New payment legislation that will come into force could mean you’re left in an uncomfortable situation of dealing with declined card transactions.
Read this guide to find out why this is happening so you can reassure your customers and spare them any embarrassment.
What is Strong Customer Authentication (SCA)?
In 2018, the European Payment Services Directive II (PSD2) took effect, introducing new laws aimed at reducing online fraud and protecting consumer rights. An important element of PSD2 is the introduction of SCA for in-store and online transactions, which requires payments to be validated using a two-factor authentication process.
Whilst PSD2 came into force in September 2019, the FCA announced that it will not enforce the full requirements of PSD2 immediately to give both financial institutions and merchants further time to prepare to support the legislation. The requirement within PSD2 relating to SCA will come into force on 1st January for Europe but not until 1st September for the UK.
PSD2 outlines that secure authentication uses two independent factors in both face-to-face and online transactions. These factors can be something the customer knows (e.g. a unique passphrase), something the customer is (e.g. a fingerprint scan) or something the customer possesses (e.g. a mobile phone). A Chip and PIN transaction in store already adheres to SCA, with contactless transactions subject to usage and value limits before further authentication is required. A new decline code has been introduced that will ask the cardholder to complete a Chip and PIN transaction where that extra authentication is required.
If merchants are not SCA compliant then card issuers may be obliged to decline certain transactions. In turn, many businesses could see a spike in card declines if they don’t put the right measures in place.
Once SCA has come into force, your business and customers will benefit from increased levels of security and a reduced risk of fraud.
What this guide contains
- What’s happening
- When it’s happening
- What to do
- How to inform your customers
- Customer notice – download and print
- Other useful resources
Will SCA apply to all transactions?
The Bira SCA Toolkit:
What do you need to do?
Making sure your staff know what is happening is key. For example, for face-to-face transactions, let them know that some of your customers who are paying by contactless may be asked to insert their card and enter their PIN. In this instance it would be useful for you or your staff to let the customer know that there are no problems with their card; it is simply an extra security check requested by their card provider. You could print and display the signage to help explain SCA to your customers.
The changes you need to make for SCA depend on the type of transactions you process. Please refer to the following sections to see what you need to do for different payment methods.
- Chip and PIN transactions – these already comply with the SCA requirement for two-factor authentication. Your customer is in possession of their card and they know their PIN.
- Transactions made using a mobile device – devices like mobile phones also comply with SCA, as the customer is in possession of their phone and uses a fingerprint or facial recognition to uniquely identify themselves.
- Contactless Payments – are exempt from the regulation. However, there are limits to the use of this exemption and additional security requirements may be requested by the card issuer. A new decline code has been introduced that will ask the cardholder to complete a Chip and PIN transaction where that extra security is required.
What do I need to do?
Contact your terminal providers to discuss the decline code changes needed for the step up from a Contactless to a Chip and PIN transaction. Bira members on the Global Payments card processing scheme do not need to contact them; Global Payments will ensure these changes are made.
Then it’s really down to ensuring that you and your staff understand what’s happening and are ready to reassure cardholders that there’s no problem with their card or their account, just that it’s an extra security check requested by their card issuer.
- While MOTO (Mail Order/Telephone Order) transactions and Merchant Initiated Transactions (Stored Credential Transactions, also known as Credential on File Transactions, where card details are stored for future use) are out of scope for SCA, if the card issuer doesn’t know they’re one of these kinds of transactions, they may request SCA. If the cardholder is unable to provide the necessary authentication, the transaction will be declined.
What do I need to do?
It’s critical that all transactions are flagged correctly.
If you use the Global Payments E-Commerce Platform (previously Realex Payments), their Global Payments Credential on File Solution and Channel flags provide you with all the tools you need to correctly identify MOTO and MIT transactions.
If you use a third-party provider for your ecommerce services, you need to review the way in which you accept card payments. Please speak to your solution provider to make sure your solution is up to date with all the flagging requirements and that they’re making changes for the SCA mandate. The Global Payments 3DS 2 solution may be used alongside your existing gateway solution, if required. You can contact Global Payments on the email above for help with this.
For mail order/telephone order (MOTO) transactions you’ll need to ensure your Online Terminal supports the correct flagging to make sure these transactions remain out of scope of SCA.
- Payments made via a website require SCA. These transactions must now support 3D Secure, which is the ecommerce authentication protocol provided by the Card Schemes, such as Mastercard and Visa. This allows the cardholder to authenticate themselves as the genuine holder of the card. Under PSD2, card issuers are obliged to challenge and potentially decline transactions that don’t comply.
What do I need to do?
If you use the Global Payments E-Commerce Platform (previously Realex Payments), their Global Payments 3D Secure Solution provides you with all the tools you need to perform authentication using both 3DS 2 and 3DS 1. You can dynamically switch to the most appropriate solution depending on Issuer support.
If you use a third-party provider for your ecommerce services, you need to review the way in which you accept card payments. Please speak to your solution provider to make sure your solution is up to date with all the flagging requirements and that they’re making changes for the SCA mandate. The Global Payments 3DS 2 solution may be used alongside your existing gateway solution, if required. You can contact Global Payments on the email above for help with this.
New Authentication Fees from September 2019
Visa are introducing a fee for Visa Secure, their 3D Secure 2 solution, from September 2019. This mirrors what Mastercard charge for using their Identity Check service. From 1st September 2019, the current Mastercard Identity Check fee will change to include Visa ecommerce transactions as well. The fee will remain the same.
More details of the technical requirements for SCA can be found on the Global Payments website here.
How to inform your customers
This legislation, particularly for Contactless payments, could lead to potentially embarrassing situations for your customers if you aren’t aware of why they’re being asked for this authentication. So you and your staff can be fully aware of what’s happening and what to say to your customers, we’ve created this useful download for you to print out and leave by your tills.
Why not print a few extra to hand out to some of your neighbouring shops?
In summary
- Remember, these changes are being made to increase consumer protection, improve payment security and prevent fraud, which will benefit your business.
- It’s important that you understand what the SCA requirements are and that your staff are prepared.
- If you own or rent your terminal from another source or use a third party provider other than Global Payments for your ecommerce service, contact them immediately to ensure they’re making the necessary changes.
In partnership with Global Payments