Under the revised Payment Services Directive (2015/2366) (PSD2), the European Banking Authority (EBA) and the European Commission were required to develop and adopt regulatory technical standards on strong customer authentication and common and secure open standards of communication. These regulatory technical standards were passed into EU law as Commission Delegated Regulation (EU) 2018/389 (the RTS), which entered into effect on September 14, 2019.
The RTS has direct effect on payment service providers (PSPs), including card issuers and acquirers, in all EU member states. However, certain EU member states, including the UK, have implemented transitional measures for a phased implementation of the rules in the context of card-based payments for e-commerce transactions.
This post discusses the requirements under the RTS for card issuers and acquirers to authenticate payment service users (PSUs), which is referred to as “strong customer authentication” (SCA).
STRONG CUSTOMER AUTHENTICATION
What is SCA?
“Strong customer authentication” is defined under PSD2 as an authentication based on the use of two or more elements categorised as knowledge (something only the user knows), possession (something only the user possesses) and inherence (something the user is) that are independent, in that the breach of one does not compromise the reliability of the others, and is designed in such a way as to protect the confidentiality of the authentication data[.]
In other words, it is a process for authenticating a PSU’s identity that involves at least two of the following elements, where knowing one will not result in knowing the others:
- knowledge: something the user knows (e.g., a password or a PIN);
- possession: something the user possesses (e.g., a particular SIM card in a mobile phone or a token or smart card); and/or
- inherence: a biometric characteristic (e.g., a fingerprint, or eye or facial pattern, or the sound of the user’s voice).
Under the RTS, a PSP must also ensure that the security features associated with these elements meet certain security standards, including:
- ensuring sufficient length or complexity for the knowledge elements;
- introducing a minimum key length requirement (e.g., of a token) for the possession elements; and
- relying on robust algorithmic specifications for the inherence elements.
In short, the security and integrity of these SCA elements should be designed so as to mitigate the risk of their being discovered by unauthorized persons. For remote transactions (i.e., where the PSU is absent), so-called “dynamic linking” must also be used. This involves linking the transaction to a specific amount and a specific payee, for instance by the use of one-time passwords.
A PSP subject to the SCA requirements must also ensure the secure delivery or transmission of personalized security elements. The processing and routing of such security credentials (and of the relevant authentication codes used for dynamic linking) must take place in secure environments in accordance with strong and widely recognized industry standards.
When must SCA be applied?
A PSP must apply SCA when a PSU:
(i) accesses its payment account online;
(ii) initiates an electronic payment transaction; or
(iii) carries out any action through a remote channel that may imply a risk of fraud.
In relation to card payments, SCA applies to transactions initiated by the payer through the payee (i.e., a card transaction initiated by the payer at the point of sale, online or in-app).
Card payments initiated by the payee only – exclusion
The EBA has confirmed that card-based merchant initiated transactions (MITs) are excluded from the scope of the SCA requirements. These are characterized by a lack of involvement of the cardholder in triggering the specific individual payment.
An MIT is a payment or series of payments initiated by a merchant without any direct intervention from the cardholder under the terms of a pre-existing authority given by the cardholder to the merchant. The cardholder will be involved in giving the mandate and, for a series of transactions, may initiate the first transaction. The subsequent transactions are then initiated by the merchant only, without any interaction by the cardholder.
MITs are out of scope of the SCA requirements provided that they are governed by a valid mandate given by the cardholder to the merchant, are initiated by the merchant only, and where required SCA was applied when that authority was first given or when it is amended. The initial mandate from the cardholder and any later amendments to the mandate would be subject to the SCA requirements.
Examples of MITs given by the EBA include utilities bill payments, TV and mobile phone subscriptions, digital services subscriptions and insurance premium payments.
Card payments initiated with cards registered on file with the merchant where the cardholder is required to trigger each individual payment (also known as card-on-file payments) will not fall within the scope of this exclusion.
In practice, there may be certain payments in relation to which card schemes, issuers and acquirers could take different views on whether to rely on the MIT exclusion or the recurring transactions exemption (see below). This will affect which party is liable for an unauthorized or fraudulent transaction. If the MIT exclusion applies, the issuer will generally be liable. However, if the parties are relying on an exemption under the RTS that the acquirer has requested, the liability will shift to the acquirer.
Are any exemptions available for card payment transactions?
A PSP may be exempt from applying SCA under certain limited circumstances, set out in Articles 11 to 18 of the RTS. In relation to card payment transactions, the key exemptions are:
- Article 11 – contactless payments at point of sale of €50 or less, provided that they do not exceed a cumulative value of €150, or the number of previous contactless payments is less than five
- Article 12 – payments at unattended terminals for transport fares and parking fees
- Article 13 – trusted beneficiaries, where a cardholder requests that an issuer white lists a merchant so that SCA is not required on subsequent transactions to that merchant. An issuer must apply SCA when the cardholder creates or amends the list of whitelisted merchants
- Article 14 – recurring transactions, involving a series of recurring transactions with the same amount and the same merchant
- Article 16 – low-value transactions, provided that the amount of the remote electronic payment transaction (i.e., card not present) does not exceed €30 and the cumulative amount of previous remote electronic payment transactions initiated by the cardholder since the last application of SCA does not exceed €100, or that the number of previous remote electronic payment transactions initiated by the cardholder since the last application of SCA does not exceed five consecutive individual remote electronic payment transactions
- Article 18 – Transaction risk analysis (TRA) transactions, which have been identified as presenting a low risk of fraud pursuant to certain conditions (see below for more detailed discussion of the TRA exemption)
These exemptions are separate and independent from one another. Only one needs to apply for any given transaction, even if a transaction could qualify for more than one exemption.
Calculating fraud rate for the TRA transaction exemption
The TRA exemption under Article 18 allows a PSP not to apply SCA in the case of low-risk transactions where a transaction risk analysis has been conducted.
This exemption is subject to strict criteria, including that the fraud rate for that type of transaction falls below certain reference fraud rates and the overall transaction value falls below a defined “Exemption Threshold Value.” Reliance on this exemption therefore necessitates ongoing monitoring to help ensure that such values are not exceeded and the fraud indicators remain relevant.
The fraudulent transactions included in the calculation for a given PSP’s fraud rate should be based on the unauthorized transactions for which the given PSP is liable and other fraudulent transactions that have not been prevented by that PSP.
The fraud rate therefore includes not only unauthorized transactions but also fraudulent transactions resulting from the “manipulation of the payer,” which is defined in the EBA’s Guidelines on Fraud Reporting as “payment transactions made as a result of the payer being manipulated by the fraudster to issue a payment order, or to give the instruction to do so to the payment service provider, in good faith, to a payment account it believes belongs to a legitimate payee.”
In addition to SCA, the relevant PSP will also have to perform a real-time risk analysis to identify certain indicators of fraud risk and take into account a number of specified risk based factors including previous spending patterns and the transaction history of the cardholder.
Who applies SCA with respect to card payment transactions?
The PSP that issued the PSU’s personalized security credentials will be the PSP applying SCA. In a cards context, it is therefore generally the issuer that is required to apply SCA, not the acquirer or the merchant. This would be the case even if the process of applying SCA or the decision of whether to apply an exemption is outsourced to the merchant (e.g., in an e-commerce transaction).
The EBA has confirmed that the acquirer can rely on certain types of SCA exemption or to request that an SCA exemption is relied on, but it is the issuer that always makes the ultimate decision on whether to accept or rely on an SCA exemption.
Liability for unauthorized payment transactions
Generally, the issuer bears liability where there has been an unauthorized or fraudulent payment transaction.
However, as discussed above, where the acquirer applies an exemption, the acquirer will bear liability for an unauthorized transaction.
Further, where the issuer has outsourced the actual performance of SCA to either the acquirer or the merchant (or both), if the issuer is required to or chooses to apply SCA and the acquirer fails to apply SCA under such outsourcing arrangement, the acquirer could be considered to bear liability for “failing to accept” SCA.
In June 2019, following lobbying from acquirers, issuers, card schemes and merchants, the EBA published an Opinion on the elements of SCA. The Opinion addressed concerns about the preparedness and compliance of some actors in the payments chain with the SCA requirements by September 14, 2019.
The EBA said that it was not able to postpone an application date set out in EU law, but would allow member state regulators to agree with PSPs and relevant stakeholders, including consumers and merchants, to provide limited additional time to implement SCA in the context of card-based e-commerce transactions.
In August 2019, the FCA confirmed that it had agreed to an 18-month plan proposed by UK Finance, a trade association representing banks and other PSPs, that gives issuers and acquirers additional time to implement SCA. The FCA has confirmed that it will not take enforcement action against firms if they do not meet the relevant requirements for SCA from September 14, 2019. However, this is limited to card-not-present e-commerce transactions where the firm can demonstrate that it has taken the necessary steps to comply with the UK Finance co-ordinated plan. Further, the FCA expects all firms to have made the necessary changes and undertaken the required testing to apply SCA fully by March 14, 2021.
Regulators in other EU member states, including Germany, France, Italy and the Netherlands have set out, or expressed support for, analogous transition arrangements. However, the scope and conditions of these differ from country to country.