Christian Diegelmann, EPG: Why working with exemptions could offset SCA setbacks

Christian Diegelmann (CEO of Euro Payment Group (EPG) in Frankfurt and Malta) discusses the possible impact on conversion rates once strong customer authentication (SCA) is enforced – something noteworthy for those operating in the gaming industry. 

Diegelmann provides a rundown of the revised Payment Services Directive (PSD2) and associated SCA measures, before explaining why the successful handling of regulatory technical standards (RTS) exemptions will become a key component for an operator focused on providing the best payments experience for its customers.

The revised PSD2 was published in November 2015, entered into force on 13 January 2016 and applied since 13 January 2018. The Directive brought fundamental changes to the payments market in the EU, in particular by requiring SCA to be applied by payment service providers (PSPs) when carrying out remote electronic transactions.

In its fulfilment of PSD2, Article 98(1) mandated the European Banking Authority (EBA) to develop RTS for SCA, which were published on 13 March 2018 and will apply as of 14 September 2019.

However, many European supervisory authorities such as the Malta Financial Services Authority (MFSA) and the Federal Financial Supervisory Authority (known as BaFin) in Germany have decided not to raise objections to credit card payments made on the internet without SCA immediately after this deadline, with no time limit set for relaxing such provisions.

Thereafter, SCA will apply to all payment transactions initiated by a payer, including card payment transactions initiated through the payee in the European Economic Area (EEA) and apply only on a best-effort basis for cross-border transactions with one leg out of the EEA. 

Thus, most card payments and all bank transfers will require SCA, but recurring direct debits are deemed “merchant-initiated”, so they are out of scope. Except for contactless payments, in-person card payments are also not impacted by the RTS.

As you may be aware, SCA requires PSPs to devise an authentication method using at least two of the following three elements – something the customer knows (knowledge), something the customer has (inherence) and something the owner is (ownership). In practice, this might mean a password or pin, a phone or bank card, and a fingerprint or face recognition.

According to regulations, SCA must be applied to access to payment account information and to every payment initiation, including within a session in which SCA was performed to access the account data, unless an exemption under the RTS applies. Companies would therefore do well to familiarise themselves with the most relevant RTS exemptions, including:

  1. Recurring transactions. When the customer makes a series of recurring payments for the same amount, to the same business. SCA will be required for the customer’s first payment, subsequent charges may be exempted.
  2. Low-value transactions (e.g. online gaming/gambling, digital content). Where payer initiates remote electronic payment transactions provided: (a) amount does not exceed €30; and (b) cumulative amount of previous remote transactions initiated by the payer since the last application of SCA does not exceed €100; or (c) number of previous remote transactions initiated by the payer since the last application of SCA does not exceed five consecutive individual remote electronic payments.
  3. Low-risk transactions. A PSP will be allowed to do a real-time risk analysis to determine if to apply SCA to a transaction. This may only be possible if the payment provider’s or bank’s overall fraud rates for card payments do not exceed the thresholds contained in the Annex to the RTS.

While it should be stressed that differences in how Member States and individual ASPSPs support exemptions are expected, the successful handling of the above exemptions will become a key component for building a better payment experience with minimised resistance.

Along with this smart handling of exemptions, providing the most friction-free authentication method is key to preventing a significant hit to conversion.

Currently, the most common way of authenticating an online card payment relies on 3D Secure (3DS) – an authentication standard supported by most European cards. Applying 3DS adds an extra step after the checkout where the cardholder is prompted by their Account Servicing Payment Service Provider (ASPSP) to provide additional information to complete a payment. 

However, 3D Secure 2 (3DS2) could soon become the main method to authenticate online card payments by introducing a better user experience (UX) to smoothen the checkout flow and, hopefully, reduce customer drop-off.

The main message is that it’s not all doom and gloom, even for those operating in a tricky industry such as gaming. Many European payment methods will follow the new SCA rules without any major changes to their UX, because they have already built in 2-factor authentication (2FA).

Card-based payments on GAFA – an acronym for US technology powerhouses Google, Apple, Facebook and Amazon – already support payment flows with such built-in authentication.

It should also be noted that while many gaming deposits are made on mobile, where SCA would apply even to ‘Card on File’ transactions, players will often be placing bets using funds already held in a wallet within the operator’s website, in which case SCA could be out of scope.

The new regulations bring potential advantages and setbacks, for both the merchants and the users. Merchants should embrace the extra security and reduced risk of fraud, while minimising the inevitable impact to the customer journey through RTS exemptions and leveraging new payment aggregators to increase their strategic information on consumers.