New Card Scheme Compliance Rules: Are you Ready?

If you are merchant, it’s vital that you ensure that the technologies you use are always compliant with the latest regulations. So, how can you make this easy for you and your business?

Technology has made it easier than ever to pay for goods and services instantly no matter how much geographical distance there might be between the purchaser and the provider.

In turn, this has made it possible for merchants who would previously have served a relatively small local market to turn themselves into genuinely global businesses.

It’s easy to take this convenience and opportunity for granted, but the systems which make it possible can only exist if the payment methods and platforms being used can be trusted.

If a customer is going to shop with your business, then they have to be certain that the personal and financial details this transaction involves are completely safe.

When you partner with NOIRE you can take this security for granted – because we ensure that the payment solutions we provide are always compliant with the latest regulations. This means that as the rules around payment compliance evolve, our services evolve to keep track.

Why compliance matters

It’s easy to simply assume that the systems and platforms which we all use each and every day will be designed and built with complete security in mind, but the facts say otherwise…

Just a few of the statistics outlining data breaches which have impacted some of the largest and most renowned tech giants in the world make it plain that nobody is immune from the risks posed by a combination of cyber-crime and poor practice:

• In March 2019 Facebook admitted that it had not properly secured the passwords of as many as 600 million users
• Microsoft admitted that a data breach, which ran from January 1^st to March 28^th 2019, enabled hackers to gain access to non-corporate email accounts via the company’s customer support portal
• In November 2019, T-Mobile confirmed a data breach which impacted more than a million customers, enabling data which included details such as their billing address, phone number and account number to be hacked
• In the same month, the newly launched Disney+ streaming service was attacked by hackers – an attack which resulted in users being locked out of their accounts. Login details such as usernames and passwords were later found to be on sale on the dark web for a starting price of $3

What these examples all underline is the fact that nobody is immune from the risk of cyber-crime and data breaches, no matter how large the company and how much is being spent on cyber security. For any company smaller than Facebook and Disney (which is pretty much any company in the world), the key to avoiding the massive financial and reputational damage which can be caused by incidents of this kind, lies in working with a payment services boutique such as NOIRE, which does the hard work of staying abreast of the latest regulations on your behalf.

The risks of non-compliance

If your business suffers a data breach of any kind and is subsequently found not to be compliant with the regulations as they currently stand, then as well as the fact that you’ll lose existing customers and find it harder to attract new ones, you’ll face a range of fines and charges which vary in different parts of the world.

As an average, the fine handed out by credit and debit card companies to merchants who suffer a breach while being non-compliant can range from $5,000 to $100,000 per month, and in the longer term, continued non-compliance can lead to a merchant having the right to take payment by card revoked.

The latest regulations include 3DS2 and PSD2, and keeping completely up to date with what these new regulations involve, is something which the average merchant simply hasn’t got the time for. In simple terms, you’ve got your own business to run, and you can concentrate on doing that when you know that working with NOIRE guarantees compliance on your part.

Version 2 of 3DS

3D Secure 2.0 is the updated version of a payment authentication protocol which was originally launched by Visa as the Three Domain Secure (3DS) protocol in 1999. It was created to authenticate the identity of cardholders during what was then the newly emerging process of online shopping.

The new version is an update which has been launched with two aims:

• To increase the level of security
• To make the process as seamless and smooth as possible for the customer interacting with a merchant’s website

The three domains mentioned in the title of the protocol are the acquirer domain, which comprises the merchant and the bank the payment is made into, the issuer domain, which is the bank which originally issued the card and the interoperability domain which covers the infrastructure which underpins the protocol.

How does 3DS 2.0 work?

The first thing to note is that the protocol works in the background without in any way impacting on the process of making a payment.

When a customer enters card details at the checkout, more than 100 key data points are analysed, with the 3DS provider sending an authentication request to the issuer of the card.

Data included with this request will vary depending upon the specific market regulations in each region, but could include the device being used, previous transactions and the geographical location.

If a risk is identified using this data, the cardholder will be prompted to confirm their identity using either biometrics or two factor authentication such as a one-time password (OTP).

If the transaction is deemed to be low or zero risk, then no further action of this kind will be needed.

When you work with NOIRE the technicalities underpinning 3DS2 become less important, because we already have the technology in place. If you are a merchant working with us, every individual payment will be checked for authenticity and the business as a whole will be fully compliant with the wider regulations.

What is PSD2?

PSD2 is a European regulation which was originally launched as the Payment Service Providers Directive (PSD) in 2007.

It was intended as a means of hastening the creation of a single payment market across the European Union, making it easier for merchants to sell within 28 countries while also boosting the protection for customers.

The ‘2’ in PSD2 refers to a set of amendments which were originally introduced by the European in 2013 and which were gradually imposed between January 13^th 2018 and September 14 2019.

Many of these amendments were highly technical in nature and were driven by a desire to open the payment services provided by banks to other companies.

The aim was to increase competition within the field of payment provision at the same time as ensuring that the new Third Party Payment Service Providers (TPPs) were covered by the same level of regulation and authorisation as more traditional providers.

Innovation could therefore be encouraged without any drop in the levels of security enjoyed by merchants and customers.

Strong Customer Authentication

Strong Customer Authentication (SCA) is the name for the new layer of security put in place by PSD2.

It involves the use (as with 3DS2) of two factor authentication – meaning that a customer accessing accounts and bank operations online or via an app now has to provide extra authentication by default.

Under the new regulations the details on a card such as the number, expiration date and CVV will no longer be taken as proof that the customer making the payment is who they claim to be.

Forget about compliance?

Compliance can feel like a tick-box operation, but it is still very important. Working with us at NOIRE will mean you’re able to rely on our expertise and ensure that your business and transactions are fully compliant.

The rules regulating the vast array of payment methods now available are complex and constantly evolving. If you are a merchant, you may find that you are having to deal with shifting demands as you move into new markets, or as the law is tweaked, to keep pace with the threat of cyber-crime.

If you work with NOIRE, however, you’ll find that the tricky task of remaining fully compliant at all times and in all places is our problem and not yours, and it’s a problem we’re highly experienced at solving. Let us worry about this for you.

Like the technology around 3DS2 and PSD2, our payment provision runs seamlessly in the background while you can concentrate on the rest of your business.

Who is NOIRE?

At NOIRE, we are a leading boutique payments service provider, offering the most advanced and sophisticated payments and risk technologies to global public companies and eCommerce start-ups.

To reduce the risk of non-compliance, please get in touch with us today.