What PSD2’s Strong Customer Authentication Means for Mollie Merchants
SCA UPDATE: EUROPEAN BANKING AUTHORITY HANDS DOWN NEW DEADLINE
The regulation landscape in payments is changing. Take, for instance, PSD2, or what’s known as “the Second Payments Services Directive”. Its purpose is to make payments easier and safer in the European Economic Area (EEA) by bringing more parties into financial services and payments by telling banks they have to share their data with these third parties. With bank data, companies can offer a whole host of services to consumers, making it easier for them to pay for things. For example, consumers could give a chatbot permission to make payments on their behalf, or authorise their favourite webstore to show their bank balance on the checkout screen when shopping. A key part of this is, of course, ensuring payments are safe and fraud is prevented, and PSD2’s security measures, the Strong Customer Authentication (SCA) rules, come into place on September 14th, 2019. We, Mollie, would like to let you, the merchant, know how they’ll affect your experience on our platform, and what we’re doing to ensure payments continue to run smoothly.
What is Strong Customer Authentication (SCA)?
Currently, when making payments online in many instances, consumers have to use something—a password, a fingerprint, a secondary device—to authenticate the payment. These add security layers to the payments processes. The SCA guidelines make these types of authentication measures mandatory for every payment made online by a consumer. The guidelines state that online payments need to be authenticated by at least two of the following criteria:
– Something a consumer has. For example, their phone.
– Something a consumer knows. For example, a PIN code.
– Something a consumer is. For example, physical proof they are who they say they are, like a fingerprint or even their face (many phones today are equipped with fingerprint scanners and face scanners).
Complying with these rules is largely in the hands of the issuer (your consumer’s bank, most of the time), and it’s up to them to decide whether a payment made by your customer will be authenticated or not. There are a number of SCA exemptions that don’t require authentication. For example, SCA is not required for transactions below €30, unless the exemption is used five times on the same card or if the total exempted amount of low-value payments goes over €100. Recurring payments for fixed amounts, like those done for Netflix or a gym membership, also don’t require SCA. These were included in PSD2’s SCA rules in order to safeguard against customers abandoning carts online because of having to go through more security steps to make purchases.
Since payments that fail to meet SCA requirements will be rejected by banks, we’re doing everything we can to keep it all running as smooth as possible.
*Note: SCA applies to credit and debit card-accepting businesses in the EEA that also have customers in the EEA.*
SCA and merchants explained
Exactly what are we doing to ensure our merchants are SCA-okay? First off, we’d like to back up a bit and mention that the overwhelming majority of payment methods already on offer at Mollie are SCA-compliant.
Secondly, we’re also going to support the second version of the leading security protocol for credit and debit cards used in Europe, 3D Secure.
3D Secure is a two-factor, SCA-okay authentication method, and also just happens to be the main approach used to comply with SCA rules in Europe, which makes sense, as it’s been taken up by Europe’s two leading card providers, Visa and Mastercard. We currently support 3D Secure 1.0 for Visa, Mastercard/Maestro, and American Express cards.
In addition to supporting the first version of 3D Secure, at Mollie we have measures in place to enable 3D Secure 2.0 for Visa and Mastercard/Maestro and take care of those exemptions we mentioned earlier. These exemptions allow for frictionless authentication, which means issuers can okay payments without the use of additional authentication methods, like a password or a fingerprint. Speaking of fingerprints, 3D Secure 2.0 allows for the use of biometrics—fingerprints, facial recognition—in instances where further authentication is needed, which also makes the payments experience more seamless and secure for consumers and merchants than in its first iteration.
Currently, we’re also working on accommodating 3D Secure 2.0 for American Express as well, to make sure all credit and debit cards we offer are covered by the latest version of this leading authentication protocol.
To recap, Mollie provides the following SCA coverage:
The lion’s share of our payment methods is already SCA-compatible.
We support 3D Secure 1.0 and will soon support 3D Secure 2.0, including exceptions.
Additionally, we’ll keep you updated on any additional changes we’re making that may affect you regarding SCA.
| Payment Methods | SCA-compliant |
| ———- | ———- |
| Apple Pay | ✓ |
| Bancontact | ✓ |
| Belfius Pay Button | ✓ |
| Cartes Bancaires | ✓ |
| Credit Cards | ✓ |
| EPS | ✓ |
| Giropay | ✓ |
| iDEAL | ✓ |
| KBC/CBC Payment Button | ✓ |
| Klarna | ✓ |
| PayPal | ✓ |
| Paysafecard | n/a* |
|Postepay | ✓ |
| Przelewy24 | ✓ |
| SEPA Bank Transfer | ✓ |
| SEPA Direct Debit | ✓ |
| SOFORT banking | ✓ |
* Paysafecard and gift cards are anonymous prepaid payment methods, they’re SCA-exempt.
Browse all there is to know about PSD2 and our industry:
– PSD2 – What changes will you notice?
– The Rise of PSPs Part 1: Doing it bigger and better than banks