Dear business friends and partners,
In recent days you have certainly noticed information regarding changes in the payment system and in the use of payment cards under the new PSD2 (the revised Payment Services Directive). This directive was adopted at EU level and has been technically implemented since March 2018.
This is a comprehensive change in the field of cashless payments. On the one hand it allows new, so-called third-party providers to initiate payments directly from customers' accounts to your accounts; on the other hand it provides greater security for transactions through so-called "strong customer authentication" (SCA).
This requirement applies to card payments in physical and online stores throughout the EU.
The requirement brings fundamental changes to the technical security of all payment terminal systems, payment gateways, card issuing systems, mobile banking access, and direct and indirect payments from bank accounts. All of this has been the subject of discussion throughout the European Union.
Under the new directive, every electronic payment transaction must, as a rule, be protected by two authentication factors.
Two-factor authentication means a combination of at least two security elements (factors) identifying the user (cardholder), taken from different categories. The categories are:
Knowledge (something only the user knows), e.g. a password or PIN;
Possession (something only the user holds), e.g. a card or phone;
Inherence (something the user is), e.g. biometric features such as a fingerprint or iris scan.
The condition is that each authentication element must come from a different category, so that compromising one factor does not compromise the other.
At the same time, please note that biometric authentication as currently implemented on Android and iOS (iPhone) devices is covered by a temporary exemption granted by the card schemes, and is expected to migrate to a more secure implementation during 2020-2021.
These exemptions have led to the misunderstanding that contactless payments are exempt from the strong authentication requirement altogether. The EBA has confirmed that contactless payments are exempt only up to EUR 50 per transaction, and only for at most 5 consecutive transactions or a cumulative total of EUR 150 since the last strong authentication. In practice this means that every sixth transaction, regardless of its amount, must be authorized by PIN, or earlier once the cumulative limit is reached, for example after 3 transactions of EUR 50. The logic that requests an additional PIN for a contactless transaction is implemented entirely by the card issuer, who may also demand a PIN whenever misuse of the card is suspected.
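To make the issuer-side rule concrete, the following is an added illustration written for this letter; it is not Borgun's code nor that of any issuing bank. It assumes amounts in EUR cents, per-card counters kept in memory, and a "suspected misuse" flag supplied by a separate fraud engine; following the reading above, the current transaction is counted toward the EUR 150 cumulative limit.

```python
# Added example (not Borgun's or any issuer's code): how a card issuer can apply
# the PSD2 contactless exemption limits described above.
# Assumptions: amounts are EUR cents; per-card state lives in memory; the
# suspected_misuse flag comes from an external fraud engine; the current
# transaction counts toward the EUR 150 cumulative limit.
from dataclasses import dataclass
from typing import Optional

SINGLE_TX_LIMIT = 50_00      # EUR 50 maximum for one exempt contactless payment
CUMULATIVE_LIMIT = 150_00    # EUR 150 cumulative since the last PIN / SCA
MAX_CONSECUTIVE = 5          # at most 5 exempt payments in a row


@dataclass
class CardState:
    """Per-card counters the issuer keeps since the last strong authentication."""
    count_since_sca: int = 0
    amount_since_sca: int = 0

    def reset(self) -> None:
        self.count_since_sca = 0
        self.amount_since_sca = 0


def decide(state: CardState, amount: int, suspected_misuse: bool = False) -> str:
    """Decide one contactless transaction: 'APPROVE' under the exemption,
    or 'REQUEST_PIN' when strong customer authentication is required."""
    if suspected_misuse:                                    # issuer may always demand SCA
        return "REQUEST_PIN"
    if amount > SINGLE_TX_LIMIT:                            # single-transaction ceiling
        return "REQUEST_PIN"
    if state.count_since_sca >= MAX_CONSECUTIVE:            # this would be the sixth tap
        return "REQUEST_PIN"
    if state.amount_since_sca + amount > CUMULATIVE_LIMIT:  # EUR 150 would be exceeded
        return "REQUEST_PIN"
    return "APPROVE"


def process(state: CardState, amount: int, pin_ok: Optional[bool] = None,
            suspected_misuse: bool = False) -> str:
    """Run one authorization and update the counters.

    pin_ok is the result of PIN verification when the terminal collected one
    (None when no PIN was presented)."""
    if decide(state, amount, suspected_misuse) == "APPROVE":
        state.count_since_sca += 1
        state.amount_since_sca += amount
        return "APPROVED"
    if pin_ok:                                  # SCA performed: counters start over
        state.reset()
        return "APPROVED_WITH_PIN"
    return "DECLINED"                           # PIN required but not (correctly) given


if __name__ == "__main__":
    card = CardState()
    for tap in range(1, 8):                     # constructed sample: seven EUR 10 taps
        print(tap, process(card, 10_00))        # taps 6 and 7 need a PIN, so they decline here
    print("with PIN:", process(card, 10_00, pin_ok=True))
```

Note that in the first branch the counters advance only on an exempt approval, and that a correct PIN resets both the count and the cumulative amount; a declined transaction changes nothing, which is why a terminal that does not prompt for the PIN will see repeated declines until a PIN is finally collected.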
PAYMENT TERMINAL AREA
It may appear that 18 months was long enough to implement all the changes, but the technical specifications were still being refined by the European Banking Authority (EBA) until July this year. Based on feedback from the technical community, the EBA recommended in July 2019 that national authorities allow the effective date of the PSD2 requirements to be postponed by 12 to 18 months for e-commerce. For payment terminals it was assumed that transactions are primarily authorized by PIN anyway.
Since Hungary, unlike some other EU countries, uses contactless card transactions at terminals in very large numbers, the merchant will need to have PIN authorization performed after five consecutive contactless payments, and this will happen relatively often. As mentioned, checking these counts and limits is always up to the client's card issuer; the payment terminal is only obliged to send the transaction for online processing.
Because of the very short implementation time, banks are only now implementing this in their card systems, primarily the counting and summing of consecutive contactless transactions. In the past it was not possible to distinguish between contact and contactless payments within banking systems.
Depending on the configuration of individual business cases, payment terminal operators remotely adjust the terminal software so that the PIN entry request is made automatically whenever the bank that issued the client's card requests it. Current practice shows that not all processes on the side of the issuing banks, acquirers and application gateways are aligned when these modifications are deployed. There may be cases where a transaction is declined without a specific reason, although the terminal should only have requested a PIN.
We recommend that you no longer expect the usual instant approval for low-value, one-tap payments; release the goods to the buyer only once approval has been obtained. Always check the message on the terminal and the text of the printed receipt!
In the field of eCommerce, the BORGUN payment gateway currently operates under the 3DS 1.0.2 standard, which authenticates the cardholder by SMS confirmation. According to the statement referred to above, there is a transitional period for the implementation of 3DS2.
Although a grace period is expected, BORGUN is already making changes to meet the higher security requirements of the current 3DS 2.1 standard. This includes implementing a new payment gateway that meets the requirements for a higher level of Strong Customer Authentication.
We expect the new interfaces to use 3DS2 within 2-3 months. Until then we recommend using the current 3DS 1.0.2, which works with SMS confirmation and, according to statistics, is still highly secure. This method will continue to be used in parallel for cards whose issuer is outside the EU and EEA, and for issuing banks that will not be ready for PSD2 in the near future.
We will inform you in case of any changes or new information. If you have any further questions, please use support@xxxxxxx