2020 has been quite the year, to say the least, and we can’t wait for it to finally come to a close. Before we collectively break out the bubbly, though, there’s one thing European merchants need to make sure they’ve taken care of: compliance with Strong Customer Authentication, or SCA, as dictated by Payment Services Directive 2 (PSD2).
If you haven’t perused our previous blog posts about PSD2 and SCA (see our posts about working with your gateway on PSD2 and what you need to know about SCA), here is a quick summary of what you need to know so you’re ready to start accepting transactions seamlessly in the new year.
What is PSD2, and when does it go into effect?
PSD2 is an EU regulation that governs electronic and other non-cash payments. The main provision of PSD2 is Strong Customer Authentication, or SCA, a process that seeks to make online payments more secure by reducing fraud, all while increasing authorization rates.
While PSD2 was originally supposed to go into effect on September 14, 2019, the deadline was extended to December 31, 2020 (note that the UK Financial Conduct Authority [FCA] delayed PSD2 enforcement to September 14, 2021). This means merchants who conduct business in the EU must ensure they’re compliant with SCA by the end of 2020.
How do I know if I’m required to comply with PSD2 and SCA?
PSD2 applies to all online transactions where both the issuing and acquiring banks are located in the European Economic Area (EEA). You should also be aware that similar regulations are expected to be adopted in Australia and New Zealand in January 2020.
How do I make sure I’m compliant?
To meet SCA requirements, you must present your customers with a 3D Secure (3DS) flow when they make an online purchase. This allows you to both authenticate the customer’s identity and validate that they are the valid holder of the credit card they’re using to complete the purchase.
You will need to build this additional authentication into your checkout flow in order to continue to process certain transactions once PSD2 goes into effect. Starting December 31, 2020, card issuers will begin declining payments that require SCA but have not been authenticated via 3DS.
Does PSD2 apply to all transactions?
No, not all transactions are subject to PSD2 requirements. Here are some specific highlights:
PSD2 applies to one-time transactions, including the initial sign-up transaction for a subscription, that are made via credit cards and alternative payment methods.
PSD2 does NOT apply to Merchant-Initiated Transactions (MIT), such as recurring subscription charges.
Most alternative payment methods such as PayPal, Amazon Pay, and Apple Pay are already PSD2-compliant and meet SCA requirements, while cash payments are PSD2-exempt.
For renewal purchases, Recurly will request to have these transactions exempted from SCA by flagging them as “MIT.” This includes existing subscriptions that started prior to December 31, 2020. It is still prudent, though, to ensure you have a well-thought-out dunning process in place in case MIT SCA exemptions are rejected by card issuers and your subscribers need to come back “in-session” to complete the SCA flow.
What is Recurly doing to help prepare for PSD2?
Recurly is doing everything we can to make the transition as seamless as possible for our merchants. Our goal is to keep things easy for our customers by providing a solution that minimizes the amount of work development teams need to complete.
We’re actively working with the payment gateways and payment partners we support. Check out our gateway-specific update guide.
Wait, I have more questions!
No worries! We’ve got you covered. Read our complete guide for an overview of PSD2 and SCA; it includes a host of frequently asked questions.
Need more guidance? We recommend reaching out to your gateway first, but as always, our friendly support team is also here to help.