Retail Compass Summer edition 2019

Two-factor authentication becomes mandatory for many online transactions

Published on 04 July 2019

From 14 September 2019, online retailers must have in place Strong Customer Authentication (SCA) methods for customer-initiated online payments in the EU above the value of €30 (however, if there are more than five consecutive payments under €30, or they total over €100, SCA will also apply).

What is happening?

Recurring direct debits and fixed-amount subscriptions will not require SCA for each payment, as these are merchant-initiated (or payee-initiated) transactions: the customer is authenticated once when the mandate or subscription is set up, and the subsequent payments in the series are exempt.

This requirement has been brought in by the second Payment Services Directive (PSD2), which came into force in January 2018, as mentioned in the first edition of Retail Compass.

Why does it matter?

If a qualifying payment has not been authenticated with SCA and no exemption applies, the customer's bank (the card issuer) must decline it. Retailers will therefore have to ensure that adequate measures are in place for online transactions to go through rather than be refused at the bank.

SCA recognises three categories of authentication element, and a transaction can only proceed if at least two elements from different categories are used (two elements of the same kind, such as a password plus a PIN, do not count). The elements must also be independent, so that compromising one does not compromise the other:

  • something a customer knows (eg a PIN or a password),
  • something they have (eg a bank card or a mobile phone), and
  • something they are (eg a biometric, such as a fingerprint or facial recognition).
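As an added illustration of the two rules above (the €30 / five-payment / €100 low-value thresholds and the "two elements from different categories" requirement), the following Python is example code written for this page; it is not taken from the article, from PSD2 itself, or from any bank's system. Note that in practice the low-value counters are kept and applied by the payer's bank, not by the retailer, so a merchant would use this kind of logic only to predict whether a 3DS challenge is going to be needed. The factor names and their category mapping are an assumption made for the example.

```python
"""Illustrative PSD2 SCA helpers (example code, not from the original article).

Two things are modelled, using the thresholds quoted in the text:
  1. the low-value exemption counters a card issuer keeps per card, and
  2. the rule that SCA needs two elements from different categories.
"""
from dataclasses import dataclass
from decimal import Decimal

LOW_VALUE_LIMIT = Decimal("30")     # a single payment above this always needs SCA
CUMULATIVE_LIMIT = Decimal("100")   # total of low-value payments since the last SCA
CONSECUTIVE_LIMIT = 5               # number of consecutive low-value payments allowed

# Assumed mapping of element names to the three SCA categories (example only).
FACTOR_CATEGORY = {
    "password": "knowledge",
    "pin": "knowledge",
    "card": "possession",
    "phone_app": "possession",
    "fingerprint": "inherence",
    "face": "inherence",
}


def is_strong_customer_authentication(factors) -> bool:
    """True only if the supplied elements cover at least two different categories."""
    categories = {FACTOR_CATEGORY[f] for f in factors}
    return len(categories) >= 2


@dataclass
class CardSCAState:
    """Counters the issuer keeps per card since the last SCA-authenticated payment."""
    consecutive_low_value: int = 0
    cumulative_amount: Decimal = Decimal("0")

    def requires_sca(self, amount: Decimal) -> bool:
        """Apply the thresholds from the text to a proposed payment."""
        if amount > LOW_VALUE_LIMIT:
            return True                                   # above €30
        if self.consecutive_low_value + 1 > CONSECUTIVE_LIMIT:
            return True                                   # would be the sixth in a row
        if self.cumulative_amount + amount > CUMULATIVE_LIMIT:
            return True                                   # run would exceed €100
        return False

    def record(self, amount: Decimal, authenticated_with_sca: bool) -> None:
        """Update counters after an approved payment; SCA resets the run."""
        if authenticated_with_sca:
            self.consecutive_low_value = 0
            self.cumulative_amount = Decimal("0")
        else:
            self.consecutive_low_value += 1
            self.cumulative_amount += amount


def process_payment(state: CardSCAState, amount: Decimal,
                    authenticated_with_sca: bool) -> str:
    """Issuer-side decision: decline if SCA was needed but not performed."""
    if state.requires_sca(amount) and not authenticated_with_sca:
        return "declined"
    state.record(amount, authenticated_with_sca)
    return "approved"


if __name__ == "__main__":
    # Constructed sequence of payments on one card, to show the counters in action.
    state = CardSCAState()
    for amount, sca in [(45, False), (10, False), (10, False), (10, False),
                        (10, False), (10, False), (10, False), (10, True)]:
        print(amount, sca, process_payment(state, Decimal(amount), sca))
    print(is_strong_customer_authentication({"password", "pin"}))        # same category
    print(is_strong_customer_authentication({"password", "phone_app"}))  # two categories
```

The sixth consecutive €10 payment without SCA is declined, a payment of any size authenticated with SCA is approved and resets the run, and a password plus a PIN does not satisfy the two-category rule.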

A common technology used to authenticate card payments online is 3D Secure (3DS). It interrupts checkout with an additional step (in the original version, a redirect to the card issuer's page) in which the customer verifies their identity with the issuer. However, the user experience of this first version is poor, it relies heavily on static passwords and SMS codes, and it still carries some fraud risk. Many banks are preparing for the launch of 3DS 2 (EMV 3-D Secure), which passes more transaction data to the issuer so that low-risk payments can be authenticated without a challenge, supports verification through the customer's banking app and biometrics where a challenge is needed, and thereby improves the check-out experience.

What action should you take?

  1. Put in place an adequate process of verification for qualifying transactions to ensure compliance, such as 3DS.

  2. Record and monitor the necessary payment information (eg details of payer and payee, time and date, and amount paid), and provide it to the relevant authorities or customers when requested, including for disputes over specific payments.

  3. Review your arrangements with third-party payment providers, and ensure they offer technologies that allow for easy and PSD2 compliant customer payments.