On September 14, 2019, Strong Customer Authentication (SCA) was supposed to become mandatory for all electronic payments within the EU, but already during the summer there were indications that this would not be the case. In June, the European Banking Authority (EBA) made a statement addressing the concerns that existed in the market about how the SCA requirement would affect e-commerce. It turned out that many players, including merchants, card issuers and payment service providers, were not ready to implement SCA for all online payments. In order to avoid negative consequences, EBA decided to allow national authorities to extend the SCA deadline for online payments, which all European countries have now done. In October 2019, EBA announced a new deadline by which all players must be ready for the SCA requirement: December 31, 2020.
2020 - a year of preparations
For the entire ecosystem of online card payments, 2020 will largely revolve around preparations for SCA. These preparations mainly mean that merchants and payment service providers must implement support for the industry-standard secure protocol 3D Secure for all card payments affected by the SCA requirement. As a merchant, it is therefore important to ensure that both your acquirer and your payment service provider (often referred to as PSP) are ready to manage 3D Secure by December 31, 2020, so that you do not risk transactions being denied by card issuers.
Types of transactions that are not affected and exceptions
One of the most debated aspects of the SCA requirement concerns transaction types that are not affected by the requirement and the exceptions that may be made according to the Payment Services Directive PSD2.
"Out of Scope" and "Exemptions"
The types of transactions that are not affected by the requirement are those that are simply not part of the new directive; for these types, SCA will not become a requirement. These are called "Out of Scope". There are also types of transactions that are classified as exceptions, where the payment is still affected by the directive, but where the merchant together with its acquirer, or the card issuer, can request an exception from SCA for that particular transaction. These exempt transactions are called "Exemptions". For both "Out of Scope" and "Exemptions", there are regulations for when the different cases may be applied.
The most common payments for merchants within these areas will be low-sum payments and subscription services. The exception for low sums is relatively straightforward: the acquirer can ask the card issuer to exclude a transaction if the amount is less than € 30. If the card issuer denies the exception, the customer still needs to do SCA via 3D Secure. If the exception is accepted, the purchase will be completed without a 3D Secure question to the card customer. This is called a frictionless payment.
The regulations regarding subscription services and stored cards, where the merchant sometimes initiates the payment, can be perceived as a bit more complicated. The basic rule is that a customer only needs to do SCA when the card is to be stored and recurring payments are registered for the first time. If done correctly, all subsequent payments can be made without a 3D Secure question to the card customer. However, in order for this to work, transactions must be flagged correctly in accordance with the regulations for payments with stored cards.
Historically, many subscription services and solutions with stored cards and recurring payments worked differently than they do today, since the regulations have been changed to better reflect the requirements that exist. All merchants that offer recurring payments online should therefore be extra vigilant in order to ensure that transactions are managed properly and do not risk being denied. In this case, both the payment service provider (PSP) and the acquirer need to manage the regulations for payments with stored cards and subscription services in order for these transactions to be valid according to the PSD2 directive with "Exemptions" and "Out of Scope", and so not risk being denied by the card issuers on repeat purchases.
A new version of 3D Secure
3D Secure as a tool for secure payments has been around for many years and has sometimes been perceived as complicated by card customers. In order to facilitate the management of the SCA regulations, and to improve the user experience for card customers, the industry organization EMVCo, which is owned by the card networks, has produced a new version of 3D Secure, commonly known as 3D Secure 2 or EMV 3DS. Today, EMV 3DS 2.1 is available, but in the fall of 2020, version 2.2 will allow for even better management of exceptions in the 3DS flow, with support for more functions that enable frictionless payments.
In 2020, both the new version of 3D Secure and the previous version 1.0 will be valid. However, Bambora's recommendation is to switch to 3D Secure 2.0 as soon as possible as this creates a smoother flow for the customers and because the new version will sooner or later become a requirement from the card networks.
However, for the customers who use Bambora's online payment solution, Bambora Checkout, the transition from 1.0 to 2.0 will take place completely seamlessly. We will roll out 3D Secure 2.2 to all our online customers in order to facilitate frictionless payments.