Strong Customer Authentication and phone payments: FAQs

The EU Payment Services Directive (PSD2) requires merchants and payment providers to ensure that, when a cardholder is not present, their identity is verified using two-factor authentication. Here are answers to some FAQs on the topic.

What is “Strong Customer Authentication”?

What is 3D Secure?

Is Strong Customer Authentication required for phone payments?

What security protections exist on phone payments?

Can merchants choose to invoke SCA on phone payments?


What is “Strong Customer Authentication”?

The EU Payment Services Directive (PSD2) was devised to make electronic payments easy, efficient and more secure across Europe, and includes a requirement for merchants to enforce “Strong Customer Authentication” (SCA).

This requires merchants and their payment service providers — from payment intermediaries to acquiring banks and card issuers — to ensure that, when the cardholder is not present, their identity is verified at the point of payment using at least two of the following three elements:

  • Knowledge — something the customer knows, such as a password or PIN
  • Possession — something the customer owns, for example a card, a phone or a hardware token
  • Inherence — something the customer is, such as a fingerprint or face recognition

This is variously referred to as “two-factor” or “multi-factor” authentication (MFA). 3D Secure is a form of two-factor authentication used for online e-commerce transactions.

What is 3D Secure?

3DS is a method of ensuring SCA for online payments.

It is a security protocol used to authenticate users, and has been adopted by the major card brands to provide an extra layer of protection for payment card transactions made online. It allows a cardholder to authenticate their identity, which helps to prevent payment fraud, obstruct unauthorized transactions and limit chargebacks, and it enables online payments to meet the SCA requirements of PSD2.

Is Strong Customer Authentication required for phone payments?

No. 

Phone-based transactions — referred to as “MOTO” or Mail Order, Telephone Order payments — are one of four methods of card payment where strong customer authentication is not mandatory. 

The other three are:

  • Merchant Initiated Transactions (MITs) — Where a cardholder has pre-agreed (and pre-authenticated) one or more future transactions, and may not be available to authenticate at the time each is initiated
  • One-leg-out Transactions — Defined as those transactions where either the issuer or the acquirer is outside of the European Economic Area and UK
  • Anonymous Transactions — Customers do not need to complete SCA when an anonymous payment method is used, e.g. a gift card

Since SCA is a process that is managed by the cardholder’s bank, it is important that you ensure card payments taken over the phone are flagged as “MOTO” payments by your payment service provider. Paytia handles this for you automatically. If you are in any doubt on this, contact the Paytia support team or your PSP (Payment Service Provider).

What security protections exist on phone payments?

First and foremost, Paytia protects your customers from fraud or identity theft by preventing cardholder data reaching your staff or systems.

This also protects your business from the ramifications of any data breach or rogue employee actions: reputational damage or fines from your bank.

Paytia also provides the following protection measures:

  • Customer address verification: Cardholder details are checked against their registered billing address
  • Realtime payment fraud analysis: Detects and blocks fraud using machine learning that trains on data across millions of global companies

Can merchants choose to invoke SCA on phone payments?

SCA is available by using Paytia’s Payment links solution, whereby a payment link can be sent to your customer via email or text. This automatically triggers 3D Secure, which will be invoked by the cardholder’s bank as deemed necessary.
