PSD2 is the second EU Payment Services Directive. It aims to create a single market for payments in the European Union. It is designed to make online payments safer, increase consumer protection, and foster innovation and competition by enabling third-party access to account information. It came into force in January 2018.
A vital element of the directive concerns the introduction of additional security mechanisms for e-commerce transactions, as defined in the Regulatory Technical Standard (RTS) on Strong Customer Authentication (SCA) [Article 98 of PSD2]. This regulation will be applied from the 14th of September 2019, when all e-commerce transactions, except where an exemption applies, are expected to be processed more securely.
This guide will explain what SCA means, how this impacts Nium, and how we are adapting to meet PSD2 requirements and applying supported exemptions to ensure that security, fraud prevention, and user experience are appropriately balanced for our users.
If you have questions about this document or any other elements of PSD2 that may affect your product usability, don't hesitate to contact your Account Manager.
Strong Customer Authentication (SCA) is designed to reduce fraud and make online payments more secure by requiring online merchants to collect two of the following three items from buyers before a transaction can be processed or a financial system can be accessed:
End-users access these platforms through a browser and must adhere to the new authentication requirements.
Host-to-host and machine-to-machine communication channels are out of the scope of the PSD2 SCA requirement (SCA-RTS Article 17). API transactions do not require a new authentication method.
All card payments made using Nium-issued cards are within the scope of PSD2 and SCA requirements.
Nium's online platforms will be updated to support Two-Factor Authentication (2FA) using a "time-based one-time password" (TOTP) authentication mechanism.
This is in addition to a username and password. A password and the TOTP method must be successfully provided before users can access their accounts.
Nium users can download a free TOTP authenticator application; we recommend Google Authenticator but also support FreeOTP, Microsoft Authenticator, and Authy. These are installed on a mobile device, as a browser plugin, or as a desktop application. These apps generate TOTPs that, together with your username and password, provide access to your Nium account.
Before you can use an authenticator app to generate TOTPs that Nium can accept, you'll have to enroll in the authenticator app by entering a security key or scanning a QR code. Once your chosen authenticator app is enrolled, it will generate time-based 6-digit codes specifically for your account.
Nium online platforms will also support “Trusted Browsers” to make the two-factor authentication process less intrusive by not asking for a TOTP for every login.
If you use an authenticator application, you can mark a specific browser as "Trusted." You can then sign in to Nium's online platforms from your trusted browser without needing to provide a TOTP code for up to 90 days (in line with SCA-RTS Article 10).
Nium’s API has already benefited from industry-leading security measures to protect our platform from external threats.
We are strengthening this to restrict API access to pre-approved IP addresses. Our client experience team and account management team will contact you to ensure that your respective IP Addresses are whitelisted on your account.
We are not changing our APIs for PSD2; you do not need to make any changes to your systems if you use APIs.
Under PSD2, SCA is required for most card transactions unless an exemption applies as per the SCA-RTS. This means that a cardholder has to authenticate to perform a transaction. This is typically done using 3D Secure — when a user enters a one-time security code to complete a transaction with their card. The security code can be requested either by the merchant (website, card acquirer) or the card issuer and can be sent to a mobile phone or generated by an authenticator app.
As per the SCA-RTS, certain transactions are exempt from SCA, so no authentication is needed for exempt transactions. Based on the way our customers use Nium cards, all Nium card transactions should be exempt. The section below summarises various exemptions defined in the SCA-RTS and how these exemptions apply to Nium transactions.
Whitelisted trusted beneficiaries
PSD2 SCA-RTS defines a transaction as not requiring SCA if the payment initiator has whitelisted a merchant. In other words, customers will never need to enter a code to make a payment to a beneficiary that has been whitelisted by the
PSD2 SCA-RTS defines that SCA is not required for subsequent transactions to the same payee and of the same amount as the first transaction. In other words, online subscriptions like Netflix do not require SCA after the first payment.
PSD2 SCA-RTS defines a transaction as not requiring SCA if a user transfers money between accounts held by the same person/company.
PSD2 SCA-RTS defines that a transaction does not require SCA if a transaction is less than €302 or the cumulative amount since the last authentication is less than €100 or the cumulative number of transactions since the last authentication is not greater than 5.
PSD2 SCA-RTS defines that a transaction does not require SCA if performed by legal entities (non-consumers) "through the use of dedicated payment processes or protocols." Based on clarifications issued by the UK FCA and through legal advice obtained by Nium, this exemption would also include "the use of proprietary automated host-to-host (machine-to-machine) restricted networks, lodged or virtual corporate cards, such as those used within access-controlled corporate travel management or corporate purchasing system" (FCA Clarification). This exemption is based on the premise that the equivalent levels of security as SCA are met.
Transaction risk analysis (TRA)
PSD2 does not require SCA if the issuer's Transaction Risk Analysis (TRA) classifies the transaction as low risk, defined as:
- very low fraud rates
- transaction value is under €500
Based on the above exemptions, Nium’s strategy for card transactions is as follows:
Nium has applied for Article 17 exemption with the respective regulatory bodies on the basis that transactions done through Nium are for corporate use, make use of virtual cards, and in 95%+ of the cases, cards are single-use only.
Nium understands that the above exemption may not be absolute, and in some cases, a merchant/acquirer may still require SCA. On this basis, all of Nium's cards will be 3D Secure enabled. This means that if a merchant/acquirer requests an authentication attempt, the transaction would NOT be rejected (as happens today). However, as 3D Secure authentication is not feasible in a corporate environment (with many users creating thousands of cards that may be used for payments in 30+ days), we will be applying a "Frictionless Flow" through risk-based authentication mechanisms (in line with SCA-RTS Article 18). This means a transaction would be evaluated to determine if it is low risk (predefined list of merchants, similar spending pattern). If it is low risk, no SCA would be applied. If the transaction does not meet these criteria, it will be rejected.
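A hypothetical model of the frictionless-flow decision just described, added here as an example and not Nium's risk engine: a transaction is treated as low risk when the merchant is on a predefined list or when the amount fits the account's prior spending pattern at that merchant, and is rejected otherwise. Spending history is keyed by the corporate account rather than the card, since the page notes most cards are single-use. The merchant ids, amounts, the median-based similarity rule and its thresholds are all constructed assumptions.

```python
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class CardTransaction:
    account_id: str      # the corporate account behind the (often single-use) card
    merchant_id: str
    amount_eur: float


class FrictionlessFlow:
    """Risk-based check: allow without SCA only when a low-risk signal is present."""

    def __init__(self, trusted_merchants, max_ratio: float = 2.0, min_history: int = 3):
        self.trusted_merchants = set(trusted_merchants)   # predefined list of merchants
        self.max_ratio = max_ratio        # amount may be at most max_ratio x the usual spend
        self.min_history = min_history    # prior payments needed before a pattern counts
        self._history = {}                # (account_id, merchant_id) -> prior amounts

    def record_authenticated(self, tx: CardTransaction) -> None:
        """Learn from a payment that completed after a successful 3D Secure challenge."""
        self._history.setdefault((tx.account_id, tx.merchant_id), []).append(tx.amount_eur)

    def _similar_spending(self, tx: CardTransaction) -> bool:
        prior = self._history.get((tx.account_id, tx.merchant_id), [])
        if len(prior) < self.min_history:
            return False      # too little history to call anything "similar"
        return tx.amount_eur <= self.max_ratio * median(prior)

    def evaluate(self, tx: CardTransaction):
        """Return ("frictionless", reasons) or ("reject", reasons)."""
        reasons = []
        if tx.merchant_id in self.trusted_merchants:
            reasons.append("predefined_merchant")
        if self._similar_spending(tx):
            reasons.append("similar_spending_pattern")
        if reasons:
            # Approved payments extend the pattern for this account/merchant pair.
            self._history.setdefault((tx.account_id, tx.merchant_id), []).append(tx.amount_eur)
            return "frictionless", reasons
        return "reject", ["no_low_risk_signal"]


if __name__ == "__main__":
    flow = FrictionlessFlow(trusted_merchants={"m-airline"})          # constructed merchant ids
    print(flow.evaluate(CardTransaction("acct-1", "m-airline", 450.0)))
    print(flow.evaluate(CardTransaction("acct-1", "m-hotel", 120.0)))
```

Every decision returns the reasons that produced it, so the outcome can be logged alongside the transaction and reviewed when fraud rates are monitored for the TRA exemption.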
Nium also has the capability of making use of the SCA-RTS Article 13 exemption. This means a set of trusted beneficiaries can be whitelisted, so SCA would not be applied for these beneficiaries. However, at this point, Nium will not use this technology.
We are confident that our partners will continue to experience the high merchant acceptance rates that they are used to when using Nium cards without the need for any changes to their existing systems or any additional costs.