Online payments, as we know them, are changing. After September 14, 2019, all businesses and financial institutions in the EU and EEA states must comply with the regulatory technical standards (RTS) of the revised EU Payment Services Directive (PSD2), which has been in effect since January last year and tightens the rules and requirements for payment and card management. The EBA (European Banking Authority) will not take enforcement action against companies doing business in Europe after September 14, 2019, provided they are taking the necessary steps to achieve compliance. The FCA (Financial Conduct Authority, UK) has opted for an 18-month extension, and other national regulators will announce their mandatory implementation deadlines at a later date.
What is PSD2 – Cardholder Authentication?
It is a directive (PSD) of the European Parliament that requires all payment providers to apply strong customer authentication (SCA) when performing payment services in the internal market, as a way to prevent card payment fraud.
How is strong customer authentication implemented?
With “3D Secure”, which covers three domains that are part of the transaction:
1. Something that the user is (e.g., biometrics),
2. Something the user has (card, smart device),
3. Something the user knows (password, PIN, one-time code).
The new directive enforces the use of 3D Secure for online payments and contactless POS payments.
3D Secure provides 2FA (two-factor authentication):
- the first factor is the CVV (Card Verification Value), a three- or four-digit number on the back of the credit card;
- the second factor is a bank prompt (an SMS with a code to be entered on the bank’s website).
Contactless POS payments already have SCA implemented: the terminal requires a PIN every five contactless transactions, or when the cumulative amount of contactless payments exceeds € 100.
For online payments, 3D Secure is required for every payment (one-time and periodic payments) over € 30.
- Customers without 3D Secure-enabled cards will no longer be able to make online purchases for amounts greater than € 30;
- For any recurring payment over € 30, an immediate payment will be required (this was not required until now); the amount depends on the merchant (the minimum value is 1 cent);
- Merchants will not be able to initiate recurring payments over € 30 without the customer, as 3D Secure will be required. 3D Secure will not be required for the subsequent payments, although some limits may still be set.
- All merchants will need to have 3D Secure enabled.
The Banking Association of Slovenia has announced that from October 18, the amount that can be paid with a contactless card without entering a PIN will change: it will rise from 15€ to 25€. Therefore, if the amount is at most 24.99€, the PIN won’t be necessary unless the customer reaches the maximum number of such purchases. The change applies to all Maestro, Mastercard and Visa cards.
POS terminals will be upgraded by the end of October, but the additional security limit remains: it depends on the individual bank or savings bank and is set as the sum of the successive contactless payments made without entering a PIN. When this amount is exceeded, a PIN must also be entered for amounts below 25€.
Exceptionally, you will also be required to enter a PIN for payments below 25€ if required by the POS terminal. According to our information, cards without contactless payment will no longer be issued by the banks.
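To make the rules above concrete, here is an added example (not code from the article, a bank or a card scheme) that models the SCA decision for a single card: online payments above € 30 need 3D Secure unless they are follow-up instalments of an already authenticated recurring payment, and a contactless payment needs a PIN when it reaches the 25€ per-payment ceiling described for Slovenia, when the running total of PIN-less contactless payments would exceed € 100, or after five consecutive PIN-less payments. The thresholds are the article's figures; the reading of "every five transactions" as "the sixth consecutive PIN-less payment needs a PIN", the `CardState` counters and the sample amounts are assumptions made for illustration, and real issuer parameters differ.

```python
from dataclasses import dataclass

# Thresholds taken from the article's figures, in euro cents. Real issuer and
# scheme parameters differ, and the "every five transactions" rule is read here
# as "after five consecutive PIN-less payments the next one needs a PIN" (assumption).
ONLINE_SCA_THRESHOLD = 30_00           # online payments above this need 3D Secure
CONTACTLESS_PER_TX_LIMIT = 25_00       # a single contactless payment at or above this needs a PIN
CONTACTLESS_CUMULATIVE_LIMIT = 100_00  # running total of PIN-less contactless payments
CONTACTLESS_MAX_NO_PIN_COUNT = 5       # consecutive PIN-less contactless payments


@dataclass
class CardState:
    """Per-card counters the issuer keeps between contactless payments (constructed model)."""
    no_pin_count: int = 0
    no_pin_total: int = 0  # euro cents

    def reset(self) -> None:
        self.no_pin_count = 0
        self.no_pin_total = 0


def online_requires_3ds(amount: int, recurring_followup: bool = False) -> bool:
    """3D Secure is required for every online payment above the threshold, except for
    follow-up instalments of a recurring payment that was already authenticated."""
    if recurring_followup:
        return False
    return amount > ONLINE_SCA_THRESHOLD


def contactless_requires_pin(amount: int, state: CardState) -> bool:
    """Decide whether this contactless payment must be confirmed with a PIN and update
    the card's counters: a PIN-verified payment starts a fresh PIN-less window."""
    needs_pin = (
        amount >= CONTACTLESS_PER_TX_LIMIT
        or state.no_pin_count >= CONTACTLESS_MAX_NO_PIN_COUNT
        or state.no_pin_total + amount > CONTACTLESS_CUMULATIVE_LIMIT
    )
    if needs_pin:
        state.reset()
    else:
        state.no_pin_count += 1
        state.no_pin_total += amount
    return needs_pin


def simulate_contactless(amounts: list[int]) -> list[bool]:
    """Run a sequence of contactless payments on a fresh card and return the PIN decisions."""
    state = CardState()
    return [contactless_requires_pin(a, state) for a in amounts]


if __name__ == "__main__":
    # Constructed sample: six purchases of 4.50 EUR, then 24.99 EUR and 25.00 EUR.
    print(simulate_contactless([4_50] * 6 + [24_99, 25_00]))
    print(online_requires_3ds(29_99), online_requires_3ds(30_01),
          online_requires_3ds(250_00, recurring_followup=True))
```

Amounts are kept in integer cents so that the cumulative comparison is exact; the sample run shows the sixth small payment and the 25.00€ payment triggering a PIN while the 24.99€ payment passes, which is the behaviour the article describes.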