Contact us

BOOK A PRESENTATION

Trusted Merchant Listing within PSD2: An Overview

NO NAME
PSD2 requirement introduced Strong Customer Authentication (SCA) as a means of safer online payment authentication. With SCA also came SCA exemptions; scenarios that do not require an additional authentication step, allowing the cardholder to enjoy an entirely frictionless experience. A part of the exemptions is Merchant Whitelisting, a convenient feature included in the 3D Secure 2.2. upgrade.

PSD2 requirement introduced Strong Customer Authentication (SCA) as a means of safer online payment authentication. With SCA also came SCA exemptions; scenarios that do not require an additional authentication step, allowing the cardholder to enjoy an entirely frictionless experience. A part of the exemptions is Trusted Merchant Listing (TML), a convenient feature included in the 3D Secure 2.2. upgrade.

A brief overview of SCA

The latest PSD2 directive enforced Strong Customer Authentication (SCA) as an additional layer of security for online payment processing. To fight fraud, cardholders need to confirm their identity using two-factor authentication (2FA). This includes authenticating themselves using two out of three security elements:

  1. Knowledge – something the user knows (PINs and passwords)
  2. Possession – something the user owns (smartphone, mToken)
  3. Inherence – something the user is (biometrics)

This approach was not welcomed by issuers and merchants, raising concerns regarding the overall traffic impacted by the added authentication step. In the cardholder's eyes, SCA means more friction, and more friction is an inconvenience for the end-user. In order to address this issue, PSD2 also includes SCA exemptions.

SCA exemptions

SCA exempted scenarios include transactions that do not require an additional authentication step in order to process the payment. It is a clever concept for mitigating friction when applicable. The given transaction must meet specific criteria regarding the risk level and some predefined types of transactions to be classified as an exemption. SCA exemptions are the following:

  1. Low-risk transactions - Transactions that are classified as low risk based on risk assessment do not require an additional authentication step.
  2. Low-value payments (LVP) – Transactions amounting up to and equal to 30EUR are low-value transactions and are not a part of the SCA requirement.
  3. Corporate payments – Payments made by a card belonging to an entity rather than an individual are also considered to be SCA exemptions.
  4. Recurring payments - Subscriptions, loans, and similar payments with a fixed amount require SCA only for the first payment. In cases where the amount changes, SCA is necessary for each individual change.
  5. Merchant Whitelisting – If the merchant is eligible for whitelisting (approved by the issuing bank), the cardholder is able to whitelist a trusted merchant in order to skip the additional authentication step.

Introduction to Trusted Merchant Listing (TML)

Merchant Whitelisting, also known as Trusted Beneficiaries, enables cardholders to choose known merchants whom they trust in order to skip the additional authentication step and enjoy a genuinely frictionless online payment experience. Regardless of the transaction amount or merchant/issuer fraud rate, SCA is not necessary. Of course, not all merchants are eligible for whitelisting. The selection of merchants that a cardholder is able to whitelist is under the issuing bank's control. Based on preselected criteria regarding the industry type of the merchant, level of risk, and cardholder's transaction history, the issuer proposes a list of merchants eligible for whitelisting based on the cardholder's request.

How to add a merchant to a trusted list?

The process of adding a merchant to a trusted list involves transaction authentication. The cardholder who is about to make an online purchase can enroll the merchant to their trusted merchants list. This is done through the authentication interface that contains a checkbox indicating the possibility of whitelisting a particular merchant. By checking the box and applying SCA for the given transaction, both transaction and trusted listing verification are successful and PSD2 & RTS compliant.

This means that every future purchase made by the cardholder won't require SCA, i.e., unless the cardholder decides to remove the merchant from the trusted list at some point.

The cardholder is the one in control of the trusted list. Merchants have no information if they are either on the trusted list or removed from it by the cardholder. Also, merchants can't apply themselves for trust listing evaluation on the issuer side. Based on the cardholder's proposal for a particular merchant to be on the trusted list, the issuer conducts further risk evaluation and either approves or denies merchant inclusion on the eligible merchant list. 

TML Authentication Flow

Regardless of the fact that the merchant is previously listed by the cardholder, each transaction is sent for authentication. This happens because merchants have no idea if they are on the trusted list of the cardholder or not. In case the merchant was previously successfully enrolled on the cardholders trusted merchant list, and this was verified with the initial SCA necessary for TML enrollment, ACS skips risk analysis and processes a frictionless transaction.

Change of liability rules?

According to Mastercard liability rules are the following:

'' The liability shift applies to 3DS independently of the program protocol version (3DS 1.0 or EMV 3DS). If the Merchant does not support 3DS or uses Data Only (refer to section Acquirer SCA Exemptions), liability in case of fraud is with the Acquirer/Merchant. In all other cases, the Issuer is liable if no Acquirer PSD2 SCA exemption applies or if the Issuer has delegated SCA to the Merchant. If the Merchant applies an Acquirer exemption through 3DS and the Issuer accepts it, then the Merchant is liable. If the Issuer goes through SCA without accepting an Acquirer exemption, the Issuer is liable.''

Mastercard

Initial 3D Secure liability shift states that for transactions authenticated using 3D Secure, liability shifts to the issuer. The same goes for TML transactions. Since the issuer deemed a merchant eligible for trusted merchant listing, for any transaction that proves to be a fraudulent one, liability stays on the issuer side.

3D Secure 2 and Trusted Merchant Listing

3D Secure v2.2. brings a number of new features aiming to make the solution even more flexible. By introducing SCA exemptions (Trusted Merchant Listing being one of them), issuers and merchants get a sense of relief regarding SCA requirement for two-factor authentication.  Enhanced risk analysis enabled the application of SCA exemptions such as low-value payments (LVP) and Trusted Merchant Listing (TML). This results in a more user-friendly experience and makes the authentication process straightforward. A more detailed summary of EMV 3DS2 features is available in our recent blog post.

eBook: Leveraging the full potential of payment data

ASEE provides actionable advice on how to confront the high cart abandonment rates for mobile, as well as provides the tools that have the capacity to address other mCommerce challenges.

To find out more about Trides2 portfolio, contact us or visit our blog section.  

Want to learn more about cybersecurity trends and industry news?

SUBSCRIBE TO OUR NEWSLETTER

CyberSecurityhub

chevron-down linkedin facebook pinterest youtube rss twitter instagram facebook-blank rss-blank linkedin-blank pinterest youtube twitter instagram