26 April 2019
Over the last few years, strong authentication systems have been gradually introduced on e-commerce sites and marketplaces, depending on the number of transactions. From now on, all transactions over 30 euros must be subject to double authentication under the Payment Services Directive 2 (PSD2). This regulation aims to reduce online payment fraud and make banking more secure in order to protect consumers. What is strong authentication? How do you comply? Here are some explanations.
Strong authentication is part of a range of measures included in the European Payment Services Directive 2 (PSD2). Entering into force in January 2018 but deployed in 2021, this regulation has two main objectives:
The deployment schedule was spread out over time because European directives such as PSD2 must be transposed into each national legislation. European regulations, on the other hand, are directly applicable in national law and are intended to harmonise the various standards put in place under PSD2.
The Regulatory Technical Standards (RTS) were prepared by the European Banking Authority (EBA) and adopted by the European Commission to define in concrete terms – and thus harmonise – the strong customer authentication process to be implemented by the Member States.
Well aware of the scale and complexity of such compliance, the Banque de France had decided in 2019 to grant an additional three years to ensure that all actors affected by strong authentication could benefit from a secure solution by 2022.
As the guarantors of payment security, the regulatory technical standards define strong customer authentication as a combination of at least two authentication factors, including:
For example, to validate a banking transaction the customer opens their bank's application, unlocking it with facial recognition (inherence), and then enters a code received by SMS, which proves that they hold their phone (possession). Using two independent authentication factors is more secure than using only one.
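The rule described above (at least two factors, each from a different category) is easy to get wrong when an integrator counts two factors of the same kind, such as a password plus a PIN, as strong authentication. The following added example, which is not Lemonway's code, shows a defender-side check of that rule. The three categories (knowledge, possession, inherence) are those of the PSD2 RTS; the page itself only names inherence and possession. The factor labels, the mapping of labels to categories and the 30-euro threshold parameter are constructed assumptions for illustration, and exemption decisions remain with the issuing bank as the text states.

```python
"""Check whether presented authentication factors satisfy the PSD2 strong
customer authentication rule: at least two factors from DIFFERENT categories.

Added illustration, not Lemonway's code. Factor labels and the label-to-
category mapping below are constructed for the example (assumption).
"""
from enum import Enum


class Category(Enum):
    KNOWLEDGE = "knowledge"    # something only the user knows (PIN, password)
    POSSESSION = "possession"  # something only the user has (phone receiving an SMS code)
    INHERENCE = "inherence"    # something the user is (face, fingerprint)


# Constructed mapping of factor labels to their RTS category (assumption).
FACTOR_CATEGORY = {
    "password": Category.KNOWLEDGE,
    "pin": Category.KNOWLEDGE,
    "sms_otp": Category.POSSESSION,
    "app_device_binding": Category.POSSESSION,
    "face_id": Category.INHERENCE,
    "fingerprint": Category.INHERENCE,
}


def sca_categories(factors):
    """Return the set of distinct categories covered by the given factor labels.

    Unknown labels are ignored rather than counted, so an integrator cannot
    satisfy the rule by passing in an unrecognised string.
    """
    return {FACTOR_CATEGORY[f] for f in factors if f in FACTOR_CATEGORY}


def satisfies_sca(factors):
    """True only if at least two different categories are present.

    Two factors from the same category (password + PIN, or SMS code +
    device binding) are NOT strong customer authentication.
    """
    return len(sca_categories(factors)) >= 2


def authorise(amount_eur, factors, threshold_eur=30.0):
    """Decide whether a transaction may proceed from the authentication side.

    Amounts at or below the threshold are passed through here; whether a
    low-value exemption actually applies is the card issuer's decision.
    Above the threshold, strong customer authentication is required.
    """
    if amount_eur <= threshold_eur:
        return True
    return satisfies_sca(factors)


if __name__ == "__main__":
    # Constructed sample transactions.
    print(authorise(45.0, ["face_id", "sms_otp"]))    # inherence + possession: accepted
    print(authorise(45.0, ["password", "pin"]))       # knowledge + knowledge: rejected
    print(authorise(12.5, []))                        # below threshold: passed through
```

The check deliberately keys on categories rather than on the number of factors, which is the point the regulation makes and the mistake most often seen in home-grown implementations.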
Initially in force only for payments of more than 2,000 euros, strong authentication has gradually become mandatory for smaller amounts. In France, it has been mandatory for payments of more than 100 euros since 15 April 2021. From 15 May 2021, it will be required for payments over 30 euros.
It is not the marketplace operator that decides when strong authentication is used, but the card issuer, i.e., the issuing bank. Thus, Member States shall ensure that a Payment Service Provider (PSP) applies strong customer authentication in the following cases:
To alleviate this burden, the RTS have also defined nine "waivers". Only the PSPs of the payer and the payee can make use of these waivers, depending on the nature of the payment made online. The idea behind these derogations is to strike the right balance between the interest of strengthening the security of online payments and the need for user-friendliness and accessibility of payments in the e-commerce sector.
These exceptions to the principle of strong customer authentication were defined based on the level of risk, the amount, the recurring nature, and the means used to execute the payment transaction.
Among the exemptions, three directly concern online payments. Thus, strong authentication is optional for:
For this last exemption, the applicable transaction threshold depends on the fraud rate reported by the PSP. Here are the different thresholds for the application of strong authentication, depending on the amount:
The current average fraud rate is around 0.16% for French operations and around 0.3% for cross-border operations.
Good to know: The choice of whether to grant an exemption is ultimately up to the bank issuing the card.
If there is one area where Lemonway does not compromise, it is payment security. Therefore, we welcomed these regulatory standards as positive news that will increase the level of security and confidence of end customers. Due to our position in the payment chain, we are not directly involved in the choice and definition of authentication criteria. However, our experts are at your disposal for any information request!