New EU regulation introduces legal requirements to authenticate customers for all online payments

July 20, 2020

These new regulations mean that any business accepting online payments will be required to adhere to the requirements referred to as Strong Customer Authentication (SCA) in order to accept payment online.

What’s driving this new European legislation?

Presently, Card Not Present payments - the payments we accept online, by email or invoice - account for two thirds of all fraud and are increasing at an alarming rate.

The new EU regulatory requirements - as defined by Strong Customer Authentication - are in response to this increasing fraud and are designed to make it safer for you and your customers buying online.

What payments will fall under these regulations?

On the 14th of September this year, new requirements for online payment authentication will be introduced throughout Europe as part of the second Payment Services Directive (PSD2). Any online payment that is initiated by the customer - such as an eCommerce transaction - by card or bank transfer will be required to meet Strong Customer Authentication requirements.

Contactless payments (e.g. low-value payments) and in-person payments are not impacted by these regulations.

How can I authenticate my customer and adhere to these new requirements?

Authentication of an online payment must be achieved by demonstrating you have obtained two of three things:

1. Something your customer knows e.g. PIN
2. Something the customer has e.g. Phone
3. Something biometric e.g. Fingerprint

What can I do to meet these requirements?

The most effective way to meet these requirements will be to add 3D Secure 2.0 to any of your online payment or eCommerce payment flows.

3D Secure 2.0 - which is supported by the Card Issuers e.g. Visa and MasterCard - enables sellers to authenticate their customers in a manner that meets the new European regulations.

3D Secure 2.0 builds upon 3D Secure, which was a lot like Chip and PIN for online payments. Perhaps you have paid for something online in the past and have been required by Visa or MasterCard to provide characters from a password in order to authenticate your purchase? That was the first version of 3D Secure, and it formed the basis of its newer, more secure sibling, 3D Secure 2.0.

What happens if I don’t comply with the Strong Customer Authentication requirements?

The decision to honour any payment is ultimately made by the Issuing Bank, i.e. the cardholder's bank. Where payments do not meet these new European regulations, payments missing authentication will most likely fail and you will be required to request that your customer resubmits their payment.