PSD2 & SCA: Updates in Tito and a Brief Overview
Tito is currently working on an update to our checkout and will be rolling it out in advance of the 14th September SCA deadline. We’ll notify all customers when it’s ready, and provide instructions for what you need to do.
Want to know more about what this means? Read on!
What do all those letters stand for?
PSD2 stands for “Second Payment Services Directive”.
SCA stands for “Strong Customer Authentication” measures.
What was the first Payment Services Directive?
Good question. The First Payment Services Directive (or PSD1) was implemented in 2009. As with PSD2 (which we’ll be covering in this post) it was created as a directive instigated by the European Union.
It was introduced to help create more competition in the payments industry in Europe. Essentially, it was (and still is, to some extent) concerning that banks can have a monopoly and all of the control over secure online payments.
Okay, so what’s the Second Payment Services Directive (PSD2)?
It’s also an EU directive! Since 2009, the number and diversity of alternatives to traditional banking, and associated technologies, have multiplied many times over. That’s great, because it means we have a lot more options as consumers when it comes to how we manage, receive and spend money.
And while that’s a good reason to celebrate, there are a few things that might make you delay that a bit. Namely: the global increase in credit fraud, and the overwhelming nature of having multiple systems and institutions to grapple with to get transparency over how we use money.
PSD2 was set up to help with these problems.
Are those problems actually bad enough to warrant all this fuss?
Ehm, yes. Two quick examples on this one:
- Over 75% of Europeans use mobile devices to keep track of finances and to make payments nowadays. Only 18% did that in 2015. So, I wasn’t exaggerating when I mentioned that “multiplication” earlier.
- £309 million ($375m) was lost to credit card fraud in 2016 alone.
When does SCA come into the equation? Are they the same thing?
Kind of. SCA is a part of the requirements that will come into effect once PSD2 is fully enforced.
As we mentioned earlier, SCA stands for “Secure Customer Authentication”.
The bottom line is that accepting online payments is going to become safer as a result of SCA. Practically, SCA, once it comes into effect, will require extra checks to verify that the person doing a transaction has the authority to do so. There are three acceptable elements that facilitate those checks, and at least two have to be used for verification during a checkout process.
The three accepted elements are:
- Something the consumer knows (think a password, or a PIN)
- Something the consumer has (like a phone) and
- Something the consumer is (something that IDs you, like your fingerprint)
When does it come into force?
PSD2 is actually already here. It came into effect on January 13th, 2018. (Don’t worry, you were probably under a GDPR rock at the time.)
However, some measures that are specifically relevant to us will be enforced on September 14th, 2019. One of those is SCA.
How will it affect event organisers?
People buy tickets to events, and they do it online. In one study conducted by the UK Office for National Statistics, researchers found that 51% of individuals between the ages of 16 and 45 bought tickets for events online in 2018.
Banks will have the authority to decline transactions that don’t meet SCA requirements after September 14th. For event organisers, that means that they’ll need a way to sell their tickets online that provides the checks and authentication we talked about previously in this article. Otherwise, potential attendees who try to buy tickets may have their orders declined, meaning you don’t receive the funds from the transaction.
What are you going to do about it, Tito?
As mentioned above, we’re currently working on an updated version of our checkout and widget. Internally we’ve been calling it v2, but this will actually replace what we have now.
In v2, we’ve added support for Stripe’s SCA flow as well as implementing the new PayPal API.
Your customer will fill in their card details and complete the checkout form to initiate the payment as normal. The checkout will detect if authentication is required (depending on what the customer’s bank supports) and will trigger this process automatically.
As a bonus, we’ve also made a few improvements to the checkout user interface.
We’ll be rolling out checkout v2 within the next few weeks, in advance of the 14th September SCA deadline, and we’ll notify all customers when it’s ready, and provide instructions for what you need to do to switch over. But don’t worry — we’ll make the process easy and painless. And you can rest easy knowing your customers are protected from fraud.
We’ll be updating this post when our v2 opt-in is available, which should be in the very near term. We’ll provide that information across our other channels too.
Should you have any specific questions about SCA or how it relates to Tito, please reach out to us at support@tito.io.