What is PSD2 and SCA Strong Customer Authentication?

PSD2 refers to the "Payment Services Directive" (Directive 2015/2366 of the European Parliament and of the Council on payment services in the internal market). EU legislation regulates the provision of payment services and electronic payment transactions, transposed into Spanish law through Royal Decree-Law 19/2018 on payment services and other urgent financial measures. PSD2 renews and updates previous legislation by enhancing SCA (Strong Customer Authentication) in payments that have been incorporated with the new features that the digital transformation has brought with it, such as mobile payments, e-commerce and regulating the new parties that provide financial services, among others.

PSD2 came into force on 14 September 2019, and as of 31 December 2020 the SCA (strong customer authentication) was also applicable to any transactions carried out as e-commerce.

How does it affect customers?

One of the main objectives of Strong Customer Authentication (SCA) is to increase the security of card purchases. To access the online banking, Apps or make online payments with a mobile phone or card, the customer must enter two authentication factors from among three categories:

  • Knowledge", something you know. For example, a password or PIN.
  • "Possession", something you have. For example, a mobile phone you own that we will send the verification code to.
  • "Inherence", something you are. For example, your fingerprint, your iris, facial recognition, etc.

PSD2 stipulates a few exceptions such as, for example, transactions with an online trader previously classified as "trustworthy" by the customer (whitelist), recurring transfers (same beneficiary and amount), and very small transfers.

What do I do if I have a Santander POS?

For payments with cards, the most common procedure for this kind of authentication is what is known as 3DSecure. Version 1.0 has been used since 2001 to boost the security of online transactions, helping you prevent fraud and protecting you against repudiation of transactions.

The new 3DSecure 2.2 version simplifies the authentication processes by including extra parameters that will help card issuers in some cases to authenticate owners with no need to request the dual authentication factor.

Develop a better experience in your online store

If you wish to home in on improvements in your buyers' experience and your conversion ratios, you must add more 3DS parameters in the transaction messaging. For example, data on the holder, dispatch, billing, type of purchase, retail purchase history etc.

If your business has redirection integration (in other words, your online store's pay button redirects to our virtual POS terminal webpage) or webservice, you can now use the integration environment to add the parameters required by 3DSecure v2.2, and so you can get your development teams working on the project, and carry out any tests you may require. To assist with integration, you also have the integration guides. They may be updated, but we will keep you informed of any changes.

If you work with plugins from Santander or Redsys (WooCommerce, Prestashop, Magento, OsCommerce, OpenCart, VirtueMart or ZenCart), remember that these have already been upgraded. If, on the other hand, you use shopping baskets belonging to another developer, you must contact them to request the upgrade. However, you will always need to configure a few parameters (e.g. data on the holder, dispatch, billing, type of purchase, retail purchase history etc.) in your plugin for these to be captured in the transaction.

Remember that the ecosystem of payment methods has multiple operators: card issuers, processors, payment service providers (PSP), gateways, acquirers, standby engines or intermediate developments etc.

Remember you can use our specialist e-commerce team to help you during the process. Contact info.riesgostpv@gruposantander.com with any queries you may have. 

SCA (strong customer authentication, or use of the dual authentication factor) has been mandatory since 31 December 2020, and so we advise you to implement these changes as soon as possible to enable you to optimise the payment process and maximise conversion of your transactions.