Important information about payment changes
Strong Customer Authentication
PSD2 (Payment Services Directive) came into effect January 2018 with the purpose of bringing in new laws to enhance consumer rights and reduce fraud around online transactions.
The introduction of additional security authentication for online payments over €30, known as strong customer authentication (SCA) forms part of this.
3D Secure Version 2 is the protocol that will enable SCA. This comes into effect on 14 September 2019.
If the transaction is over €30, or the Sterling equivalent, customers will no longer be able to checkout online using just a debit or credit card. They will be asked for, and will need to provide, additional identification.
There are three categories of information – two of the three will need to be provided
- Something you know – this will be a password or PIN for instance
- Something you have – this would be the device
- Something you are – this is a fingerprint
It will be the bank or card issuer that decides which pieces of information will be required. If they select the phone, a code will be sent to the device and the customer will be required to enter this as part of SCA. This is already common practice with banks and may be used now if they want to confirm a customer’s identity.
Two-factor authentication is not applied, payment will be taken as it is now.
Yes. The limit is 5 transactions or a cumulative value of €100 since the last application of SCA, this is similar to contactless payments where there are a set number of times a card can be used contactless before the pin has to be entered.
All online transactions over €30.
Merchants can be whitelisted if a customer uses them regularly so that future purchases do not require the additional security checks.
The customer needs to ring their bank or card issuer to get the merchant whitelisted. Merchants cannot request this.
These are recurring transactions. SCA must be applied when the series is set up or to the first transaction in the series if it is initiated by the customer.
No, SCA won’t be applied if the issuer country is outside the EEA. SCA only applies to transactions where both the card issuer and the merchant PSP are inside the European Economic Area (EEA).
No, refunds on tickets purchased will be carried out as they are now, SCA is simply a method to ensure the cardholder is the person making the transaction.