If you're currently one of our customers using SagePay as one of your payment gateways, you will have received a notification from SagePay about the upcoming implementation of the EU Payment Services Directive 2.
Payment fraud has been steadily increasing for nearly a decade and shows no signs of slowing down. One of the key components of the European Commission's new directive is intended to turn the tide on this trend by placing strong customer authentication (SCA) requirements on participants to reduce fraud.
From the 14th September 2019, the expectation is for all ecommerce transactions to be processed via a secure industry protocol such as 3D Secure.
Strong Customer Authentication then requires at least two independent authentication factors to be used to verify the customer's identity.
The factors are divided into three categories:
- Something the customer knows, such as a PIN or password
- Something the customer has in their possession, such as a payment card or smartphone
- Something inherent to the customer, such as a fingerprint or voice print
Every electronic payment will need to be authenticated by at least two of these factors.
This process is called Multi Factor or Two Factor Authentication. You may already be using Two Factor Authentication with other online services. Any time that you have been sent a text message by an app or website containing a special password or confirmation code, you have been using Two Factor Authentication.
Whilst some industry pundits have raised concerns that the introduction of this requirement will cause problems for consumers, many of us have been using multi-factor authentication for a long time.
Getting your website ready for PSD2
Today, when a payment is taken online the customer may be redirected to a 3D Secure Authentication page. Whether or not this happens is based on the bank's assessment of whether or not this is a "high risk" transaction. After September 2019, redirection to this authentication will become the default for all transactions.
According to SagePay, although authentication will be performed, it is expected that only 5% to 10% of authentications will result in the cardholder having to be redirected to their bank's 3D Secure page to enter 2FA (challenge authentication). The majority of the authentication requests will result in a frictionless authentication, where the cardholder is not redirected to their bank's 3D Secure page to enter 2FA.
So, what will be different after PSD2?
If you have a Gravit-e Version 7 (or above) website with a SagePay payment gateway and 3D Secure already enabled, then there is nothing for you to do at this stage. We will be in touch to ask you to complete some test transactions prior to the September implementation date, but this is purely a "belts and braces" test to avoid any unexpected problems post September.
If you are running Gravit-e Version 6 or below, your payment gateway code may need to be upgraded in readiness for September 2019 and PSD2. We will be in touch with affected customers soon to confirm this.
Ah, I'm not a Gravit-e customer - can I still get help with PSD2?
Of course! If your current website provider is unable to provide you with help and guidance on this, or any other matter, we'd be happy to speak to you and see what we can do to help.