PSD2 (Payment Services Directive 2) is a banking regulation issued in the EEA by the European Banking Authority. It is an open banking initiative that seeks to improve consumer protection and boost competition and innovation. Under the new regulation, strong customer authentication (SCA) is required for every transaction, with limited exemptions.

The Rule of Thumb

SCA is required if both the issuing bank and the acquiring bank are in the EEA. If either one is outside the EEA, SCA is not required (this is called one leg out, or OLO).

To comply with SCA, two of the following three factors must be satisfied:

  • Something the customer has (phone, computer, etc)

  • Something the customer knows (password, PIN, etc)

  • Something the customer is (fingerprint, Face ID, etc)

Solution:

EMV 3DS (3DS version 2.1 and up) is the easiest and most common way to comply with PSD2’s SCA requirement. If SCA is not performed on a customer-initiated transaction, the issuer will decline the authorization, because under the PSD2 rules the issuer is liable when SCA is not satisfied.

What Are The Exemptions of PSD2?

PSD2 defines circumstances in which merchants can request an exemption so that certain transactions do not require SCA (we are looking into supporting these requests in a future release):

  • low-risk transactions

  • less than €30

  • merchant initiated transactions

  • trusted beneficiaries

  • phone sales

  • corporate payments

These exemptions can be helpful, and the merchant can request them individually on a transaction, but it is ultimately the cardholder’s bank that decides whether the exemption is granted. If the transaction is not exempted once it has been processed, the issuing bank will post a soft decline of the order, requiring SCA before it will accept the order.

Exemption Details

1. Low-Risk Transactions:

The acquiring bank’s overall fraud rate for card payments does not exceed the following thresholds:

  • 0.13% to exempt transactions below €100

  • 0.06% to exempt transactions below €250

  • 0.01% to exempt transactions below €500

These thresholds will be converted to the local currency equivalent where relevant. This exemption may not be as easy to obtain as it seems: the merchant may have a very low fraud rate, but if its acquirer has a high fraud rate across its complete portfolio, the transaction will not qualify for the exemption even if the amount is low.

2. Payments below €30:

Transactions below €30 are considered low value and therefore do not require SCA. There are limits to this exemption: the issuer keeps track, per cardholder, of a maximum of 5 consecutive exempted transactions or a cumulative value of €100 since the cardholder last performed SCA.

3. Merchant Initiated Transactions:

These are subscription-style business transactions. The initial transaction must have SCA; all subsequent transactions where the cardholder is not present do not require SCA. Ultimately, this is also up to the issuer.

4. Trusted Beneficiary:

When placing an order, the cardholder has the option to notify the issuer that this is a merchant they trust, indicating that they expect to make future transactions and do not want to perform SCA every time. The cardholder’s bank or payment service provider keeps track of this list. This exemption has not yet been broadly implemented by banks, so this option will be limited.

5. Phone Sales:

Mail order and telephone orders fall outside the scope of SCA and are considered card-not-present transactions. These transactions need to be flagged as such, but the banks have the final decision. The merchant marks them in the system as requesting an exemption; although the decision is up to the issuer, we expect issuers will allow the exemption.

6. Corporate Payments:

Transactions made directly to another company as a B2B payment, for example through an access-controlled corporate travel management or corporate purchasing system. The merchant marks these in the system as requesting an exemption; although the decision is up to the issuer, we expect issuers will allow the exemption.
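As an added illustration (not sticky.io’s code, and not how any of the gateways below implement it), the following merchant-side pre-check applies the rules described in this article: the OLO test, the low-value counters, and the low-risk fraud-rate thresholds. The Transaction fields and the issuer-side counters are assumptions made for the example; the issuer’s decision on any exemption remains final.

```python
from dataclasses import dataclass

# Low-risk (TRA) thresholds from the article: (amount ceiling in EUR,
# maximum acquirer portfolio fraud rate). Any matching pair qualifies.
TRA_THRESHOLDS = [(100, 0.0013), (250, 0.0006), (500, 0.0001)]
LOW_VALUE_LIMIT = 30        # a single transaction below this is "low value" (EUR)
LOW_VALUE_MAX_COUNT = 5     # consecutive exempted transactions since last SCA
LOW_VALUE_MAX_TOTAL = 100   # cumulative exempted value (EUR) since last SCA


@dataclass
class Transaction:
    amount_eur: float
    issuer_in_eea: bool
    acquirer_in_eea: bool
    acquirer_fraud_rate: float          # portfolio-wide, 0.0005 means 0.05 %
    merchant_initiated: bool = False    # initial transaction already had SCA
    mail_or_phone_order: bool = False
    corporate_payment_system: bool = False
    # Issuer-side counters since the cardholder last completed SCA. A merchant
    # does not normally see these; they are constructed here to show the rule.
    txns_since_sca: int = 0
    value_since_sca: float = 0.0


def sca_decision(t: Transaction) -> str:
    """Return 'not_required', 'exemption:<name>' or 'sca' as a merchant-side
    pre-check; the issuer can still soft-decline and enforce SCA."""
    if not (t.issuer_in_eea and t.acquirer_in_eea):
        return "not_required"                   # one leg out (OLO)
    if t.mail_or_phone_order:
        return "exemption:mail_or_phone_order"  # out of scope, flagged anyway
    if t.merchant_initiated:
        return "exemption:merchant_initiated"
    if t.corporate_payment_system:
        return "exemption:corporate"
    # Low value: under EUR 30, and the issuer's per-cardholder counters
    # (assumed here to include the current transaction) are not exhausted.
    if (t.amount_eur < LOW_VALUE_LIMIT
            and t.txns_since_sca < LOW_VALUE_MAX_COUNT
            and t.value_since_sca + t.amount_eur <= LOW_VALUE_MAX_TOTAL):
        return "exemption:low_value"
    # Low risk: acquirer fraud rate at or below the threshold for the amount.
    for ceiling, max_rate in TRA_THRESHOLDS:
        if t.amount_eur < ceiling and t.acquirer_fraud_rate <= max_rate:
            return "exemption:low_risk"
    return "sca"
```

Note that a merchant with a spotless fraud record still fails the low-risk branch when its acquirer’s portfolio-wide rate is above the threshold, which is the situation the article warns about.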

Gateways That Support 3D Verify 2.0

  • ACI Pay.ON

  • Acquired

  • Argus Payment (Inovio)

  • CardPointe

  • CyberSource

  • Durango Direct

  • eMerchant Pay

  • Fluid Pay

  • GoPayment

  • Group ISO

  • Inovio

  • Inovio Continuity

  • LimeLight 2.0

  • Maverick

  • Maxx Merchants

  • Network Merchant Inc

  • OpenPath

  • PayEngine

  • PayScout

If you would like to discuss implementing 3D Verify, please reach out to your dedicated Client Success Manager or email clientsuccess@sticky.io
