The EU’s Payment Services Directive 2 comes into force on September 14, bringing with it new responsibilities on e-commerce firms and financial institutions to bolster payment security. The main aim of the new regulations is to combat fraud, but they also open up the payments sector to third-party providers who can manage your online payments for you (previously, banks had sole control over your account information with them).
Irish retailers have been slow to get their online payment systems in line with PSD2, so much so that the Central Bank has granted a grace period – yet to be delimited – for e-commerce businesses to get their websites in order after September 14.
Although PSD2 became law in Ireland in January 2018, research commissioned recently by payments gateway Stripe suggests that more than half of small businesses either don’t know what SCA is, won’t be compliant by September 14 or don’t yet know when they’ll be compliant.
According to Stripe, on 8 August 2019 the Irish regulator announced a temporary enforcement extension for Irish cards. Although they don't anticipate a disruption of payments services on September 14, the exact length and scope of the delay have not yet been defined. Across the European Union, only Denmark, France, Hungary and the UK have issued a tentative date to fully require SCA for online payments from their state's credit cards, and that date is March 2021.
PSD2 will require businesses selling online within the European Economic Area to implement Strong Customer Authentication (SCA) for transactions over €30. This means that they need to introduce a two-factor authentication process into their checkout procedure before a customer can complete a purchase online.
Some businesses already have two-factor authentication processes built into their online payment platforms but many don’t. The PSD2 thus introduces an extra step into the payments process, which is good for security but it can be bad for business – e-shoppers are impatient at the best of times, with international research suggesting that between 70% and 85% of carts are abandoned on a website before purchasing.
How SCA regulations will affect your business depends on the type of purchase, when you charge a customer (i.e. during or after checkout) and what bank your customer uses. Payments platforms such as Stripe, PayPal and Fire have already tweaked their software to accommodate the PSD2 regulations, and banks are following suit. Online vendors may need to update their existing software to implement these changes.
PSD2 Exceptions
There are exceptions to the regulations. SCA will not normally be required for transactions below €30 or for regular payments of the same amount to the same payee, such as you’d see with subscriptions, although they will still require SCA for the initial set-up payment.
Card providers such as Visa and MasterCard have tended to use software called 3D Secure to help authenticate shoppers. A revamped 3D Secure 2 promises a quicker and smoother two-factor authentication protocol. It’s also the only compliant SCA solution available for card payments.
Cardholders can also whitelist a business they trust, thus making them exempt from future SCA. However, the card issuer can veto this whitelisting application. Merchant-initiated transactions (e.g. a cancellation fee or monthly bills) can also be exempt from SCA. Stripe has indicated that its system will be able to handle such exemptions and the other main payment processors will too.
The regulation requires companies and banks handling online payments to validate the customer’s identity through any two of the following three categories: something that the customer knows (e.g. a one-time PIN or password your system sends them to complete the transaction), something the customer has (e.g. a card or a mobile phone to send the PIN to) or something the customer is (e.g. fingerprint, face recognition).
Payment Gateway
Bharat Sharma, founder and CEO of Monsoon Consulting, an eCommerce, enterprise and content agency, commented: “Any business taking payments online will most likely have an individual contract with all its payment service providers and a dedicated account manager or support contact. There are a few questions that need to be asked.
“Start by requesting an update on 3DS 2.0 and whether you need to install a newer version of the payment gateway extension on your website. If yes, when can it be downloaded and installed? Also, find out if there are any major feature or option changes to be aware of. If current Admin Panel settings are no longer valid or deprecated, you need to be aware of this as soon as possible.
“It is essential to test all elements of the payment gateway (refunds, for example) as taking payments smoothly and efficiently is the most important part of the checkout process.”