Strong Customer Authentication(PSD2)

What you need to know about SCA in one minute

On September 14, 2019, a new requirement for all online payments is being introduced in the EU, stating that all transactions (with certain exceptions) should be verified by the consumer. The change is part of an initiative to harmonize European payments and ensure consumers are protected. This requirement is known as SCA - Strong Customer Authentication – and is part of the EU regulation called PSD2 (Payment Service Directive 2). Read more about what the new requirements mean for web shops and consumers in our FAQs below - or press the following links for an elaboration in either DanishNorwegian or Swedish.

 

  The Danish Financial Supervisory Authority (FSA) has announced a transition period of 18 months for the implementation of SCA making the 14th September the target date for the rules to apply, but will not yet be enforced. However, we recommend that all merchants continue to work towards implementing measures to become SCA compliance.

What does strong customer authentication mean for E-commerce?

An electronic transaction will be defined as having gone through Strong Customer Authentication if at least two of the following three factors have been provided by the consumer:

 

How to evaluate whether my transactions need SCA or not?

 


 

In order to know what transactions are required to go through SCA or not, you need to identify if your transactions are initiated by the cardholder (consumer) or the merchant.
 
Cardholder-initiated transaction
A cardholder-initiated transaction (CIT) is when the cardholder or consumer plays an active role in the initiation of the transaction. This includes all one-off transactions where the cardholder is actively selecting products or services on your website and proceeding to the checkout.
If you are offering your customers to save their card, DIBS will of course ensure that this is supported, and will add SCA where needed. Please see above table where 1-3, 4A and 5A are CIT scenarios.

 

Merchant-initiated transaction
A merchant-initiated transaction (MIT) refers to transactions where the cardholder plays no active role, commonly referred to as recurring or card-on-file payments. There must be an agreement in place between the merchant and consumer regarding how much should be charged, for what product or service and when. MIT transactions can be charged on a regular or irregular basis. The MIT transaction is then initiated by the merchant based on the agreement, see scenario 4B and 5B. The initial transaction and agreement must always be “signed” with SCA - Scenario 4A and 5A.

 

How to ensure Strong Customer Authentication on all my transactions?

In order to ensure Strong Customer Authentication on all of your transactions, you need to activate and send transactions through the SCA protocol that is attached to Card schemes that consumers pay with today (e.g. Visa and Mastercard). For Visa and Mastercard the SCA protocol is called 3D Secure, which you may already be familiar with. In the 3D Secure process, the consumer is often requested to perform an action to confirm that they are making the transaction. This action is the SCA element in the payment process, for example, a consumer may be asked to enter a password that is sent to their phone.
If you are a customer of DIBS and wish to read a technical guide on how to enable this for your webshop, click on the platform that you are on:

 

DT platformD2 platform

If you are a customer on our Easy platform, you do not need to take any actions. 
 
In doubt about which platform you are on? Check it below:

 

Frequently asked questions

This is important because the Payment Services Directive 2 (PSD2) is a regulatory demand in the EU, as of the 14th September 2019. More importantly, PSD2 dictates that all remote electronic transactions must have Strong Customer Authentication (SCA).This includes E-commerce transactions, which might be rejected by Card Issuers if SCA requirements are not complied with.

3D Secure is the security protocol developed to protect cardholders online through additional security checks on payment transactions by their Card Issuer. 3D Secure (version 1) is delivered by individual card payment schemes (e.g. Visa has “Verified by Visa” and MasterCard has “SecureCode”) and is recognizable to consumers, as these brands are shown on the 3D Secure processing page after they click “confirm” on payments.
The step-up challenge today differs by country and card issuer, common step-up actions include mobile application based confirmation (e.g. Mobile BankID in Sweden) or an SMS One Time Password (e.g. in Denmark) to the consumer’s phone containing a code that they type into the browser to complete the transaction.

Not every type of transaction must go through SCA every time, recurring/subscription transactions are examples of payments that are processed without the Cardholder present. Where Merchants and Consumers have made an agreement for an ongoing product/service, SCA is only required on the first transaction or the setup of the mandate.
Example: Music or TV streaming subscription

Card on File transactions are not necessarily Recurring transactions. Recurring transactions differ from Card of File because there is an agreement in place and thereafter each transaction does not require specific actions of the consumer. For Recurring transactions, the initial mandate needs to be signed with SCA (i.e. 3D Secure for Card), but subsequent payments can be sent straight to Authorization. These transactions can be referred to as Merchant Initiated Transactions, and will required different flags in the Authorization message – see technical guidance.

No, your subscribers do not need to re-enroll in your subscription program. All subscriptions that has been set up before the 14th of September 2019 will continue without having to go through the SCA protocol again.

 

Yes, there are other types of transactions that are considered out of scope of SCA, these include;

1. Mail Order/ Telephone Order (MOTO)

2. One-leg out transactions
Transactions where either the acquirer or issuer is outside of the European Union - are considered out of scope from SCA, since EU regulations does not apply to parties outside the EU.

3. Anonymous transactions
Transactions through anonymous payment instruments (e.g. prepaid cards) are also considered out of scope from SCA.

Got a lot of questions - or perhaps just one?