that our sponsors Grant Thornton UK LLP, Kevin Hellard and Colin Diss are attending and sponsoring OffshoreAlert Marbella! Get ready to experience an unforgettable blend of business and pleasure at OffshoreAlert Marbella 2024! Set against the stunning backdrop of the Kempinski Hotel Bahía in Estepona, Spain, this premier event will take place from June 19-21. Join us to
‘Project Prevenirea și Perturbarea’ (Project Prevent & Disrupt (PSP)), Press Release, STOP THE TRAFFIK
With funding from the UK Home Office and British Embassy Bucharest, as well as the International Fraud Group, STOP THE TRAFFIK (STT) launches ‘Project Prevenirea și Perturbarea’ (Project Prevent & Disrupt (PSP)), a programme aiming to disrupt sexual exploitation between Romania and the UK. Right now, the Romania to UK route is heavily run by
IFG Flagship Fraud Conference. At the Epicenter! Hong Kong, 25th April 2024!
We were delighted at the success of our Spring Conference which was hosted in Hong Kong by Mishcon de Reya LLP in association with Karas So LLP at the Asia Society. A Welcome Address was given by our IFG Chairman Gary Miller and Kevin So, Partner at Karas So LLP which then followed Ken Peng as our Keynote speaker. We had four great panels
Black Swan free-standing orders available in Cyprus!
Introduction ‘Black Swan’ freestanding injunctions in aid of foreign substantive proceedings, have been available in the BVI since 2010, making the BVI a very appealing jurisdiction for claimants seeking to safeguard their interests. However, in May 2020 the Eastern Caribbean Court of Appeal in Broad Idea International Limited v Convoy Collateral Limited BVIHCMAP2019/0026, directly overruled Black Swan. Then,