21 Aug 2019 | 10.36 am

The EU’s Payment Services Directive 2 comes into force on September 14, bringing with it new responsibilities on e-commerce firms and financial institutions to bolster payment security. The main aim of the new regulations is to combat fraud, but they also open up the payments sector to third-party providers who can manage your online payments for you (previously, banks had sole control over your account information with them).

Irish retailers have been slow to get their online payment systems in line with PSD2, so much so that the Central Bank has granted a grace period – yet to be delimited – for e-commerce businesses to get their websites in order after September 14.

Although PSD2 became law in Ireland in January 2018, research commissioned recently by Stripe suggests that more than half of small businesses either don’t know what Strong Customer Authentication (SCA) is, won’t be compliant by September 14 or don’t yet know when they’ll be compliant.

PSD2 will require businesses selling online within the European Economic Area to implement Strong Customer Authentication (SCA) for transactions over €30. This means that they need to introduce a two-factor authentication process into their checkout procedure before a customer can complete a purchase online.

Some businesses already have two-factor authentication processes built into their online payment platforms but many don’t. PSD2 thus introduces an extra step into the payments process, which is good for security but can be bad for business – e-shoppers are impatient at the best of times, with international research suggesting that between 70% and 85% of carts are abandoned on a website before purchasing.

How SCA regulations will affect your business depends on the type of purchase, when you charge a customer (i.e. during or after checkout) and what bank your customer uses. Payments platforms such as Stripe, PayPal and Fire have already tweaked their software to accommodate the PSD2 regulations, and banks are following suit. Online vendors may need to update their existing software to implement these changes.

PSD2 Exceptions

There are exceptions to the regulations. SCA will not normally be required for transactions below €30 or for regular payments of the same amount to the same payee, such as you’d see with subscriptions, although they will still require SCA for the initial set-up payment.

Card providers such as Visa and MasterCard have tended to use software called 3D Secure to help authenticate shoppers. A revamped 3D Secure 2 promises a quicker and smoother two-factor authentication protocol. It’s also the only compliant SCA solution available for card payments.

Cardholders can also whitelist a business they trust, thus making them exempt from future SCA. However, the card issuer can veto this whitelisting application. Merchant-initiated transactions (e.g. a cancellation fee or monthly bills) can also be exempt from SCA. Stripe has indicated that its system will be able to handle such exemptions and the other main payment processors will too.

The regulation requires companies and banks handling online payments to validate the customer’s identity through any two of the following three categories: something that the customer knows (e.g. a one-time PIN or password that your system sends them to complete the transaction), something the customer has (e.g. a card or a mobile phone to send the PIN to) or something the customer is (e.g. a fingerprint or face recognition).