Understanding PSD2 & Payment Integration
Originally scheduled to come into effect from September 14th 2019, but now delayed by 18 months, the PSD2 (Payment Services Directive second revision) has created a legal framework to facilitate easier payments online.
PSD2 makes all Payment Service Providers (PSPs) responsible for applying Strong Customer Authentication (SCA) to ALL customer-initiated electronic payments, including proximity, remote and m-payments, within the European Economic Area (EEA). Not only that, if you are using saved cards on your site your integration will need to change, or the saved cards functionality will need to be disabled, in order to comply with PSD2, as saved cards are now also subject to SCA where they previously were not. The directive aims to improve security around online payments in an effort to reduce fraud by requiring the payer to be authenticated using at least two factors, each from a different category. The categories are outlined in the table below.
The reason the factors are separated into different categories is so that if one is compromised, the others are not. The choice of factors to use is decided by the individual PSPs and, whilst biometrics are an option, they are not yet widely supported across the industry, but will be in future.
This authentication is carried out using 3D Secure (3DS) - branded as Verified by Visa, MasterCard SecureCode or American Express SafeKey, depending on which card is used. You have probably come across this before, where you are sent an OTP (One Time Pin) to your phone during checkout, which you then key in to facilitate the payment. This currently only occurs on about 5% of transactions, but as SCA is expected to increase friction during checkout there are a lot of concerns about the sub-optimal shopping experience and potential dropout of customers as a result.
To help combat this, a 2nd generation of 3D Secure (3DS2) has been introduced which uses new algorithms to identify the transactions that are higher risk and require increased authentication. This means purchases that are deemed low risk will not be presented with 3DS2 at all. This should help minimise friction, meaning authentication is estimated to remain at approx. 5% of total transactions. Nevertheless, merchants whose PSPs are still running the original 3DS could see authentication required on a far greater proportion of transactions, as those transactions are not subject to the new algorithms.
Transactions that are out of scope of SCA include merchant-initiated transactions such as MOTO (Mail Order, Telephone Order), One Leg Out (where either the issuer or acquirer is outside the EEA) and anonymous transactions. Transactions that are exempt from SCA are low risk transactions, low value transactions, recurring transactions (although the initial transaction in the series will still be subject to SCA), whitelisted transactions and corporate payments.
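The two rules above (two factors from different categories, and the out-of-scope/exempt/SCA-required split) can be expressed as a small decision procedure. The following is an added example written for this article, not tradeit's or any PSP's code. Labelled assumptions: the three factor category names (knowledge, possession, inherence) are the standard EBA categories and are not named on the page; the low-value threshold is a constructed default in minor units; the lowRisk flag is assumed to come from the PSP's own 3DS2 risk scoring rather than being computed here. Real exemptions carry further conditions (cumulative limits, fraud-rate thresholds) that this example deliberately omits.

```javascript
// Added example, not tradeit's or any PSP's code: a minimal PSD2 SCA
// scope/exemption classifier following the rules listed in the article.
// Assumed (not from the page): factor category names, the default
// lowValueThreshold, and that lowRisk comes from the PSP's risk engine.

const FACTOR_CATEGORIES = new Set(['knowledge', 'possession', 'inherence']);

// SCA is satisfied only by two or more factors spanning two or more distinct
// categories, so e.g. password + PIN (both knowledge) does not qualify.
function satisfiesSca(factors) {
  const categories = new Set();
  for (const f of factors) {
    if (!FACTOR_CATEGORIES.has(f.category)) {
      throw new Error(`unknown factor category: ${f.category}`);
    }
    categories.add(f.category);
  }
  return factors.length >= 2 && categories.size >= 2;
}

// Constructed transaction shape used by this example:
//   merchantInitiated, moto, anonymous: booleans
//   issuerInEea, acquirerInEea: booleans (One Leg Out when either is false)
//   amount: minor units (pence/cents)
//   recurring: { initial: boolean } or undefined
//   lowRisk, whitelisted, corporate: booleans
function classifyTransaction(tx, opts = {}) {
  const lowValueThreshold = opts.lowValueThreshold ?? 3000; // assumed default

  // Out of scope of SCA entirely.
  if (tx.merchantInitiated || tx.moto) {
    return { result: 'out_of_scope', reason: 'merchant_initiated_or_moto' };
  }
  if (!tx.issuerInEea || !tx.acquirerInEea) {
    return { result: 'out_of_scope', reason: 'one_leg_out' };
  }
  if (tx.anonymous) return { result: 'out_of_scope', reason: 'anonymous' };

  // In scope but exempt. The first transaction of a recurring series is NOT
  // exempt; only the subsequent ones are.
  if (tx.recurring && !tx.recurring.initial) return { result: 'exempt', reason: 'recurring' };
  if (tx.whitelisted) return { result: 'exempt', reason: 'whitelisted' };
  if (tx.corporate) return { result: 'exempt', reason: 'corporate' };
  if (tx.amount <= lowValueThreshold) return { result: 'exempt', reason: 'low_value' };
  if (tx.lowRisk) return { result: 'exempt', reason: 'low_risk' };

  return { result: 'sca_required', reason: 'no_exemption_applies' };
}

// Decide whether the payment may proceed given the factors the payer
// actually presented; the factors are only consulted when SCA is required.
function authorise(tx, presentedFactors, opts) {
  const decision = classifyTransaction(tx, opts);
  const approved = decision.result !== 'sca_required' || satisfiesSca(presentedFactors);
  return { approved, ...decision };
}

// Constructed sample: a £100 e-commerce card payment with both legs in the
// EEA, where the payer presented a password (knowledge) and an SMS OTP
// (possession). No exemption applies, so SCA is required and satisfied.
const sampleDecision = authorise(
  { issuerInEea: true, acquirerInEea: true, amount: 10000 },
  [{ category: 'knowledge' }, { category: 'possession' }]
);
console.log(sampleDecision);
```

The ordering of the checks matters: scope is decided before exemptions, and the recurring check looks at whether this is the initial transaction, which is the case the article calls out as still needing SCA.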
Integrating tradeit with payment providers
There are two ways to offer multiple payment methods on your website: either integrate tradeit directly with each one, or pass through a PSP that offers Alternative Payment Methods through its interface.
Some PSPs offer over three hundred Alternative Payment Methods alongside traditional credit and debit card payment types, including e-Wallets, Invoicing, Post-Pay, Direct Debits, Pre-Payment, PayPal Online Payments, Mobile Payments and Online Bank Transfers from the likes of Apple Pay, Klarna, iDEAL, Google Pay, Samsung Pay, Android Pay, Sofort, Alipay and many others. Both integration options have pros and cons.
Direct Integration (with each payment method)
Pros:
- More flexible
- Possibly simpler as there is no 3rd party input
- Increased features/wider scope of options
- More control over the integration than passthrough
- Not beholden to a PSP
Cons:
- Multiple integrations add time/cost
- More effort to administer/multiple logins/reconciliation points
- Different transaction fees for each may add more cost
Passthrough Integration (via PSP)
Pros:
- All payments in one place. APMs via your PSP can have some benefits in terms of managing the payment (e.g. refunds), as you can view/manage payments from a single portal
- Same or simpler administration
- Easier reconciliation from one place (in theory)
- Compliance with any new regulations is handled by the PSP
- Single financial settlement services contract
Cons:
- Beholden to the PSP
- Less flexibility
- Liable for two sets of fees (PSP and APM)
- Possibly more complex integration
- Less control over the integration
- Not all payment methods work in the same way, so they have different authorisation flows which can impact your business and operating model
- The number of APMs is often limited, particularly in cheaper products
Integrations with some of the leading PSPs
tradeit is currently integrated with a number of leading Payment Service Providers and their differing products but in order to comply with the new directive, 3D Secure HAS to be enabled. Saved cards are now also subject to SCA, where previously they were not, so if you are using Saved Cards on your site your integration will need to change or the saved cards functionality will need to be disabled in order to comply with PSD2.
tradeit is directly integrated with Secure Trading's Hosted Payment Processing product. Secure Trading Payment Processing is for merchants who want a simple and easily implemented way of adding e-payment capability to their online commerce systems. Hosted Payment Processing allows you to process payments on your website by redirecting the buyer to a payment screen hosted by Secure Trading. tradeit also provides access to PayPal Online Payments and iDEAL payments through the integration with Secure Trading as well as scope for PCI-PAL.
Example of a payment page using Secure Trading's Hosted Payment Processing.
tradeit has direct integrations with two of WorldPay's products, Online Payments and Corporate Direct.
Online Payments
Example of a checkout using WorldPay Online Payments. Card details are entered on the merchant's site, but that information (along with customer and order information) is sent straight to the PSP in order to conform to the basic requirements of PCI-DSS.
Corporate Direct
Aimed at larger businesses with higher transaction levels, Corporate Direct is also an on-site payment method but uses XML for the storage and exchange of data. In the same way as Online Payments, card details are all stored directly with WorldPay, meaning this payment option also conforms to the very basic level of PCI-DSS compliance. The current integration with tradeit also provides access to PayPal Online Payments and Apple Pay. Corporate Direct has much better support than Online Payments and will support 3D Secure v2 when it launches. Corporate Direct also supports over 300 other Alternative Payment Methods.
tradeit is directly integrated with CyberSource's Secure Acceptance offering. Secure Acceptance solutions let you accept ecommerce payments securely, without the risks involved in handling payment data, enabling you to deliver seamless payment experiences to consumers. A whole range of additional payment types is also offered through their Alternative Payments Suite including online bank transfers, cash payments, e-wallet payments, and invoicing. tradeit's integration with CyberSource Secure Acceptance includes provision for PayPal Online Payments and PCI-PAL.
Secure Acceptance Checkout is a secure hosted checkout experience that collects data directly from your customers and processes their payments. Integration options include a client-side web API (SOP) and a hosted option (Web/Mobile) that supports redirection and iframe.
Silent Order Post - SOP
This method has no redirection with customers staying on your site as shown in the example below.
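The security point shared by the WorldPay Online Payments / Corporate Direct description and the Silent Order Post description above is that card details travel from the customer's browser straight to the PSP, so the merchant's own servers only ever see a token or reference and stay at the basic level of PCI-DSS scope. That design is only as good as the merchant's discipline in refusing cardholder data that arrives anyway (a mis-wired form, a customer pasting a card number into a "notes" field, a log line). The following is an added example written for this article, not tradeit's, WorldPay's or CyberSource's code: a merchant-side guard that detects PAN-like values (13 to 19 digits passing the Luhn check) in an incoming order payload, rejects the request, and produces a masked copy safe for logging. Field names, the paymentToken property and the sample payloads are constructed for the example.

```javascript
// Added example, not tradeit's, WorldPay's or CyberSource's code: a guard for
// the merchant side of a "card details go straight to the PSP" integration.
// Whatever reaches the merchant's order endpoint must carry a PSP token or
// reference, never a primary account number (PAN). Field names and payloads
// below are constructed for this example.

// Luhn check over a string of digits (the standard card-number checksum).
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// Candidate PANs: runs of 13-19 digits, optionally grouped by spaces/dashes.
// The word boundaries stop a 13-19 digit window being cut out of a longer run.
const PAN_CANDIDATE = /\b(?:\d[ -]?){12,18}\d\b/g;

function looksLikePan(value) {
  const digits = String(value).replace(/[ -]/g, '');
  return /^\d{13,19}$/.test(digits) && luhnValid(digits);
}

// Walks a JSON-like payload and returns the dotted paths of every PAN-like
// value. Order references that happen to be 16 digits are filtered out by the
// Luhn check, which keeps false positives low.
function findPanFields(payload, path = '') {
  const hits = [];
  if (payload && typeof payload === 'object') {
    for (const [key, value] of Object.entries(payload)) {
      hits.push(...findPanFields(value, path ? `${path}.${key}` : key));
    }
  } else if (typeof payload === 'string' || typeof payload === 'number') {
    const text = String(payload);
    for (const candidate of text.match(PAN_CANDIDATE) || []) {
      if (looksLikePan(candidate)) {
        hits.push(path);
        break;
      }
    }
  }
  return hits;
}

// Masks PAN-like substrings for logging, keeping only the last four digits
// (the same idea as the asterisks shown to a PCI-PAL call-centre agent).
function maskPans(text) {
  return text.replace(PAN_CANDIDATE, (match) => {
    if (!looksLikePan(match)) return match;
    const digits = match.replace(/[ -]/g, '');
    return '*'.repeat(digits.length - 4) + digits.slice(-4);
  });
}

// Merchant-side acceptance rule: reject anything carrying cardholder data and
// insist on the PSP-issued token (constructed property name: paymentToken).
function acceptOrderPayload(payload) {
  const leaks = findPanFields(payload);
  if (leaks.length > 0) {
    return { accepted: false, reason: `cardholder data present at: ${leaks.join(', ')}` };
  }
  if (typeof payload.paymentToken !== 'string' || payload.paymentToken.length === 0) {
    return { accepted: false, reason: 'missing PSP payment token' };
  }
  return { accepted: true, reason: 'ok' };
}

// Constructed sample request: a customer has pasted a card number into the
// delivery notes. The guard rejects it; the log line is masked before writing.
const sampleOrder = { paymentToken: 'tok_example', notes: 'use card 4111 1111 1111 1111' };
const sampleResult = acceptOrderPayload(sampleOrder);
console.log(sampleResult.reason, '|', maskPans(JSON.stringify(sampleOrder)));
```

Run the guard before the request body is persisted or written to any log, and treat a hit as an incident to investigate (why did card data reach this endpoint?) rather than simply a validation failure: once a PAN has been stored in the merchant environment, that system is in PCI-DSS scope regardless of how the checkout was designed.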
Hosted Checkout (Web/Mobile)
This method redirects customers to a payment page hosted by CyberSource to complete checkout.
PayPal is an acquirer, performing online money transfers as electronic alternatives to paying with traditional methods such as cheques and money orders. tradeit offers two types of direct PayPal integration, although PayPal is often enabled via other PSPs as an Alternative Payment Method as well.
PayPal Express Checkout
Payment is taken on the PayPal site, so it is PCI compliant and customers avoid lengthy form filling. Once payment is approved by the buyer, the button calls the PayPal Orders API to finalise the transaction. Whilst this is convenient for the purchaser, it's not always beneficial to the merchant, as customer details are stored with PayPal, meaning marketing, advertising and personalisation opportunities are missed.
Example of a PayPal Express Checkout.
PayPal Online Payments
PayPal Online Payments work like other PSPs. Using this method, users go through the website checkout rather than being redirected straight to PayPal from the product or basket page. This means users' details are kept by the merchant and PayPal is just selected as the payment type at checkout. Once selected, users are still redirected to PayPal to complete payment, so PCI compliance is assured.
Whilst it's not a PSP as such, PCI-PAL enables you to take secure and compliant payments through your call centre without compromising the user's security. Using DTMF (Dual Tone Multi Frequency) masking technology means customer service agents never see or hear users' personal details, including any passwords or payment card details such as the card number (PAN) or CVV. The customer uses their telephone keypad to enter card details, but only asterisks are displayed to the agent, whilst the tones are masked with a monotone beep. Once complete, the agent presses the "process card" button, which instructs the PCI-PAL app to send the transaction to the payment provider. No cardholder data enters your environment, so your PCI-DSS scope is vastly reduced.
Customer service agent's view of PCI-PAL transaction.
To learn more about enabling different payment methods on your site, get in touch.