What is “Strong Customer Authentication”?
Is Strong Customer Authentication required for phone payments?
What security protections exist on phone payments?
Can merchants choose to invoke SCA on phone payments?
What is “Strong Customer Authentication”?
The EU Payment Services Directive (PSD2) was devised to make electronic payments easy, efficient and more secure across Europe, and includes a requirement for merchants to enforce “Strong Customer Authentication” (SCA).
This requires merchants and their payment service providers — from payment intermediaries to acquiring banks and card issuers — to ensure that, when the cardholder is not present, their identity is verified at the point of payment using at least two of the following three elements:
This is variously referred to as “two-factor” or “multi-factor” authentication (MFA). 3D Secure (3DS) is a form of two-factor authentication used for online e-commerce transactions.
3DS is a method of ensuring SCA for online payments.
It is a security protocol used to authenticate users, adopted by the major card brands to provide an extra layer of protection for payment card transactions made online. It allows a cardholder to authenticate their identity to prevent payment fraud, obstruct unauthorized transactions and limit chargebacks, and enables online payments to meet the SCA requirements of PSD2.
Is Strong Customer Authentication required for phone payments?
No.
Phone-based transactions — referred to as “MOTO” or Mail Order, Telephone Order payments — are one of four methods of card payment where strong customer authentication is not mandatory.
The other three are:
Since SCA is a process that is managed by the cardholder’s bank, it is important that you ensure card payments taken over the phone are flagged as “MOTO” payments by your payment service provider. Paytia handles this for you automatically. If you are in any doubt about this, contact the Paytia support team or your PSP (Payment Service Provider).
What security protections exist on phone payments?
First and foremost, Paytia protects your customers from fraud or identity theft by preventing cardholder data reaching your staff or systems.
This not only protects them from fraud or identity theft, but protects your business from the ramifications of any data breach or rogue employee actions — reputational damage or fines from your bank.
Paytia also provides the following protection measures:
Can merchants choose to invoke SCA on phone payments?
SCA is available through Paytia’s Payment links solution, whereby a payment link can be sent to your customer via email or text. This automatically triggers 3D Secure, which the cardholder’s bank will invoke as it deems necessary.