PSD2 compliant payment gateway

Need a payment gateway that supports Strong Customer Authentication (SCA) requirements for the EU Payment Services Directive (PSD2)? The EU requirements went into effect on September 14, 2019, and, as with many new regulatory and card acceptance rule changes, some payment gateways are ready, some are not, and some may never get updated. This article addresses online payments and ecommerce transactions only.

Do US companies with a US merchant account need to comply with PSD2?

Yes. This is hard to decipher when researching, but the key is: yes, they must comply if a transaction even ‘passes through’ the EU.

  • One leg out (OLO) transactions in any currency (where one of the Payment Service Providers (PSPs) is located inside the EEA and the other PSP is located outside the EEA). For example, a transaction involving US merchant account and an EU card issuer.

How does PSD2 Strong Cardholder Authentication impact US merchants?

  • It’s not required for Ecommerce transactions from EU cardholders to US merchants with US merchant accounts.
  • US merchants may experience increased issuer declines if not using SCA.
  • US merchants will likely experience increased fraud as the pool of web sites shrinks where criminals can commit fraud and get away with it.
  • GDPR regulations do apply to ecommerce transactions from EU cardholders to US merchants with US merchant accounts; choose payment gateways that support both GDPR and 3DS v2.2.0.

Which online payments are exempt from PSD2?

  • Commercial cards where there is no cardholder name, and thus no way to authenticate an individual.
  • Recurring transactions for the same amount: PSD2 applies to the initial transaction. If the amount changes, PSD2 applies. PSD2 applies to each Unscheduled Credential On File transaction unless the cardholder whitelists as per the next item.
  • Whitelists of trusted beneficiaries: cardholders can notify their issuer to allow payments to go through without SCA after the initial transaction.

How can merchants get compliant with PSD2?

Merchants should use a payment gateway that supports 3DS v2.2.0, which supports Strong Customer Authentication or SCA. Visa specifically states in their rules (Table 5-17: Acquirer Support of Visa Secure by Region/Country – Requirements) that acquirers in the EU must process transactions using Visa Secure, which is their version of 3D Secure, a global protocol for securing card not present transactions. Only 3D Secure 2.x, not 1.0, meets the PSD2 requirements, with v2.2.0 being the most current as of this writing. This will get merchants compliant with PSD2.

Which payment gateways support 3DS v2.2.0?

Because the payment gateway may be one of multiple components in the checkout process, it may not be on a certification list. One popular payment gateway, Authorize.net, apparently is not being updated; users are advised to upgrade to Cybersource per the Cybersource web site.

Want a GDPR and 3DS v2.2.0 compliant payment gateway for your business? Contact us for solutions.

DISCLAIMER: condensed and incomplete information! Information may be quickly outdated.

Want a GDPR and 3DS v2.2.0 compliant payment gateway for your business? Call Christine Speedy, 954-942-0483, 9-5 ET.

As EMV grows, 3-D Secure importance increases

3-D Secure refers to the XML security protocol called “3 Domain Secure” (3DS), a program designed to reduce card fraud and shift liability for fraud from online merchants to the card issuing banks. Each card brand has its own name, including Verified by Visa (VbyV), MasterCard SecureCode, J/Secure, and American Express SafeKey. Discover recently announced they’ll be introducing their version this year.

Online financial fraud historically grows exponentially in countries after they implement EMV chip card processing, as thieves seek the weakest link for fake credit card purchases. More advanced fraud analytics and use of 3-D Secure technology helped reduce the subsequent online fraud.

One of the most oft-cited examples of this trend was the UK’s switch to EMV in 2004 and 2005. Online card fraud jumped from £117 million in 2005 (when EMV was fully implemented) to £155 million in 2006, and then up to £178 million (US$283 million) in 2007.

In the US, CenPOS is the only First Data payment processing solutions partner that is both EMV certified and 3-D Secure certified; also the only signature capture terminal, the Verifone MX915. There are lots of companies rolling out EMV-capable terminals, but virtually no one has certified the terminals.

Contact CenPOS global sales and integrations reseller Christine Speedy, 954-942-0483, for more information.