Important information about payment changes
Strong Customer Authentication
PSD2 (Payment Services Directive) came into effect January 2018 with the purpose of bringing in new laws to enhance consumer rights and reduce fraud around online transactions.
The introduction of additional security authentication for online payments over €30, known as strong customer authentication (SCA) forms part of this.
3D Secure Version 2 is the protocol that will enable SCA. This comes into effect on 14 September 2019.
What does this mean for the customer?
If the transaction is over €30, or the Sterling equivalent, customers will no longer be able to checkout online using just a debit or credit card. They will be asked for, and will need to provide, additional identification.
What is ‘additional identification’?
There are three categories of information – two of the three will need to be provided
- Something you know – this will be a password or PIN for instance
- Something you have – this would be the device
- Something you are – this is a fingerprint
It will be the bank or card issuer that decides which pieces of information will be required. If they select the phone, a code will be sent to the device and the customer will be required to enter this as part of SCA. This is already common practice with banks and may be used now if they want to confirm a customer’s identity.
What happens if the transaction is below €30?
Two-factor authentication is not applied, payment will be taken as it is now.
Is there a limit to the number of transactions under €30 that can be made?
Yes. The limit is 5 transactions or a cumulative value of €100 since the last application of SCA, this is similar to contactless payments where there are a set number of times a card can be used contactless before the pin has to be entered.
Does this apply to every transaction?
All online transactions over €30.
What happens if a customer uses a site regularly?
Merchants can be whitelisted if a customer uses them regularly so that future purchases do not require the additional security checks.
How is a site whitelisted?
The customer needs to ring their bank or card issuer to get the merchant whitelisted. Merchants cannot request this.
I make regular transactions for the same amount to the same merchant, is SCA applied?
These are recurring transactions. SCA must be applied when the series is set up or to the first transaction in the series if it is initiated by the customer.
I am a foreign student living in the UK. My card is a non-UK issued card. Will SCA be applied to my transactions?
No, SCA won’t be applied if the issuer country is outside the EEA. SCA only applies to transactions where both the card issuer and the merchant PSP are inside the European Economic Area (EEA).
Does SCA affect refunds on tickets?
No, refunds on tickets purchased will be carried out as they are now, SCA is simply a method to ensure the cardholder is the person making the transaction.