Please note, this article is not relevant for U.S. or CA-based organisations.
The way online and in-person payments has recently changed, due to a new EU regulation called PSD2 - or Payment Services Directive 2. Within that regulation is a new set of requirements on how payments are authenticated by banks and payment service providers. This set of requirements has its own acronym - SCA (Strong Customer Authentication).
In this article we’re looking at the changes in payment regulations for UK and Irish organisations, and what that means for Spektrix users.
What are the new requirements?
Strong Customer Authentication (SCA), a new customer authentication standard that is required to reduce the risk of payment and banking fraud. Payment Service Providers, Banks and Merchants in the UK are required to use SCA from 14 March 2022 to make the processing of online and contactless card payments, bank transfers and access to bank account information less prone to risk.
How do they work?
SCA is used to reduce risk for banks, merchants and customers by gathering additional authentication from customers when they perform high-risk card transactions, bank transfers or access their bank account information.
Strong Customer Authentication is performed using at least two of the three following elements:
- Knowledge - something the customer knows, such as a password or a PIN
- Possession - something the customer has, such as a card or a phone
- Inherence - something the customer is, such as a fingerprint or facial recognition
Where a transaction, transfer or access to banking information is deemed low-risk, then a Payment Service Provider or Bank may choose to exempt the payment from needing Strong Customer Authentication.
When were these changes enforced?
In Europe, including the Republic of Ireland, SCA was enforced from 31 December 2020.
In the UK, SCA was enforced from 14 March 2022.
What do I need to do to comply with these requirements?
The biggest priority is making sure you have 3D Secure enabled both on your Opayo account.
Enabling 3D Secure
If you go to your Opayo portal and the 3D Secure tab in the Settings menu, you can see if that is already enabled.
If this is off, you should see the option to switch it on in this section. If not, then get in touch with the Spektrix Support team and we can contact Opayo, who should then be able to enable it on your behalf.
NOTE - Barclays Merchant Services Customers: to enable 3D Secure you will also need to contact your merchant bank to request your merchant category code (MCC) and name at authorisation details. Once you have these details please pass them on to the Spektrix Support Team who will be able to contact Opayo on your behalf.
Setting up 3D Secure rules
Your Merchant Bank should already ensure 3D Secure checking takes place in all circumstances before SCA comes into effect, however we also advise that you set up a 3D Secure rule in Opayo so that any transactions which fail their 3D Secure checks are rejected. By setting up this rule and making sure any 3D Secure authentication failures are declined by Opayo, you can retain control and visibility on when and where transactions are authorised.
More information on how 3D Secure works with Spektrix, including how to set up rules, can be found in this article.
NB - If you do set up 3D Secure rules you need to ensure you are covering all transaction ranges and you are always ticking the box to enable 3D Secure checks. Unticking this box means transactions in that range aren't being checked for 3D Secure and are therefore non-compliant with PSD 2.
Issuing banks within the EEA (which issue cards to your customers) should already ensure that all cards support 3D Secure before SCA. However, you may want to continue to accept payments from cards not in the 3D Secure scheme, as non-EEA banks are not required to comply with SCA; without accepting these payments you may find an increase in rejected payments from overseas customers.
Updating your PIN pad software
In order to comply with the regulation changes to contactless payments, you will need to make sure you can run a successful TMS call on your PIN pad(s). A TMS call is a form of software update, and in most cases these happen automatically. Information on how to manually run TMS calls can be found in our Installing a PIN Pad article. If your network permissions prevent you from getting these to run automatically, then you should periodically run them, not only for SCA but also any other important updates and patches from Opayo.
Do I have to make any changes to make phone payments/Continuous Authority payments comply with the new regulations?
MOTO (Phone/Mail order) payments are exempt from the SCA regulations. If you use Continuous Authority to make auto-renewable and ‘customer not present’ payments for things like Memberships, these will also be exempt as they fall under exemptions for ‘Merchant-Initiated’ transactions.
What is ZVA and how does this affect payments from stored cards?
If you have Card Holder Wallets enabled in your Spektrix system, customers can opt to store their card details in the system so that they can use them again next time they make a purchase without having to enter the details again.
When a customer adds a new card to their Wallet in the My Account section of your website, they may be asked to complete a 3D Secure (3DS) challenge when storing a card here if their bank requests one. This is called a Zero Value Authorisation (ZVA) which increases the security of customer cards stored in cardholder wallets.
When a customer completes this authorisation, you will see an additional row against stored card authorisations in the 'Transactions' section of MySagePay. This will be visibly different from the rows for payments. It will include:
- Type = "Authenticate"
- Amount = "0.00"
- Vendor TX Code = A random xxx digit code made up of letters and numbers
In order for ZVA to work, your MySagePay settings will need to be configured to perform 3DS checks and not accept 3DS failures for £0/€0. Skipping this step won't break anything, but doing it will increase card security for your customers. There’s more about this in our SagePay and Spektrix article.
All of this advice is related to Opayo, but Opayo isn’t my Payment Service Provider
If you take payments on Chip & PIN machines that aren’t linked to Opayo (such as iZettle PIN pads) then you will need to contact the PIN pad provider separately to ensure they’re compliant.
If you accept payments with PayPal, all changes will have been handled by them in time for the regulation taking affect.
If you have any further questions, or would like to discuss anything regarding PSD2 or SCA in more detail, then please don’t hesitate to get in touch with the Spektrix Support team.