PSD2 compliant payment gateway

Need a payment gateway that supports Strong Customer Authentication (SCA) requirements for the EU Payment Services Directive (PSD2)? The EU requirements went into effect September 14, 2019 and like many new regulatory and card acceptance rules changes, some payment gateways are ready, some are not, and some may never get updated. This article addresses online payments and ecommerce transactions only.

Do US companies with a US merchant accounts need to comply with PSD2?

Yes. This is hard to decipher when researching, but the key is, yes must comply if a transaction even ‘passes through’ the EU.

  • One leg out (OLO) transactions in any currency (where one of the Payment Service Providers (PSPs) is located inside the EEA and the other PSP is located outside the EEA). For example, a transaction involving US merchant account and an EU card issuer.

How does PSD2 Strong Cardholder Authentication impact US merchants?

  • It’s not required for Ecommerce transactions from EU cardholders to US merchants with US merchant accounts.
  • US merchants may experience increased issuer declines if not using SCA.
  • US merchants will likely experience increased fraud as the pool of web sites shrinks where criminals can commit fraud and get away with it.
  • GDPR regulations for ecommerce transactions from EU cardholders to US merchants with US merchant accounts does apply; choose payment gateways that support both GDPR and 3DS v2.2.0.

Which online payments are exempt from PSD2?

  • Commercial cards where there is no cardholder name, and thus no way to authenticate an individual.
  • Recurring transactions for the same amount- PSD 2 applies for the initial transaction. If the amount changes, PSD 2 applies. PSD 2 applies for Unscheduled Credential On File for each transaction unless cardholder whitelists as per next item.
  • White-lists of trusted beneficiaries- cardholders can notify their issuer to allow payments to go through without SCA after initial transaction.

How can merchants get compliant with PSD2?

Merchants should use a payment gateway that supports 3DS v2.2.0, which supports Strong Customer Authentication or SCA. Visa specifically states in their rules (Table 5-17: Acquirer Support of Visa Secure by Region/Country – Requirements) that acquirers in the EU must process transactions using Visa Secure, which is their version of 3D Secure, a global protocol for securing card not present transactions. Only 3D Secure 2.x, not 1.0, meets the PSD2 requirements, with v2.2.0 being the most current as of this writing. This will get merchants compliant with PSD2.

Which payment gateways support 3DS v2.2.0?

Because the payment gateway may one of multiple components in the checkout process it may not be on a certification list. One popular payment gateway apparently is not being updated- Authorize.net; users are advised to upgrade to Cybersource per the Cybersource web site.

Want a GDPR and 3DS v2.2.0 compliant payment gateway for your business? Contact us for solutions.

Resources:

DISCLAIMER: condensed and incomplete information! Information may be quickly outdated.

Want a GDPR and 3DS v2.2.0 compliant payment gateway for your business? Call Christine Speedy, 954-942-0483, 9-5 ET.

EBA publishes an Opinion on the elements of strong customer authentication under PSD2

The European Banking Authority (EBA) published today an Opinion on the elements of strong customer authentication (SCA) under the revised Payment Services Directive (PSD2). The Opinion is a response to continued queries from market actors as to which authentication approaches the EBA considers to be compliant with SCA. The Opinion also addresses concerns about the preparedness and compliance of some actors in the payments chain with the SCA requirements that apply as of 14 September 2019.

Today’s Opinion provides a non-exhaustive list of the authentication approaches currently observed in the market and states whether or not they are considered to be SCA compliant. The Opinion does so separately for each of the three SCA elements of knowledge, possession and inherence, and also provides clarifications regarding combinations of these elements.

The Opinion also responds to the concerns about market preparedness, by clarifying that the EBA is legally not able to postpone an application date that is set out in EU law. The Opinion also explains that sufficient time has been available for the industry to prepare for the application date of SCA, given that the definition of SCA had been set out in PSD2 when it was published in 2015, which gave clear indications that existing authentication approaches would need to be phased out, and because PSD2 already granted an additional 18-month period for the industry to implement SCA.

However, the Opinion acknowledges the complexity of the payments markets across the EU and the challenges arising from the changes that are required, in particular by actors that are not payment service providers (PSPs) and, therefore, not directly subject to PSD2 and the EBA’s technical standards, such as e-merchants, which may lead to some actors in the payments chain not being ready by 14 September 2019.  

The EBA, therefore, accepts that, on an exceptional basis and in order to avoid unintended negative consequences for some payment service users after 14 September 2019, NCAs may decide to work with PSPs and relevant stakeholders, including consumers and merchants, to provide limited additional time. This is to allow issuers to migrate to authentication approaches that are compliant with SCA, such as those described in this Opinion, and acquirers to migrate their merchants to solutions that support SCA.

This supervisory flexibility is available under the condition that PSPs have set up a migration plan, have agreed the plan with their NCA, and will execute the plan in an expedited manner.

In order to fulfil the objectives of PSD2 and the EBA of achieving consistency across the EU, the EBA will later this year communicate deadlines by which the aforementioned actors will have to have completed their migration plans.

Background

The revised Payment Services Directive was published in November 2015, entered into force on 13 January 2016 and applies since 13 January 2018. The Directive brings fundamental changes to the payments market in the EU, in particular by requiring SCA to be applied by payment services providers (PSPs) when carrying out remote electronic transactions.

SCA is defined in the Directive as an “authentication based on the use of two or more elements categorised as knowledge (something only the user knows), possession (something only the user possesses) and inherence (something the user is) that are independent, in that the breach of one does not compromise the reliability of the others, and is designed in such a way as to protect the confidentiality of the authentication data.” The Directive also provides that SCA is to be applied to all electronic payments, unless one of the exemptions applies.

The EBA had been mandated to support the Directive by developing regulatory technical standards (RTS) setting out the details on strong customer authentication and common and secure communication (RTS on SCA and CSC), including its exemptions, and to regulate the access to customer payment account data held in account servicing payment service providers.

The RTS were developed in 2015/16, consulted on during 2016/17, adopted as Commission Delegated Regulation (EU) 2018/389 on 27 November 2017, published in the Official Journal on 13 March 2018, and will legally apply from 14 September 2019. The RTS deliberately refrains from referring to any particular authentication approaches in the industry, in order to ensure that the RTS remains technology neutral and future-proof.

Legal basis

The EBA issued the Opinion in accordance with Article 29(1)(a) of its Founding Regulation, which mandates the Authority to play an active role in building a common Union supervisory culture and consistent supervisory practices, as well as in ensuring uniform procedures and consistent approaches throughout the Union.

EBA paves the way for open and secure electronic payments for consumers under the PSD2

The European Banking Authority (EBA) published today its final draft Regulatory Technical Standards (RTS) on strong customer authentication and common and secure communication. These RTS, which were mandated under the revised Payment Services Directive (PSD2) and developed in close cooperation with the European Central Bank (ECB), pave the way for an open and secure market in retail payments in the European Union.  

Following 18 months of intensive policy development work and an unprecedentedly wide number of stakeholders’ views and input, these final draft RTS are the result of difficult trade-offs between the various, at times competing, objectives of the PSD2, such as enhancing security, facilitating customer convenience, ensuring technology and business-model neutrality, contributing to the integration of the European payment markets, protecting consumers, facilitating innovation, and enhancing competition through new payment initiation and account information services.   

The EBA received 224 responses to its Consultation Paper, in which more than 300 distinct concerns or requests for clarifications were raised. In the feedback table published today as part of the RTS, the EBA has summarised each one of them and provided its assessment as to whether changes have been made to the RTS as a result of such concerns.   

In particular, one of the key concerns addressed by these final draft RTS relates to the exemptions from the application of strong customer authentication on the basis of the level of risk involved in the service provided; the amount and recurrence of the transaction; and the payment channel used for the execution of the transaction. In this respect, the EBA has introduced two new exemptions: one based on transaction-risk analysis based on defined fraud levels and the other for payments at so called ‘unattended terminals’ for transport or parking fares. The exemption on transaction risk analysis is linked to a predefined level of fraud and is subject to an 18-month review clause after the application date of the RTS.   

In addition, the EBA has also increased the threshold for remote payment transactions from EUR 10 to EUR 30, and has removed previous references to ISO 27001 and to other specific characteristics of strong customer authentication, so as better to ensure the technological neutrality of the RTS and to facilitate future innovations.    

With regards to the communication between account servicing payment service providers (ASPSPs), account Information service providers (AISPs) and payment initiation service providers (PISPs), the EBA has decided to maintain the obligation for the ASPSPs to offer at least one interface for AISPs and PISPs to access payment account information. This is linked to the PSD2 no longer allowing the existing practice of third party access without identification (at times referred to as ‘screen scraping’ or, mistakenly, as ‘direct access’) once the transition period provided for in PSD2 has elapsed and the RTS applies.   

However, in order to address the concerns raised by a few respondents, the final RTS now also require that ASPSPs that use a dedicated interface will have to provide the same level of availability and performance as the interface offered to, and used by, their own customers, provide the same level of contingency measures in case of unplanned unavailability, and provide an immediate response to PISPs on whether or not the customer has funds available to make a payment.  

Legal basis and background

The draft RTS have been developed according to Article 98 of the revised Payment Services Directive (EU) 2015/2366 (PSD2), which mandates the EBA, in close cooperation with the ECB, to draft Regulatory Technical Standards (RTS) specifying the requirements of the strong customer authentication (SCA), the exemptions from the application of SCA, the requirements with which security measures have to comply in order to protect the confidentiality and the integrity of the payment service users’ personalised security credentials, and the requirements for common and secure open standards of communication (CSC) between account servicing payment service providers, payment initiation service providers, account information service providers, payers, payees and other payment service providers (PSPs). The PSD2 provides that the RTS will apply 18 months after adoption of the RTS by the EU Commission as a Delegated Act.

Related documents:

Related links: