Securing ecom payments through 2-factor authentication
Strong customer authentication is mandatory for many online and card payments – but not for all. Let us give you an overview.
Strong customer authentication: Is it necessary?
Useful or annoying – opinions differ when it comes to strong customer authentication. In online banking and online shopping, double protection of transactions by at least two independent factors is now usually mandatory.
And 2-factor authentication is also becoming increasingly popular in other areas. According to a survey by Web.de, one in two Germans is already familiar with corresponding login procedures outside of digital payment processes – for example, when accessing their email inboxes, social media accounts, or customer accounts.
The fact is: Checking two independent factors increases security for all parties involved. But from the customer's point of view, strong authentication also comes at a cost in terms of convenience. Moreover, given the complex regulations, it is often hard to understand when, where and why additional security checks are carried out. In the interest of customer satisfaction, store operators should keep on top of things. This blog post answers basic questions and helps optimize the payment mix in terms of security and customer convenience.
SCA, 2FA, PSD2, 3D-Secure: What's what?
Is 2FA the same as 3D-Secure? And what does PSD2 have to do with SCA? You need to know the following abbreviations to follow the conversation.
- In 2015, the EU adopted its revised Payment Services Directive (Directive (EU) 2015/2366), or PSD2 for short. It was transposed into German law in January 2018; the detailed rules for strong customer authentication are laid down in the accompanying regulatory technical standards (Delegated Regulation (EU) 2018/389), which applied from 14 September 2019.
- PSD2 aims to make digital payments in Europe even more secure. This is why strong customer authentication (SCA) is mandatory for many payment transactions throughout the EU. In Germany, the supervisory authority granted online card payments a transition period, so SCA has only been enforced for them since the start of 2021.
- 2-factor authentication (2FA) is the method for strong customer authentication as set out in law: customers must prove their identity using at least two independent factors from different categories, so that compromising one factor does not compromise the others.
- 3D-Secure is the card schemes' protocol for authenticating the cardholder during an online purchase, in use worldwide under brand names such as "Verified by Visa" (now "Visa Secure") or "Mastercard Identity Check". Visa introduced the first version in 2001; in 2016 EMVCo published the 3D-Secure 2.0 specification, which adds risk-based ("frictionless") flows and carries the exemption information needed to comply with PSD2.
How does 2-factor authentication work?
Strong customer authentication is designed to ensure that the real card or account holder is indeed behind a digital payment. During the 2FA process, at least two of the following factors are checked, and they must come from different categories. For remote payments the law additionally requires "dynamic linking": the authentication code is tied to the specific amount and payee, so a code intercepted for one transaction cannot be replayed for another.
- Knowledge: The customer knows the correct answer. The knowledge factor includes, for example, a PIN, a password or personal security questions.
- Possession: The customer possesses the correct object. The possession factor includes, for example, a smartphone or smartwatch with a registered banking app, a bank or credit card, a hardware token or a TAN generator.
- Inherence: The customer has the right characteristics. This category includes distinctive biometric identifiers such as fingerprint, iris or face scan, voice recognition, or a biometric (behavioral) signature.
Many combinations are possible: This list already shows that a large number of 2FA variants exist in practice. Anyone paying via wallet on their smartwatch, for example, can use biometric security functions such as fingerprint or Face ID. Anyone using a physical credit card in an online store usually has to additionally approve the transaction in the banking app. Other payment services send a one-time code via SMS to the stored mobile number; such a code counts as evidence of possession of the registered SIM, which makes it the weakest of these variants, since it is exposed to SIM swapping. Note that a password plus a security question is not 2FA: both are knowledge factors. And to make things even more confusing, additional authentication is by no means required for every transaction.
Do all online payments have to be approved via the 2-factor process?
No, a legal obligation for strong customer authentication generally only exists for "customer-initiated" electronic payments where both the payer's and the payee's payment service provider are located in the EEA (so-called two-leg transactions). For online stores, that means: Card payments and online bank transfers from European customers usually have to go through a 2-factor verification process.
In contrast, there is no obligation for strong authentication for
- Direct debit: Direct debit-based payment methods are considered "initiated by the merchant" on the basis of a mandate and thus do not fall within the scope (setting up the mandate through an electronic channel may itself require SCA).
- MOTO transactions: Catalogue and telephone orders (mail order/telephone order) are not considered electronic payments and are also not subject to SCA.
- Subscriptions or recurring transactions: As a rule, the follow-up payments are "merchant-initiated" and therefore exempt from SCA. The first transaction, which sets up the series or stores the card, must still be strongly authenticated.
- B2B transactions: Payments through dedicated corporate payment processes (for example lodged or virtual corporate cards used within a company's procurement system) are exempt from SCA, provided the supervisory authority accepts that the process offers an equivalent level of security. Simply using a corporate card in a normal online checkout does not qualify.
- Interregional transactions: There is no SCA obligation if the card or account is issued outside the EEA (one-leg transactions); the European side is only expected to apply SCA on a best-effort basis.
Other exceptions: To not make digital payment transactions unnecessarily difficult, the legislator has also provided for exceptions for small payment amounts (up to EUR 30, subject to cumulative limits of EUR 100 or five transactions since the last strong authentication) as well as for transactions with a low risk of fraud, where a transaction risk analysis allows amounts of up to EUR 100, 250 or 500 depending on the payment service provider's fraud rate. The merchant or its payment service provider can request such an exemption, but it is the cardholder's bank, not the payee, that finally decides whether it applies and whether to demand authentication anyway. Customers can also deposit a list of trusted recipients with their bank or with payment services such as PayPal. Payments to online stores on this "whitelist" are then also released without 2-factor authentication.
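To make the rules from the two sections above concrete (the factor categories under "How does 2-factor authentication work?" and the scope and exemption rules just listed), here is an added example in Python that is not secupay's code and not part of the original post. It implements a small decision function that classifies a transaction as out of scope, eligible for an exemption request, or requiring SCA, and a check that a proposed factor combination really spans two categories. The thresholds are taken from the RTS on strong customer authentication (Articles 13, 14, 16 and 18 of Delegated Regulation (EU) 2018/389); the data model, function names and sample transactions are constructed for the example, and the low-value counters are applied conservatively (both the cumulative amount and the transaction count must be within their limits).

```python
"""Added example: SCA scope and exemption decision logic, not secupay's code.

Thresholds follow the RTS on SCA (Delegated Regulation (EU) 2018/389):
Art. 13 trusted beneficiaries, Art. 14 recurring transactions,
Art. 16 low value (EUR 30; EUR 100 cumulative / 5 transactions since last SCA),
Art. 18 transaction risk analysis (EUR 100 / 250 / 500 by reference fraud rate).
Data model, names and sample data are constructed for illustration.
"""
from dataclasses import dataclass
from enum import Enum


class Factor(Enum):
    KNOWLEDGE = "knowledge"
    POSSESSION = "possession"
    INHERENCE = "inherence"


# Hypothetical method names mapped to the legal factor categories.
FACTOR_CATEGORY = {
    "password": Factor.KNOWLEDGE, "pin": Factor.KNOWLEDGE,
    "security_question": Factor.KNOWLEDGE,
    "sms_otp": Factor.POSSESSION, "app_approval": Factor.POSSESSION,
    "tan_generator": Factor.POSSESSION,
    "fingerprint": Factor.INHERENCE, "face_id": Factor.INHERENCE,
}


def is_strong_authentication(methods):
    """True only if the methods cover at least two *different* categories.
    Password + security question is a single factor (knowledge)."""
    return len({FACTOR_CATEGORY[m] for m in methods}) >= 2


class Decision(Enum):
    OUT_OF_SCOPE = "out of scope"
    EXEMPTION_REQUESTABLE = "exemption may be requested"
    SCA_REQUIRED = "SCA required"


@dataclass
class Transaction:
    amount_eur: float
    payer_in_eea: bool          # issuer / payer's PSP located in the EEA
    payee_in_eea: bool          # acquirer / merchant's PSP located in the EEA
    channel: str                # "ecom", "moto" or "direct_debit"
    merchant_initiated: bool = False
    first_of_series: bool = False   # set-up of a subscription or stored card
    trusted_beneficiary: bool = False
    cumulative_amount_since_sca: float = 0.0   # issuer-side Art. 16 counters
    count_since_sca: int = 0


# Reference fraud rates and the TRA ceiling they unlock (RTS Annex, remote card).
TRA_CEILINGS = [(0.0013, 100.0), (0.0006, 250.0), (0.0001, 500.0)]


def tra_limit(psp_fraud_rate):
    """Highest amount the PSP may exempt under Art. 18 given its fraud rate."""
    limit = 0.0
    for max_rate, ceiling in TRA_CEILINGS:
        if psp_fraud_rate <= max_rate:
            limit = ceiling
    return limit


def decide(tx, psp_fraud_rate=0.0013):
    """Return (Decision, reason). The issuer has the final say on exemptions;
    this only tells the merchant what it may ask for."""
    if tx.channel in ("moto", "direct_debit"):
        return Decision.OUT_OF_SCOPE, "MOTO / direct debit is not in scope"
    if tx.merchant_initiated and not tx.first_of_series:
        return Decision.OUT_OF_SCOPE, "merchant-initiated follow-up transaction"
    if not (tx.payer_in_eea and tx.payee_in_eea):
        return Decision.OUT_OF_SCOPE, "one-leg transaction; SCA on best-effort basis"
    # In scope from here: exemptions the merchant/acquirer may request.
    if tx.trusted_beneficiary:
        return Decision.EXEMPTION_REQUESTABLE, "Art. 13 trusted beneficiary"
    if (tx.amount_eur <= 30.0
            and tx.cumulative_amount_since_sca + tx.amount_eur <= 100.0
            and tx.count_since_sca < 5):
        return Decision.EXEMPTION_REQUESTABLE, "Art. 16 low value"
    if tx.amount_eur <= tra_limit(psp_fraud_rate):
        return Decision.EXEMPTION_REQUESTABLE, "Art. 18 transaction risk analysis"
    return Decision.SCA_REQUIRED, "no exemption applies"


if __name__ == "__main__":
    # Constructed sample checkout transactions.
    samples = [
        Transaction(25.0, True, True, "ecom"),
        Transaction(80.0, True, True, "ecom"),
        Transaction(800.0, True, True, "ecom"),
        Transaction(800.0, True, True, "ecom", trusted_beneficiary=True),
        Transaction(49.9, True, True, "ecom", merchant_initiated=True),
        Transaction(49.9, False, True, "ecom"),
    ]
    for tx in samples:
        decision, reason = decide(tx)
        print(f"{tx.amount_eur:>7.2f} EUR {tx.channel:<12} -> {decision.value}: {reason}")
    print("password+question is SCA:", is_strong_authentication(["password", "security_question"]))
```

The order of the checks matters: scope questions (channel, merchant-initiated, one-leg) come first, exemptions second, and whatever remains must be authenticated. A real integration would pass the chosen exemption indicator on to the acquirer in the 3D-Secure 2 authentication request and must still handle a "soft decline" when the issuer insists on SCA anyway.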
How do I ensure PSD2-compliant payment processing at checkout?
Regulated and certified payment service providers such as secupay take care of the PSD2-compliant processing of your payment transactions, including all exemptions and special rules. For example, we perform a real-time risk analysis to identify low-risk transactions and automatically request every applicable exemption from strong customer authentication, while still handling the cases in which the cardholder's bank insists on authentication. As a professional partner, we offer all common payment methods from a single source, enabling you to create a payment mix at checkout that is individually tailored to risk and service aspects.