It’s estimated that by 2024, 74% of fraudulent card transactions worldwide will involve card-not-present (CNP) transactions. The PSD2 regulatory framework is designed to protect customers and financial institutions operating in the digital payment ecosystem from fraud, especially CNP fraud.
Who falls under the umbrella of PSD2 SCA compliance? Well, it's not just the traditional players in the banking industry. Thanks to PSD2, new players like Payment Initiation Service Providers (PISPs) and Account Information Service Providers (AISPs) have entered the scene. PISPs act as intermediaries between customers' banks (or wherever their money is held) and sellers of goods or services. AISPs, with the user's permission, consolidate all of the user's financial information (such as deposits, loans, and direct debits) in one place.
If your company falls into these categories, you need to adhere to the PSD2 SCA requirements when providing the following services:
If the payment or information instruction is initiated and processed in the regulation’s area, it must follow PSD2 SCA guidelines. For US companies, this could apply, for example, if they have a European-based entity or are looking to provide the specific services mentioned to EU citizens.
Organizations are required to decline transactions that do not meet SCA requirements. There are exemptions for small transactions (less than €30), for transactions where the financial institution can prove the transaction is low-risk, and for cases where the customer has whitelisted the service provider, such as for a direct debit of a phone or electricity bill.
To comply with the PSD2 SCA requirements, organizations must ensure that their customer authentication meets the regulatory technical standards (RTS) set out for PSD2 SCA. This involves implementing MFA for relevant transactions and adhering to other specifications detailed in the RTS. These include:
Beyond regulatory compliance, PSD2 SCA brings other significant benefits to financial institutions and their customers, including improved customer security, fraud reduction, and a better user experience.
First and foremost, PSD2 SCA enhances customer security by raising the bar for authentication. With MFA in place, it becomes much harder for attackers to impersonate users and carry out fraudulent activities. While there are still issues around allowing knowledge factors (namely passwords) in MFA, as they can be easily phished or brute-forced, mandating MFA is a major step towards a more secure online world for consumers.
Fraud committed through account takeover, which uses a victim’s card or bank details to purchase items, can create significant distrust between the customer and the firm involved, even if neither party was at fault. Reducing payment fraud fosters greater trust in online transactions, making customers more comfortable with making purchases and boosting revenue opportunities for service providers.
The PSD2 SCA regulation recognizes the importance of maintaining a user-friendly process. Nobody wants frustrated customers abandoning their shopping carts due to cumbersome authentication requirements or forgotten passwords. The specification for being accessible and user-friendly means companies complying with PSD2 SCA should consider how their authentication stream impacts the user and how it can be as frictionless as possible.
Earlier this year, the European Commission presented a study on the application and impact of PSD2. The study follows a period of open consultations into revisions of PSD2 legislation. It is widely expected that a PSD3 framework will be announced, but its timing and the extent of the revisions have not yet been made public.
PSD2 regulates financial transactions in the EU and other countries such as the UK and Norway. Its strong customer authentication (SCA) requirement obliges financial institutions, banks and payment service providers to maintain strict MFA procedures for operations such as payments over €30 or requests for account information. The PSD2 SCA requirements aim to improve online consumer trust by reducing fraud and account takeover attacks, without a significant trade-off in user experience.
HYPR’s True Passwordless solution for customer authentication allows firms to fully comply with the PSD2 SCA and transaction signing directives, including cryptographic signing of every transaction and unique dynamic linking. With HYPR, you can ensure SCA regulatory compliance while removing friction from your CIAM security process. To learn more, read our PSD2 SCA guide or contact our team.
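To make the exemption rules described earlier and the dynamic linking mentioned in the closing paragraph concrete, here is an added illustration in Python; it is not HYPR's code and not a conformant SCA implementation. The device key (standing in for the customer's registered possession factor), the nonce, and the low-risk flag being supplied as an input are assumptions of this example.

```python
import hmac
import hashlib
from dataclasses import dataclass
from typing import Optional

# Threshold from the text: transactions below EUR 30 may be exempt from SCA.
SCA_THRESHOLD_CENTS = 30_00


@dataclass(frozen=True)
class Payment:
    amount_cents: int           # amounts as integer cents, never floats
    payee: str                  # merchant / beneficiary identifier
    low_risk: bool = False      # assumed: verdict of the PSP's own risk analysis
    allowlisted: bool = False   # customer has whitelisted this payee


def sca_required(p: Payment) -> bool:
    """Apply the exemptions the text lists; everything else needs SCA."""
    if p.amount_cents < SCA_THRESHOLD_CENTS:
        return False
    if p.low_risk or p.allowlisted:
        return False
    return True


def dynamic_link_code(device_key: bytes, p: Payment, nonce: str) -> str:
    """Authentication code bound to amount and payee (dynamic linking).

    The device key stands in for the possession factor registered to the
    customer (an assumption of this example); the nonce prevents replay.
    """
    msg = f"{p.amount_cents}|{p.payee}|{nonce}".encode()
    return hmac.new(device_key, msg, hashlib.sha256).hexdigest()


def authorise(device_key: bytes, p: Payment, nonce: str,
              code: Optional[str]) -> str:
    """Return 'exempt', 'approved' or 'declined' for a payment instruction."""
    if not sca_required(p):
        return "exempt"
    if code is None:
        return "declined"       # SCA required but no authentication code given
    expected = dynamic_link_code(device_key, p, nonce)
    # Constant-time comparison; any change to amount or payee changes `expected`,
    # so a code captured for one payment cannot authorise a modified one.
    return "approved" if hmac.compare_digest(expected, code) else "declined"


if __name__ == "__main__":
    key = b"constructed-device-key"          # constructed sample secret
    p = Payment(250_00, "merchant-a")
    code = dynamic_link_code(key, p, "nonce-1")
    print(authorise(key, p, "nonce-1", code))                        # approved
    print(authorise(key, Payment(900_00, "merchant-a"), "nonce-1", code))  # declined
```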