The Second Payment Services Directive (PSD2) was officially published by the European Commission in December 2015 and follows on from the First Payment Services Directive (PSD1), which was implemented in 2009. PSD2 went live in January 2018 and has implications for all companies in Europe that deal with payments, including the need for strong customer authentication (SCA).
SCA requirements come into force on September 14th 2019 for any transaction where both the issuing bank (e.g. your credit card provider) and the merchant are based in the EEA (European Economic Area). All such transactions must be strongly authenticated using at least 2 of 3 possible factors:
• Something you have (e.g. the credit card/mobile device)
• Something you know (e.g. a PIN/password)
• Something you are (i.e. a biometric ID such as a face scan or thumbprint)
It is expected that this will become mandatory worldwide by the end of 2020.
Within the card payments space, a scheme called 3-D Secure (3DS) is already in place to ensure SCA.
3-D Secure authentication is an additional security layer for e-commerce transactions. Consumers recognise it as Verified by Visa, Mastercard SecureCode or Amex SafeKey. This is the little window that appears at checkout after card details are entered, which sometimes requires the customer to enter a password or a one-time code sent to their mobile phone. To address some of the challenges customers used to face, a new version of 3DS has just been released. This should result in a more seamless customer experience, with regular, low-risk transactions being authenticated without the need for passwords to be entered.
All businesses, regardless of size or type of industry, and all banks need to comply with this regulation.