EMV 3DS and PSD2

About PSD2

The second European Payment Services Directive (PSD2) is a European directive which came into force across the European Economic Area (EEA) on January 13, 2018. PSD2 was established to drive payments innovation and data security by reducing competitive barriers, mandating new security processes and encouraging standardized technology to protect the confidentiality and integrity of payment service users’ personalized security credentials. PSD2 requires banks to support Open APIs to enable consumers to make payments directly from their bank accounts via newly-regulated third-party payment service providers. However, the primary focus of this document is the introduction of the Regulatory Technical Standards (RTS) around strong customer authentication (SCA). These standards will come into effect on September 14, 2019.

For electronic payments PSD2 mandates the usage of Strong Customer Authentication (SCA). It is important to note that SCA is not an interchangeable term with EMV 3D Secure. 3D Secure is just one way (arguably the most convenient and most sophisticated) to apply SCA to payments.

What is Strong Customer Authentication (SCA)?

The security measures defined around SCA introduce requirements that issuers and acquirers must observe when they process payments or provide payment-related services.
In general terms, card issuers will be obliged to perform an SCA check for every electronic payments transaction above €30 that does not meet specified exemption criteria. The SCA check requires authentication using two of the following three factors:
  • Something the cardholder knows (e.g., a password or PIN)
  • Something the cardholder has (e.g., a token, a mobile phone)
  • Something the cardholder is (e.g., a fingerprint or voice match)
The advice to merchants from card schemes and most issuers is to implement the latest version of 3-D Secure, which is rolling out in 2019 as the primary authentication method used to meet SCA requirements.

Out of scope transactions

SCA does not have to be applied to the following transactions; they can be sent directly to authorization, without 3DS:

  • Merchant initiated transactions
  • Mail orders and telephone orders (MO/TO)
  • One leg out - either the Issuer or Acquirer is located outside the EEA. SCA should be applied on a “best efforts” basis.
  • Anonymous transactions – for example anonymous prepaid cards
Important: the transaction has to be marked correctly so the issuer detects it as out of scope.

A transaction is NOT out of scope if it is:

  • The first transaction in a series, with the shopper present
  • A transaction where the shopper and the merchant change the subscription agreement
  • A one-click payment where the shopper is present

SCA Exemptions

Exemptions are particular transactions that can be exempted from SCA, and they don't necessarily need explicit cardholder authentication. Put more simply: they can either be authorized without previous authentication, or they will go through a frictionless flow during authentication, which means the cardholder doesn't have to authenticate themselves with the issuer.

TRA exemptions

Issuers and acquirers may also render a transaction that is under €500 exempt if they have demonstrably low levels of fraud. This requires that transaction risk analysis (TRA) is in place and fraud is kept below set exemption threshold values.
These values are:
  • 0.13% for transactions up to €100
  • 0.06% for transactions up to €250
  • 0.01% for transactions up to €500
It is expected that issuers will apply the TRA exemption as much as possible to reduce the friction and frequency of SCA that their cardholders will encounter during remote purchases. In some cases, issuers may request SCA even if the acquirer has implemented an exemption — if they are suspicious about the transaction.

Low value exemptions

Low value exemption applies if:

  • The value of the transaction is less than €30
  • The number of consecutive transactions since the last SCA is not more than 5 (for the same card)
  • The cumulative amount since the last SCA is less than €100

Since these calculations can be executed only by the issuer, this exemption can be applied only by the issuing bank. The merchant is free to request the exemption, but there is no way to accurately assess on the merchant side whether the transaction qualifies for it.
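The decision rules described in the out-of-scope, TRA exemption and low value exemption sections above, written out as an issuer-side pre-check. This is an added illustration, not code from the original document or from any scheme, issuer or payment provider; the Transaction and CardState fields, the ordering of the checks, the assumption that the current transaction counts toward the limit of 5, and the assumption that a TRA exemption does not reset the low value counters are all the example's own. Amounts are in EUR and the thresholds are the ones quoted in the text.

```python
from dataclasses import dataclass
from enum import Enum

# Figures taken from the text above (amounts in EUR).
LOW_VALUE_MAX_AMOUNT = 30.0          # low value exemption: transaction < EUR 30
LOW_VALUE_MAX_COUNT = 5              # ... and at most 5 transactions since the last SCA
LOW_VALUE_MAX_CUMULATIVE = 100.0     # ... and cumulative amount since the last SCA < EUR 100
# TRA exemption bands: (upper amount bound, maximum fraud rate of the PSP)
TRA_BANDS = ((100.0, 0.0013), (250.0, 0.0006), (500.0, 0.0001))


class Decision(Enum):
    OUT_OF_SCOPE = "out_of_scope"        # send straight to authorization, no 3DS
    LOW_VALUE_EXEMPT = "low_value_exempt"
    TRA_EXEMPT = "tra_exempt"
    SCA_REQUIRED = "sca_required"        # challenge the cardholder (e.g. via 3DS)


@dataclass
class Transaction:
    """Hypothetical transaction record; field names are this example's own."""
    amount: float
    merchant_initiated: bool = False     # MIT, e.g. a recurring charge with no shopper present
    moto: bool = False                   # mail order / telephone order
    issuer_in_eea: bool = True
    acquirer_in_eea: bool = True
    anonymous_prepaid: bool = False
    tra_requested: bool = False          # acquirer/merchant flagged the TRA exemption


@dataclass
class CardState:
    """Issuer-side counters for one card; only the issuer can keep these."""
    count_since_sca: int = 0
    amount_since_sca: float = 0.0


def is_out_of_scope(tx: Transaction) -> bool:
    """Out-of-scope categories from the text; 'one leg out' means either party is outside the EEA."""
    return (tx.merchant_initiated or tx.moto or tx.anonymous_prepaid
            or not (tx.issuer_in_eea and tx.acquirer_in_eea))


def tra_allows(amount: float, acquirer_fraud_rate: float) -> bool:
    """TRA exemption: amount under EUR 500 and the PSP's fraud rate within the band's threshold."""
    for upper, max_rate in TRA_BANDS:
        if amount <= upper:
            return acquirer_fraud_rate <= max_rate
    return False  # above EUR 500: never TRA-exempt


def low_value_allows(amount: float, state: CardState) -> bool:
    # Assumption: the current transaction counts toward the limit of 5, so at most
    # four earlier low value transactions may have occurred since the last SCA.
    return (amount < LOW_VALUE_MAX_AMOUNT
            and state.count_since_sca + 1 <= LOW_VALUE_MAX_COUNT
            and state.amount_since_sca + amount < LOW_VALUE_MAX_CUMULATIVE)


def decide(tx: Transaction, state: CardState, acquirer_fraud_rate: float,
           issuer_suspicious: bool = False) -> Decision:
    """Return the authentication decision and update the card's counters in place."""
    if is_out_of_scope(tx):
        return Decision.OUT_OF_SCOPE          # counters untouched: no SCA and no exemption used
    if not issuer_suspicious:                 # the issuer may override any exemption request
        if low_value_allows(tx.amount, state):
            state.count_since_sca += 1
            state.amount_since_sca += tx.amount
            return Decision.LOW_VALUE_EXEMPT
        if tx.tra_requested and tra_allows(tx.amount, acquirer_fraud_rate):
            return Decision.TRA_EXEMPT       # assumption: TRA exemption leaves the counters as they are
    # Everything else is challenged; a completed SCA resets the low value counters.
    state.count_since_sca = 0
    state.amount_since_sca = 0.0
    return Decision.SCA_REQUIRED


if __name__ == "__main__":
    # Constructed sample: five EUR 20 purchases on one card with no SCA in between.
    card = CardState()
    for i in range(5):
        print(i + 1, decide(Transaction(amount=20.0), card, acquirer_fraud_rate=0.0005))
```

Running the sample shows the cumulative-amount rule biting before the count rule: the first four EUR 20 purchases are low value exempt (EUR 80 accumulated), the fifth would reach EUR 100 and is therefore challenged, which resets both counters. Swapping the amounts for EUR 10 instead makes the count limit the binding one, with the sixth purchase challenged.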

Trusted beneficiaries

This exemption can be applied when the cardholder agrees to add the merchant to a whitelist. The whitelisting is an action that happens between the issuer and the cardholder. It is done either during cardholder authentication or directly on the issuer's website (online banking).

How do exemptions work

Merchants can request an exemption by marking the transaction with the exemption flag. It is important to know that in this case:

  • Merchant takes liability for the transaction
  • The issuer has the power to override the exemption request
  • Some acquirers may not allow certain exemptions for their merchants. Merchants should consult with their acquirers about the extent to which they can use the exemption flags.
  • For more information and technical details, please refer to the EMV 3D Secure Reference