PSD2 Security Recommendations

What you have to do and know to get ready before PSD2 goes into effect.

What is SCA?
Among the most relevant concepts introduced by PSD2 is the Strong Customer Authentication (SCA), which is simply a procedure required to check the authenticity of customers by using two factors belonging to one of the following categories:
- Something that only the customer knows, such as a password
- Something that only the customer has, such as their cell phone
- Something that only the customer is, such as their fingerprint
This dual authentication procedure is obligatory for a customer to be able to:
- access their online accounts (both via a website and app)
- initiate electronic payment transactions (a transfer, a payment to an online store, etc.)
- and/or take any action through remote channels that could entail the risk of fraud
It is important to note that there are cases where it will not be necessary to apply SCA, such as when paying with a gift card or for low-value purchases. Even so, card holders should be aware that this additional security step must be carried out more often than they have been accustomed to so far.
What does this regulation imply?
All parties involved in an e-commerce process in Europe - banks, payment service providers such as Visa or Mastercard, stores, etc. - must implement additional measures to ensure that they comply with the regulatory requirements of PSD 2.
Customers may experience changes in the way they access their accounts remotely (app or website) or in the way they make electronic payments in Europe, such as via bank transfers or physical payments with contactless cards.
And what does this mean for me as a BBVA customer?
At BBVA, we have been working for some time to adapt our high security standards to the new requirements of this directive, always with a view to maintaining a pleasant user experience for our customers. Therefore, whenever the regulation allows it, and we're confident that our security measures - "invisible" to customers - identify a transaction as not fraudulent, we won't require you to undergo the dual authentication, thus making the transaction more convenient. Whenever required by law, we will resort to dual authentication.
Let's take a look at some simple examples that will help you understand how these new requirements, designed to protect your money, will affect you.
1. A customer makes a payment online with a card:
- They go to the store's payment website as usual.
- They will be asked to enter their card details.
- As they complete the transaction, they will be asked for additional security information (called "credentials," which may be, for example, a one-time code). This information may be requested on the page itself, or via the store's mobile phone app.
- Once the credentials provided are validated, the usual screen will be displayed, confirming that the transaction has been completed successfully.
2. A customer who pays in a physical store using a Contactless Card:
- They make the payment with their card as usual
- They may be asked to enter their PIN more often than usual: when making more than five contactless payments of less than €20, or when the sum of the contactless payments exceeds €100.
3. A customer who wants to access their accounts via the website or app:
- Starting in September, when the customer enters their online banking app or website for the first time, they will be asked to provide a dual authentication factor.
- Every 90 days, or when accessing information more than 90 days old, they will encounter this strong authentication request, as required by the regulation.
- Once authenticated, they will access their accounts as usual.
Do I have to do anything?
Yes, it is important that we have your updated cell phone number, since we will use as an authentication factor a one-time password (OTP) that you will receive on your cell phone so you can access your accounts or carry out certain electronic transactions.
If your cell phone number had not been validated, meaning we're not sure that you are the one who is receiving the one-time code to authenticate that it is you who is on the other side, you won't be able to access your accounts via the website or app or make online payments.
It's easy to validate your cell phone number. You can do it at:
- Any BBVA branch, with your cell phone and DNI/NIE.
- Any BBVA ATM, with your card and cell phone.
When does PSD2 go into effect?
The PSD2 directive specified the regulatory requirements that are applicable to payment service providers. This regulation was published on November 27, 2017 and goes into effect from September 14, 2019 in all countries that are part of the European Economic Area - EEA.
Due to the complexity and impact that the application of strong authentication (SCA) to e-commerce has on consumers and businesses, a plan is being drawn up that will be validated with the national authority to determine when and how the SCA requirements laid out in the payment services regulation will go into effect.
Regardless of this, on September 14, the customers of every bank will be required to use dual authentication to access their accounts remotely (website and app).
How does PSD2 affect online stores?
Although card issuers must carry out this dual-authentication process, electronic businesses must also ensure that their online payment platform (virtual POS terminal) is able to process transactions securely, since it is possible that any payments processed in a NON-SECURE purchasing environment could be denied by the banks that issued the cards.
It is important to note that the strong authentication processes will be very beneficial for online businesses because, in addition to offering enhanced security and confidence to their customers, they reduce the potential for customer claims due to possible fraud.
Does my business have to do anything to adapt to PSD2?
Businesses may or may not have to make changes to their virtual POS terminal depending on the connection that it currently uses to process online operations. Although a plan is being drawn up that will be validated with the national authority to determine when the SCA requirements laid out in the payment services regulation will go into effect, we recommend that you make any required adjustments as soon as possible.
- If your business is redirected to a payment gateway, you don't have to do anything since BBVA will modify the configuration of your VIRTUAL POS terminal to adapt it to the technical standards when they go into effect.
- If your business connects to the payment gateway using Host-to-Host connections (such as webservice, Price, Rest), you will have to make a series of changes to your Virtual POS Terminal settings to adapt it to the new regulation. There are two ways to make these changes:
- SIMPLE OPTION: Send the operations to the Make Payments input (redirecting the user to the POS terminal), so that the gateway itself manages the authentication flow and subsequent authorization. Check the developer's manual, available here:
  Developer manual
- ADAPT YOUR HOST-TO-HOST CONNECTION: In this case, since it is you who manages the entire flow of the operation, you will have to redirect the transaction to the corresponding service at each step, based on the technical specifications that you can find in our guides.
  VIRTUAL POS terminal input/output parameters
  Installation manual for developers
  Developer manual
  One of the new features for adapting to this new scenario is the creation of a new version of the secure purchase protocol, EMV 3DS (also called 3DS 2.0), which will gradually replace the current version (3DS 1.0), and whose advantages include the option of adding more information fields to enhance the consumer authentication experience.
- If you use the services of a Payment Service Provider other than BBVA, you will have to contact said provider so that it can inform you of the necessary changes.
Are there exemptions or exclusions to the Law?
Additionally, the new law specifies certain exemptions or exclusions for SCA that will be very useful when it comes to making customer authentication processes more flexible. These cases include:
SCA EXEMPTIONS:
Although the business can propose the following exemptions, it is the entity issuing the card that may ultimately require the dual authentication of the transaction.
- Transactions for less than 30 euros
- Contactless operations for less than €50
- Transactions made at unattended parking or transport terminals.
- When the payee of the payment is included by the payer in a list of trusted payees.
- Operations identified by the payment platform as low risk: These operations have a non-fraudulent profile, since they conform to the customer's usual operations (expense patterns, made using the customer's own device, etc.).
- Frequent or periodic transactions with matching amounts and payees. In this case, a dual authentication will be required the first time
EXCLUSIONS:
The following transactions are beyond the scope of this regulation and therefore the SCA requirement:
- Those involving cards at businesses outside the European Economic Area (EEA), although the card issuer will require a dual authentication factor if it deems it necessary.
- Operations initiated by telephone, mail, or email
- Payments with anonymous cards (e.g. gift cards)
- Transactions initiated automatically by the business, such as subscriptions or payments made without the customer being present (the customer must have previously consented to these payments).
If you have any questions about PSD2, or if you are interested in using any of the SCA exemptions or exclusions provided for by law, please contact:
Business Line Soportevirtual@bbva.com
Tel. 912 983 609

What is PSD2?

PSD2 FOR YOU

PSD2 FOR YOUR ONLINE BUSINESS

What is SCA?

What does this regulation imply?

And what does this mean for me as a BBVA customer?

Do I have to do anything?

When does PSD2 go into effect?

How does PSD2 affect online stores?

Does my business have to do anything to adapt to PSD2?

Are there exemptions or exclusions to the Law?