From September 14, 2019 a PSD2 rule comes into force, namely Strong Customer Authentication (SCA). Back in 2015, the EU decided to introduce initiatives that would make it more difficult to commit fraud with someone else’s card.
The SCA step means that you (as a card holder) will have to identify yourself with an extra step in the payment process. In practical terms, that means using 2 of these 3 methods:
- Something you are (e.g. Touch ID, Face Detection, Iris Scan).
- Something you know (e.g. a static login/password or a PIN).
- Something you have (e.g. a card / card details, a phone, a token, an OTP SMS code).
SCA is not only relevant online, but also in the physical world. When a card holder uses chip and PIN, the card is something you have and the PIN is something you know. With contactless transactions in the physical world, you enter the PIN when the purchase amount exceeds the usual limit of 350 kroner (the €50 limit). And if a wallet such as Apple Pay, Google Pay or MobilePay is used, then you use your phone (something you have) and you are logged into your wallet with a fingerprint, Face ID or a code (something you are or something you know). So, in the physical world, SCA is something we already know and are used to.
In the online world, the picture is somewhat different. Some web shops have already introduced the extra step of 3D secure, but that is far from everyone.
There are a number of exemptions, and if one of them applies, the card holder will not have to go through SCA (2-step authentication). I will briefly mention some of them here:
MIT – Merchant Initiated Transaction. A transaction made when the cardholder is not present, for example when your phone bill is paid or when your Netflix or Spotify subscription is charged.
Low value transactions. As mentioned above, there is a limit below which SCA is not required. In the physical world it is €50 and in the online world it is €30.
Risk Based Authentication (RBA). The limit can be raised to €100, €250 or €500 if your acquirer or issuer can prove that they have very little fraud overall and therefore want the limit raised for their web shops or their cardholders.
Industry code exemption. Certain industries within transportation and parking are automatically exempt from SCA, even if the card holder is present. So you will not have to go through a 2-step verification when driving out of a parking garage, even if you have not used a PIN and the amount is over DKK 350.
One legged transaction. If your customer comes from outside the EEA, the transaction is considered “one legged” and is therefore not in scope for SCA.
None of the above exemptions can be controlled from the web shop; they are applied in the payment infrastructure. When your web shop sells goods for a total under €30 (approx. 220 kroner), the transaction will automatically be marked as “low value” and pass through the system. And if you set up recurring payments with your acquirer, those transactions will get an MIT stamp.
White listing. It is still unclear how issuer banks will implement white listing in Denmark, and it is therefore also unclear whether the web shop / merchant will have to register actively. But broadly speaking, white listing is a function where the cardholder (via their mobile bank or netbank) can indicate that your particular web shop is trusted, so that all transactions there fall under this exemption and do not need the extra security step (SCA). It is also likely that as a web shop you can offer your loyal customers a link to register your shop on their white list. The list is always displayed and maintained through the card holder’s bank / issuer.
What about “Saved Cards”?
Saved cards are convenient because your customer does not have to remember their card details; you do that for them. But it is a cardholder-initiated transaction (i.e. not MIT) and therefore falls under SCA. So if no other exemption applies, your customers will have to go through an additional security step. Fortunately, it is enough if your customer logs into their profile on your shop (something you know) and then verifies the payment with 3D secure (an OTP SMS code). But it WILL mean an extra step for your customer, and therefore communication is so important. If your customers expect to enter a code, they will feel comfortable with the flow and will probably understand that this step makes it less likely that they will experience fraud on their own card.
Payment methods like MobilePay, Apple Pay and Google Pay are considered SCA transactions in the online world as well, since your customer logs into their app to verify the purchase. Therefore, you may want to consider whether your flow will be better if your customer approves with a swipe, fingerprint or face recognition rather than entering an SMS code. But be aware that the issuers and/or Visa/Mastercard might not support this exemption from September 14th.
What happens if a transaction is not “stamped” with SCA or an exception?
To summarize: as of September 14, 2019, all transactions must carry a “stamp” in the payment system showing that they are either an SCA transaction or that the transaction falls under an exemption.
If this is not the case, then it is up to your client’s bank (issuer) what to do. The vast majority of banks will reject such a transaction. I have seen figures from e.g. Mastercard which state that up to 30% of issuers will reject non-SCA-compliant transactions, but my assessment is that it is far higher than 30% in Denmark.
As a web shop, the only thing you can do is to carefully consider your flow and get 3D secure implemented on credit and debit cards, as well as Dankort Secured by Nets in Denmark. Make sure you are ready on September 14, because if you are not, you will see a large part of your transactions being rejected.
This blog post was written at the beginning of August 2019 – the interpretation of the SCA rules at local financial institutions changes weekly, so if you read this later, some items may have changed. However, I will endeavour to update the content.
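To make the exemption rules and the saved-card case concrete, here is an added, illustrative model of the "stamp" decision described above. It is not code from any card scheme, issuer or PSP; the thresholds are the figures quoted in this post, while the rule order, field names and the one-legged/industry flags are assumptions made for this example.

```python
# Illustrative SCA "stamp" model (added example, not scheme/PSP code). Thresholds are
# the post's figures; rule order, field names and flags are assumptions for illustration.
from dataclasses import dataclass
from typing import Optional

LOW_VALUE_ONLINE_EUR = 30        # online: "under EUR 30" is low value
LOW_VALUE_PHYSICAL_EUR = 50      # contactless: PIN only when the amount exceeds EUR 50
RBA_TIERS_EUR = (100, 250, 500)  # risk-based tiers an acquirer/issuer may be granted
FACTOR_TYPES = {"knowledge", "possession", "inherence"}

@dataclass
class Transaction:
    amount_eur: float
    channel: str                        # "online" or "physical"
    merchant_initiated: bool            # MIT: cardholder not present (subscriptions etc.)
    card_issued_in_eea: bool            # False -> "one legged", out of scope (assumed flag)
    industry_exempt: bool = False       # transport/parking; the post names no codes
    whitelisted: bool = False           # cardholder whitelisted this shop at their issuer
    rba_tier_eur: Optional[int] = None  # RBA tier granted to acquirer/issuer, if any
    factors: frozenset = frozenset()    # factor categories actually completed

def is_strong_auth(factors) -> bool:
    """SCA needs two of the three categories; two factors of the same kind do not count."""
    return len(FACTOR_TYPES & set(factors)) >= 2

def stamp(tx: Transaction) -> str:
    """Return the stamp a transaction would carry, or UNSTAMPED (issuer decides; most reject)."""
    if not tx.card_issued_in_eea:
        return "EXEMPT:one-legged"
    if tx.merchant_initiated:
        return "EXEMPT:MIT"
    if tx.industry_exempt:
        return "EXEMPT:industry"
    if tx.whitelisted:
        return "EXEMPT:whitelist"
    if tx.channel == "online" and tx.amount_eur < LOW_VALUE_ONLINE_EUR:
        return "EXEMPT:low-value"
    if tx.channel == "physical" and tx.amount_eur <= LOW_VALUE_PHYSICAL_EUR:
        return "EXEMPT:low-value"
    if tx.rba_tier_eur in RBA_TIERS_EUR and tx.amount_eur <= tx.rba_tier_eur:
        return f"EXEMPT:rba-{tx.rba_tier_eur}"
    if is_strong_auth(tx.factors):
        return "SCA"
    return "UNSTAMPED"

if __name__ == "__main__":
    # Saved-card checkout from the post: shop login (knowledge) + 3D secure OTP (possession)
    saved_card = Transaction(80, "online", False, True, factors=frozenset({"knowledge", "possession"}))
    print(stamp(saved_card))
```

The UNSTAMPED branch is the case the post warns about: a cardholder-present payment above the limits with no exemption and fewer than two factor categories completed.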
If you find I am missing something or you know about an update I should include, please do not hesitate to write to me at firstname.lastname@example.org.