Payment Services Directive (PSD2) Compliance for Magento Websites

Beginning September 14, 2019, all companies that operate retail services in the United Kingdom and European Union must comply with the new Payment Services Directive (PSD2). All merchants selling in the UK and EU must implement PSD2 compliance standards on their websites and payment processing systems, including websites operating on the Magento platform.

 
Learn about Payment Services Directive (PSD2) Compliance and how it applies to your Magento website.
 

Online retailers must follow the regulatory systems in place for the countries in which they sell their products. Governing bodies often adjust these compliance requirements in the face of new consumer trends, technological innovations, and other causes.

 

Get Help With PSD2 Compliance

Need help getting your Magento website PSD2 compliant? Forix can help. Get in touch or give us a call today at 1-(800)-818-2361.

 

Countless online retailers use the Magento platform for ecommerce, and Forix can help Magento-based online retailers selling in the UK and EU implement the necessary changes for full PSD2 compliance. We can also provide recommendations for native Magento payment integrations like PayPal, Braintree, and more.

 

What Is PSD2?

 

PSD2 is a revised version of the previous Payment Services Directive in effect across the EU. As online retail becomes the preferred way for many people all across the world to shop, regulatory bodies must ensure a fair market and implement new standards to protect customers. PSD2 aims to increase transaction security when making purchases online from the UK and EU. PSD2 compliance requires the implementation of Strong Customer Authentication (SCA) measures including at least two of the following to complete a purchase:

 

  1. Something only the customer knows, such as a password or PIN number.
    Customers should create strong, unique passwords and store them safely. When choosing PIN numbers, customers should not use obvious numbers like birthdates or anniversary dates.
     
  2. A physical hardware token or phone to which only the customer has access.
    A secure mobile app or a physical hardware token like a dongle with a revolving access code can add an additional security factor for online transactions.
     
  3. Biometric security, such as facial recognition or fingerprint identification.
    Many modern laptop computers and smartphones have fingerprint scanners that individual users can register their own fingerprints with.

 

If a retail website selling in the UK or EU fails to implement these features as required, European banks may decline transactions that do not meet PSD2 requirements. However, the PSD2 guidelines may not apply to low-value and low-risk online payments or recurring payments with subscription-based online services.

 

3D Secure 2.0 and PSD2

 

The new standards for PSD2 compliance also require compliance with the new standards established by 3D Secure 2.0, implemented in 2019. 3D Secure is a robust fraud prevention protocol for online retailers that provides an additional layer of security for debit and credit card transactions. The 3D Secure 2.0 protocol uses a three-domain model:

 

  • The Issuer Domain is the bank or financial institution that issued the credit or debit card.
     
  • The Acquirer Domain is the acquiring party or merchant site into which customers enter debit or credit card information.
     
  • The Interoperability Domain is the infrastructure supporting the 3D Secure protocol or the transaction interface, usually the payment gateway the customer uses to complete a purchase.

 

3D Secure 2.0 uses secure XML messages to transmit cardholder information across an SSL connection. Different financial services have developed their own proprietary implementations of 3D Secure 2.0, such as Visa’s “Verified by Visa,” and MasterCard’s “MasterCard SecureCode.”

 

These and other 3D Secure 2.0 implementations add an additional layer of security to customer transactions, usually taking the form of a popup from the card issuer or cardholder’s bank during the transaction process. The biggest change in 3D Secure from 1.0 to 2.0 is that 2.0 does not require the customer to manually verify their identity; the card issuer can verify the transaction using contextual data the merchant’s site sends during the transaction request for 3D Secure verification.

 

What Do These Changes Mean for Merchants Using Magento?

 

Magento is an incredibly flexible ecommerce platform, and some native payment integrations like PayPal will handle PSD2 and 3D Secure 2.0 compliance measures on their end. Even so, merchants who rely on the Magento platform must implement the necessary changes for PSD2 compliance before the September 14, 2019 deadline. Magento offers compatibility with several payment extensions and native payment integrations, and many of these extensions have specific steps necessary for full PSD2 compliance.

 

Retailers selling in the EU and UK cannot afford to lose potential customers or face legal penalties from failing to implement 3D Secure 2.0 and PSD2 compliance measures. At Forix, we understand that modern ecommerce companies thrive on uptime and transactional security, and our team has the experience to assist you with PSD2 and 3D Secure 2.0 compliance at all levels.

 

 

The September 14, 2019 deadline for PSD2 compliance is quickly approaching, so contact Forix today to learn more about how we can assist with your PSD2 compliance issues.
 
 

Disclaimer: The content provided on this website is for commercial and educational purposes and is not legal advice or opinion and should not be relied upon as such. Forix does not make any claims to guarantee the accuracy or completeness of information contained on this site as all laws including PSD2 Compliance laws may change without notice at any given time. It is your responsibility to understand all laws and regulations applicable to you in regards to this.

 
 
