PSD2: optimise your performance, with confidence

How and why to streamline your customers’ shopping experience

PSD2: a reminder

The overriding objective of the Payment Services Directive 2 (PSD2), in force since 14 September 2019, is to increase the security of online payments, strengthening the authentication of payers when making purchases with bank cards.

What this means

Better protection for consumers and sellers against online fraud.

The main changes

1. Strong authentication becomes mandatory for all transactions, except in exemption cases or for transactions outside the scope of the RTS (Regulatory Technical Standards).

2. Triggering authentication is now the responsibility of the issuing banks (your customers’ banks).

3. A new 3D Secure V2 protocol must be used to transmit more data and apply for exemptions.

Conditions for valid strong authentication

Strong authentication must be based on at least 2 of the following 3 criteria to be valid:

Knowledge

Information that only the user knows (examples: PIN, password)

Possession

Information that only the user possesses (examples: a card, a mobile phone)

Inherence

User identity recognition information, biometric identification (fingerprint, iris or voice recognition)

Transactions that are not affected by strong authentication

Transactions outside the RTS scope are by nature exempt from authentication:
  • MIT – Merchant-Initiated Transactions
  • MOTO – Mail Order/Telephone Order: payments by mail or telephone
  • One-leg transactions: inter-regional payments

Strong or frictionless authentication?
How to make the right choice

With the introduction of the new 3DS v2 protocol, it is the issuing banks that decide whether to trigger strong authentication. However, as a merchant you can indicate your preference.

Authentication: You want the transaction to be strongly authenticated.
Frictionless journey: You want the transaction to be free of strong authentication, thus promoting conversion.

If you choose the frictionless path, make sure beforehand that the transaction does not involve a risk of fraud.

This is because:

  • you bear the responsibility for non-payment in case of fraud,
  • you take the risk that the issuing bank will tighten its rules and refuse your requests for future exemptions.

The more thorough and effective the real-time risk analysis you perform on your exemption requests, the more you will be perceived as a trusted partner by the issuing banks. A reliable, RTS-compliant (Regulatory Technical Standards) risk analysis will subsequently ensure a better fraud rate and more exemptions.

Promoting frictionless transactions

All our modules have been PSD2 compliant since 2019. On a day-to-day basis, we are very attentive to any changes implied by the directive and do what is necessary to ensure the transactions carried out by our merchants are enriched with the data points required under 3-D Secure 2. We also provide them with a range of tools that allow them to easily configure their preference.

Smart 3-D Secure

Smart 3-D Secure uses machine learning to target risky payments and optimise your conversion based on your risk profile. This technology relies on a continuously optimised rule-based system and a risk analysis carried out on each transaction to trigger the right request: “strong authentication” or “frictionless path”.

Manual Threshold Option

Choose the amount below which you request a frictionless path (up to €250 maximum).

We also offer a range of features to help optimise your fraud rate.

98% of frictionless requests accepted for our FastPass clients on their BPCE traffic

Technical glossary

This glossary can help you explain to your customers the issues involved in the implementation of PSD2 on online purchases.

PSD2 (European Payment Services Directive 2)

A directive with two parts: one on the opening of banking data to encourage innovation and competition; the other on the security of online payments to minimise fraud.

RTS (Regulatory Technical Standards)

Technical requirements introduced under PSD2, involving changes to the authentication model and method used to secure online payments.

Strong Customer Authentication (SCA)

A strong authentication request that must be based on at least two independent elements linked to the buyer: knowledge (e.g. password), possession (e.g. telephone), inherence (e.g. biometrics).

3-D Secure v2 (3-DS v2)

Technical protocol that replaces 3-DS v1 with new fields to be integrated by the merchant, the TAP/PSP and the issuer. Among other features, this allows you to convey your exemption requests.

TRA (Transaction Risk Analysis)

Real-time transaction risk analysis leading to a recommendation (exemption request or strong authentication).

Frictionless

The process of not adding an extra step for customers during the payment process. The data exchanged between merchants and banks is sufficient to ensure the customer’s identity.
