Verifone PSD2 SCA Bulletin

September 2019 will see the introduction of new requirements for authenticating cardholders when processing credit and debit card payments. This mandate forms part of new legislation being rolled out across Europe under the second phase of the Payment Services Directive (PSD2).

This bulletin explores the new requirements for Strong Customer Authentication (SCA), the in-scope and exempt payment types, and the proactive steps merchants must take to prepare for this mandate.
 

What is Strong Customer Authentication (SCA)?

The PSD2 legislation requires cardholders to be authenticated in additional ways to reduce fraud and make payments more secure. This requires merchants to extend checkout payment flows and customer-present payment terminal capabilities. SCA requires authentication using at least two of the following three methods:
  • Knowledge: Something the cardholder knows, e.g. a password
  • Possession: Something the cardholder has, e.g. a registered mobile phone
  • Inherence: Something the cardholder is, e.g. fingerprint or other biometric

What is in scope for SCA?

SCA applies to cardholder-initiated transactions (CIT), including:
  • Contactless payments
  • Ecommerce orders

What is not in scope for SCA?

The following transaction types (including merchant-initiated transactions) are not impacted by SCA rules:
  • Chip and PIN transactions
  • Unattended payments, e.g. kiosk
  • Mail Order transactions
  • Telephone Order transactions
  • Recurring transactions that are initiated by a merchant
  • Magazine transactions

SCA and Contactless Payments

Unlike chip and PIN transactions, contactless transactions do not support multi-factor authentication. The industry has adopted waivers to allow a maximum of 5 consecutive contactless transactions or £150 of spend before requiring a ‘fall forward’ to chip and PIN.

There are two alternative ways that this fall forward process can be handled:
  • The payment terminal declines the card transaction and staff can prompt the customer to retry using chip and PIN. This requires no changes or updates to the terminal application.
  • The payment terminal automatically prompts the cardholder to insert their card. This provides a better and more seamless cardholder experience but requires the terminal to be updated.
To support automatic fall forward the industry recently introduced specification changes. Verifone is implementing these changes in its major terminal applications and solutions including:
  • Ocius POS Client
  • Ocius RS
  • Ocius VX680
  • VX820 DUET/IP
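
An added example (not Verifone's code and not part of the original bulletin) modelling the waiver counters and the two fall-forward behaviours described above. The per-card counter object, the outcome strings and the reading that a tap is refused when it would be the sixth since the last chip and PIN transaction, or would take cumulative spend above £150, are assumptions for illustration; the bulletin does not say where the counters are kept.

```python
from dataclasses import dataclass
from decimal import Decimal

MAX_CONSECUTIVE_TAPS = 5                   # waiver limit quoted in the bulletin
MAX_CUMULATIVE_SPEND = Decimal("150.00")   # GBP, waiver limit quoted in the bulletin


@dataclass
class ContactlessCounters:
    """Hypothetical per-card state since the last chip and PIN transaction."""
    taps: int = 0
    spend: Decimal = Decimal("0.00")

    def reset(self) -> None:
        self.taps, self.spend = 0, Decimal("0.00")


def authorise(counters, amount, entry_mode, auto_fall_forward):
    """Return the outcome of one transaction ("contactless" or "chip_pin")."""
    amount = Decimal(amount)
    if entry_mode == "chip_pin":
        counters.reset()                   # two-factor transaction clears the waiver counters
        return "APPROVED"
    over_count = counters.taps + 1 > MAX_CONSECUTIVE_TAPS
    over_spend = counters.spend + amount > MAX_CUMULATIVE_SPEND
    if over_count or over_spend:
        # The tap did not complete, so the counters stay as they were.
        if auto_fall_forward:
            return "PROMPT_INSERT_CARD"        # updated terminal application
        return "DECLINED_RETRY_CHIP_PIN"       # unchanged terminal, staff prompt the customer
    counters.taps += 1
    counters.spend += amount
    return "APPROVED"


def run_sequence(transactions, auto_fall_forward):
    """Replay (amount, entry_mode) pairs for one card from fresh counters."""
    counters = ContactlessCounters()
    return [authorise(counters, amt, mode, auto_fall_forward)
            for amt, mode in transactions]


if __name__ == "__main__":
    # Constructed sample: amounts are invented for the demonstration.
    sample = [("100.00", "contactless"), ("60.00", "contactless"),
              ("60.00", "chip_pin"), ("60.00", "contactless")]
    for auto in (False, True):
        print(auto, run_sequence(sample, auto))
```
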

When can I upgrade my software?

Merchants can upgrade the terminal payment application by remotely flagging the device PTID for a software update via the Ocius WebCom portal, or by contacting the Merchant Helpdesk team for support (see FAQ).

Updated versions of the Ocius payment applications are available now on our Production environment.

The new application version numbers are listed below:
  • Ocius POS Client: V03.56.22.17 (Kernel 6)
  • Ocius RS: V03.01.01.10708
  • Ocius VX680 / VX820 DUET: V03.52.01.99995 (K6) / V03.70.00.99995 (K7)
  • V240m / V200c: 2.8.1.4
If merchants are not able to update their terminals, they can continue to use the terminal as is, but staff should be trained to retry declined contactless transactions by asking the customer to insert their card.

E-Commerce compliance; 3D-Secure

For E-Commerce merchants the standard approach for authenticating cardholders processing online card payments is commonly referred to as ‘3D-Secure’.

2019 sees the introduction of the 3D-Secure v2 standard that will replace the current v1 implementation widely used by UK merchants.

3D-Secure v2 provides merchants with an improved cardholder experience as well as meeting the SCA authentication requirements; it is, however, not the only method of demonstrating SCA compliance ahead of the September deadline.

3D-Secure v1 Compliance

Ahead of the introduction of the 3D-Secure v2 standard in 2019, the discussion of SCA compliance using the existing 3D-Secure v1 standard has been explored in detail with the UK acquirers, schemes and the Financial Conduct Authority (FCA).

The conclusion of the discussion is that:
  • Any merchant processing online/E-Commerce card payments should look to implement 3D-Secure v1 on their web checkout
  • 3D-Secure v1 could provide UK merchants with PSD2 SCA compliance provided either:
    • One Time Passcodes (OTP) are supported by the cardholder’s card issuer
    • Risk Based Analysis (RBA) is implemented within the card issuer host system
One Time Passcode = A unique, one-time use passcode generated by the cardholder’s card issuer that is sent to the cardholder via SMS text message; supplementing the entry of the cardholder’s 3D-Secure online passphrase.

It is expected that all UK card issuers will support the generation of OTPs ahead of the September deadline.

3D-Secure v2 Roadmap

Verifone UK is actively working to provide 3D-Secure v2 capabilities as part of the introduction of a new E-Commerce payments platform.

Introduction of 3D-Secure v2 is scheduled to be available for merchants from August 2019, with a phased rollout across acquirers.

Verifone recommends that all merchants processing E-Commerce transactions implement 3D-Secure v1 via their existing Ocius payment solution.

If you wish to understand more about the upcoming E-Commerce platform launch, payment capabilities, upgrade path and more, please contact your Verifone Account Manager.

“How do I enable 3D-Secure v1 in my Web Services API (XML) product...?”

There are three main steps to enabling the 3D-Secure v1 capability in your Web Service integrated solution:
  1. Liaise with your Verifone Account Manager to initiate the creation and acquirer boarding of your 3D-Secure credentials.
  2. Update your web checkout flow to include 3D-Secure API calls as documented in the Web Services Integration guide; available from the Technical Services team.
  3. Complete comfort testing with the Technical Services team to ensure end to end implementation is correct.

“How do I enable 3D-Secure v1 in my hosted payment page product...?”

There are three main steps to enabling the 3D-Secure v1 capability in your hosted payment page solution:
  1. Liaise with your Verifone Account Manager to initiate the creation and acquirer boarding of your 3D-Secure credentials.
  2. Update your hosted payment page account configuration within the Ocius portal to include your 3D-Secure v1 credentials.
    1. Template Builder URL (Payment Page v2): https://pp2.cxmlpg.com/paypage2templatebuilder/
    2. OCP (Responsive Hosted Payment Page): https://payportal.vfims.com
  3. Validate your configuration changes with the Ocius Technical Services team before applying the changes to your production account.

Industry Updates

Verifone continue to work closely with the UK acquirers, issuers and the FCA to ensure that all necessary information is made available to merchants along with a clear path to support merchants in achieving compliance.

The latest information highlights the significant complexity and resulting impact that PSD2 SCA brings to the UK card payments ecosystem, with many UK acquirers working towards compliant platforms and hosts ahead of September.

Should you wish to discuss any aspect of the PSD2 SCA mandate, please contact Verifone.
 

FAQ

Q. When does the PSD2 SCA mandate come into effect?
A. The SCA mandate effective date is September 14th, 2019.

Q. Where do I find updates on Verifone’s SCA compliance…?
A. Our Customer Support URL, https://www.verifone.com/en/uk/customer-support, provides our customers with any and all news related to the SCA mandate, Verifone’s product updates and support information.

Q. Where can I find out more information regarding the PSD2 legislation?
A. We recommend that merchants contact the acquirer in the first instance, however more information on the legislation can be found here.

Q. When is the 3D-Secure v2 service available for integration testing?
A. Available now, for merchants acquired by BMS, with additional acquirer support to be added thereafter.

Q. Who do I contact for assistance and further information?
A. Merchants should contact the Verifone Account Manager or Service Delivery Manager in the first instance; however, our technical teams can provide support too.

Merchant Helpdesk
Tel : 0333 323 6677
Email : ocius.helpdesk@verifone.com

Technical Services
Tel : 0333 323 6667
Email : ocius.techservices@verifone.com