The proliferation of mobile technologies and alternative payment channels has made it easier for consumers to make online purchases and has led to the rapid growth of e-commerce. But while digital commerce continues to gain in popularity, incidents of fraud are on the rise, as verifying customer identity in card-not-present transactions has become a real challenge.
Starting in September 2019, the EU’s Revised Payment Services Directive, also known as PSD2, will introduce new requirements and begin enforcement of Strong Customer Authentication (SCA) standards for online payments to combat fraud. The EMV 3D Secure (3DS 2) messaging protocol will be the preeminent method of complying with the PSD2 SCA requirements. In this basics guide, we’ll explain what 3DS 2 is and what benefits it brings, and help you understand what you’ll need to do to make your operations 3D Secure compliant.
What is Strong Customer Authentication (SCA) under PSD2?
In 2015, the first Payment Services Directive (PSD1) was introduced to regulate payment services and providers throughout the European Union and the European Economic Area. Since then, rapid changes in the payments sector have led the EU to upgrade the directive. The Second Payment Services Directive (PSD2) includes several articles and mandates, one of which focuses on Strong Customer Authentication (SCA). SCA stipulates two-factor authentication, which will be required for certain transactions.
Strong Customer Authentication (SCA) requires the use of at least two of the following three elements.
Until now, additional security steps, i.e. two-factor authentication, have only been required for transactions considered high risk. To keep accepting transactions after SCA is introduced in Europe in September 2019, merchants selling to European consumers will need to upgrade their authentication capabilities to support two-factor authentication or face declines. In other words, two-factor authentication will become the default for all customer-initiated transactions within Europe unless an exemption applies.
3DS 1 vs. 3DS 2
EMV Three-Domain Secure, known to merchants as 3D Secure 2 (3DS 2), is an authentication protocol introduced by EMVCo and the major card brands to help consumers authenticate their identity in card-not-present transactions by adding a further security layer.
You’ll already be familiar with 3D Secure 1, which shared data among critical stakeholders in the payments ecosystem to authenticate transactions.
3DS 2 is the latest version of this authentication protocol. Its improvements take into account the EU’s SCA regulatory requirements, the need to support new payment channels such as digital wallets, and declining conversion rates. With 3DS 2, merchants can integrate an additional security layer into their checkout process, helping them comply with the new SCA regulations and fight fraud more effectively without sacrificing the customer experience.
Whereas the 3DS 1 flow focused mainly on a simple challenge (entering a code on a static web page, SMS authentication, etc.), 3DS 2 facilitates a far richer data exchange between merchants, cardholders and issuers to achieve more accurate authentication. Merchants can have transactions verified via the customer’s issuing bank instead of the customer needing to remember a PIN or being redirected to another web page. The result is a more frictionless payment experience, although in some cases a challenge may still be required to verify the user’s identity. Compare the two flows below for a clearer picture of the difference:
Rules have exemptions, and 3DS 2 is no different
Some transactions will be exempt from the 3DS 2 protocol. These cases include:
- Low-value transactions - Transactions of less than 30 EUR each, with no more than five such transactions allowed in a row. If the total amount on a single card exceeds 100 EUR within 24 hours, SCA will be required.
- Low-risk transactions - A transaction is considered low risk if it passes the acquirer’s real-time risk assessment and is approved by the issuer on a case-by-case basis.
- Whitelisted merchants (or trusted beneficiaries) - After an initial authentication, customers can whitelist any merchant they deem trustworthy. Once a merchant is whitelisted, most subsequent authentication steps are no longer required.
- Mail order and telephone orders - Card data collected from customers by mail or over the telephone.
- Recurring transactions/subscriptions and merchant-initiated transactions - Subscription-based services with recurring payments of the same or varying value. However, the customer’s first payment will still require authentication.
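The exemption rules above, as an added Python example that is not from the original article or from any payment provider’s code: a hypothetical decision function that applies the page’s thresholds (under 30 EUR per transaction, at most five in a row, no more than 100 EUR per card in 24 hours) to a per-card state, and records why each payment was exempted or challenged. The field names, the constructed sample payments, and the assumption that a completed challenge resets the low-value counters are the example’s own.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Tuple

LOW_VALUE_LIMIT_EUR = 30.0        # each exempt transaction must be below 30 EUR (as stated on the page)
LOW_VALUE_MAX_CONSECUTIVE = 5     # at most five low-value exemptions in a row
LOW_VALUE_CUMULATIVE_EUR = 100.0  # more than 100 EUR on one card within 24 h forces SCA
CUMULATIVE_WINDOW = timedelta(hours=24)

@dataclass
class CardState:
    """Per-card counters a merchant or PSP would persist between payments (hypothetical)."""
    consecutive_low_value: int = 0
    low_value_history: List[Tuple[datetime, float]] = field(default_factory=list)
    first_payment_authenticated: bool = False  # needed before recurring instalments are exempt
    merchant_whitelisted: bool = False         # cardholder named this merchant a trusted beneficiary

@dataclass
class Payment:
    amount_eur: float
    at: datetime
    moto: bool = False       # card data taken by mail or telephone
    recurring: bool = False  # subscription / merchant-initiated instalment
    low_risk: bool = False   # passed acquirer TRA and accepted by the issuer

def _challenge(s: CardState, reason: str) -> Tuple[bool, str]:
    """SCA is required; assumes the challenge succeeds, which resets the low-value counters."""
    s.consecutive_low_value = 0
    s.low_value_history.clear()
    s.first_payment_authenticated = True
    return True, reason

def decide(p: Payment, s: CardState) -> Tuple[bool, str]:
    """Return (sca_required, reason), applying the article's exemptions and updating counters."""
    if p.moto:
        return False, "mail order / telephone order"
    if p.recurring:
        if s.first_payment_authenticated:
            return False, "recurring payment after an authenticated first payment"
        return _challenge(s, "first payment of a recurring series")
    if s.merchant_whitelisted:
        return False, "trusted beneficiary"
    if p.low_risk:
        return False, "low-risk transaction (acquirer TRA, accepted by issuer)"
    # Low-value exemption: drop history older than 24 h, then test all three limits together.
    s.low_value_history = [(t, a) for t, a in s.low_value_history if p.at - t < CUMULATIVE_WINDOW]
    cumulative = sum(a for _, a in s.low_value_history) + p.amount_eur
    if (p.amount_eur < LOW_VALUE_LIMIT_EUR and cumulative <= LOW_VALUE_CUMULATIVE_EUR
            and s.consecutive_low_value < LOW_VALUE_MAX_CONSECUTIVE):
        s.consecutive_low_value += 1
        s.low_value_history.append((p.at, p.amount_eur))
        return False, "low-value transaction"
    return _challenge(s, "no exemption applies")
```

Feeding a sequence of small payments through `decide` shows the sixth consecutive one, or the one that pushes the 24-hour total past 100 EUR, being routed to a challenge while the others stay frictionless.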
6 benefits 3DS 2 brings to merchants
Harnessing 3DS 2 delivers several benefits for merchants. These include:
- 3DS 2 helps merchants comply with the new SCA mandates, which stipulate two-factor authentication as a requirement for all electronic payments. If you have a large number of customers in Europe, adopting 3DS 2 is a necessity to continue operating.
- 3DS 2 protects operations with robust security and helps to detect and prevent fraud.
- 3DS 2 provides a better customer experience. Frictionless customer identification can shorten the checkout process and reduce cart abandonment.
- 3DS 2 improves approval rates, as authentication is quick and can take place on the same page.
- 3DS 2 allows authentication flows to be built natively into apps or websites.
- 3DS 2 helps to shift liability away from the merchant (the issuing bank assumes the risk).
We hope the information above helps to shed some light on 3DS 2 and demystify the fears surrounding it. Stay tuned for more information coming soon.