The online payment industry is one of the most dynamic and rapidly-growing business spheres in the world. The year 2020, with its significant yet not at all positive events, has set new realities, and now humankind is experiencing a harsh shift to digital channels in communication, work, free time spending and, most importantly, shopping for products and services.
Even though the restrictions are rarely too severe now compared to the same time a year ago – May 2020, and in most countries, it is not forbidden to leave the house anymore, the buying habits have already started their change and are continuing the transformation to something absolutely new. The overwhelming majority have turned to another path of the purchasing routine, giving priority to online sales channels. Most of the consumers now know the real taste of online shopping advantages and will never be turning back to the traditional one.
According to the Capgemini Financial Services Analysis, 2020 and World Payments Report 2020 voice of customer survey, during the past year, the usage of digital channels has increased by 53% across all generations, but the physical channel use had a four times smaller increase – only by 16%, which means that the Internet now undergoes the massive influx of users, who represent different ages and have absolutely non-identical levels of technological literacy which includes the understanding which homepage is a potential risk to appear as a fraudulent and which one is not.
Although this is not in the merchant’s or payment system’s responsibility to teach how to spot the potential scum, yet protecting the transactions made by their customers is their direct duty.
Meaning of the security for the payment industry
Historically, money and worthy goods were always a subject of thefts and swindles. The criminal figures always know where to look for whatever crisis is out there. This makes both sides vulnerable – the buyer and the seller. So at any time of the day, at any condition of the economics, literally every time, our money needs to be protected. Suchwise, security is a matter of the very first importance when we speak about the payments, especially the ones made online.
This has led to that both – the payment processing companies and merchants wishing to protect the transactions they are responsible for and introduce various security certificates and anti-fraud systems to spot threats before they come to action.
As the number of users increases so speedily, hence does the count of online shoppers, it might seem that the protection has weakened, but not this time – as of the 1st of January 2021, the whole of Europe was compelled to update their security processes to comply to the new standards issued by the European Union and the payment regulators. What are the new standards — further in the article.
European payment security requirements: PSD2 — What is it?
The Payment Service Directive (PSD) is a set of rules and laws, provisioning the payment industry’s operation, developed to make European payments more secure, support and boost innovations, as well as help banks and financial services adopt the latest technologies.
PSD2 is an abbreviation for the second edition of The Payment Services Directive – the latest version of guidelines regulating the electronic payment service providers in the European Union (EU) and European Economic Area (EEA).
The previous version – the first redaction of PSD – was developed back in 2006 and implemented some years later together with the SEPA – a legal framework for a single euro payment area. And, obviously, coming from the times back then, it required a refreshment, an update which would correspond to the modern realities of the 21st century and it’s existing and expected innovations.
In 2021, PSD2 is a standard for each European payment-related company to comply with, otherwise undertaking any type of money-linked procedures in the territory of Europe are doubted.
Targets of PSD2
There is a vast list of implications and changes in consumer protection introduced together with PSD2, which include:
- protecting all transactions, be it incoming or outgoing, even if one of the PSPs is out and another is in the EEA zone
- the unrecoverable amount in case of the unauthorised payment is reduced to 50EUR (instead of the previously effective 150EUR)
- Unconditional refund right is now provisioned and regulated by the law
- Restrictions of the pre-authorised payments with the not stated exact amount in advance: the payment is not happening until the payer confirms it
- PSP is obliged to introduce dispute resolution and reply to any matter not later than 15 working days
- Member States are obliged to introduce similar regulators to be able to monitor compliance of all their operating PSP’s with the PSD
Besides the above, one of the most significant protection implications under the Payment Services Directive version 2 is the addition of the specific mandate, which provisions the more advanced authentication, is called Strong Customer Authentication (SCA), and is implemented as a tool to improve the payment security of the payers. So, let’s see now, what is that complicated PSD2 provisioned strong customer authentication.
SCA — your new payment flow
SCA is one of the requirements of the PSD2 on payment service providers within the European Economic Area to meet the rules set by the EBA. It ensures that electronic payments are completed only after the successful multi-factor authentication to increase the overall security level of online payments.
Under the provisioned by the PSD2 Strong Customer Authentication (SCA), the PSP has to introduce the two-factor authentication for certain transactions where the buyers are required to identify themselves by using at least two metrics from the following list:
Such a process is required in several cases and the most common would be:
At every five operations or transactions totaling €100 since last SCA was made. Once authentication is completed, the count renews, and SCA is not required as per the rules – until it reaches the previously mentioned limits.
Not “white-listed” companies and payment recipients by the consumer.
There are also cases that do not require the SCA under PSD2:
Small amount operations – under 30EUR
Businesses and recipients white-listed by the client
Low-risk transactions, which depend on the acquirer’s fraud level
Recurring (or subscription) payments
The average user most likely has not even noticed that there are such significant changes in the overall payment process. But how much more protected are the payments now in reality?
Now the flow that includes this complicated authentication enables payment processors, acquiring banks and issuer banks to exchange so much more information about the cardholder that it becomes extremely easy to spot any potentially fraudulent actions.
What is 3DS vol 2 provisioned by PSD2 and what does it mean for the consumer
We will not bring the list of differences of 3ds 2.0 vs 1.0, we will just disclose the definition and why the new version is valuable. 3DS is a security protocol, providing an extra protection layer for online purchases made by any type of card eligible for shopping on the Internet. Such a protocol was firstly deployed by Visa Inc. together with an IT specialist company Arcot Systems, the technology was named “Verified by Visa” and later changed to “Visa Secure.” After that, payment-authentication services based on 3D Secure have been adopted by EMVCo and other payment industry players.
This protocol enables merchants, card issuers, and financial institutions to proceed with transaction authentication and data sharing. This is an additional verification step that helps to protect both – online buyers, as well as the merchants during the checkout – the technology of it, detects, if the cardholder is able to proceed with the payment by being authenticated in a short way, or needs a full procedure of it.
3D is the name of this security protocol and comes from the three-domain model used to provide the additional layer of secure authentication between the financial authorization process and the online authentication process. Those three domains which are used to provide the protection are:
3D Secure 2 impact on the process itself:
After the checkout completion, there is a requirement to enter the passcode provisioned by the security layer.
The shopper is either redirected to the bank link of the issuer or gets authorised within the payment solution.
Generally, there is almost nothing new for the consumer in terms of the authentication appearance, except that there is a possibility that the system will require to complete an additional step to confirm who the cardholder really is – the buyer is transferred to the place where they are to enter their security code or password.
In all other, the process is the same as previously, except the other minor thing. Actually, from the consumer’s point of view should seem only as a positive one — now the payment interface can look way better than it did previously. The new 3DS2 technology allows tailoring the payment window in the design fully corresponding to the website or app style, so it doesn’t even differ from other steps of ordering. And if it does so, the customer is less likely to abandon their card on a payment step due to a lack of trust in the page appearance.
Another good thing is that consumers and their money are now secured much stronger than before – merchants, by being protected by the law and regulator, can save more money from fraudulent transactions and theft, which allows keeping the prices for the items without the rise for a longer time.
Security in e-commerce payments
The demand for the heightened protection of the finances and payments in a given environment is obvious from the business’s side as well as is understandable from the consumer’s perspective. If the business can protect itself by integrating a variety of advanced security tools, what should the user do to keep their money transfers safe? Right, it is much more complicated than it might appear. So this is where online payment regulation is crucially required.
This is a thing to be proud of – the new regulatory requirements that are flexible enough to fit any innovation in and is able to protect merchants, payment service providers, and consumers — all at the same time.
Trust, a sense of security, and confidence are the reasons to partner only with the payment systems with 3D Secure 2 that value safety in the first place. And we are one of such companies.