The European Union (EU) first launched the Payment Services Directive (PSD) in 2007. It was introduced to regulate the payment service industries. Since then, PSPs have worked their way around the strict guidelines mentioned in the directive. Contrary to their expectations, PSD worked in favor of businesses. It encouraged pan-European companies to participate in the ever-growing payments industry. It broke the bank’s monopoly on the online payment industry.

PSD2 SCA Requirements

 The PSD2 directive has been designed with a similar passion for breaking monopolies and encouraging Third-Party Providers to drive the competition in creating secure and quick online payment systems. So, people concerned about SCA requirements in the PSD directives should treat these conditions as opportunities. 

 Understanding SCA

 SCA stands for Strong Customer Authentication (SCA).

All sellers working with businesses located in the European Economic Area (EEA) will be required to comply with PSD2 SCA requirements.

 SCA obliges merchants to adopt a strong customer authentication process. 

The authentication process will be based on three core elements. These elements are independent of each other and are designed to protect the transaction data. These elements are – 

· Knowledge – The authentication process must test something that only the user should know. For instance, a PIN code or a private question (e.g., ‘What was the name of your last pet?’). Mere credit card data such as CVV are not considered as ‘knowledge’ anymore. 

· Possession – The authentication process should involve something that the customer owns. For instance, only the customer will have access to his or her email address. So, the authentication process must involve the user’s email address to verify transactions. 

· Inherence – Inherence is something the user intrinsically possesses, for instance, a biometric feature (fingerprint, retina scan, etc.)

To verify electronic payment transactions, at least two of these elements must be used by the seller in the authentication process.  

 Impact of SCA

 The introduction of SCA requirements was almost inevitable. More people are shifting towards online purchases, and the debate surrounding user data confidentiality has never been louder. The introduction of independent authentication factors will – 

· Reduce processing costs for vendors as there will be zero fraudulent transactions 

· Reduce instances of online fraud 

· Businesses complying with PSD2 regulations will find it easy to conduct business with companies located in the EEA. 

· Overall, the number of cardholders will increase as public confidence in using online payment services grows.

 Application of SCA 

 SCA compliance will be required for all card transactions involving businesses in the EEA region. 

 If the seller and the consumer’s banks are located in the EEA, all transactions need to be SCA-compliant. 

 The countries that will be directly affected include – 

 · United Kingdom

· Sweden

· Spain

· Slovenia

· Slovakia

· Romania

· Portugal

· Poland

· Norway

· The Netherlands

· Malta

· Luxembourg

· Lithuania

· Liechtenstein

· Latvia

· Italy

· Ireland

· Iceland

· Hungary

· Greece

· Germany

· France

· Finland

· Estonia

· Denmark

· Czech Republic

· Republic of Cyprus

· Croatia

· Bulgaria

· Belgium

· Austria

 If the acquirer is located within the EEA, the business has to comply with SCA requirements. So, all multinational companies involved in business with EEA countries need to meet SCA requirements.

 SCA Exemptions

 Under the new guidelines, some transactions will be exempted from SCA compliancy, 

There are systems put in place to pass or block exemption requests in real-time. Not all sellers will apply for such exceptions. Here are some of the transactions that are exempted from SCA requirements – 

Corporate Payments

 Usually, corporate payments are facilitated using rigorous security methods. These security methods have improved for over ten or twenty years. So corporate card payments that already go through strict protocols don’t need SCA compliance. However, traditional employee corporate purchase will need to be SCA-compliant (e.g., using a company provided Sodexo card to buy groceries)

 Beneficiaries

 Consumers can choose to list the businesses they consider beneficiaries and send them to the issuing bank. SCA compels banks to add specific merchants to these lists so that transactions involving payments to these ‘trusted beneficiaries’ don’t have to through dual verification. 

 Low-value transactions

 If the total value of a transaction is less than €30, it need not go through SCA. But, customers can’t skip the SCA for more than five times. If all the transactions since the last SCA-compliant transaction add up to more than €100, the next transaction will need to go through SCA protocols. 

 Does SCA Apply To Your Business?

 If your business is involved with consumers, banks, or other businesses in the EU, you’ll have to abide by all PSD2 directives. For instance, if your online store is located in the USA but sells to customers in Spain, your payment services provider (PSP) needs to be based in the EU. The PSP would also have to be SCA-compliant. PSD2 is riding the wave of one-click payments. It aims to open up the payment service industry. These regulations will force businesses to invest in new and better technology.