Need a payment gateway that supports Strong Customer Authentication (SCA) requirements for the EU Payment Services Directive (PSD2)? The EU requirements went into effect September 14, 2019 and like many new regulatory and card acceptance rules changes, some payment gateways are ready, some are not, and some may never get updated. This article addresses online payments and ecommerce transactions only.
Do US companies with a US merchant accounts need to comply with PSD2?
It depends. This is hard to decipher when researching, but the key is, yes must comply if a transaction even ‘passes through’ the EU.
- One leg out (OLO) transactions in any currency (where one of the Payment Service Providers (PSPs) is located inside the EEA and the other PSP is located outside the EEA). For example, a transaction involving US merchant account and an EU card issuer is one leg out and exempt from SCA.
How does PSD2 Strong Cardholder Authentication impact US merchants?
- It’s not required for Ecommerce transactions from EU cardholders to US merchants with US merchant accounts.
- US merchants may experience increased issuer declines if not using SCA.
- US merchants will likely experience increased fraud as the pool of web sites shrinks where criminals can commit fraud and get away with it.
- GDPR regulations for ecommerce transactions from EU cardholders to US merchants with US merchant accounts does apply; choose payment gateways that support both GDPR and 3DS v2.2.0 for maximum compliance and protection.
Which online payments are exempt from PSD2?
- Commercial cards where there is no cardholder name, and thus no way to authenticate an individual.
- Recurring transactions for the same amount- PSD 2 applies for the initial transaction. If the amount changes, PSD 2 applies. PSD 2 applies for Unscheduled Credential On File for each transaction unless cardholder whitelists as per next item.
- White-lists of trusted beneficiaries- cardholders can notify their issuer to allow payments to go through without SCA after initial transaction.
- Transactions under $30.
How can merchants get compliant with PSD2?
Merchants should use a payment gateway that supports 3DS v2.2.0, which supports Strong Customer Authentication or SCA. Visa specifically states in their rules (Table 5-17: Acquirer Support of Visa Secure by Region/Country – Requirements) that acquirers in the EU must process transactions using Visa Secure, which is their version of 3D Secure, a global protocol for securing card not present transactions. Only 3D Secure 2.x, not 1.0, meets the PSD2 requirements, with v2.2.0 being the most current as of this writing. This will get merchants compliant with PSD2.
Which payment gateways support 3DS v2.2.0?
Because the payment gateway may be one of multiple components in the checkout process it may not be on a certification list. One popular payment gateway apparently is not being updated- Authorize.net; users are advised to upgrade to Cybersource per the Cybersource link in resources below.
Historically, Europe rolls out tougher rules first and then the US. Merchants can expect SCA to be a US requirement in the future.
Want a GDPR and 3DS v2.2.0 compliant payment gateway for your business? Contact us for solutions.
Resources:
- EU US Privacy Shield https://ec.europa.eu/info/sites/info/files/2016-08-01-ps-citizens-guide_en.pd_.pdf
- EU Law https://eur-lex.europa.eu
- UK Financial Conduct Authority https://www.fca.org.uk/firms/revised-payment-services-directive-psd2
- https://www.cybersource.com/en-EMEA/psd2/upgrade/
- Card network rules (links)
- https://www.worldpay.com/en-gb/merchants/psd2
- Infographic: What the GDPR means for payments? (PDF)
- https://www.europeanpaymentscouncil.eu
DISCLAIMER: condensed and incomplete information! Information may be quickly outdated.
Want a GDPR and 3DS v2.2.0 compliant payment gateway for your business? Call Christine Speedy, 954-942-0483, 9-5 ET.