PONT Data&Privacy
Strong customer authentication: secure payment in two steps

On 14 September 2019 the Regulatory Technical Standards (RTS) on strong customer authentication and secure communication took effect in the Netherlands. They flesh out the technical requirements that payment service providers have had to meet since the second Payment Services Directive (PSD2), including strong customer authentication (SCA).

September 24, 2019

author: Kuijpers, Margot

In some countries in the European Economic Area, such as France, Denmark and the United Kingdom, enforcement of SCA has been postponed. Not so in the Netherlands, although De Nederlandsche Bank (DNB) did announce earlier this year that parties will be given extra time to implement SCA for online credit card transactions. How much extra time is not yet clear.

In this blog I briefly discuss what SCA means, in which cases its requirements must be met, and what it will mean in practice in the Netherlands.

What is SCA?

Strong Customer Authentication is an authentication procedure that verifies the identity of the payment service user with a high level of assurance; its purpose is to prevent fraud. To comply with SCA, payment service providers must apply multi-factor authentication (in practice usually two factors, hence "two-factor authentication" or 2FA). Note that this is stricter than merely "two steps": the factors must come from at least two of the following independent categories, so two passwords entered one after the other do not qualify:

  • Knowledge: something only the user knows (for example a password or PIN)

  • Possession: something only the user has (for example a debit card or a phone)

  • Inherence: something the user is (for example a fingerprint or facial recognition)

The factors must be independent of each other, so that compromising one does not compromise the other (RTS Article 9), and together they produce an authentication code with which the payment service provider verifies the payer's identity; the code is accepted only once (Article 4). For remote payments the code must in addition be dynamically linked to the amount and the payee (Article 5): the payer is shown both when authenticating, and changing either afterwards invalidates the code.
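To make the mechanism concrete, the following added example (not code from the original post, from any bank or from the 3-D Secure specification) builds an authentication code from a possession element (a key provisioned to the user's phone) and a knowledge element (a PIN), dynamically linked to amount and payee. All names (Issuer, combine_factors, the IBANs, the PIN) are assumptions constructed for the illustration.

```python
import hashlib
import hmac
import secrets
from typing import Dict

# Illustrative design, not a real bank protocol: the issuer stores the
# combined secret at enrolment and never learns the PIN itself.
PBKDF2_ROUNDS = 100_000


def combine_factors(device_key: bytes, pin: str, salt: bytes) -> bytes:
    """Fold the possession element (a key that lives only on the enrolled
    device) and the knowledge element (the PIN) into one secret.  A stolen
    device without the PIN, or a phished PIN without the device, yields a
    different secret, so neither factor alone is enough."""
    pin_key = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)
    return hmac.new(device_key, pin_key, hashlib.sha256).digest()


def authentication_code(secret: bytes, amount_cents: int, payee: str,
                        nonce: bytes) -> str:
    """Authentication code for a remote payment, dynamically linked to the
    amount and the payee (RTS Article 5): altering either invalidates it.
    The issuer-chosen nonce makes every code single-use (Article 4)."""
    msg = f"{amount_cents}|{payee}|{nonce.hex()}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:16]


class Issuer:
    """Server side of the scheme (assumed name)."""

    def __init__(self) -> None:
        self._secrets: Dict[str, bytes] = {}

    def enrol(self, user: str, device_key: bytes, pin: str) -> bytes:
        salt = secrets.token_bytes(16)
        self._secrets[user] = combine_factors(device_key, pin, salt)
        return salt  # the device keeps the salt next to its key

    def verify(self, user: str, amount_cents: int, payee: str,
               nonce: bytes, code: str) -> bool:
        expected = authentication_code(self._secrets[user], amount_cents,
                                       payee, nonce)
        return hmac.compare_digest(expected, code)


def demo() -> Dict[str, bool]:
    """Constructed scenario: one genuine payment and four attacks."""
    issuer = Issuer()
    device_key = secrets.token_bytes(32)          # provisioned to Alice's phone
    salt = issuer.enrol("alice", device_key, "4812")

    nonce = secrets.token_bytes(8)                # challenge from the issuer
    amount, payee = 49_95, "NL91ABNA0417164300"   # constructed IBAN
    secret = combine_factors(device_key, "4812", salt)
    code = authentication_code(secret, amount, payee, nonce)

    # Attacker variants: phished PIN without the device, stolen device
    # with a guessed PIN.
    pin_only = combine_factors(secrets.token_bytes(32), "4812", salt)
    device_only = combine_factors(device_key, "0000", salt)

    return {
        "genuine": issuer.verify("alice", amount, payee, nonce, code),
        # amount changed after Alice approved the payment
        "amount_tampered": issuer.verify("alice", 499_95, payee, nonce, code),
        # payee swapped for the attacker's account (constructed IBAN)
        "payee_tampered": issuer.verify("alice", amount, "NL02RABO0123456789",
                                        nonce, code),
        "pin_only": issuer.verify("alice", amount, payee, nonce,
            authentication_code(pin_only, amount, payee, nonce)),
        "device_only": issuer.verify("alice", amount, payee, nonce,
            authentication_code(device_only, amount, payee, nonce)),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:16s} accepted={accepted}")
```

Only the genuine case verifies; the two tampering cases fail because the code is bound to amount and payee, and the two single-factor cases fail because the combined secret cannot be reproduced from one factor alone.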

What should SCA be used for?

Under PSD2 (Article 97), SCA must be applied when a payment service user accesses a payment account online, initiates an electronic payment transaction, or carries out any action through a remote channel that may imply a risk of payment fraud or other abuse. The obligation rests on all payment service providers under PSD2, including the new third-party providers: account information service providers (think household bookkeeping apps) and payment initiation service providers. Online shops should also be familiar with the requirements, because the payer's bank can refuse online payments for which no SCA was applied and no valid exemption was claimed.

There are, however, cases in which SCA need not be applied, such as:

  • Payments between accounts of the same natural or legal person;

  • Low-value remote payments (up to 30 euros per transaction, provided that since the last SCA the cumulative amount does not exceed 100 euros or there have been no more than five consecutive exempted transactions);

  • Subscriptions and other recurring payments of the same amount to the same payee (only the first of the series requires SCA);

  • Transactions initiated by the payee rather than the payer, such as direct debits;

  • Payments to trusted beneficiaries, a list the payer maintains with their bank (creating or amending the list itself requires SCA);

  • Account information access limited to the balance and the transactions of the last 90 days (SCA is required at first access and must be repeated at least every 90 days);

  • Contactless payments at the point of sale (up to 50 euros per transaction, with a cumulative cap of 150 euros or five consecutive transactions since the last SCA);

  • Payments at unattended terminals for transport fares and parking fees.
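The exemptions above are rules an issuer has to evaluate per transaction, and the part most often got wrong is the state they need: the low-value exemptions are capped cumulatively since the last SCA, and every application of SCA resets the counters. The following added example (not part of the original post) encodes the exemptions listed above as a decision function over a constructed sequence of payments. The thresholds follow the RTS as it stood in 2019 (Articles 10 to 16); the class and field names, the counter handling (the current transaction is counted, a conservative reading) and the sample IBANs are assumptions made for the illustration, and issuers may also use exemptions the post does not discuss, such as transaction risk analysis.

```python
from dataclasses import dataclass, field
from typing import List, Set, Tuple

# RTS thresholds in euro cents.
REMOTE_SINGLE, REMOTE_CUMULATIVE = 30_00, 100_00             # Art. 16
CONTACTLESS_SINGLE, CONTACTLESS_CUMULATIVE = 50_00, 150_00   # Art. 11
MAX_CONSECUTIVE = 5                                          # Arts. 11 and 16
CAPS = {"remote": (REMOTE_SINGLE, REMOTE_CUMULATIVE),
        "contactless": (CONTACTLESS_SINGLE, CONTACTLESS_CUMULATIVE)}


@dataclass
class Payment:
    amount_cents: int
    payee: str
    channel: str                   # "remote", "contactless" or "unattended_transport"
    recurring: bool = False        # series with a fixed amount and payee
    first_in_series: bool = True
    payee_initiated: bool = False  # e.g. a direct debit


@dataclass
class PayerState:
    """What the payer's bank knows about the payer (assumed structure)."""
    own_accounts: Set[str] = field(default_factory=set)
    trusted_payees: Set[str] = field(default_factory=set)
    # exempted [amount, count] since the last SCA, per channel
    since_sca: dict = field(default_factory=lambda: {"remote": [0, 0],
                                                      "contactless": [0, 0]})


def _low_value(p: Payment, st: PayerState, single: int, cumulative: int) -> bool:
    """Low-value exemption: cap on the single amount, then since the last SCA
    either a cumulative-amount cap or a consecutive-transaction cap."""
    if p.amount_cents > single:
        return False
    total, count = st.since_sca[p.channel]
    return (total + p.amount_cents <= cumulative
            or count + 1 <= MAX_CONSECUTIVE)


def decide(p: Payment, st: PayerState) -> Tuple[bool, str]:
    """Return (sca_required, reason) and update the payer's counters."""
    if p.payee_initiated:
        return False, "payee-initiated (direct debit): not initiated by the payer"
    if p.payee in st.own_accounts:
        return False, "transfer between the payer's own accounts (Art. 15)"
    if p.payee in st.trusted_payees:
        return False, "trusted beneficiary (Art. 13)"
    if p.recurring and not p.first_in_series:
        return False, "recurring transaction after the first (Art. 14)"
    if p.channel == "unattended_transport":
        return False, "unattended terminal for transport or parking (Art. 12)"
    if p.channel in CAPS and _low_value(p, st, *CAPS[p.channel]):
        counter = st.since_sca[p.channel]
        counter[0] += p.amount_cents
        counter[1] += 1
        return False, (f"low-value {p.channel} payment "
                       f"(cumulative {counter[0] / 100:.2f} EUR, #{counter[1]})")
    if p.channel in CAPS:
        st.since_sca[p.channel] = [0, 0]   # SCA is applied: counters restart
    return True, "no exemption applies: SCA required"


def walk() -> List[bool]:
    """Constructed scenario for one payer; returns sca_required per payment."""
    st = PayerState(own_accounts={"NL91ABNA0417164300"},
                    trusted_payees={"NL02RABO0123456789"})
    shop = "NL20INGB0001234567"               # constructed IBAN of a web shop
    log = []
    for _ in range(6):                        # six EUR 25 purchases at the shop
        log.append(decide(Payment(25_00, shop, "remote"), st)[0])
    log.append(decide(Payment(20_00, shop, "remote"), st)[0])        # after SCA
    log.append(decide(Payment(500_00, st.trusted_payees.copy().pop(), "remote"), st)[0])
    log.append(decide(Payment(45_00, shop, "remote", recurring=True), st)[0])
    log.append(decide(Payment(45_00, shop, "remote", recurring=True,
                              first_in_series=False), st)[0])
    return log


if __name__ == "__main__":
    for i, sca in enumerate(walk(), 1):
        print(f"payment {i:2d}: SCA required = {sca}")
```

The six 25-euro purchases show both caps: the fifth is still exempt via the consecutive-transaction cap even though the cumulative amount has passed 100 euros, the sixth exceeds both and triggers SCA, which resets the counters so a 20-euro purchase right after it is exempt again. The trusted-beneficiary payment is exempt regardless of amount, and the recurring series needs SCA only for its first transaction.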

What are we going to see from this?

SCA is already common in the Netherlands: banks apply it for logging in to online banking and for initiating online payments, so Dutch users are used to a second step in the authentication process. iDEAL, the payment method most used in Dutch web shops, redirects the payer to their own bank's authentication, which already meets the SCA requirements, so little will change there.

For credit card transactions SCA is far less established, which is presumably why DNB is giving extra time to parties that are late in implementing it for credit card payments. The "old" method for online card payments, entering the card number, expiry date and CVC, does not satisfy SCA: all of these are static data printed on the card, so together they evidence at most one category (possession), and a single category is not enough. The card schemes, through EMVCo, have developed 3-D Secure 2.0, in which the card issuer can challenge the cardholder with a second factor during checkout (so that SCA is satisfied) and receives the risk data it needs to apply an exemption without a challenge. More and more payment service providers, such as PayPal and Adyen, support it.

The measures will mostly be taken by the payment service providers themselves, but web shops should check as soon as possible whether every online payment method they offer meets the new SCA requirements.

This article can also be found in the PSD2 dossier

More articles by SOLV Lawyers
