The Payments Service Directive 2 (PSD2) enforces the need for Strong Consumer Authentication (SCA) in the European Economic Area and was fully implemented in 2021. This directive applies to all e-commerce credit and debit card transactions, enforcing an additional security step at point of sale online. This step is between you and your issuing bank and is mandatory for all cards, so you may be challenged to confirm your identity during this process. This uses multi-factor authentication to help ensure your online purchases are secure and protected. All such transactions must be authenticated by at least two of three factors (as determined by your bank):
-
Something you have (e.g. the credit card/mobile device)
-
Something you know (e.g. a pin number/password)
-
Something you are (e.g. a biometric ID such as face scan, thumb print)
What is 3DS?
SCA, also known as 3-D Secure (3DS), is an authentication protocol giving an additional security layer for e-commerce transactions. You may recognise this as: Verified by Visa, Mastercard SecureCode or Amex Safekey.
This is the pop-up window that appears at checkout after entering card details, which may require you to enter a password, or a one-time code sent to your mobile phone.
All businesses (regardless of size or industry sector) and banks need to comply with this regulation.
Will this affect me?
The PSD2 rules will apply to you. Your purchases by credit or debit card may be blocked if you do not know the security details required by your bank.
What will I see? A 3D Secure window may be displayed after you enter your card details, which could require you to authenticate the card you are using.
Your bank’s pop-up window will be visible, and you will be required to enter your chosen piece of security information. This communication will take place directly between you and your bank and RS will not be privy to the data exchanged.
In many cases, it is likely that card providers will recognise that your purchase with RS is within your regular purchasing behaviour and will therefore not require additional authentication, enabling the transaction to flow through seamlessly. But, as mentioned, if prompted for authentication you will need to enter the requested information for the transaction to be approved.
Who do I contact to help me?
You need to contact your card provider directly for help if your card does not authenticate online.
We have a Purchasing Manager account, are we still affected?
Yes, if within your PurchasingManager™ set up you have credit and/or debit cards which you have shared with your end users for use during their online checkout.
The new directive rules of strong authentication will mean that all card users could be asked questions based on the personal details of the card holder. If the card user does not know the answers to these questions, the card will be declined. For these reasons, we recommend that purchases are only made by the named card holder.
Are any online payments exempt?
Card transactions below £30 are considered to be low value and are generally exempt from authentication. However, if you initiate more than five consecutive low-value payments or if the total payments value exceeds £100, SCA will be required. On rare occasions, some card types may be exempt from authentication. Only your card provider will be able to confirm if your cards are affected by this regulation.
I can't place my order online, what do I do?
As PSD2 only affects online purchases, you may be able to place an order over the phone by contacting our customer services team on 03457 201 201.
How can I help myself?
There are some simple steps you can take to ensure that you and your business can purchase online.
- Upgrade your internet browser to the latest version. Solution providers are using the latest online security features to make your online journey as secure as possible and old browsers may not be compatible.
- Disable pop-up blockers for the RS website.
- Do not share cards between individuals. Card providers will hold personal details for all credit and/or debit cards, which you may not have access to.
- Communicate these changes to all company credit/debit card users so they are aware how authentication works for online payments.