PSD2
The Second Payment Services Directive (PSD2) is a fundamental piece of payments-related legislation in Europe, which entered into force in January 2016.
Under Article 98, Issuers are required to support regulatory technical standards (RTS) on strong customer authentication (SCA) and secure communications.
CLOWD9 supports the requirements of PSD2 by using its comprehensive Behaviours functionality to implement the controls necessary to comply with the legislation.
Please note that currently, where the Acquirer and the merchant are outside of the UK or EEA, the PSD2 rules do not apply.
There are types of transactions where the SCA rules do not apply and which are therefore considered to be exempt. Exempt transactions are:
- Instalment / Repayment
- Recurring
- Unscheduled Credential on File (CoF)
- Incremental
- Delayed Charges
- No shows
- Transport transactions and Parking Fee / unattended terminals in the following Merchant Category Codes:
  - 4111: Local and suburban commuter passenger transport, including ferries
  - 4112: Passenger Railways
  - 4131: Bus Lines
  - 4784: Tolls and Bridge Fees
  - 7523: Car parking and Meters
PSD2 and E-commerce transactions
Under the current regulations, Acquirers and Issuers are mandated by PSD2 to support a form of Strong Customer Authentication for E-commerce transactions.
In CLOWD9’s case, these rules are implemented within our integrated ACS providers.
For countries within the EU region, the E-commerce rules are implemented as follows:
Acquirer Exemption Requests - enabled and set to “ALLOW”
- Our ACS will look for the presence of the Acquirer TRA flag and, if present, will accept the
request and grant the frictionless flow.
- During implementation you can choose to apply a velocity limit to this rule which will track
the number or value of exemptions and automatically challenge the transaction after an
issuer-defined limit.
Whitelisting Rule (aka Trusted Beneficiaries) - enabled
Whitelisting enables your cardholders to identify merchants they frequently shop with and flag
them as a “trusted merchant” going forward. Transactions at whitelisted merchants will be
authenticated frictionlessly (note: each merchant whitelist is unique per-cardholder and not
maintained by the issuer).
Low Risk Rule (Issuer TRA exemption) - enabled up to PSD2 value limit
Our ACS will determine a risk score for the transaction and if this falls within a “Low Risk”
threshold, the TRA Issuer exemption will be applied to grant the frictionless 3DS flow.
This exemption can be applied on transactions valued up to the regulatory limits set by PSD2.
Low Value Payment Rule (Issuer exemption) - enabled
This rule will trigger the frictionless flow if the transaction is below the regulatory limit of €30
and if either the total cumulative spend since the last challenge is less than €100, or if the
number of transactions since the last challenge is less than 5 (whichever comes first).
Recurring Payment Rule - enabled
Transactions that are flagged as recurring by the merchant (and therefore exempt from SCA
regulation in Europe) will be authenticated frictionlessly.
Note, if this rule is disabled, Recurring Transactions will fail as they cannot be challenged
(cardholder is not present to authenticate).
Merchant-Initiated Rule (out-of-scope of SCA) - enabled
Transactions that are “merchant-initiated” (and therefore out-of-scope of SCA regulation in
Europe) will be authenticated frictionlessly.
Note, if this rule is disabled, Merchant-Initiated Transactions will fail as they cannot be
challenged (cardholder is not present to authenticate).
One-Leg Transaction Rule (out-of-scope of SCA) - enabled
This rule ensures frictionless processing of one-leg transactions (transactions where the
Acquirer is outside the EU and therefore not in-scope of SCA).
Non-Payment Authentication Rule - enabled
This rule allows 3DS transactions for non-payment use cases. For example, authenticating a
cardholder when attempting to add their card to a wallet.
For countries outside the EU region:
Low Risk Rule - enabled up to issuer-defined value limit
Our ACS will determine a risk score for the transaction and if this falls within a “Low Risk”
threshold, the transaction will be frictionless.
This exemption can be applied on transactions valued up to any desired limit as defined by the
issuer (no SCA-related restrictions apply).
Whitelisting Rule - enabled
Whitelisting enables your cardholders to identify merchants they frequently shop with and flag
them as a “trusted merchant” going forward. Transactions at whitelisted merchants will be
authenticated frictionlessly.
Outside the EU region where SCA restrictions do not apply, the issuer can add merchants to
their own whitelist (or blacklist) that affects all cardholders.
Contactless SCA
Under the current regulations, Acquirers and Issuers are mandated by PSD2 to support a form of Strong Customer Authentication for contactless transactions. The following are configurable parameters and are implemented using CLOWD9's Behaviour engine:
- A single contactless transaction must not exceed €50 (or the local currency equivalent for non-Euro Zone markets)
- The cumulative amount must not exceed €150 (or the local currency equivalent for non-Euro Zone markets)
- The number of consecutive contactless transactions since the last application of SCA must not exceed five
CLOWD9 PSD2 Authorisation Processing
Where a transaction is exempt, the standard Behaviour rules as configured for your product apply and CLOWD9 will provide the relevant response to the network for any authorization requests.
Where a transaction is not exempt and is successful, the SCA limit counters will be increased until they are triggered and an SCA-based response is triggered.
If an SCA response is triggered, CLOWD9 responds with a soft decline to the network.
The network will send the soft decline response to the merchant via their acquirer.
The soft decline will cause the terminal to request the cardholder to enter their PIN to authenticate themselves and initiate a further transaction/authorisation request subject to standard chip and PIN rules.
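The contactless limits and the soft-decline flow described above, as an added example in Python that is not CLOWD9 code. The limits and MCCs come from this page; the function names, response labels, the counter reset on a verified PIN and the treatment of an MCC match alone as sufficient for exemption are assumptions.

```python
from dataclasses import dataclass
from decimal import Decimal

# Limits and MCCs are the ones listed on this page; all names are hypothetical.
SINGLE_LIMIT = Decimal("50")        # EUR, single contactless transaction
CUMULATIVE_LIMIT = Decimal("150")   # EUR, cumulative since last SCA
COUNT_LIMIT = 5                     # consecutive contactless since last SCA
EXEMPT_MCCS = {"4111", "4112", "4131", "4784", "7523"}


@dataclass
class ScaCounters:
    """Per-card counters since the last application of SCA."""
    cumulative: Decimal = Decimal("0")
    count: int = 0


def authorise_contactless(counters, amount, mcc):
    """Return 'APPROVE' or 'SOFT_DECLINE' for one contactless request."""
    amount = Decimal(amount)
    if mcc in EXEMPT_MCCS:
        # Assumption: an MCC match alone marks the transaction exempt,
        # and exempt transactions leave the counters untouched.
        return "APPROVE"
    if (amount > SINGLE_LIMIT
            or counters.cumulative + amount > CUMULATIVE_LIMIT
            or counters.count + 1 > COUNT_LIMIT):
        return "SOFT_DECLINE"       # terminal will ask for chip and PIN
    counters.cumulative += amount   # successful, non-exempt: count it
    counters.count += 1
    return "APPROVE"


def authorise_chip_and_pin(counters, pin_verified):
    """Follow-up request after a soft decline; verified PIN counts as SCA."""
    if not pin_verified:
        return "DECLINE"
    counters.cumulative, counters.count = Decimal("0"), 0  # assumed reset
    return "APPROVE"


def replay(requests):
    """Run constructed (kind, amount, mcc_or_pin) tuples against one card."""
    counters, out = ScaCounters(), []
    for kind, amount, arg in requests:
        if kind == "contactless":
            out.append(authorise_contactless(counters, amount, arg))
        else:
            out.append(authorise_chip_and_pin(counters, arg))
    return out
```

A declined transaction does not advance the counters here, so the same card keeps receiving soft declines until a PIN-verified request resets them.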