PSD2 - What Wallee traders need to know about the new regulation

November 3, 2021


A few months have passed since our last PSD2 update. Here is the latest information on PSD2, SCA and its exceptions. In recent weeks there has been more clarity on the open issues: how they should be handled, how wallee currently handles them, and how they will be handled in the future.

Overview - What about SCA / PSD2?

PSD2 is a new European requirement to reduce fraud and increase the security of online payments. It enforces Strong Customer Authentication (SCA). This means that customers using credit cards must not only enter the credit card number and card verification value (CVV) but also provide an additional factor (something they know, own or are). See below for more information.

Issuing banks must start rejecting payments that require SCA and do not meet these criteria. Based on the latest developments, we expect late enforcement. You can find the details in our current overview.

How does this affect payment processing?

Strong customer authentication consists of two independent elements. These elements must be derived from two of the following three categories: knowledge, possession and inherence. Examples are a password (knowledge), a mobile phone (possession) or a fingerprint (inherence). For more information around 2FA, see our PSD2 blog post. For online card payments, these requirements apply to transactions where both the company and the cardholder's bank are based in the European Economic Area (EEA).

Currently, the most common method of authenticating an online card payment is based on 3D Secure. 3D Secure adds an extra step to the authorisation request as the merchant is identified by the issuer with an SMS OTP, password or similar. The card industry has been working hard to revise the 3D Secure standard to meet the PSD2 requirement and to take the opportunity to provide a better user experience for merchants. 3DS 2.0 is now being rolled out in stages. Over the next few days, Wallee merchants who process cards directly with an acquirer rather than through a PSP will be automatically migrated to the new 3DS standard. As soon as the issuer supports 3DS 2.0, the transaction will automatically be challenged by the new standard.

Impact for Wallee traders

As a Wallee merchant, there are no changes you need to make, as we automatically activate 3DS 2.0 for you. However, if you have not already activated 3DS in your Connector, there is a possibility that you will see further decreases in your payments. Therefore, we recommend that you activate 3DS in your Connector.

Exceptions to strong customer authentication

Much has been written and discussed about exemptions for SCA and how to deal with them. There are still many unanswered questions. We therefore focus on the most important exemptions and how to deal with them. Please note that in case of an exemption, the liability is completely transferred to the traders. They will most likely not be able to fight even non-fraudulent chargebacks. The European Payments Council assumes that "in case of an [unauthorised] payment, the payer can claim a full refund from his PSP if there was no SCA measure and if the payer did not act fraudulently".

Payments under €30

Low-value transactions are generally exempt. However, it is not that simple, as issuers will have to request authentication if the exemption has been used five times since the last successful authentication of the cardholder or if the total of previously exempted payments exceeds EUR 100. Therefore, all issuers will track the number of exemptions and decide whether authentication is required.

Impact for Wallee traders

We recommend that you activate 3DS for all your Connectors as well as for low-value transactions. We will automatically try to make use of this exemption. As mentioned earlier, customers can always be challenged even for low-value transactions. Last but not least, you lose the liability shift on all exempted transactions. In other words, you are responsible for all fraud-related chargebacks on exempt transactions. If you receive an exemption, you also lose the ability to shift liability to the issuer.

Merchant-initiated transactions (MIT)

Payments with tokens when the customer is not present in the checkout process can be qualified as merchant-initiated transactions. Since in the subscription use case (fixed or variable amount) the customer is not present, a second factor challenge cannot be performed. In such cases, these payments technically fall outside the scope of SCA. Strictly speaking, PSD2 does not apply to these payment types, but for the sake of simplicity we treat them here as exceptions.

Please note that after 14 September, you must ensure that you apply SCA when creating merchant tokens intended for MIT use. Finally, you will need to obtain the customer's consent (also known as a "mandate") to charge their card at a later date.

Impact for Wallee traders

Based on the context of the Wallee API, you indicate on the transaction object whether the customer is present or not. This information helps us mark the transaction as MIT and apply for an exemption. For one-click payments, where you simply store the card at the checkout for quicker use, you will find that SCA comes into effect as soon as the regulation is in place.

MOTO Payment

Card data collected and entered over the phone is outside the scope of SCA and does not require authentication. Similar to exempted payments, MOTO transactions must be identified as such - with the cardholder's bank making the final decision to accept or reject the transaction.

What happens if an exemption is not accepted?

It is important to understand that the issuer, not the regulator, has the final say on exceptions. Banks return new rejection codes for payments that failed due to lack of authentication. These payments must then be resent to the customer with a request for strong customer authentication.

Impact for Wallee traders

If we receive a soft rejection from an issuer, we have the corresponding instruments in the form of charge flows. In other words, in the case of MIT, based on the configuration, the merchant receives a charge flow email to update their payment information and make an SCA transaction that is [hopefully] accepted by the issuer.

"One leg out" transactions

Especially for our Swiss merchants, a few words about the applicability of PSD2 in Switzerland. SCA is only required if both the issuing bank of the cardholder and the acquirer of the merchant are located in the EEA. If one of these parties is located outside the EEA, the SCA regime does not apply. It has also been clarified that only the geographical location of the acquiring and issuing bank is relevant and not that of the payer or merchant. What sounds very good at first glance also carries great risks at second glance. Some issuers may not have the necessary logic to identify these types of situations, especially in the short term after the regulation comes into force. We therefore recommend traders with a large international client base to tackle these transactions with 3DS.
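
The scope and exemption rules described above (one leg out, MOTO, MIT and the low-value counters) can be modelled as a single decision function. This is an added example, not wallee or issuer code; `CardState`, `decide`, `replay` and the decision labels are hypothetical names. It assumes every challenge succeeds and that out-of-scope payments do not touch the counters.

```python
from dataclasses import dataclass

# Thresholds as stated in the article, in euro cents to avoid float rounding.
LOW_VALUE_LIMIT = 3000    # "payments under EUR 30"
MAX_EXEMPT_COUNT = 5      # exemption used five times since the last SCA
MAX_EXEMPT_TOTAL = 10000  # previously exempted total exceeds EUR 100


@dataclass
class CardState:
    """Counters a hypothetical issuer keeps per card since the last successful SCA."""
    exempt_count: int = 0
    exempt_total: int = 0


def decide(state, amount, issuer_eea=True, acquirer_eea=True,
           customer_present=True, moto=False):
    """Return a decision label and update the card's exemption counters."""
    # Scope checks first: these payments fall outside SCA and leave counters alone.
    if not (issuer_eea and acquirer_eea):
        return "out_of_scope:one_leg_out"
    if moto:
        return "out_of_scope:moto"
    if not customer_present:
        return "out_of_scope:mit"
    if amount >= LOW_VALUE_LIMIT:
        reason = "sca:amount"
    elif state.exempt_count >= MAX_EXEMPT_COUNT:
        reason = "sca:count"
    elif state.exempt_total > MAX_EXEMPT_TOTAL:
        reason = "sca:total"
    else:
        state.exempt_count += 1
        state.exempt_total += amount
        return "exempt:low_value"
    # Assumption: the challenge succeeds, so the counters start over.
    state.exempt_count = state.exempt_total = 0
    return reason


def replay(amounts):
    """Run a sequence of in-scope, customer-present payments for one card."""
    state = CardState()
    return [decide(state, a) for a in amounts]


if __name__ == "__main__":
    print(replay([1000] * 7))  # constructed sample: seven EUR 10 payments
    print(replay([2900] * 5))  # constructed sample: five EUR 29 payments
```

With five EUR 29 payments the cumulative limit triggers before the count limit, which is why a merchant cannot predict from the amount alone whether a low-value payment will be challenged.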

Summary

There is a lot of confusion around PSD2. Recent reports and reactions from regulators do not add to the clarity. In our opinion, too much fuss is being made about exceptions. As 3DS 2.0 is expected to drastically reduce the frequency with which a cardholder is asked to be an active participant in the authentication process, the amount of friction will also be drastically reduced.

Given all the additional data elements available to issuers to inform risk-based background decisions, it should be assumed that if a cardholder challenge is required, sufficient signals/flags have been set to cause concern. In other words, if the issuer suspects fraud, it is probably fraud. So why not use this built-in risk algorithm while protecting your business from potential fraud losses?

We continually do our best to regularly challenge the way we process transactions with industry leaders to improve authorisation rates and reduce the burden on merchants.

New to wallee

If you do not have a wallee account, you can easily create one.

Support

If you have any remaining questions, do not hesitate to contact us.
