EVERYTHING YOU NEED TO KNOW ABOUT 3DS2, PSD2 AND SCA

The changes brought on by 3DS2 and PSD2 protocol have left businesses with many unanswered questions. Our team has researched the top questions asked by merchants and answered them.

  • What are 3DS, PSD2 and SCA?
  • Watch our webinar “PSD2 – What merchants need to know” – a joint webinar by SafeCharge, a Nuvei company and Visa
  • How is 3DS2 different from 3DS1?
  • How will Strong Customer Authentication be supported by 3DS2?
  • How will 3DS2 enable a frictionless customer authentication?
  • How would the changes affect merchants?
  • Will the conversions take a big hit? What can SafeCharge do about it?
  • What are SCA exemptions?
  • Why don’t all merchants use 3D Secure?
  • What is the chargeback liability shift?
  • With 3DS, can a merchant expect to never have a chargeback again?
  • What is Transaction Risk Analysis (TRA)?
  • What are the integration options?
  • Will the integration require extensive development or reorganisation of the existing payment infrastructure?
  • What can merchants do to be prepared for PSD2 and SCA?

WHAT ARE 3DS, PSD2 AND SCA?

3DS stands for 3D-Secure authentication service, a secure protocol that protects and secures online purchasing transactions. This allows customers to securely process payments without an increased risk of liability of fraudulent payments to the card issuer.

PSD2 is the second Payment Services Directive, administered by the European Commission (Directorate General Internal Market) to regulate payment services and payment service providers throughout the European Union (EU) and European Economic Area (EEA). It is designed to promote safer payment services for the EU single market establishment, and to create an efficient and secure payment service within the EU. With it comes the enforcement of Strong Customer Authentication (SCA).

SCA is a regulation that promotes better authentication of online payments across Europe. Its focus is to better authenticate user identity during bank transactions to reduce fraudulent transactions and to increase confidence in online services. As part of PSD2, it applies to all authentication services to secure transactions across all technological devices.

PSD2 went into full effect on 14 September 2019, but due to delays in the implementation, the European Banking Authority allowed for a time extension of the strong customer authentication.


Watch our Webinar “PSD2 – What merchants need to know” – a joint webinar by SafeCharge, a Nuvei company and Visa

If you operate a business in Europe or if your customers are based in the EU, there is no doubt that you are wondering and most probably worrying about Payment Services Directive 2 (PSD2), its implications on your business and if you are prepared.

This informative session discusses the opportunities and challenges that the Directive presents. The webinar has been designed to provide merchants with a deeper understanding of PSD2, SCA/3DS 2.0/MPI through our expert panel including Visa representatives.

HOW IS 3DS2 DIFFERENT FROM 3DS1?

3D Secure 1.0 (3DS1) was a protocol established by Visa and MasterCard that promotes two-way authentication for transactions. It was created primarily as a means to authenticate transactions on desktop browsers.

The new version of the protocol, 3D Secure 2.0 (3DS2), has been adopted by all major card networks and is accessible through more devices and platforms, including integration with a mobile number that uses a secure passcode for transaction verification.

3DS1 and 3DS2 co-existed for several years before the full transition to 3DS2 was rolled out; however, the older method isn’t compatible with many modern technologies in use today. 3DS2 integrates seamlessly with modern technologies and allows for improved authentication methods.

Designed to enable a better user experience and minimise the impact on conversions, 3DS2 will be the primary method to comply with PSD2 SCA requirements. As with the earlier version, with 3DS2 authentication, the liability for fraudulent transactions shifts to the card issuer.

Some enhancements of 3DS2 compared to 3DS1 include:

  • An improved user experience with mobile purchases
  • Secure authentication in checkout through browsers and mobile applications
  • Collection of intricate data to identify any risks or fraudulent activity in transactions
  • Reduced risk from unauthenticated payments

HOW WILL STRONG CUSTOMER AUTHENTICATION BE SUPPORTED BY 3DS2?

SCA will make online financial transactions safer through enhanced verification. The days when online customers were using static (and easy to share and steal) code to authenticate with their issuing bank will disappear. Instead, in some cases, customers will be required to perform Strong Authentication through their card issuing bank which will collect two of the following three categories of information from them:

  • Who the customer is: This can be a fingerprint, facial features, DNA signature, or voice patterns.
  • What the customer knows: This can be a password, sequence, PIN, pass phrase, or even a personal fact, like the name of your first pet.
  • What the customer has: This can be a mobile phone, badge, token, wearable device, or smart card.

Instead of only using a password, customers may be requested to go through one of the following authentication flows:

  • A ‘two-factor’ authentication that will ask the user to provide a code sent via email or SMS.
  • A biometric authentication that will enable the user to use their fingerprint or face in the issuing bank app.

These authentication flows provide handy alternatives to passwords that are easily forgotten. By making life easier for customers, businesses also lower the risk of them abandoning their purchase halfway through the security process.

HOW WILL 3DS2 ENABLE A FRICTIONLESS CUSTOMER AUTHENTICATION?

3DS2 follows a risk-based authentication process to determine whether a transaction should be challenged. The risk level is calculated by intelligent use of data collected during the transaction, such as device information, time zone and various other parameters. If authentication can be achieved with the data collected in the background, the transaction is processed without requesting any additional information from the customer.

However, if there are risks associated with the transaction, authentication will move on to the extra steps or the ‘challenge flow’. Users will be able to use advanced authentication methods such as biometric information.

Unlike with 3DS1, businesses can use an iframe to implement the request for authentication on the same page without redirection. That means customers are not redirected and enjoy a better check-out experience.

HOW WOULD THE CHANGES AFFECT MERCHANTS?

To support businesses in maximising their conversions after the enforcement of SCA, SafeCharge will enable dynamic implementation of 3D Secure 2.0. This means making real-time, data-driven decisions about whether or not to claim an SCA exemption for each transaction, in order to push for higher conversion.

3DS2 is aligned with the Payment Services Directive: it supports strong customer authentication (SCA), helps increase transaction approval rates, and is adaptable to changing technology.

WILL THE CONVERSIONS TAKE A BIG HIT? WHAT CAN SAFECHARGE DO ABOUT IT?

At this time, there is no hard evidence that conversions will be reduced. SafeCharge believes the optimum approach is to seek exemptions only where we believe the transaction does not pose a significant risk of fraud and where we do not believe the issuer will exempt the transaction without our exemption.

WHAT ARE SCA EXEMPTIONS?

Not every transaction will be subject to SCA. For example, low-risk and low-value transactions worth less than 30 EUR are exempt. But if the low-risk payments on a card add up to more than 100 EUR, or more than five consecutive such transactions take place, SCA will apply. For low-risk transaction exemptions, the risk of a transaction is based on the average fraud levels of the card issuer and of the acquirer processing the transaction.

There are many other exemptions, including:

  • Mail orders and telephone orders: which are not classified as electronic payments.
  • Corporate cards: which are issued to companies and used for business purposes.
  • Whitelisted merchants: who are chosen by customers and placed on a special list overseen by their bank.
  • Inter-regional transactions: where the card’s acquirer or issuer isn’t based in Europe.
  • Recurring transactions and subscriptions worth a set amount will be exempt after the first payment is made according to SCA regulations. If the amount changes though, 3D Secure 2.0 must be used.
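As an added illustration (not SafeCharge’s code and not any issuer’s actual decision logic), the low-value exemption rules described above can be expressed as a per-card counter in Python. It assumes that the issuer’s counters reset after each successful SCA, and it models only the low-value exemption, not the fraud-rate-based low-risk (TRA) exemption or the other exemptions listed.

```python
# Added example (not SafeCharge code): simulation of the PSD2 low-value
# exemption counters described above. Amounts are in euro cents.
from dataclasses import dataclass

LOW_VALUE_LIMIT = 30_00    # page: single payments below 30 EUR may be exempt
CUMULATIVE_LIMIT = 100_00  # page: exempt payments adding up to over 100 EUR trigger SCA
MAX_CONSECUTIVE = 5        # page: more than five consecutive exempt payments trigger SCA


@dataclass(frozen=True)
class CardCounters:
    """Per-card state the issuer tracks (assumption: it resets after each SCA)."""
    cumulative: int = 0    # cents exempted since the last SCA
    consecutive: int = 0   # exempt transactions in a row since the last SCA


def low_value_decision(state: CardCounters, amount: int) -> tuple[str, CardCounters]:
    """Return ("exempt" | "sca", new_state) for one transaction on this card."""
    if amount <= 0:
        raise ValueError("amount must be a positive number of cents")
    if amount >= LOW_VALUE_LIMIT:
        # Not a low-value payment at all: SCA applies and the counters start over.
        return "sca", CardCounters()
    if state.consecutive >= MAX_CONSECUTIVE or state.cumulative + amount > CUMULATIVE_LIMIT:
        # Either the sixth consecutive exempt payment, or the cumulative cap would be crossed.
        return "sca", CardCounters()
    return "exempt", CardCounters(state.cumulative + amount, state.consecutive + 1)


def simulate(amounts: list[int]) -> list[str]:
    """Run a sequence of payments on one card and return the decision for each."""
    state = CardCounters()
    decisions = []
    for amount in amounts:
        decision, state = low_value_decision(state, amount)
        decisions.append(decision)
    return decisions


if __name__ == "__main__":
    # Constructed sample: six 25 EUR payments; the cumulative cap is hit on the fifth.
    print(simulate([25_00] * 6))  # ['exempt', 'exempt', 'exempt', 'exempt', 'sca', 'exempt']
```

In practice the acquirer only requests the exemption; the issuer keeps the authoritative counters and can still decide to challenge, so a mirror like this is useful for predicting outcomes, not for guaranteeing them.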

WHY DON’T ALL MERCHANTS USE 3D SECURE?

Merchants adopt 3D Secure when requiring an extra layer of security for transactions. Using 3D secure isn’t mandatory for transactions apart from those conducted in the European Economic Area (EEA).

WHAT IS THE CHARGEBACK LIABILITY SHIFT?

Merchants with 3DS enabled are no longer liable for card disputes where the issuer has confirmed the shopper’s identity. In the event of a successful authentication of an end-user transaction, the merchant receives full chargeback protection. In instances where a transaction would previously have been treated as fraudulent, the card issuer assumes liability instead of the merchant.

WITH 3DS CAN A MERCHANT EXPECT TO NEVER HAVE A CHARGEBACK AGAIN?

Merchants will always receive protection from chargeback liability for fully authenticated transactions. This applies to every 3D Secure version. As with the earlier version, with 3D Secure 2.0 authentication, the liability for chargebacks due to fraud shifts to the card issuer. However, note that chargebacks due to service or technical reasons are excluded from any liability shift, and merchants remain liable for those.

WHAT IS TRANSACTION RISK ANALYSIS (TRA)?

The 3DS2 protocol states that transaction data will always be shared.

This transactional data forms the base of Transactional Risk Analysis (TRA). TRA is a fraud analysis strategy that observes and analyses components that form part of a transaction to identify and block fraudulent behaviors.

3DS introduced TRA through algorithms built to detect spending, purchasing and behavior patterns of the cardholder. As part of risk fraud analysis operations, it also analyses location information and real-time fraud rates within e-commerce transactions.

WHAT ARE THE INTEGRATION OPTIONS?

Choose an integration solution based on your business requirements. SafeCharge helps you reduce 3DS complexity while ensuring compliance with PCI and PSD2.

WEB SDK

SafeCharge’s Web SDK offers a simple yet robust set of JavaScript libraries. With our Web SDK, businesses get end-to-end payment functionality that includes tokenisation, the 3DS authentication service and more, combining speed, simplicity and security. It offers complete control of the user experience, with the ability to customise and style the UI however you like. Our Web SDK also offers peace of mind by keeping your business outside of PCI scope.

  • Simple and quick integration
  • Complete control over UI and UX
  • PCI compliant solution
  • Advanced payment functionality

REST API

Businesses that need higher levels of customisation and require complete control over the UX and UI can opt for SafeCharge’s Rest API integration. It provides a deeper level of integration for developers and businesses that choose to implement 3DS2 to manage payment authentication across several acquirers. It’s ideal for large businesses that need greater control and have the resources to manage a more complex integration process.

  • High levels of customisation for experienced developers
  • Control over the integration workflow
  • Can be used in combination with other solutions
  • Acquirer agnostic

HOSTED PAYMENT PAGE (HPP)

SafeCharge’s hosted payment page offers end-to-end payments functionality that includes tokenisation and 3DS authentication services, with standard or customised UI/UX, designed to work with any country’s regulation flows. We handle PCI scope, regulation and mandate requirements, so you can focus on your business.

  • No integration needed, option to provide additional parameters for additional security
  • Full localisation (including regulatory)
  • Full 3DS version 2 support
  • Storage of card and alternative payment method credentials

WILL THE INTEGRATION REQUIRE EXTENSIVE DEVELOPMENT OR REORGANISATION OF THE EXISTING PAYMENT INFRASTRUCTURE?

SafeCharge will guide you through the process to ensure you are prepared for SCA and the upgrade to 3DS2.

WHAT CAN MERCHANTS DO TO BE PREPARED FOR PSD2 AND SCA?

Merchants will be required to provide data to issuers for high-quality data analysis, to ensure an effective experience and a likely higher rate of authorised transactions. Merchants should also identify those providers who have a good track record of preventing fraud. This will help allow smoother transactions and convenient payment options with limited challenges.

The new regulations are complex, and we know that there may be many more questions that you may have. Please feel free to contact your account manager or get in touch with us. We’ll be happy to help you.

SafeCharge Limited is an Electronic Money Institution authorised and regulated by the Central Bank of Cyprus and is a principal member of Mastercard, Visa and Unionpay International (CUP). SafeCharge Financial Services Limited is authorised and regulated by the Financial Conduct Authority as a Payment Institution. Both SafeCharge companies are wholly owned by SafeCharge International Group Limited.