Security in ecommerce remains an important topic for customers as well as merchants. Many customers fear identity theft and misuse of their payment information. This topic is also relevant for shop owners, because payment defaults caused by fraudsters are very unpleasant. By introducing the Payment Services Directive 2, also known as PSD2, the EU aims to prevent such scenarios.
The PSD2 obliges payment service providers in the EU to implement new requirements. It has various aspects, among which multi-factor authentication (MFA) is particularly relevant for online merchants.
When will the PSD2 take effect?
The regulations are scheduled to take effect on 14 September 2019. Recently, the Financial Conduct Authority (FCA) in the UK has announced that it will give payments and ecommerce industry extra time to implement changes. On 13 August, the FCA announced:
The FCA has today agreed an 18-month plan to implement SCA with the e-commerce industry of card issuers, payments firm and online retailers. The plan reflects the recent opinion of the European Banking Authority (EBA) which set out that more time was needed to implement SCA given the complexity of the requirements, a lack of preparedness and the potential for a significant impact on consumers.
We will update this blog post when there is more information available on this topic.
What does multi-factor authentication mean?
Up until now, customers have been able to pay online, for instance, just using their password. Multi-factor authentication, on the other hand, requires customers to use a combination of at least two independent authentication methods when shopping online. So, there might be another step in the payment process.
For example, a password must be combined with a physical object such as a smartphone. In order to pay, the customer then enters a code in addition to his password, which is sent to him via SMS. This verifies the identity of the buyer. If a hacker captures a customer’s password, he will not be able to execute an order.
The authentication factors must come from two of these areas:
- Something the customer knows – such as a password, a PIN number or the answer to a security question (“What was the name of your first pet?”).
- Something in the customer’s possession – such as a chip card or a particular smartphone.
- Something inherent to the customer – such as his fingerprint or voice.
Whether multi-factor authentication is required for an online purchase depends on several factors. For example, it is not required if the order value does not exceed EUR 30, or if a payment company considers the risk to be low based on available data.
What do ePages merchants need to know?
The good news is that you don’t have to take any action in your shop. The payment service providers are responsible to comply with the changes. They have to ensure that the requirements are implemented until the deadline. For payment methods that are directly embedded in the ePages shops, such as Amazon Pay, we will take the necessary measures from the shop side until the target date.
Nevertheless, merchants are advised to contact the payment service providers they offer and ask them how they have implemented the necessary changes to comply with the PSD2.
What will change for shop customers?
For your customers, the PSD2 means that in certain cases another precautionary measure can be added to the ordering process in your shop. As this rule applies to every online store in the EU, customers will most likely quickly get used to it.
Note: This article contains initial legal information but makes no claim to completeness and accuracy. Under no circumstances can it replace legal advice in individual cases.