Last Updated: 26th September 2019
In 2018, the UK Government passed into legislation the EU Directive known as PSD2 (Payment Service Directive 2). This directive aims to provide better protection for consumers paying online whilst also paving the way for new developments in making online and mobile payments.
The elements covering better consumer protection for online payments are covered by the introduction of Strong Customer Authentication and were to become mandatory on 14th September 2019. In August, the Financial Conduct Authority announced an 18-month delay before compliance was to become mandatory.
The deadline for compliance is now March 2021.
What is Strong Customer Authentication?
Strong Customer Authentication for PSD2 is provided by a development of 3D Secure known as 3D Secure 2.0.
What is 3D Secure?
Many people will be familiar with the current version of 3D Secure through the implementations provided by the two main card schemes, Visa and MasterCard. Visa refer to their 3D Secure implementation as "Verified by Visa", whilst MasterCard call their 3D Secure system "MasterCard SecureCode".
When 3D Secure is enabled via your website checkout, the customer is redirected to their own bank's website to enter a password (or typically, 3 random characters from their password) as an additional verification that they are who they claim to be.
Typically, the bank's verification page looks something like this (shown for a Visa card - Mastercard's equivalent is similar):
Enabling 3D Secure through your website's checkout has, to date, been optional. There are good reasons for using it, not least of which is that, in general, when using 3D Secure, liability for fraudulent transactions moves to the bank if the transaction went through the 3D Secure verification process.
What is 3D Secure 2.0?
3D Secure 2.0 extends the verification process to use 2-Factor Authentication (also known as 2FA). Two-factor authentication requires the customer to confirm their identity using two of the following three classes of verification:
- Something They Know (for example, a password or a PIN)
- Something They Have (for example, a card reader or smartphone)
- Something They Are (for example, fingerprint, voice or facial recognition)
Exactly how a particular bank chooses to verify its customers is down to their own preferences - for example, one bank may offer voice recognition whilst another may not.
Are There Exceptions?
Whereas the use of 3D Secure has been optional in the past, the use of 3D Secure 2.0 will become mandatory. There are, however, exceptions:
- Transactions below €30 (unless the customer has initiated more than five consecutive low-value transactions)
- Recurring payments (such as subscriptions)
- Whitelisting (where the customer has added their regular suppliers to a "trusted merchants" list)
- Low Risk Transactions (where the bank has determined that the particular transaction is low risk based on a real-time risk assessment)
- Transactions where the merchant or customer is outside the European Economic Area (or, presumably, the UK after Brexit)
In essence, it is down to the issuing bank to decide whether a particular transaction needs to be verified, so the website's checkout and Payment Service Provider must always assume that verification will be required; in some cases, the bank will simply return an approval without asking the customer to verify their identity.
In order for the bank to make a risk assessment, the Payment Service Provider (for example, SagePay or Pay360) may need to provide more information on the transaction, such as the delivery address or the nature of the goods, and so this may require them to make changes to their APIs.
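To make the decision flow above concrete, here is an added illustration (not code from the original article, SagePay or any Payment Service Provider) that models the issuer-side exemption rules listed above and the merchant-side consequence: the checkout submits every transaction for authentication and handles either outcome. The risk-score scale, the per-cardholder counter for consecutive low-value transactions and its reset on a challenged transaction are simplifying assumptions of this model, not the regulation's exact wording.

```python
from dataclasses import dataclass, field

LOW_VALUE_LIMIT_EUR = 30.0     # exemption threshold from the list above
MAX_CONSECUTIVE_LOW_VALUE = 5  # more than five in a row must be challenged


@dataclass
class Transaction:
    amount_eur: float
    merchant_id: str
    recurring: bool = False
    merchant_in_eea: bool = True
    customer_in_eea: bool = True
    issuer_risk_score: float = 1.0  # assumed scale: 0.0 lowest risk, 1.0 highest


@dataclass
class IssuerScaPolicy:
    """Issuer-side model of the exemption decision (simplified assumption)."""
    trusted_merchants: set = field(default_factory=set)  # cardholder's whitelist
    low_risk_threshold: float = 0.2
    consecutive_low_value: int = 0  # counter the issuer keeps per cardholder

    def exemption_for(self, txn):
        """Return the name of the applicable exemption, or None if SCA is required."""
        if not (txn.merchant_in_eea and txn.customer_in_eea):
            return "out_of_scope"
        if txn.recurring:
            return "recurring"
        if txn.merchant_id in self.trusted_merchants:
            return "whitelisted"
        if txn.issuer_risk_score <= self.low_risk_threshold:
            return "low_risk"
        if (txn.amount_eur < LOW_VALUE_LIMIT_EUR
                and self.consecutive_low_value < MAX_CONSECUTIVE_LOW_VALUE):
            return "low_value"
        return None

    def decide(self, txn):
        """Return 'challenge' or 'frictionless' and update the low-value counter."""
        exemption = self.exemption_for(txn)
        if exemption is None:
            self.consecutive_low_value = 0  # assumption: a challenge resets the run
            return "challenge"
        if exemption == "low_value":
            self.consecutive_low_value += 1
        return "frictionless"


def merchant_checkout(txn, issuer):
    """Merchant side: never predict the exemption; submit and branch on the answer."""
    if issuer.decide(txn) == "challenge":
        return "redirect_customer_to_issuer_challenge"
    return "proceed_to_authorisation"
```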
What Happens Next?
The Payment Service Providers have published information on the implications of Strong Customer Authentication for their individual services. SagePay, for example, have confirmed that their "VSP Server" integration, as used by all axis vMerchant websites, requires no change.
In the meantime, if you are not currently using 3D Secure in your checkout process, we strongly recommend that you do so now - as well as minimising any disruption when SCA becomes mandatory, it does bring the added benefit of shifting liability for fraudulent transactions to the issuing bank. Enabling 3D Secure is usually done via your Payment Service Provider's online portal.
The aim of Strong Customer Authentication for Online Card Payments is to reduce instances of online fraud and so these changes should benefit both merchants and customers alike. We can expect, however, in the short term, that there will be some disruption as online shoppers adjust to new checkout processes and set themselves up with the means to verify their identity on every transaction.
SagePay have published a Frequently Asked Questions article at