What do PSD2 and SCA mean for marketplaces?

Since September 14th, 2019, new European regulation has required Strong Customer Authentication (SCA) for online payments from European customers.

If your marketplace processes payments from European users, the new regulation might require you to adjust your transaction flow. Otherwise, some payments on your marketplace might fail on your marketplace.

For marketplaces built with a Saas tool, the first step to ensure SCA compliance is to check with their service provider. Sharetribe, for example, is fully SCA compliant.

If your marketplace software provider takes care of legal compliance automatically, you can treat this article as a nice-to-know introduction into the world of payment regulation and payment technology.

But, if you have built an integration to a marketplace payment service provider yourself, you’ll likely need updates to your transaction flow. This article will help you understand what SCA is, what it means for marketplaces and online businesses, and how you can ensure your marketplace complies with the new EU regulation.

We also discuss the benefits of SCA that also marketplaces outside of Europe may want to consider.

Strong Customer Authentication (SCA) is a requirement of the PSD2, the Second Payment Services Directive that establishes revised rules for payment services in the European Union. SCA means that payments from European customers need to be performed with multi-factor authentication.

One of the aims of the PSD2 directive is to guarantee safe authentication in online payments and reduce the risk of fraud. The directive sets out strict security requirements for electronic payments and the protection of consumers' financial data.

SCA is a core security requirement included in the PSD2. It brings an additional security layer to online payments. After September 14th, 2019, customers might be prompted to prove their identity when making online payments by providing at least two separate elements out of these three:

• something they know (a password or PIN code)
• something they own (a card, a mobile phone)
• something they are (biometrics, e.g. fingerprint or face recognition).

In traditional retail, Strong Customer Authentication is already quite common.

For example, brick-and-mortar stores equipped with a card reader typically require both a payment card (something the customer owns) and a PIN code (something the customer knows) to make a purchase. In the online world, this multi-factor authentication is usually achieved through the newest variant of 3D Secure.

3D Secure is a protocol that, under different branded names, belongs to the service offering of most credit card issuers. The 3D Secure protocol ties a layer of authentication to online purchases made with a credit or debit card.

Depending on the features of your marketplace payment service provider and your integration, the protocol might already be used on your marketplace. If it isn’t, 3D Secure will add an extra step to your marketplace’s transaction flow.

Currently, the most common way of authenticating an online card payment relies on 3D Secure—an authentication standard supported by the vast majority of European cards.

Applying 3D Secure typically adds an extra step for the customer to complete the transaction flow. The cardholder is prompted by their bank to provide additional information to complete a payment, such as entering a one-time code sent to their phone or authenticating with a fingerprint through their mobile banking app.

In a nutshell, during a 3D Secure flow, a customer enters their credit card details normally to an online business’ user interface. Before being able to check out, the customer is redirected to a new page where the purchase is verified with a code or a password provided by the customer’s bank.

The requirement for Strong Customer Authentication applies to online payments where both the business and its customers' bank are located within the European Economic Area (EEA). According to Stripe, SCA will most likely also apply in the UK regardless of the outcome of Brexit, as proposed by the FCA.

The PSD2 doesn’t require SCA in so-called “one-leg” transactions, where the payer is from within the EEA but the recipient of the payment isn’t.

Whether your marketplace already complies with SCA or not depends on your integration with a payment service provider.

If you’re not absolutely sure your marketplace’s transaction flow supports Strong Customer Authentication, we recommend checking with your payment service provider first. Read their articles and documentation, and, if necessary, ask them for more information.

Stripe’s new versions of Checkout and Payment Intents API, for instance, trigger 3D Secure automatically in transactions where it’s required. However, your integration might be with the legacy version of Checkout, in which case you should follow the instructions for migrating to the new version.

PayPal says they update their Pro Hosted plans automatically, and offers instructions to install 3D Secure on Pro Direct plans using CardinalCommerce. According to Mangopay's documentation, they trigger 3D Secure by default on payments above 50 euros. Adyen’s documentation lists the integrations that support 3D Secure by default and the integration types that need to be updated in order to comply.

In addition to the differences between payment service providers, there’s another twist making 3D Secure more complicated. Namely, in the wake of PSD2, the widely-used 3D Secure protocol has gotten a new version; 3D Secure 2, or “3DS 2” for short.

Even if your marketplace supports 3D Secure 1, most payment service providers recommend updating to the new 3D Secure 2 version to comply with SCA. According to Stripe, for instance, “3D Secure 2 will be the main method for authenticating online card payments and meeting the new SCA requirements”. Similarly, PayPal’s Braintree guide recommends integrating to 3DS 2.

Adyen, on the other hand, recommends supporting both 3DS 1 and 3DS 2 in order to comply with SCA, as they project that “some European issuing banks may not be ready yet for 3D Secure 2 and still use 3D Secure 1 to comply with SCA”. Stripe recognizes the problem too, so their 3D Secure 2 process falls back to 3D Secure 1 automatically if the new version isn’t supported by the customer’s bank. Mangopay used their "smart routing tool" to process payments through 3DS 1, 3DS 2, or direct authorization during the transition period, after which they say they will route all payments through 3DS 2.

To sum up, we recommend updating to the 3D Secure 2 protocol. Not only will you ensure SCA compliance, but you will also overcome challenges inherent in the 3D Secure 1 protocol.

Adding a layer of security to your transaction flow is a positive thing. Online card payments that only rely on inserting the digits on the card are fragile and liable to fraud. A secure payment system can be a competitive advantage that increases marketplace trust.

Unfortunately, as you probably know, any friction in the transaction flow can lead to customers not completing their checkout. The additional authentication step required by 3D Secure represents an opportunity for your customer to get distracted or have second thoughts about the purchase. If they don’t have the needed password on hand, demanding that they get up from their computer and go find it might just be too much to ask.

A cumbersome payout process might even inspire marketplace users to circumvent the platform altogether. Particularly for marketplaces that rely on customers and providers meeting in the real world—as is the case for most rental and services marketplaces—the temptation to take the payments off the platform is already high.

Furthermore, 3D Secure typically redirects the user to the card issuer's website or opens a pop-up window that is controlled by a third party. The new window is often co-branded by the customer’s bank and payment card company. The marketplace has no control over the user experience.

This can be a major UX hitch and also create concerns about safety.

A few years back, for instance, Visa received some criticism over its implementation of 3D Secure 1 because thousands of cardholders had shunned the verification box for fear of scams. A group of Cambridge scholars further criticized Visa’s implementation for bad design principles. They said it trains people in bad security habits by encouraging them to type in their banking information to an unidentifiable popup window mid-transaction.

Since the discussion around Verified by Visa, there have been more successful implementations of the 3DS 1 protocol. Many payment service providers and card companies now offer it as a default.

Though 3D Secure 2 continues to introduce an additional step to the transaction flow, it offers some mitigation to the challenges present in 3D Secure 1.

Most significantly, 3DS 2 offers the possibility for “frictionless authentication,” which allows the payment service provider to send information to the cardholder’s bank during a transaction. This information can be something like an email address, shipping address, or the customer’s device or browsing information.

These data points help the bank make an accurate risk assessment for each transaction. If the data lets the bank authenticate the cardholder making the payment, the additional verification layer isn’t triggered.

In addition, unlike 3DS 1, 3DS 2 allows using a bank’s mobile app to authenticate payments.

Depending on the customer’s bank and type of smartphone, this might make the transaction significantly smoother. Whereas 3DS 1 might prompt a customer to authenticate against the card issuer's website, 3DS 2 can authenticate through a one-time code sent to the cardholder’s phone or via a fingerprint scan in their mobile banking app. Stripe notes that they expect many banks to start supporting these kinds of smooth authentication experiences with 3D Secure 2.

In addition to allowing for frictionless authentication, 3DS 2 protects marketplaces from liability in certain types of credit card disputes.

Unfortunately, marketplaces sometimes encounter double credit card disputes.

A dishonest credit card dispute happens when a customer books a service, but after getting it, contacts their credit card issuers and claims they didn’t make the card payment themselves.

It's quite common, particularly in the US, that the credit card issuer decides in favor of the customers in the case of disputes. Even if a marketplace is able to provide proof that the service was provided, the card issuer often decides to refund the money.

Previously, when this happened, the marketplace was liable for the dispute. If they couldn’t get the provider to whom the payment was made to refund, they were ultimately responsible for refunding the customer.

Using 3D Secure 2 shifts this liability away from the marketplace. Card issuers are now responsible for covering any payment verified through the 3DS 2 protocol and disputed as fraudulent.

Note that the marketplace remains liable for reimbursement when the customer agrees they made the payment but claims they didn’t receive the product or service. The liability for reimbursement falls to the card issuer only when the cardholder disputes the payment.

Since credit card disputes represent a significant burden for many online businesses, this shift is nevertheless a welcome form of protection for marketplace entrepreneurs.

Regardless of your 3D Secure version, chances are that Strong Customer Authentication will bring about noticeable changes to your customer experience. Therefore, in order to cut “cart abandonments” to a minimum, explaining the change to users is a good idea.

If possible, contact your users and tell them what’s about to happen, when, and how the change affects them.

Your providers, in particular, might express concerns about extra steps in the transaction flow. Seize this as an opportunity to build your platform’s reputation through a clear and honest explanation of the coming changes and the resulting security improvements.

After SCA has been implemented on your marketplace, we recommend that you monitor payments very closely for a while. On a marketplace built with software like Sharetribe, this should be quite easily achieved.

Do you see payments failing after a customer has given their credit card details and clicked “Pay”?

If this happens, it’s very likely that something went wrong during SCA. After all, without 3D Secure, the transaction would have been completed after the customer submits their credit card details.

If this happens on your marketplace, the best course of action is to contact the customer and ask them what happened. That will help you ensure that your platform works as it should and gives you a chance to recoup the failed payment.

If you see a rise in the number of failed payments after implementing SCA—and you have made sure your marketplace platform or the payment integration you’ve built isn’t to blame—contact your payment service provider. They might be able to help you get to the root of the issue.

EU regulation requiring Strong Customer Authentication (SCA) from all online businesses that process payments from European customers went into effect on September 14th, 2019. Similar to the upcoming directive DAC7 impacting tax reporting on marketplaces, this EU regulation is designed to guarantee security and fairness on online platforms.

Marketplaces built with Saas tools like Sharetribe get the necessary update as a part of their subscription plan. If you have built the integration to a payment service provider yourself, we strongly recommend that you make sure your subscription plan and integration type are SCA compliant.

Typically, payment service providers ensure SCA compliance by adding a 3D Secure 2 protocol to the transaction flow. In a 3D Secure flow, a customer enters their credit card details normally to an online business’ user interface. Before checkout, the customer is prompted to verify their purchase via their banking app or with a code or password provided by the customer’s bank. Though 3D Secure 1made this flow possible previously, updated 3DS 2 brings along significant improvements to the UX.

In addition, using 3D Secure 2 shifts the liability of credit card payments disputed as fraudulent from the marketplace to the credit card issuer.

You should give your users a heads up that the transaction flow on your marketplace will change after you implement the necessary changes. We also recommend that you keep close track of payments on your platform to make sure SCA works as it should.

Considering the improved UX and protection against credit card disputes, integrating SCA compliance through 3D Secure 2 provides benefits also for marketplace entrepreneurs outside the EU.