UPDATE! The SCA deadline imposed by the EC to has been extended by 18 months, meaning the new compliance date for Strong Customer Authentication (SCA) is March 2021.
What is PSD2?
Payments Services Directive (PSD2) is a directive from the European Commission (EC) that deals with the changing payments landscape that affects anyone doing business in the EC. The goal is to create more competition in the banking sector and to clear up who is responsible for what when it comes to payment.
It applies to payment providers within the European Union (EU) and European Economic Area (EEA). The EU countries are Austria, Belgium, Bulgaria, Croatia, Republic of Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden and the UK.
The EEA also includes Iceland, Liechtenstein and Norway.
Please note that UK businesses will need to adhere to PSD2 as dictated by the Financial Conduct Authority in the UK, even in the event of a no-deal Brexit.
What is SCA?
One of the new regulations is Strong Customer Authentication (SCA) for payments taken from European customers. SCA requires that checkout flows need to authenticate:
- Something the customer knows (e.g. password or PIN)
- Something the customer has (e.g. phone, credit card)
- Something the customer is (e.g. facial and fingerprint recognition)
The most common interpretation is that you need to offer two-factor authentication at checkout. So not only a credit and debit card but also a password or PIN.
SCA applies to both online and offline transactions, except for contactless payments.
Stripe has an excellent summary of SCA here.
What is 3D Secure (3DS)?
The most common implementation of SCA today is ‘3D Secure’ (3DS).
3DS is a form of two-factor authentication and therefore reduces fraud and chargebacks to the merchant. It’s not possible for a fraudster to make transactions even if they have a clone of a credit card - they will need more information than that.
Common implementations of 3DS you might recognise are consumer-facing brands like Visa Secure, Mastercard Identity Check, or American Express SafeKey. The 3DS standard was developed by EMV, a consortium of credit card transaction processors like Europay, Mastercard and Visa (that’s what EMV stands for).
How does 3DS work?
In 3DS, there is an additional step in checkout where you must enter a password that you’ve agreed with your card issuer (i.e. your bank).
This is most commonly done by allowing the customer to set a password the first time they checkout with a given debit or credit card, then this password is used to authenticate the user in future.
One problem with 3DS is that this extra step page during checkout is often left unconsidered and uses a different URL, linked to either the card issuer or the card company, rather than the merchant websites. This is confusing to many users and it’s also hard to tell if the page is genuine or not.
Monzo, a UK bank, has a notably better way of authenticating customers. During the 3DS step, the page simply asks the customer to open their Monzo app on their phone and from there they can approve the transaction.
Either way - 3DS is a way of authenticating a payment so that even if a card is cloned it can’t be used. Since the 3DS authentication mechanism does not rely on the merchant storing anything, there’s less chance of fraud even in the case that a merchant’s systems are compromised.
Outside of the US, banks have been encouraging the use of 3DS by offering lower processing fees to merchants or even mandating 3DS for merchants that sell high-value items. In most cases, if they are a merchant that forgoes using 3DS they must accept full fraud and chargeback liability.
Why is 3DS not used in the USA?
Our European and British readers will be used to having to complete the extra 3DS step.
The US has a much larger and more fragmented banking system and these changes encountered more resistance from customers in the mid-2000s. Instead, inferior mechanisms like CVC (card verification code) and Address Verification System (AVS, where the customer needs to enter their zip to authenticate a transaction) are still used.
Will that change? Probably. International merchants in the US will have to enable 3DS due to PSD2 anyway. And the 2nd generation of 3DS will eliminate usability problems by using contextual data from the transaction (order size, customer addresses, IP and MAC addresses, order histories and location etc) to approve transactions.
Where there is doubt, the bank will add the usual 3DS password page to challenge the customer. The good news is that even in this case, 3DS 2.0 will support modals within the merchant’s checkout, which are less confusing and easier to brand.
Does every transaction require SCA/3DS?
No - low-risk transactions can skip SCA so long as certain thresholds of fraud are not crossed.
Some implementations of 3DS will automatically approve transactions that are deemed not risky.
Does Shopify support SCA/3DS?
Not yet - but Shopify have said they will by compliant ahead of the deadline.
This covers both Shopify Payments and 3rd party gateways (used by % of Shopify merchants).
Do you need to do anything?
If you are using Shopify Payments, happily, no. Shopify will automatically enable SCA ahead of the PSD2 deadline.
If you are using 3rd party payment gateway then yes… you will need to get set up with Cardinal Commerce, a 3DS vendor, which Shopify will allow you to do through your store admin. However, it is up to your payment gateway to update their connection to Shopify and to add support for Cardinal Commerce. You will then need to add your credentials to a Cardinal Commerce login page to connect to their 3D Secure solution. You will see alerts in the Shopify admin to take action on this point.
Should I switch to Shopify Payments?
Naturally, Shopify is encouraging merchants to switch to Shopify Payments, which does make the process more straightforward and includes a host of extra features, but Shopify Payments is not available to all businesses e.g.
- Those outside the United States (including US territories except Puerto Rico), Canada, United Kingdom, Australia, Ireland, New Zealand, Singapore
- Those selling certain types of product e.g. some beauty lines
- Those that already have payment gateways plumbed into internal ERP systems
- Those with multi-currency requirements beyond the scope of Shopify Payments
- Enterprise businesses that won’t be able to switch in time.
Merchants with third party gateways will need to ensure their gateway completes the Cardinal Commerce 3DS implementation mentioned above.
Stay tuned for developments.
We're building the greatest ecommerce team in the world. If you're interested in joining our London or New York offices, have a read about what we can offer below.