The changes you need to make for SCA depend on the type of transactions you process. Please refer to the following sections to see what you need to do.
Face to Face Transactions
- Chip and PIN transactions already comply with the SCA requirement for two factor authentication. Your customer is in possession of their card and knows their PIN.
- Transactions made using a mobile device, like a mobile phone, also comply with SCA, as the customer is in possession of their phone and uses a fingerprint to uniquely identify themselves.
- Contactless transactions don’t fulfil the requirement for two factor authentication but are exempt from the SCA requirement. However, additional security requirements may be requested by the card issuer. A new decline code is being introduced that will ask the cardholder to complete a chip and PIN transaction where that extra security is required.
What do I need to do?
If you rent your terminal from us, we’ll make the changes for you. Just ensure that you and your staff understand what’s happening and are ready to reassure cardholders that there’s no problem with their card or their account, just that it’s an extra security check requested by their card issuer.
If you own or rent your terminal from another source, contact them immediately to discuss the decline code changes needed for the step up from a Contactless to chip and PIN transaction. Details of the technical requirements for SCA can be found in our PSD2 and Strong Customer Authentication Technical Implementation Guide.
MOTO and Merchant Initiated Transactions
While MOTO and Merchant Initiated Transactions (Stored Credential Transactions, also known as Credential on File Transactions, where card details are stored for future use) are out of scope for SCA, if the card issuer doesn’t know they’re one of these kinds of transactions, they may request SCA. If the cardholder is unable to provide the necessary authentication, the transaction will be declined.
What do I need to do?
It’s critical that all transactions are flagged correctly.
If you rent your terminal from us or use our E-Commerce Platform, we’ve made all the necessary changes to ensure transactions contain the correct flags.
If you own or rent your terminal from another source or use a third party provider for your ecommerce service, contact them immediately to ensure your transactions are flagged correctly.
Further information on Stored Credential Transactions and details of their technical requirements can be found on our website within our Customer Centre under the Stored Credential Transactions tile. They’ll also need to apply the technical requirements, which can be found in our PSD2 and Strong Customer Authentication Technical Implementation Guide.
Payments made via a website require SCA. These transactions must now support 3D Secure, which is the ecommerce authentication protocol provided by the Card Schemes, such as Mastercard and Visa. This allows the cardholder to authenticate themselves as the genuine holder of the card. Under PSD2, card issuers are obliged to challenge and potentially decline transactions that don’t comply.
A new version of 3D Secure (3D Secure 2 – 3DS2) is being introduced to comply with new regulations and provide a better customer experience, more security for your business and a frictionless payment experience. Read our blog called ‘3D Secure 2 – A Beginner’s Guide’.
What do I need to do?
If you use our Global Payments E-Commerce Platform (previously Realex Payments), this will support 3DS2 from September 2019. You should have already received communications from us about the changes you need to make to comply with the new SCA requirements. If you’ve any questions about the changes or would like more information on our E-Commerce Platform, please email firstname.lastname@example.org.
If you use a third party provider for your ecommerce services, you need to review the way in which you accept card payments. Please speak to your solution provider to make sure your solution is up to date with all the flagging requirements and that they’re making changes for the SCA mandate. Our 3DS2 solution may be used alongside your existing gateway solution, if required. You can contact us on the email above for help with this.
Details of the technical requirements for SCA can be found in our PSD2 and Strong Customer Authentication Technical Implementation Guide.