The PSD2 Strong Customer Authentication clock continues to tick. The deadline is now less than 9 months away. The new SCA rules go into effect from 14th September 2019. How prepared are you for PSD2 Strong Customer Authentication (SCA)? Recent Mastercard research, conducted in Q4 2018, revealed that “75% of online merchants in Europe are potentially unaware of [SCA]”, and some issuers and acquirers are more prepared than others.
SCA rules will require that payers take additional security steps to identify themselves to their bank before being able to complete a payment. This extra step will add friction to the customer checkout experience and may impact conversion rates. SCA regulations make issuers legally responsible for carrying out SCA. Merchants need to be in a position to request the exemptions that exist for specific transactions. Otherwise, EU issuers will be required to apply SCA to all remote electronic payments that are deemed in scope by the regulations.
These rules are part of a global reboot of e-commerce security, and e-commerce markets globally are in the process of shifting to a more secure, low-fraud environment. This is the new normal.
Fortunately for merchants relying on card payments, a PSD2 SCA compliant solution exists in the shape of 3DS version 2, otherwise known as EMV 3-D Secure or EMV 3DS. This is the updated version of the original version 1. The latest and most important update of the specification - EMV 3DS v2.2.0 - was published by EMVCo in December 2018. It is important for merchants to understand the implications of this latest specification.
EMVCo states that:
...key updates include improved communication between merchants and issuers, enabling SCA to be applied. While the previous version of the EMV 3DS Specification enables PSD2 compliance, the latest updates provide additional features for merchants and issuers to maximise the benefit of the available exemptions.
The first point is that v2.2.0 contains specifications for handling the exemptions that are permitted by the SCA regulations. SCA exemption is a major topic in its own right. We have previously summarised the key exemptions available, so we will not expand on this topic in this article. What is important is that merchants check that whoever they are planning to rely on to provide the EMV 3DS service is aiming to run v2.2.0. Exemption options will be limited without it.
The complete end-to-end EMV 3DS infrastructure includes 4 components, as follows:
- Web browsers connect to a 3DS Server hosted by the merchant, a PSP, an acquirer or another 3rd party. Native mobile apps need a 3DS SDK client, which then connects to a 3DS Server
- The 3DS Server then connects to an issuer's ACS (Access Control Server) via a scheme's DS (Directory Server)
So merchants really need to concern themselves with the 3DS Server and 3DS SDK components, and check that whoever they are relying on to provide these components is going to be able to support 3DS version 2.2.0.
The path to full certification is a long one. First, vendor solutions need to pass independent testing and then complete functional testing with EMVCo. Then, these need to be certified by the card schemes.
So far EMVCo has issued approval letters for 15 different 3DS Server products. These are certified for EMV 3DS version 2.1.0 only. The functional testing environment for EMV 3DS v2.2.0 has not started yet and is somewhat behind schedule. An EMV 3DS solution must first be certified for version 2.1.0 before it can be certified for version 2.2.0. So as we approach the September deadline, there is clearly going to be a squeeze, and it is quite possible that not all solutions will be fully certified by all schemes in time.
So the key message here is that merchants should not take for granted that their chosen EMV 3DS provider will be in a position to support SCA exemptions by September, and should check and track EMVCo approved products.
The content of this article does not reflect the official opinion of Edgar, Dunn & Company. The information and views expressed in this publication belong solely to the author(s).