What universities and colleges need to know about compliant internet card payments


Written by Richard Marks

Published May 2019

In this article...

How much do you know about the upcoming changes for Payment Service Directive 2 (PSD2)?

Now part of UK law, PSD2 is a European directive which all finance departments need to be aware of. Of particular relevance to further and higher education institutes who offer facilities for online payments are the regulations around card payments made over the internet.

Amongst other requirements, the directive stipulates that payments initiated electronically must be secured by Strong Customer Authentication by 14 September 2019 – only four months from now.

What is Strong Customer Authentication?

Strong Customer Authentication (SCA) is essentially two-factor authentication, where in addition to entering a card or account number the payer must also be authenticated using something physical in their possession (e.g. a mobile phone or RSA token device) or something biometric (e.g. a fingerprint or facial scan).

How does SCA work?

SCA is not something that you as a merchant can provide alone; the onus is on the card issuers to provide the mechanism whilst you - the merchant - must provide access to this via your Payment Service Provider (PSP), in this case using 3D Secure. The screen displayed and the subsequent check is controlled by the card issuer.

Because the basic check, using only the password, doesn’t provide SCA, card issuers are changing the way their 3DS1 screens operate. Many issuers will now send a one-time-passcode by SMS to the payer’s mobile phone which is then entered on the 3DS1 screen. This method does then provide SCA, as it requires the payer to not only know the card number, but to also have the physical mobile phone registered to the cardholder.

Improving the customer experience

Whilst the one-time-passcode method meets SCA requirements, it’s not exactly an ideal solution from a customer journey point of view; it introduces so-called ‘friction’ to the payment process whilst also being problematic if the payer doesn’t have a registered mobile phone (where this is the case, the one-time-passcode is obtained via a landline phone).
The answer to removing this payment friction is 3D Secure 2 (3DS2), a new version of the 3D Secure process which seeks to increase security whilst at the same time providing a frictionless customer journey. The new 3DS2 process provides the card issuer with access to much more data than the current 3DS1. Up until now, issuers may have only had basic information about a transaction, in future they’ll have access to information such as the language, time zone and IP address of the payer’s device.

Better-informed decisions to prevent fraud

Using this additional data, the card issuer can make a more informed decision about whether the transaction is likely to be fraudulent. If the issuer is comfortable they have enough data, then they may bypass the SCA process altogether based upon their assessment of the risk, thus significantly reducing the friction for the payer. If the issuer decides that the transaction may be a higher risk, due to the contents of the additional data, then SCA will be requested.

With 3D Secure 2, the methods of achieving SCA are also improved: in addition to a basic SMS message, issuers can use push technology to deliver a one-time-passcode or confirmation request to the known mobile phone. Alternatively, they can use fingerprint or facial recognition to provide the SCA, again reducing friction for the payer.

Does 3D Secure 2 offer any advantages?

With many educational institutes offering a wide choice of curriculum, including colleges who offer short courses in first aid, beauty, health and safety, hospitality and interior design to name just a few, the most efficient way to receive payments is online. Which is why it’s so important not to put off prospective online enrolments by frustrating the would-be student with a clunky payment experience. No college wants to lose good business to the neighbouring educational institution because they weren’t processing the payment quickly enough.

This applies to anything which supports college or university life and their cashflow – from fees and merchandise to events and trips, you want your students to be engaged with what’s being offered and have the opportunity to pay easily, at the time they’re motivated to pay. You also want to avoid unintentionally driving students who are frustrated with the online payment to pay face to face as this is a poor use of resources and staff time, whilst also being less secure. All in all, frictionless online payments equals good business sense all round.

It’s worth knowing that at Pay360 we also offer advanced alternative payment methods such as PayPal and Visa Checkout – because these use tokenisation methods, these meet the requirement for SCA, reducing your compliance obligations and making the payment process even smoother and easier for students.

What happens now?

The deadline for SCA is 14th September 2019 and already card issuers are changing their current 3DS process, with many live with 3D Secure 2. The deadline for implementing 3D Secure 2 is end 2019 and we understand that we can expect levying of non-compliance fees from 2020.

What do educational organisations need to do next?

The simple answer, if you’re a Pay360 customer using our 3D Secure solution, is that you don’t need to do anything. As a merchant, you’re required to support both 3DS version 1 and 2 of the standards to ensure backward compatibility but these are supported by our existing platforms – no changes to your integration are needed to remain compliant with SCA or the requirement to support 3D Secure 1 and 2.

To find out more about Pay360, or if you’re interested in hearing how we can help you meet your payment compliance requirements, call us on 0333 313 7160 or fill out our contact us form.

Sign up for similar content

Receive the latest insight and tips, straight to your inbox and learn how to maximise the success of your business.