We've got you covered.
2Checkout is the PSD2 enabler for online merchants

Strong Customer Authentication and PSD2 Compliance is Not Something Your Team Should Worry About

Online payments are changing. PSD2 adds new complexity to your digital business, and in order to maintain high authorization and conversion rates you need to understand its impact on your business.

What is the 2nd Payment Service Directive (PSD2)?
PSD2 is the revised regulatory framework for payment services initiated by the European Commission. The initial due date was September 14, 2019. Following an opinion by the European Banking Authority on the deadline for the migration to SCA for eCommerce card-based payment transactions, SCA entered into effect in most European countries within the EEA (European Economic Area) on December 31st, 2020.
This included the introduction of Strong Customer Authentication (SCA) for customer-initiated payments with the implementation of EMV 3D Secure (3D Secure 2.0), unless the payment qualifies as low risk.

A Seamless PSD2 Onboarding Process with 2Checkout

We take the burden off your business
With 2Checkout's PSD2 Payment Institution License granted, there will be no changes in the integration from your side. The sophisticated authentication logic will be maintained by 2Checkout to help you stay ahead of regulation.
Stay Ahead of Regulations
Having 2Checkout as your partner helps take away the worry about blurry and changing regulations, as we work directly with all involved parties to reconcile and represent you.
We Leverage Exemptions for a Seamless Checkout
Each transaction is paramount, which is why we leverage exemption rules and the latest 3D Secure 2 (3DS2) technology to protect your business from declined payments and low conversion rates. We aim for low-risk payments to reduce friction between customers and the authentication process, with Cardholder and Merchant Initiated Transaction frameworks that trigger 3D Secure only when necessary.

PSD2 and SCA with 2Checkout

Advanced Ordering Engines
2Checkout's API-driven, highly optimized checkout is built using the latest technologies, minimizing customers' input during the payment process. It empowers you to understand and reduce friction with proper communication, as well as manage customer drop-offs.
Frictionless Data-Centric Checkout
The ultimate goal is for your end customers to experience a frictionless flow, resulting in increased conversion rates. In the first stages, due to the change in the overall process, a temporary increase in cart abandonment is expected. This can be counteracted by employing 2Checkout tools and by informing and educating users on process changes. Transactions will be authenticated based on the historic data available at the issuer, without intervention from your customers.
Automated Lifecycle Management
Avoid churn and continue accepting recurring payments, while we identify which subscriptions require authentication via dunning management.
Intelligent Exemption Payment Routing
Payment Routing with widespread SCA coverage helps you worry less about conversion and authorization rates, as we constantly analyze and lead transactions to different ratified flows while optimizing for exemptions.

How Have We Prepared for PSD2?

2Checkout is PSD2 compliant. 2Checkout has updated its integrations with the EU service providers to comply with the PSD2 SCA regulations:
3D SECURE 2
100% COMPLETED
  • Cardholder Initiated Transactions (CIT) and Merchant Initiated Transactions (MIT) frameworks to initiate 3D Secure 2 when required or fall back on 3D Secure 1.
EXEMPTION MANAGEMENT
100% COMPLETED
  • Exemption mandates requests - Low value transactions, low risk, trusted beneficiaries | Updated Bank Identification Number (BIN) database.
DUNNING
100% COMPLETED
  • Dedicated Dunning emails for fallback flows on recurring payments.

Other PSD2 Resources

If you need more info about what you can do to be PSD2 compliant, please read the resources below:

BLOGPOST
Digital Commerce and Payments Capabilities That Ease the Transition to PSD2 and SCA
KNOWLEDGE BASE DOCUMENTATION
All you need to know about PSD2 and Strong Customer Authentication if you sell online.
WEBINAR
All you need to know about PSD2 and Strong Customer Authentication if you sell online.

With 2Checkout, Your Online Business is Covered

PSD2 Compliance FAQs

We have compiled a list of our clients' and partners' frequently asked questions regarding PSD2.

What is the Payment Services Directive (PSD2)?

The first Payment Services Directive (EU) 2007/64/EC (PSD1) was implemented in 2009, and introduced the ground rules for electronic payments like credit transfers, credit/debit card, and mobile payments. With PSD2 enforced beginning on December 31st, 2020, the European Commission has updated the existing regulatory framework by adding new security specifications meant to cover all aspects of online payments. The new rules introduce the following benefits:

  • Safer internet payment services
  • Better protection against fraud and payment problems
  • The creation of the right ecosystem for innovative mobile and internet payment services
  • Revised and improved customer rights

Is 2Checkout compliant with PSD2?

2Checkout is compliant with PSD2. Read our guide and check out which scenarios of PSD2 might impact your business.

What new features is PSD2 bringing?

  • Security of payments made by European Union shoppers through a mandatory Strong Customer Authentication (SCA) component;
  • Access to an account (XS2A) for account information and payment initiation services, allowing bank customers to give access to third-party providers to retrieve data and initiate payments directly from bank accounts;
  • Recurring transactions treatment.

When does PSD2 go into effect?

The Payment Services Directive 2 (PSD2) has already taken effect throughout the European Union in the local legislation and has been enforced in most European countries in the EEA starting December 31st, 2020, while others are pushing the timing of implementation with soft-launch scenarios into early 2021.

What are the PSD2 requirements?

The PSD2 requirements are based on three pillars:

  • Pillar 1 addresses transparency in terms of pricing, extended customer rights, and stricter reporting standards for banks. It applies to transactions where at least one party - the "one leg out" scenario - is in the European Economic Area (EEA).
  • Pillar 2 concerns security, including requirements for strong customer authentication (SCA). This impacts all parties involved in the eCommerce flow.
  • Pillar 3 sets out the technological requirements by which banks must allow payment institutes to use their infrastructure to access account data and initiate payments on behalf of customers.

Compliance with PSD2 is to be implemented in two stages: Pillar 1 (transparency) became effective on January 13, 2018, while Pillars 2 and 3 came into force on December 31st, 2020.

Do we need to sign additional agreements or any additional addendum to contracts?

No, this is not mandatory. We are sending out 2 updated documents: Privacy Policy and Data Privacy Provision for your acknowledgement.

Will PSD2 apply to my business?

  • Merchants from EEA that sell to customers within EEA, using the 2Sell and 2Subscribe plans, are impacted by PSD2 regulations and must provide SCA when receiving payments.
  • Merchants based in EEA that sell to customers outside EEA, using the 2Sell and 2Subscribe plans, are not impacted by PSD2 regulations and do not need to provide SCA when receiving payments.
  • Merchants based outside EEA that sell to customers from EEA, using the 2Sell and 2Subscribe plans, are not impacted by PSD2 regulations and do not need to provide SCA when receiving payments.
  • Any merchant using the 2Monetize solution contracted via Avangate BV is impacted by PSD2 and SCA rules, since 2Checkout acts as a reseller registered in the EEA.

Are 2Checkout Affiliates affected by PSD2?

Avangate Affiliate Network is available on the Merchant of Record model and any merchant contracted via Avangate BV is impacted by PSD2 and the SCA Rules, since 2Checkout acts as a reseller registered in EEA. The new changes do not impact the order tracking or commissioning; they only affect how the customers authenticate their payments after they decide to make a purchase.

Are 2Checkout Partners and Integrations affected by PSD2?

Partner Sales are available on the Merchant of Record model and any merchant contracted via Avangate BV is impacted by PSD2 and the SCA Rules, since 2Checkout acts as a reseller registered in EEA.

How does PSD2 impact my business?

PSD2 requires Strong Customer Authentication (SCA), a process by which the issuing bank validates the identity of the payee and allows the transaction to go through.

The SCA comes with two forms of authentication which should be provided by the customer for the payment to be validated by the issuing banks.

When merchants use the 2Checkout-hosted ordering engines, customers and shoppers are automatically directed from the merchant's website to 2Checkout once they're ready to pay.

Since 2Checkout hosts the payment process, ensuring that merchants are ready for the new SCA requirements falls within our responsibilities.

As a 2Checkout client, what should I do next to comply with PSD2? And how is 2Checkout going to help me?

  • Having 2Checkout as an ecommerce and payments partner helps take away the worry of these blurry and changing guidelines, because we work directly with all involved parties to reconcile and represent the merchants.
  • With 2Checkout's PSD2 Payment Institution License granted, the platform and models will be supported, with no changes in the integration needed on your side. Issuer logic will evolve over time, with sophisticated authentication logic maintained by 2Checkout to help you stay ahead of regulation. We have upgraded our checkout pages and payment APIs to support strong customer authentication. We have included the new 3D Secure 2.0 protocol in our APIs and payment pages in a way that keeps changes for merchants at a minimum and minimizes the impact of SCA on the checkout conversion.
  • Merchants worry less about the conversions/authorization rates impact with our support for multiple models and entities, as well as intelligent payment routing with a multitude of processors, that fall within the requirement of SCA coverage. We consistently test for high conversions and authorizations by routing the transactions to different flows, and optimize the use of exemptions.
  • Having alternative payment methods supported with built-in SCA traits will provide your buyers additional choice without disrupting their flow - e.g. iDeal, Bancontact, SEPA Payments, mobile wallets.
  • Having analytics, customization, and an advanced ordering engine/ecommerce platform empowers merchants to understand and reduce friction with proper communication or different flows (e.g. retry pages, change of payment method, abandons recovery, dunning, etc.) to manage customer drop-offs.

How should my website and my communications to prospects and customers change under PSD2 in order to be compliant?

B2C subscription businesses should notify their customers about PSD2, and inform them of the new requirements to authenticate their transaction via 3DS2. B2B businesses should suggest that their customers check if the "whitelisting merchants" feature is supported by their banks, so that they can skip the authentication and have smoother transactions. Most of the banks in the EU should have had this feature ready by the end of 2020.

If you are processing usage-based billing or variable amount recurring billing (which come under merchant-initiated transactions), and 3DS2 verification was done for the first transaction, then those subscriptions can be applied for exemption. However, the customer's bank will still have the final say if that subscription still requires SCA, which could add to friction; you can choose to accept payments via direct debit, for example, to help eliminate this friction.

What is Strong Customer Authentication (SCA)?

SCA is the new requirement that comes along with the mandatory implementation of EMV 3DS / 3D Secure 2.0 for online transactions and purchases, which reduces fraud and makes online payments more secure. SCA and 3DS 2.0 require the use of at least two of the following three elements:

  • Something the customer knows (password, passphrase, pin, etc.)
  • Something proprietary to the customer (smartphone, wearable device, token, etc.)
  • Individual biometrics (fingerprints, facial features, voice patterns, etc.)

What types of transactions require Strong Customer Authentication (SCA)?

SCA is required for all customer-initiated online transactions (CIT) within Europe, which means most payment methods (contactless payments included) and bank transfers are done with SCA. For online payments, SCA applies to transactions where both the business and the cardholder's banks are located within the European Economic Area (EEA).

The Revised Payment Services Directive allows payment providers like 2Checkout to request exemptions from SCA and skip authentication for low-risk payments. Payments that require SCA will need to go through the "challenge" flow, whereas transactions that can be exempted from SCA can be sent through the "frictionless" flow.

What is the impact on other payment methods, like direct debit?

Direct debits and other alternative payment methods, initiated by the payee only and not the payer, are outside the scope of Strong Customer Authentication (SCA).

How is 2Checkout authenticating the payments made by my customers?

Payments go through the 3DS2 filter provided by 2Checkout via our ordering engines. In our back end, we automatically check to see if the issuing bank supports 3DS 2.0. If it does, the information about the payment is sent along with a request for exemption only when applicable. If the issuing bank labels the payment as exempt from SCA, the customer does not have to go through any extra authentication steps and the payment is authorized. If the issuing bank labels the payment as risky or it needs additional information to verify the customer, they will ask for the payment to go through the extra layer of security provided by 3DS 2.0.

Lastly, if the cardholder's issuing bank does not support the 3DS2 flow, the customers will be redirected via 3DS1, which acts as a fallback solution.

How is 3DS 2.0 helping my business?

Overall, the new 3DS 2.0 technology aims to improve the user experience and data transfer, as well as providing more data with less friction. This gives us more information so that we challenge potential fraud. Only the riskiest transactions go through additional verification. The rest of the transactions are authenticated in the back end and receive validation.

3DS2 is putting the shopper experience at the forefront of authentication, while merchants benefit from full liability for transactions where fraud is detected.

Which are the exemptions implied by PSD2 for SCA?

The European Commission presented the following scenarios in which online payments can be exempt from SCA:

  • Low-value transactions
    • For example, a customer could make five payments of €10 and be challenged on the sixth or make up to 10 payments of €10 before they need to authenticate. To be eligible for this exemption it is recommended to have transactions below €30.
    • The cardholder's bank decides which cumulative limit to use, so 2Checkout will continue to monitor how each bank chooses to allow this, whether based on the number of transactions or total value.
  • Transaction Risk Analysis
    • If the fraud levels for both the acquirer and the issuer are below the respective thresholds, the transaction can be exempt from SCA.
    • The cardholder's bank decides which cumulative limit to use, so 2Checkout will continue to monitor how each bank chooses to allow this, whether based on the number of transactions or total value. The fraud rate limits for payment providers are being applied as follows:
      Fraud transaction rate → Amount limits
      0.13% → €100
      0.06% → €250
      0.01% → €500
  • Recurring transactions
    • Payments are exempted from SCA if the payer-initiated payment transactions come in a series with the same amount and the same payee.
    • However, merchant-initiated transactions are out of scope of SCA. In order to get an exemption for recurring transactions, the payment and customer information should be registered before the initiation of PSD2 and should have the same value, same payee, and same recurring cycle.
    • If a new recurring payment is initiated after December 31st, 2020, the SCA rules will apply for it.
    • For more information on PSD2 and SCA see this article.

How can I or 2Checkout influence low-risk transactions?

Sharing as much information about the customer with the issuer will make it more likely that they decide a frictionless flow (no authentication) is appropriate for that particular transaction.

Are there any countries/regions where exceptions apply?

Each country's National Competent Authority (NCA) has flexibility regarding when and how to enforce the SCA requirement on issuing banks.
Some countries like the UK postponed the final SCA implementation to September 2021. Other countries will formally maintain the EBA deadline, while allowing progressive ramp-ups with soft declines, applicable to various minimum transaction amounts.
Finally, other countries such as Austria or Bulgaria will not apply fines for a few months.
2Checkout is closely monitoring communication issued by all of these authorities, making sure that all transactions are compliant.

When will 3D Secure 2 (3DS 2.0) be supported by banks?

The mass adoption of 3DS 2.0 falls under the responsibility of the card-issuing bank. While some banks are already supporting 3DS 2.0, others will take more time to implement the new technology depending on the country and region (local regulators can give time extensions for the PSD2 compliance, in order for banks to be well-prepared).

What happens if the issuing bank of a shopper credit/debit card is not ready/compliant with PSD2 after December 31st?

If a bank is not yet compliant with 3DS2, 2Checkout will send a 3DS1 authentication request in order to process the transaction. If the bank doesn't have support for 3DS1 or 3DS2 in place and is still processing online transactions, this means they are not compliant with PSD2, are fully liable, and risk significant fines.

What is the 3D Secure frictionless flow and what transactions are eligible?

The new version of 3D Secure comes with capabilities for frictionless flows. This functionality allows shoppers to make online payments without authentication only if they are eligible for this type of flow. Payment eligibility is given by the issuing bank and is assessed on a per-transaction basis. If the transaction or payment is not deemed as eligible for the frictionless flow, the customer will be presented with an authentication form to complete the process.

Is 3D Secure 1 compliant with Strong Customer Authentication (SCA) regulations, and do I have to do anything to upgrade to 3D Secure 2?

For the time being, 3D Secure 1 will still be an available option for authenticating online transactions.

In the future, this technology will become obsolete and banks will need to adopt 3DS 2.0 to be compliant with PSD2. In some cases, depending on the region or country, banks will need extra time to implement the new technology. During this time 3DS 1.0 will continue to be provided by banks. As a merchant working with 2Checkout you do not need to do anything to upgrade to 3D Secure 2.

What is the difference between 3D Secure version 2 and 3D Secure version 1?

3DS 1.0 has some disadvantages in comparison with 3DS 2.0:

  • 3D Secure 1 does not support exemptions or the frictionless flow
  • 3D Secure 1 doesn't provide the best customer experience
  • 3D Secure 1 will go away sometime in the future (although no date is set yet)

2Checkout supports both versions and will dynamically adapt for each transaction based on what the customer's bank supports, so merchants don't have to worry or make any changes to ensure compliance and the best customer experience.

3D Secure 2.0:

Was introduced in Europe on December 31st, 2020, as a mandate for all issuing banks

  • Capabilities
    • More data is now sent to the cardholder's bank, to be used for:
      1. Completing "frictionless" authentication with support for exemptions
      2. Sending the transaction through the "challenge" flow (when the cardholder's bank wants more proof to verify their identity).
  • Better user experience
    • Mobile ready and embeddable
    • User friendly, with static passwords replaced by tokens and biometrics

What is the 3D Secure version 2 flow?

To see how the 3-D Secure version 2 works, read here.

Am I impacted if I don't have a business registered in the EEA but sell products and services to EEA customers?

  • For merchants using the 2Checkout PSP solution with headquarters based outside the EEA but selling to EEA customers, the SCA rules do not apply.
  • Any merchants using the 2Checkout Merchant of Record/Reseller solution and selling to EEA customers are impacted by PSD2 and SCA rules, since 2Checkout acts as a reseller registered in the EEA.

Will my customers need to authenticate every recurring payment in a subscription?

Starting December 31st, 2020, SCA applies to the initial transaction, and each subsequent transaction does not require authentication as long as there is no change in the subscription amount or payment method.

If I use connectors or the API, am I affected by SCA rules?

If you are a merchant based in the European Economic Area (EEA) and accept payments from customers residing in EEA, you are impacted by PSD2 no matter what type of integration you are using.

What should online sellers do next?

We have compiled here a few recommendations for online sellers.

What is the penalty for not applying SCA on a transaction?

If an issuing bank requests SCA on a transaction and the authentication is not validated, the bank will most likely decline the authorization.

Where can I find more information regarding PSD2 and how to prepare for it?

You can read more about PSD2 and how to prepare for it here and here.

Is there an infrastructure for certification of PSD2 compliance?

No certification of PSD2 compliance is currently in place.

If I have more questions about PSD2, SCA, or 3D Secure 2, where can I ask?

If you are a merchant, you can contact us here.

If you are a shopper, you can contact us here.