Since 14 September 2019, PSD2 has been in effect. It stands for Payment Services Directive 2, the European legislation for payment traffic. Strong Customer Authentication (SCA) is part of this regulation. SCA applies to all online payments where both the seller and the buyer are located within the European Economic Area.
Update: As of 31 December 2020, SCA is mandatory. If you’re a Buckaroo merchant, you automatically comply with these requirements—no action required.
This new rule is intended to protect European consumers from online fraud, which causes millions in damages. The European e-commerce market is expected to grow to nearly €900 billion by 2022.[1] And with that, online fraud will also increase. The European Central Bank estimates that €1.3 billion in online credit card fraud is currently committed annually.[2] As fraud tactics become more sophisticated, legislation must keep pace. Strong Customer Authentication makes payments more secure.
SCA requires that an extra authentication step be performed during online credit card payments. Previously, just a credit card number and CVC code were sufficient. Now, at least two authentication factors are needed to secure the transaction.
Chargebacks are a common problem for online merchants and can lead to lost revenue. Crypto payments offer more peace of mind because of their low chargeback risk. Crypto transactions are irreversible, meaning you don’t need to worry about refunds or fraud.
A traditional password (something you know) can now be replaced with a fingerprint (something you are) read by your smartphone (something you own). Authenticating with two such factors is called Two-Factor Authentication (2FA).
Credit card companies like VISA and Mastercard already offer their own versions of 2FA, known as 3D Secure 1.0. During checkout, the customer is redirected to an environment where they must enter a password or PIN. This often leads to unnecessary drop-offs.
As part of PSD2, 3D Secure 2.0 is being introduced. This allows consumers to complete the authentication step via fingerprint or facial recognition on their phone. This updated version makes it easier and faster to complete a secure payment. The responsibility to implement SCA lies with the issuing bank—the one that issued the credit card. Buckaroo, as a Payment Service Provider, ensures a frictionless payment experience wherever possible. That includes checking whether 3D Secure 2.0 is required, since some transactions are exempt.
SCA is required for all online transactions, but there are exceptions. For example, with low-risk payments, the number of times a customer must authenticate may be reduced. Buckaroo will adapt its checkout process so merchants can benefit from these exceptions without impacting conversion.
When a consumer selects “Pay with credit card,” Buckaroo performs a check to determine whether SCA is required. Whether or not SCA applies depends on the credit card and any exemptions. However, it’s ultimately up to the issuing bank to approve the exemption. The checkout flow (with or without SCA) looks like this schematically:
Online retailers do not need to take any action themselves. Buckaroo will ensure that all necessary changes to comply with the new directive are implemented in the checkout process. Wherever possible, we will apply exemptions to Strong Customer Authentication to maintain a seamless checkout experience.
[1] https://451research.com/451-research-s-global-unified-commerce-forecast-uncovers-dramatic-shifts-in-consumer-spending-patterns
[2] https://www.ecb.europa.eu/pub/cardfraud/html/ecb.cardfraudreport201809.en.html
*Note: This blog post is based on the official PSD2 directive.