FAQs - Payment Services Directive 2 and Strong Customer Authentication

James Wood

The way online and in-person payments are verified is changing, due to a new EU regulation called PSD2 - or Payment Services Directive 2. Within that regulation is a new set of requirements on how payments are authenticated by banks and payment service providers. This set of requirements has its own acronym - SCA (Strong Customer Authentication).

In this article we’re looking at the changes in payment regulations for UK and Irish organisations, and what that means for Spektrix users.

 

NOTE: the information below is not relevant for US or Canadian users.

 

What are the new requirements?

Strong Customer Authentication (SCA) is a new customer authentication standard that is required to reduce the risk of payment and banking fraud. Payment Service Providers, banks and merchants in the UK are required to use SCA from 14 March 2022 to make the processing of online and contactless card payments, bank transfers and access to bank account information less prone to risk.

 

How do they work?

SCA is used to reduce risk for banks, merchants and customers by gathering additional authentication from customers when they perform high-risk card transactions or bank transfers, or access their bank account information.

Strong Customer Authentication is performed using at least two of the three following elements:

  • Knowledge - something the customer knows, such as a password or a PIN
  • Possession - something the customer has, such as a card or a phone
  • Inherence - something the customer is, such as a fingerprint or facial recognition

Where a transaction, transfer or access to banking information is deemed low-risk, then a Payment Service Provider or Bank may choose to exempt the payment from needing Strong Customer Authentication. 

 

When will these changes be enforced?

In Europe, including the Republic of Ireland, SCA was enforced from 31 December 2020.

In the UK, SCA will be enforced from 14 March 2022.

The eagle-eyed among you may notice that the deadline for UK payments has been delayed. The Financial Conduct Authority announced on 20th May 2020 that this would be delayed from the original date of 14 September 2020. Despite this, as a merchant you should still follow the steps below so that you’re ready for SCA - even if your acquiring bank (which processes your transactions) or a customer’s issuing bank (which provides the customer with their credit or debit card) is not yet ready.

 

What do I need to do to comply with these requirements?

The biggest priority is making sure you have 3D Secure enabled on your Opayo account.

Enabling 3D Secure 

If you go to your Opayo portal and the 3D Secure tab in the Settings menu, you can see if that is already enabled.

 


 

If this is off, you should see the option to switch it on in this section. If not, then get in touch with the Spektrix Support team and we can contact Opayo, who should then be able to enable it on your behalf.

NOTE - Barclays Merchant Services Customers: to enable 3D Secure you will also need to contact your merchant bank to request your merchant category code (MCC) and name at authorisation details. Once you have these details, please pass them on to the Spektrix Support Team, who will be able to contact Opayo on your behalf.

Setting up 3D Secure rules 

Your Merchant Bank should already ensure 3D Secure checking takes place in all circumstances before SCA comes into effect. However, we also advise that you set up a 3D Secure rule in Opayo so that any transactions which fail their 3D Secure checks are rejected. By setting up this rule and making sure any 3D Secure authentication failures are declined by Opayo, you can retain control and visibility on when and where transactions are authorised.

More information on how 3D Secure works with Spektrix, including how to set up rules, can be found in this article.

NB - If you do set up 3D Secure rules, you need to ensure you are covering all transaction ranges and that you are always ticking the box to enable 3D Secure checks. Unticking this box means transactions in that range aren't being checked for 3D Secure and are therefore noncompliant with PSD2.

Overseas customers

Issuing banks within the EEA (which issue cards to your customers) should already ensure that all cards support 3D Secure before SCA. However, you may want to continue to accept payments from cards not in the 3D Secure scheme, as non-EEA banks are not required to comply with SCA; without accepting these payments you may find an increase in rejected payments from overseas customers.

Updating your PIN pad software

In order to comply with the regulation changes to contactless payments, you will need to make sure you can run a successful TMS call on your PIN pad(s). A TMS call is a form of software update, and in most cases these happen automatically. Information on how to manually run TMS calls can be found in our Installing a PIN Pad article. If your network permissions prevent you from getting these to run automatically, then you should periodically run them, not only for SCA but also any other important updates and patches from Opayo.

 

I've heard there's a new version of 3D Secure that makes us more compliant and life easier for the customer? Please can I have that?

Absolutely! There’s no action you need to take to enable 3D Secure 2. Spektrix has added this to your online card payment flow; you just need to switch on 3D Secure in Opayo as we've advised. The benefits of 3D Secure 2 include ‘frictionless’ authentication, better mobile responsiveness, and the ability to use fingerprint and face ID as part of the authentication process.

 

Do I have to make any changes to make phone payments/Continuous Authority payments comply with the new regulations?

MOTO (Phone/Mail order) payments are exempt from the SCA regulations. If you use Continuous Authority to make auto-renewable and ‘customer not present’ payments for things like Memberships, these will also be exempt as they fall under exemptions for ‘Merchant-Initiated’ transactions.

 

All of this advice is related to Opayo, but Opayo isn’t my Payment Service Provider

If you take payments on Chip & PIN machines that aren’t linked to Opayo (such as iZettle PIN pads) then you will need to contact the PIN pad provider separately to ensure they’re compliant.

If you accept payments with PayPal, all changes will be handled by them in time for the regulation taking effect.

***

If you have any further questions, or would like to discuss anything regarding PSD2 or SCA in more detail, then please don’t hesitate to get in touch with the Spektrix Support team.
