The changes brought on by 3DS2 and PSD2 protocol have left businesses with many unanswered questions. Our team has researched the top questions asked by merchants and answered them.
3DS stands for 3D-Secure authentication service, a secure protocol that protects and secures online purchasing transactions. This allows customers to securely process payments without an increased risk of liability of fraudulent payments to the card issuer.
PSD2 is the second Payment Services Directive, administered by the European Commission (Directorate General Internal Market) to regulate payment services and payment service providers throughout the European Union (EU) and European Economic Area (EEA). It is designed to promote safer payment services for the EU single market establishment, and to create an efficient and secure payment service within the EU. With it comes the enforcement of Strong Customer Authentication (SCA).
SCA is a regulation that promotes better authentication of online payments across Europe. Its focus is to better authenticate user identity during bank transactions to reduce fraudulent transactions and to increase confidence in online services. As part of PSD2, it applies to all authentication services to secure transactions across all technological devices.
PSD2 went into full effect on 14 September 2019, but due to delays in the implementation, the European Banking Authority allowed for a time extension of the strong customer authentication.
⇑ Back to top
Watch our Webinar “PSD2 – What merchants need to know” – a joint webinar by SafeCharge, a Nuvei company and Visa
If you operate a business in Europe or if your customers are based in the EU, there is no doubt that you are wondering and most probably worrying about Payment Services Directive 2 (PSD2), its implications on your business and if you are prepared.
This informative session discusses the opportunities and challenges that the Directive presents. The webinar has been designed to provide merchants with a deeper understanding of PSD2, SCA/3DS 2.0/MPI through our expert panel including Visa representatives.
3D Secure 1.0 (3DS1) was a protocol established by Visa and MasterCard that promotes two-way authentication for transactions. It was created primarily as a means to authenticate transactions on desktop browsers.
The new version of protocol, 3D Secure 2.0 (3DS2) has expanded to all major card networks and is accessible through more devices and platforms, including integration with a mobile number that uses a secure passcode for transaction verification.
3DS1 and 3DS2 were in co-existence for several years before a full transition was rolled out to 3DS2, however the former method isn’t compatible with many modern technologies in existence today. 3DS2 integrates seamlessly with modern technologies and allows for improved authentication methods.
Designed to enable a better user experience and minimise the impact on conversions, 3DS2 will be the primary method to comply with PSD2 SCA requirements. As with the earlier version, with 3DS2 authentication, the liability for fraudulent transactions shifts to the card issuer.
Some enhancements of 3DS2 compared to 3DS1 include:
- An improved user experience with mobile purchases
- Secure authentication in checkout through browsers and mobile applications
- Collection of intricate data to identify any risks or fraudulent activity in transactions
- Reducing unauthenticated payment risks
SCA will make online financial transactions safer through enhanced verification. The days when online customers were using static (and easy to share and steal) code to authenticate with their issuing bank will disappear. Instead, in some cases, customers will be required to perform Strong Authentication through their card issuing bank which will collect two of the following three categories of information from them:
- Who the customer is: This can be a fingerprint, facial features, DNA signature, or voice patterns.
- What the customer knows: This can be a password, sequence, PIN, pass phrase, or even a personal fact, like the name of your first pet.
- What the customer has: This can be a mobile phone, badge, token, wearable device, or smart card.
Instead of only using a password, customers may be requested to go through one of the following authentication flows:
A ‘two-factor’ authentication that will ask the user to provide a code sent via email or SMS.
A biometric authentication that will enable the user to use their fingerprint or face in the issuing bank app. These authentication flows provide handy alternatives to passwords that are easily forgotten. By making life easier for customers, businesses also lower the risk of them abandoning their purchase halfway through the security process.
3DS2 follows a risk-based authentication process to determine whether a transaction should be challenged. The risk level is calculated by intelligent use of data collected during the transaction, such as device information, time zone and various other parameters. If authentication can be achieved with the data collected in the background, the transaction is processed without requesting any additional information from the customer.
However, if there are risks associated with the transaction, authentication will move on to the extra steps or the ‘challenge flow’. Users will be able to use advanced authentication methods such as biometric information.
Unlike with 3DS1, businesses can use an iframe to implement the request for authentication on the same page without redirection. That means customers are not redirected and enjoy a better check-out experience.
To support businesses in maximising their conversions after the enforcement of SCA, SafeCharge will enable dynamic implementation of 3D Secure 2.0. This means taking real-time intelligent decisions about whether to take or not to take advantage of SCA exemptions and push for higher conversion.
The Payment Services Directive is regulated and compliant with 3DS2 to allow for strong customer authentication (SCA), increase approval rates of transactions and is adaptable to changing technology.
At this time, there is no hard evidence that conversions will be reduced. SafeCharge believes the optimum approach is to seek exemptions only where we believe the transaction does not pose a significant risk of fraud and where we do not believe the issuer will exempt the transaction without our exemption.
Not every transaction will be subject to SCA. For example, low-risk and low-value transactions worth less than 30 EUR are exempt. But if low risk payments adding up to over 100 EUR are made on the card, or more than five consecutive transactions take place, SCA will apply. For low-risk transaction exemptions, the risk of a transaction is based on the average fraud levels of the card issuer and the acquirer processing the transaction.
There are many other exemptions, including:
- Mail orders and telephone orders: which are not classified as electronic payments.
- Corporate cards: which are issued to companies and used for business purposes.
- Whitelisted merchants: who are chosen by customers and placed on a special list overseen by their bank.
- Inter-regional transactions: where the card’s acquirer or issuer isn’t based in Europe.
- Recurring transactions and subscriptions worth a set amount will be exempt after the first payment is made according to SCA regulations. If the amount changes though, 3D Secure 2.0 must be used.
Merchants with 3DS enabled are no longer liable for card disputes where the issuer has confirmed the shopper’s identity. In the event of a successful authentication of an end-user transaction, the merchant receives full chargeback protection. Instances where a transaction would have previously been considered fraudulent, the authorized issuer assumes liability instead of the merchant.
Merchants will always receive protection from liability chargebacks for fully authenticated transactions. This is expected for any other 3D secure versions. As with the earlier version, with 3D Secure 2.0 authentication, the liability for chargebacks due to fraud reasons shifts to the card issuer. However, note that chargebacks due to service or technical reasons are excluded from any liability shift and merchants remain liable for those.
This transactional data forms the base of Transactional Risk Analysis (TRA). TRA is a fraud analysis strategy that observes and analyses components that form part of a transaction to identify and block fraudulent behaviors.
3DS introduced TRA through algorithms built to detect spending, purchasing and behavior patterns of the cardholder. As part of risk fraud analysis operations, it also analyses location information and real-time fraud rates within e-commerce transactions.
Choose an integration solution based on your business requirements. SafeCharge helps you reduce 3DS complexity while ensuring compliance to PCI and PSD2.
Businesses that need higher levels of customisation and require complete control over the UX and UI can opt for SafeCharge’s Rest API integration. It provides a deeper level of integration for developers and businesses that choose to implement 3DS2 to manage payment authentication across several acquirers. It’s ideal for large businesses that need greater control and have the resources to manage a more complex integration process.
|HOSTED PAYMENT PAGE (HPP)||SafeCharge’s hosted payment page offers end-to-end payments functionality that includes tokenization and 3DS authentication services, with standard or customised UI/UX, designed to work with any country’s regulation flows.
We handle PCI scope, regulation and mandate requirements- so you focus on your business.
Merchants will be required to provide data to issuers for high-quality data analysis to ensure an effective experience and a probable higher rate of authorized transactions. Merchants should also identify those providers who have a good track record of preventing fraud. This will help allow smoother transactions and convenient payment options with limited challenges.
The new regulations are complex, and we know that there may be many more questions that you may have. Please feel free to contact your account manager or get in touch with us. We’ll be happy to help you.