We will continue to update this page as soon as more information and integration details are available from our payment gateway partners. If you have any question, reply in the Community post or reach out to your gateway provider directly.
PSD2 is an extensive revision of the European Union’s Payment Services Directive regulations. It comes into effect on September 14, 2019. The PSD2 regulations significantly change how payment services operate in Europe, and are intended to foster competition and consumer choice with respect to payment service providers.
The objectives of the PSD2 legislation include:
- Standardize regulations and integrate the market for payment services across EU countries.
- Ensure fair competition and transparency.
- Open payment services ecosystem and reduces bank monopoly on their customer’s data. It will allow third-party service providers to retrieve customers' account data from the bank with account holders' consent.
Strong customer authentication
Strong customer authentication (SCA) is one of the mandates of PSD2 that is most applicable to Zuora customers in the European Union. SCA requires that merchants use two-factor authentication to reduce the risk of fraudulent transactions. As a growing number of transactions take place online, especially on mobile devices, SCA will help to make it easier for customers to pay and reduce the risk and cost of payments fraud.
With SCA, all electronic transactions will need authentication using at least two of three possible methods:
Something only the user knows, such as password
Something only the user possesses, such as a token or mobile phone
Something the user is, such as a biometric (fingerprint recognition)
Benefits of SCA
SCA can introduce the following direct and potential benefits to your business:
- Reduce the risk of fraudulent transactions.
- Lower the chargeback rate because of the increased authorization approvals.
- Lower the customer churn rate by providing a secure environment with minimal impact on customer experience.
- Increase customers' confidence in online transactions.
SCA is made a requirement for all online transactions by PSD2. However, some exemptions are applicable to a given payment attempt, which means end customers may not need to provide additional authentication for their transactions. Typical exemption use cases include:
After carrying out transaction risk analysis (TRA), the acquirer or issuer decides that the transaction does not need to be challenged. TRA may be applied to transactions up to €500.
The exemption applies if the transaction value is less than €30. But the issuer must keep track of the accumulated amount and the number of transactions. The issuing bank must overrule the exemption once a card exceeds a certain threshold.
The SCA exemption applies to a series of transactions of the same amount made to the same business. SCA will be required for the customer's first payment, and the subsequent charges may be exempted.
Cardholders have the option to whitelist merchants as a “trusted beneficiary” when completing authentication for a payment. The issuer or payment service provider will not require strong customer authentication on subsequent payments for the same merchant. This exemption depends on if the issuing bank has adopted the whitelisting feature.
Merchant-initiated transactions (MITs) are the transactions that are initiated using the previously stored card information when the cardholder is not present. Technically, MITs are out of the scope of SCA. However, submitting an MIT is considered to be requesting an SCA exemption in practice. Like other transaction, it is still the bank who should determine whether authentication is needed.
Using 3DS2 for SCA compliance
A new standard called 3DS2 (3D Secure 2.0) is now being promoted as a solution for SCA under PSD2. 3DS stands for 3D Secure, an open standard used by major credit card brands to authenticate cardholders. 3DS can dramatically reduce fraud and increase authorization approvals and is one of the primary ways for Payment Services Providers to comply with the SCA mandate.
3DS2 requires merchants to send additional data with each transaction so that the bank can validate if the transactor is the actual cardholder. If the data matches what the bank requires, the transaction will continue as a frictionless flow and no further user input is required.
The following table describes the difference between 3DS and 3DS v2 and why it is important:
|3DS (3DS v1)||3DS2 (3DS v2)||Why is it important?|
|For payment cards only||Also supports mobile and digital wallets||Greater flexibility and support for mobile e-commerce.|
Designed for web desktop
|Streamlined for mobile interaction models/devices||3DS2 adoption expected to be greater because it is easier to use.|
|Higher false declines||
Modified authentication flow and reduced false declines
|Customers are more likely to abandon a transaction or use a different payment method.|
|No merchant opt-out or exceptions||Lower-value transactions exempted from validation, depending on the merchant's fraud rate||Greater flexibility and alignment of the protocol to the risk of a particular transaction.|
|10 data points captured||Up to 150 data points captured||
The issuer can make better decisions about the validity of the transaction with more data, preventing both fraudulent transactions as well as false positives.
Zuora's support for PSD2
Zuora integrates with different payment gateways and processors, and provides PCI compliant hosted Payment Pages. To help you prepare for PSD2, Zuora integrates into the 3DS solutions for all applicable payment gateways.
See the following articles for more information: