On 14 September 2019, the regulatory technical standards of PSD2, the second Payment Services Directive, came into force. In particular, they make Strong Customer Authentication (SCA), i.e. dual authentication, mandatory for electronic payments over 30 euros. Like e-merchants, many restaurant owners are affected by these changes.
What PSD2 aims to do
PSD2, through this SCA obligation, aims to promote innovation and competition while reinforcing consumer security and reducing the rate of fraud on the payer side. Its objectives are clearly defined (see article 98 of the directive on this subject):
"(a) Ensure an appropriate level of security for payment service users and payment service providers through the adoption of effective, risk-based requirements;
(b) ensure the security of funds and personal data of payment service users;
(c) ensure and maintain fair competition among all payment service providers;
(d) ensure business model and technology neutrality;
(e) enable the development of innovative, accessible, and easy-to-use payment methods."
The means of strong authentication provided by the directive
SCA involves authenticating with at least 2 of the following:
- Something the customer has (smartphone, smart card, connected device...);
- Something the customer knows (PIN code, password...);
- Something the customer is, i.e. what characterizes them personally (voice recognition, fingerprint...).
Before this directive, strong authentication was of course recommended, but it is now mandatory for online purchases. Without 2 of the above conditions ("two-factor authentication"), the customer will not be able to make an online payment. Note that these elements must be independent of each other. The issuing bank, i.e. the buyer's bank, is responsible for triggering strong authentication based on its risk analysis.
Towards the 3D Secure 2 protocol
Dual authentication is at the heart of the 3D Secure 2.0 protocol, which replaces 3D Secure as we knew it before (an SMS sent to confirm a purchase).
This evolution should push payment industry players to invest in new biometric technologies. Indeed, one of the most pronounced concerns of e-retailers is a drop in the conversion rate during online shopping: the customer experience may be less fluid as long as authentication is not made easier. Today, Apple Pay is a good example of dual authentication already in place.
Exceptions to dual authentication
PSD2 provides for exceptions:
- Payments under 30 euros
These are operations of limited amount and for which the risk is considered to be low.
- Recurring transactions, instalments and subscriptions
This is less of a concern for restaurateurs, but PSD2 allows recurring transactions of the same amount to be exempt from strong authentication from the 2nd transaction onwards.
- The "MOTO" transactions
MOTO (Mail Order and Telephone Order) transactions, i.e. those made by e-mail or telephone, are exempt, as they are not considered electronic payments.
- White lists
Each customer can add "trusted beneficiaries" to a white list, which is kept by the bank. In this case, authentication via 3D Secure is not necessary.
- Payments by professional card
Any payment made with a business card is not affected by the SCA requirements.
- Inter-regional transactions
If the issuer or the card acquirer is not based in Europe, the transaction is also exempt from dual authentication. However, nothing prevents you from deciding to implement it anyway.
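To make the two rules described above concrete, here is an added example (not code from the original article, Innovorder or Stripe) that models them in Python: first the "2 of 3 independent factors" check from the section on strong authentication, then a decision function that applies the exemptions listed in this section to a transaction. The element-to-category mapping, the Transaction fields and the exemption names are constructed for the example, the boundary at exactly 30 euros is treated as an assumption, and the function is a simplified model of the exemptions as this page lists them, not of the full regulatory technical standards.

```python
from dataclasses import dataclass
from enum import Enum


class Factor(Enum):
    POSSESSION = "something the customer has"
    KNOWLEDGE = "something the customer knows"
    INHERENCE = "something the customer is"


# Constructed mapping of concrete authentication elements to their
# factor category. A real deployment would take this from the issuer's
# authentication configuration (assumption for this example).
ELEMENT_CATEGORY = {
    "registered_smartphone": Factor.POSSESSION,
    "smart_card": Factor.POSSESSION,
    "pin": Factor.KNOWLEDGE,
    "password": Factor.KNOWLEDGE,
    "fingerprint": Factor.INHERENCE,
    "voice": Factor.INHERENCE,
}


def is_strong_authentication(elements):
    """True when the presented elements span at least two distinct factor
    categories. Two elements of the same category (PIN + password) are not
    independent of each other and therefore do not count as SCA."""
    categories = {ELEMENT_CATEGORY[e] for e in elements if e in ELEMENT_CATEGORY}
    return len(categories) >= 2


@dataclass
class Transaction:
    amount_eur: float
    channel: str                  # "ecommerce" or "moto" (constructed values)
    card_type: str                # "consumer" or "business" (constructed values)
    recurring_index: int = 0      # 0 = not recurring, 1 = first of a series, 2+ = subsequent
    same_amount_series: bool = False
    payee_whitelisted: bool = False  # payee is on the customer's bank-held white list
    issuer_in_eea: bool = True
    acquirer_in_eea: bool = True


def sca_exemption(tx):
    """Return the name of an exemption that applies to the transaction, or
    None when strong authentication is required. Each rule follows one bullet
    of the exemption list on this page; the order only affects which name is
    reported when several exemptions apply at once."""
    if tx.channel == "moto":
        return "moto"                      # not considered an electronic payment
    if tx.card_type == "business":
        return "business_card"
    if not (tx.issuer_in_eea and tx.acquirer_in_eea):
        return "one_leg_out"               # issuer or acquirer outside Europe
    if tx.payee_whitelisted:
        return "trusted_beneficiary"
    if tx.recurring_index >= 2 and tx.same_amount_series:
        return "recurring"                 # exempt from the 2nd transaction onwards
    if tx.amount_eur < 30:                 # "under 30 euros"; exactly 30 is an assumption
        return "low_value"
    return None


def requires_sca(tx):
    """Merchant-side view: SCA is required unless an exemption applies.
    The issuing bank still makes the final call from its own risk analysis."""
    return sca_exemption(tx) is None


if __name__ == "__main__":
    order = Transaction(amount_eur=45.0, channel="ecommerce", card_type="consumer")
    print("SCA required:", requires_sca(order))
    print("PIN + fingerprint is SCA:", is_strong_authentication(["pin", "fingerprint"]))
    print("PIN + password is SCA:", is_strong_authentication(["pin", "password"]))
```

Note that `requires_sca` only tells a merchant whether to expect a challenge; as the article says, the buyer's bank triggers strong authentication based on its own risk analysis, so an issuer may still challenge a transaction the merchant considered exempt, and the "one leg out" case leaves the merchant free to request authentication anyway.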
What is the impact for restaurateurs?
As soon as you accept online payments (for your online ordering or click and collect, for example), you must take this new legislation into account.
Fortunately, there are already options available for PSD2. For example, by using Innovorder's software suite, you can benefit from strong authentication thanks to Stripe's integration with the solution.