What is PSD2?
The Revised Payment Services Directive (PSD2) is defined by the European Banking Authority and aims to regulate new stakeholders and improve the security of exchanges. Among these rules is the RTS-SCA (Regulatory Technical Standard - Strong Customer Authentication) rule which requires strong customer authentication as of March 31st 2019.
What is the scope of the RTS-SCA rule of the 31st of September 2020?
The whole range of networks like CB, Visa, Mastercard and Amex is affected by the RTS-SCA rule.
Are all transactions affected by the RTS-SCA rule?
MOTO (Mail Order Telephone Order) transactions, payments initiated by the merchant and unrelated to the customer, as well as cardholders or merchants outside the European Economic Area, are not subject to this RTS-SCA rule.
PSD2 - Who manages the compliance of AMEX transactions?
AMEX has already launched their compliance programme to authenticate AMEX transactions through their SafeKey programme. You may already have received a letter from them.
PSD2 - What happens on the 14th of September if my transactions are not authenticated?
Starting from September 14th, you have to begin your RTS-SCA regulation compliance process. You have until March 31st 2020 to authenticate all your transactions. Starting from this date, you risk denied authorisation for non-authenticated transactions.
If you do not think you will be ready by the 31st of March, please contact your bank.
PSD2 - What about 3-D BYPASS (3-D liberty)?
3-D BYPASS is an option of 3-D Secure that is still available. It allows you to dynamically bypass the 3-D Secure feature by populating the BYPASS instruction in the request. However, please note that using this option may result in denials of authorisation for non-authenticated transactions.
PSD2 - How can I check that 3-D Secure works properly?
The 3DStatus (Sips 1.0) and HolderAuthenStatus (Sips 2.0) fields give the result of the 3-D Secure authentication.
The main values are:
- SUCCESS: successful cardholder authentication.
- FAILURE: the cardholder authentication has failed.
- ERROR: technical issue during authentication.
- CANCEL: the cardholder aborted the process during authentication.
- ATTEMPT: the cardholder did not need to authenticate.
Some fields are visible in the automatic response, in the transaction reports (from version TAB20-V3 onwards in 2.0 and TABLE_V14 in 1.0) and via Sips Office Extranet.
PSD2 - When will 3-D Secure v1 come to an end?
No ending date has been officially published yet.
PSD2 - Do I need to start 3-D Secure in big bang mode?
We advise you to launch 3-D Secure progressively. 3-D Secure can reduce your conversion rate (the customer abandons during the payment).
How to launch 3-D Secure?
- When the payment pages are hosted by Sips (Sips Paypage and Walletpage), the 3-D Secure activation applies to all transactions. However, you can deactivate 3-D Secure on the less risky requests with the 3D bypass option.
- When you host the payment pages (Sips Office), implement the 3-D Secure process and execute it on the more risky transactions.
Whatever Sips integration mode you use, here are the steps we advise you to follow:
- Apply 3-D Secure on risky transactions only
- Monitor your conversion rate: measure the percentage of code 97 received (the customer abandons while paying)
- If the conversion rate remains acceptable, progressively increase the use of 3-D Secure until you apply it on all transactions
Starting from March 31st 2019, if your transactions are not authenticated, you might receive “soft decline” type answers (field acquirerResponseCode valued with A1) from the issuer.
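The monitoring loop described in the steps above, as an added example that is not Sips code: it splits transactions by whether 3-D Secure ran, measures the share of code 97 in each group, counts A1 soft declines on non-authenticated payments, and widens 3-D Secure coverage only while abandonment stays acceptable. The records are constructed; the `responseCode` key, `None` for "3-D Secure not applied", the 20% abandonment limit and the 20-point step are assumptions of this example.

```python
from collections import Counter

# Constructed sample records, not real data. Keys use this page's field names;
# "responseCode" as the field carrying code 97 and None for "3-D Secure not
# applied" are assumptions of this example.
def tx(code, status, acq):
    return {"responseCode": code, "HolderAuthenStatus": status,
            "acquirerResponseCode": acq}

SAMPLE = (
    [tx("00", "SUCCESS", "00")] * 4
    + [tx("97", "CANCEL", None), tx("05", "FAILURE", None)]
    + [tx("00", None, "00")] * 3
    + [tx("05", None, "A1")]   # soft decline on a non-authenticated payment
)

def rate(part, whole):
    """Share of `part` in `whole`, 0.0 when the group is empty."""
    return part / whole if whole else 0.0

def summarize(records):
    """Split by whether 3-D Secure ran, then measure abandonment and A1."""
    with_3ds = [r for r in records if r["HolderAuthenStatus"] is not None]
    without = [r for r in records if r["HolderAuthenStatus"] is None]
    abandoned = lambda rs: sum(r["responseCode"] == "97" for r in rs)
    return {
        "share_3ds_pct": round(100 * rate(len(with_3ds), len(records))),
        "abandon_3ds": rate(abandoned(with_3ds), len(with_3ds)),
        "abandon_no_3ds": rate(abandoned(without), len(without)),
        "statuses": Counter(r["HolderAuthenStatus"] for r in with_3ds),
        "soft_declines_no_3ds": sum(
            r["acquirerResponseCode"] == "A1" for r in without),
    }

def next_share_pct(current_pct, summary, max_abandon=0.20, step_pct=20):
    """Widen 3-D Secure coverage only while abandonment stays acceptable."""
    if summary["abandon_3ds"] > max_abandon:
        return current_pct              # hold and investigate before widening
    return min(100, current_pct + step_pct)

if __name__ == "__main__":
    s = summarize(SAMPLE)
    print(s, "next 3-D Secure share:", next_share_pct(s["share_3ds_pct"], s), "%")
```

Comparing the code 97 rate of the two groups separates abandonment caused by the authentication step from abandonment that happens anyway.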
PSD2 - What are the benefits of the 3-D Secure programme?
You benefit from the liability shift to the holder’s bank in the event of a fraud-related dispute. The liability shift is subject to rules based on the CB/Visa/Mastercard schemes. This information is returned in the response and in the transaction reports.
What happens for duplicated transactions on the 31st of March 2020?
From the 31st of March 2020, duplication operations remain possible on a transaction made on the Internet even if it has not been subject to strong authentication.
Please note that from this date, and in order to be compliant with PSD2, any payment initiated by the payer via the Internet or by mobile requires strong authentication (3dsv2). Otherwise, you expose yourself to a refusal of authorisation on the grounds of an unauthenticated transaction.
Duplications made subsequently will not be subject to strong authentication because the cardholder is not present.