Even if the European Banking Authority has granted regulators in individual European countries a longer transition period, the EU’s Payment Services Directive (PSD) will shortly be replaced by PSD2 (effective: 14 September 2019), ensuring Strong Customer Authentication (SCA) for credit and debit card transactions across the EU. We would like to take this opportunity to outline what this means for our payment ecosystem and by extension for our customers, mainly by focusing on the introduction of the 3-D Secure 2 (3DS2) standard.
The second European Payment Services Directive (PSD2) is a European directive which came into force across the European Economic Area (EEA) on January 13, 2018. PSD2 was established to drive payments innovation and data security by reducing competitive barriers, mandating new security processes and encouraging standardized technology to protect the confidentiality and integrity of payment service users’ personalized security credentials. PSD2 requires banks to support Open APIs to enable consumers to make payments directly from their bank accounts via newly-regulated third-party payment service providers. The primary focus of this document is the introduction of the Regulatory Technical Standards (RTS) around strong customer authentication (SCA). These standards will come into effect on September 14, 2019.
The SCA introduced with PSD2 will provide even greater fraud prevention for online payments. For this to apply, both the card owner’s bank and the vendor’s payment service processor need to be based in the EU. During the online purchase, SCA is used to determine the identity of the customer and authentication is carried out using two factors. The 3-D Secure 2 (3DS2) standard was introduced for card payments, which – depending on the card provider – requires security checks such as “Visa Secure” (previously known as “Verified by Visa”), “Mastercard Identity Check” and “American Express SafeKey”. Transactions that do not adhere to the new authentication directive can be rejected by the issuing bank of the customer. Transferring the information provided in predefined fields allows real-time transaction monitoring and risk analysis at the acquirer.
At the heart of the new EU directive are “seamless and safe payments” for card-based transactions (e.g. via VISA, Mastercard etc.). Exceptions include, among others, transactions with a value of less than 30 euros, recurring transactions (e.g. membership fees), MoTo transactions (payments made via mail or telephone order), as well as payments where the acquirer of the card or the issuer are not based in the EU.
3D-Secure 2 means merchants are facing large challenges regarding the transfer of data required for a seamless checkout. We are excited and proud that after months of work on the integration and intensive coordination with card schemes like VISA and Mastercard, the transition will be kept as simple as possible for our vendors. This solution allows our customers to secure transactions via 3DS independent of the acquirer.
The shopping experience when using 3DS1 was very inflexible. Each customer needed to go through an authentication process that involved being forwarded to a security form in a new browser window or iFrame. Furthermore, these forms were not adapted to meet the requirements of modern web applications and web shops. On the one hand, 3-D Secure 2 opens up the opportunity for “frictionless flows” (meaning no forwarding is required); on the other hand, it makes it easier for vendors to control the security forms. For example, the desired size of the iFrame can be defined, or a dedicated 3D-Secure SDK can be integrated in mobile apps. This provides seamless integration with vendors’ native apps, resulting in higher conversion rates and better protection against fraud.
There are several benefits to merchants, issuers and shoppers as a result of 3-D Secure V2. Broadly, the changes ensure a streamlined customer journey with fewer friction points to reduce the high rate of shopping cart abandonment from 3-D Secure V2. These enhancements include:
In response to industry uncertainty and unreadiness for the September 14, 2019 strong customer authentication (SCA) deadline, the European Banking Authority (EBA) has issued an opinion paper. The EBA concludes that the national competent authority (NCA) of each European country may work with merchants and payment service providers to “provide limited additional time” for issuers, acquirers and merchants to migrate to SCA-compliant solutions.
However, the EBA opinion does not specify what form this migration plan should take. Furthermore, the delegation of this responsibility to each region’s NCA is likely to result in a divergent European regulatory environment that poses challenges to organizations operating internationally.
In light of this, AllSecure with its partners supports the recommendation of the European Association of Payment Service Providers for Merchants (EPSM). The EPSM have proposed that extended timeframes should be harmonised across all regions affected by this regulation. Mastercard have similarly called on NCAs to agree on ‘collective migration plans [based on] a harmonized European roadmap.’
Until confirmation has been received on the process merchants should follow to request an extension, we still recommend that customers work towards meeting SCA requirements in advance of September 14, 2019.
Instructions for Exchange Payments Gateway customers on upgrading to 3-D Secure 2 are available now on the developer portal. 3D Secure 2.0 offers many more options for identifying your customer. Generally, there are 2 possible authentication flows available:
Depending on the data provided, the card issuing bank determines which flow to apply. In the frictionless flow, no further customer interaction is required; in the challenge flow, the customer will be redirected to their bank’s authentication page (as with 3D Secure 1.0). The Gateway automatically handles any necessary data exchanges and redirects. The transaction response will only ask your system once to redirect the customer.
To improve your chances of qualifying for the frictionless flow, you should transmit as much 3D Secure related data as you have. Refer to 3-D Secure 2 Fields for detailed field documentation.