This client alert was authored by Simon Deane-Johns and Trevor Salter.
From 14 September 2019, certain electronic and remote payments must be subjected to two-factor, or “strong customer authentication” (SCA), under regulatory standards covering the European Economic Area (EEA) relating to the second EU Payment Services Directive, which took effect in January 2018 (PSD2). Retailers are uncertain whether these new European anti-fraud measures will cause consumers to abandon online purchases. Some transactions may be impacted although others may be exempt.
The New Rules
The impact of the new rules is difficult to predict. In particular, SCA would apply to retailers accepting online payments from consumers based in the EEA, even if the retailer itself isn’t EEA-based, but only the payment service provider (PSP) issuing the security credentials, such as the card-issuing bank, ultimately decides whether an exemption applies. Taking that decision away from the retailer and their own PSPs (i.e., their “merchant acquirers”) means that the retailer may be unable to predict whether a customer faces an extra security step and, if so, the proportion of transactions that might be abandoned if the customer is not ready or willing to undergo that check. SCA could also affect online card payments, as well as payments in e-money and online bank transfers, in a range of circumstances that might not fit exemptions or that are hampered by legacy systems. With online sales rapidly approaching 20% of total retail sales in the UK, this represents a significant challenge for all existing and future retailers, not to mention the impact on consumers’ online shopping experience.
Whether a transaction is caught by SCA first depends on whether PSD2 applies. Some payment services and transactions may be completely out-of-scope of PSD2 based on currency and/or geographic location of the participants, or may be in-scope, but specifically excluded. Even if a transaction is in scope and not excluded under PSD2, a transaction may be subject to certain exemptions under the SCA standard.
Scope of PSD2
Scope of SCA
Payment transactions that are in scope of PSD2, and which do not benefit from an exclusion, may be subject to SCA when initiated. In a retail context, SCA must be applied where the payer initiates an electronic payment transaction or carries out any action through a remote channel that carries a risk of payment fraud or “other abuses”. While in-person card payments at an attended point of sale might on their face be out-of-scope (as not being solely “electronic” or remote transactions), the SCA standard assumes that chip-and-PIN card readers and 3D Secure (a technical security standard created by the card networks) are generally available. So, to the extent that a physical point-of-sale is not chip-and-PIN enabled or a 3D Secure environment, there may be some risk that the SCA standard still applies even though it is a card-present transaction.
The SCA standard generally applies to online transactions, but the regulated PSP that issues the payer’s security credentials, such as the card-issuing bank, may decide not to apply SCA, depending on the payment method and type of transaction. The SCA exemptions may be summarized as follows:
a) Remote low-value transactions: up to €30 per transaction (cumulative limit of five separate transactions or €100);
b) Series of recurring transactions: this could include, for example, subscriptions – as long as the recurring transactions are for the same amount and payee (but SCA must be applied to the first transaction in the series);
c) Whitelisted merchants: Customers can add merchants to a whitelist of “Trusted Beneficiaries” maintained by their issuing bank, but the merchant is not allowed to prompt the customer to do this;
d) Corporate transactions: through a regulator-approved, dedicated process only available to non-consumers (although member states might treat micro-enterprises as consumers);
e) Contactless payments: up to €50 (cumulative limit of five separate transactions or €150);
f) Unattended payment terminals: but only for purposes of paying transport fares or parking fees;
g) Low-risk transactions: as determined by the card issuer, depending on the average fraud levels of the issuer and the acquirer processing the transaction, rather than the merchant or channel, with different limits for cards and credit transfers.
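As an added illustration (not code from the alert, the EBA or any issuer), the issuer-side decision described by exemptions a), b), c) and e) above, modelled in Python with the thresholds the list gives. The CardState fields, the "remote"/"contactless" channel labels and the rule that cumulative counters restart whenever SCA is applied are assumptions, not statements from the page.

```python
from dataclasses import dataclass, field

# Thresholds from the exemption list: (per-transaction cap, cumulative cap, max consecutive exempt transactions)
REMOTE_LOW_VALUE = (30.0, 100.0, 5)   # exemption a)
CONTACTLESS = (50.0, 150.0, 5)        # exemption e)

@dataclass
class CardState:
    """Issuer-side state for one card. Assumption (not stated on the page): the
    cumulative sums/counts cover exempted transactions since the last SCA and reset on SCA."""
    remote_sum: float = 0.0
    remote_count: int = 0
    contactless_sum: float = 0.0
    contactless_count: int = 0
    trusted: set = field(default_factory=set)      # payees whitelisted by the cardholder (exemption c)
    recurring: dict = field(default_factory=dict)   # payee -> amount fixed by the SCA'd first transaction (b)

def _within(amount, total, count, limits):
    per_txn, cumulative, max_count = limits
    return amount <= per_txn and total + amount <= cumulative and count < max_count

def decide(card, payee, amount, channel, recurring=False):
    """Return (sca_required, reason). channel is 'remote' or 'contactless' (assumed labels)."""
    if payee in card.trusted:
        return False, "trusted beneficiary"
    if recurring:
        if card.recurring.get(payee) == amount:
            return False, "recurring series, same amount and payee"
        return True, "first transaction of a recurring series, or amount changed"
    if channel == "remote" and _within(amount, card.remote_sum, card.remote_count, REMOTE_LOW_VALUE):
        return False, "remote low-value"
    if channel == "contactless" and _within(amount, card.contactless_sum, card.contactless_count, CONTACTLESS):
        return False, "contactless low-value"
    return True, "no exemption applies"

def authorize(card, payee, amount, channel, recurring=False):
    """Take the decision and update the card's counters; returns (sca_required, reason)."""
    sca, reason = decide(card, payee, amount, channel, recurring)
    if sca:
        # SCA applied: restart the cumulative counters (assumption) and anchor any recurring series
        if channel == "remote":
            card.remote_sum, card.remote_count = 0.0, 0
        else:
            card.contactless_sum, card.contactless_count = 0.0, 0
        if recurring:
            card.recurring[payee] = amount
    elif reason == "remote low-value":
        card.remote_sum, card.remote_count = card.remote_sum + amount, card.remote_count + 1
    elif reason == "contactless low-value":
        card.contactless_sum, card.contactless_count = card.contactless_sum + amount, card.contactless_count + 1
    return sca, reason
```

The constructed sequence in the test shows the sixth small contactless payment, and the remote payment that would push the running total past €100, both falling back to SCA.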
In addition, the European Banking Authority (EBA) has issued guidance in the form of an opinion and a Q&A on its interpretation of the SCA standards and exemptions (although the courts would be the final arbiters). For instance, the EBA has issued a non-binding interpretation that transactions initiated only by the payee (referred to in the industry as “merchant initiated transactions”) are outside the scope of the SCA “to the extent that these transactions are initiated without any interaction or involvement of the payer”.
The original payment authorization would still need to be subject to the SCA if done remotely, and such “payee initiated transactions” are subject to certain liability constraints under PSD2.
Despite Brexit, the same rules are likely to apply in the UK. The UK FCA has already proposed regulatory technical standards for SCA which will apply in the UK from 14 September 2019 in the event of a no-deal exit by the UK from the EU.