Even though the European Banking Authority has granted regulators in individual European countries a longer transition period, the EU’s Payment Services Directive (PSD) will shortly be replaced by PSD2 (effective: 14 September 2019), mandating Strong Customer Authentication (SCA) for credit and debit card transactions across the EU. We would like to take this opportunity to outline what this means for our payment ecosystem and, by extension, for our customers.
The second European Payment Services Directive (PSD2) is a European directive which came into force across the European Economic Area (EEA) on January 13, 2018. PSD2 was established to drive payments innovation and data security by reducing competitive barriers, mandating new security processes and encouraging standardized technology to protect the confidentiality and integrity of payment service users’ personalized security credentials. PSD2 requires banks to support Open APIs to enable consumers to make payments directly from their bank accounts via newly-regulated third-party payment service providers. The primary focus of this document is the introduction of the Regulatory Technical Standards (RTS) around strong customer authentication (SCA). These standards will come into effect on September 14, 2019.
The SCA introduced with PSD2 will provide even greater fraud prevention for online payments. For it to apply, both the card holder’s bank and the vendor’s payment service processor need to be based in the EU. During the online purchase, SCA is used to determine the identity of the customer, and authentication is carried out using two factors. The 3D-Secure 2 (3DS2) standard was introduced for card payments, which – depending on the card scheme – requires security checks such as “Visa Secure” (previously known as “Verified by Visa”), “Mastercard Identity Check” and “American Express SafeKey”. Transactions that do not adhere to the new authentication directive can be rejected by the customer’s issuing bank. Transferring the information provided in predefined fields allows real-time transaction monitoring and risk analysis at the acquirer.
At the heart of the new EU directive are “seamless and safe payments” for card-based transactions (e.g. via VISA, Mastercard etc.). Exceptions include, among others, transactions with a value of less than 30 euros, recurring transactions (e.g. membership fees), MoTo transactions (payments made via mail or telephone order), as well as payments where the acquirer of the card or the issuer is not based in the EU.
3D-Secure 2 means merchants are facing large challenges regarding the transfer of data required for a seamless checkout. We are excited and proud that after months of work on the integration and intensive coordination with card schemes like VISA and Mastercard, the transition will be kept as simple as possible for our vendors. This solution allows our customers to secure transactions via 3DS independent of the acquirer.
The difference between 3DS1 and 3DS2
The shopping experience when using 3DS1 was very inflexible. Each customer needed to go through an authentication process that involved being forwarded to a security form in a new browser window or iFrame. Furthermore, these forms were not adapted to meet the requirements of modern web applications and web shops. On the one hand, 3-D Secure V2 opens up the opportunity for “frictionless flows” (meaning no forwarding is required); on the other hand, it makes it easier for vendors to control the security forms. For example, the desired size of the iFrame can be defined, or a dedicated 3D-Secure SDK can be integrated in mobile apps. This provides seamless integration with vendors’ native apps, resulting in higher conversion rates and better protection against fraud.
There are several benefits to merchants, issuers and shoppers as a result of 3-D Secure V2. Broadly, the changes ensure a streamlined customer journey with fewer friction points, reducing the high rate of shopping cart abandonment seen under 3-D Secure V1. These enhancements include:
- Risk-based authentication. 3-D Secure V2 will support the transmission of additional rich data during transactions, making authentication assessments and decisions more accurate. The issuer will be able to evaluate the fraud risk and bypass full authentication if the risk is low enough, resulting in a smoother customer journey for low-risk shoppers. This risk-based approach to authentication is entirely aligned with PSD2 guidance on SCA.
- Biometric or two-factor authentication. If the issuer (after performing an initial assessment) determines that authentication is required, either biometric or two-factor authentication will be performed to validate the shopper. The biometric authentication methods available will depend on what is supported.
- Eliminates initial enrollment. The removal of this one-time step in the 3-D Secure flow eliminates a major point of friction in the customer journey upon first-time use.
- Support for in-app purchases. Unlike 3DS V1, which required a browser call-out to complete authentication, 3DS V2 can handle in-app purchases natively. This avoids compatibility issues experienced within some apps for browser authentication callouts.
- Allows for bespoke checkout integration. Should they wish, merchants can now integrate the 3-D Secure authentication process into their own checkout process, resulting in a much smoother experience for shoppers.
- Support for non-payment authentications. The latest 3-D Secure version offers support for no-value authorizations, such as tokens for card-on-file. Note that it is mandatory to perform an SCA check such as 3-D Secure to add a new card as a card-on-file. Subsequent transactions do not have to go through 3-D Secure, but they need to reference the original transaction, and the amount cannot differ by more than 15%.
In response to industry uncertainty and unreadiness for the September 14, 2019 strong customer authentication (SCA) deadline, the European Banking Authority (EBA) has issued an opinion paper. The EBA concludes that the national competent authority (NCA) of each European country may work with merchants and payment service providers to “provide limited additional time” for issuers, acquirers and merchants to migrate to SCA-compliant solutions.
- Austria: The Financial Market Authority (FMA) has confirmed a transition period will be put in place. Providers will be required to submit an implementation plan to the FMA with progress updates.
- Belgium: The National Bank of Belgium has confirmed a collective transition plan will be put in place for the migration to SCA-compliant solutions.
- Cyprus: The Central Bank of Cyprus has confirmed it will grant an eCommerce transition period to issuers and acquirers that support a non-reusable and non-replicable element (such as a one-time password).
- Denmark: Finanstilsynet will allow for a transition period, but this only extends to allowing the use of authentication methods based on card details and one-time password via
- France: Banque de France will provide a transition period of 33 months for cardholders to enrol in solutions that meet SCA requirements.
- Germany: BaFin supports a transition period for the enforcement of SCA requirements.
- Greece: The Bank of Greece will provide a transition period, with the length of that period dependent on further announcements from the EBA.
- Ireland: The Central Bank of Ireland (CBI) have confirmed a transition period will be put in place for eCommerce transactions.
- Italy: Banca d’Italia has confirmed that a transition period will be implemented based on the maximum duration allowed by the EBA.
- Luxembourg: The Commission de Surveillance du Secteur Financier (CSSF) has confirmed a transition period, with the length to be aligned with an “EU-wide timetable from the EBA” once provided.
- Malta: The Central Bank of Malta has confirmed they will delay the application of SCA requirements for institutions that have taken steps to comply with agreed migration plans.
- The Netherlands: De Nederlandsche Bank (DNB) has confirmed it will grant a transition period, the length of which has yet to be determined.
- Norway: Finanstilsynet has confirmed that a transition period will be made available (upon request) to PSPs that require an extended deadline.
- Poland: The Polish Financial Supervision Authority has confirmed that “no supervisory measures… will be applied” to PSPs who submit an appropriate SCA migration plan prior to September 14, 2019.
- United Kingdom: The Financial Conduct Authority (FCA) has confirmed an 18-month transition period for eCommerce transactions.
However, the EBA opinion does not specify what form this migration plan should take. Furthermore, the delegation of this responsibility to each region’s NCA is likely to result in a divergent European regulatory environment that poses challenges to organizations operating internationally.
In light of this, AllSecure and its partners support the recommendation of the European Association of Payment Service Providers for Merchants (EPSM). The EPSM has proposed that extended timeframes should be harmonised across all regions affected by this regulation. Mastercard has similarly called on NCAs to agree on ‘collective migration plans [based on] a harmonized European roadmap.’
Until confirmation has been received on the process merchants should follow to request an extension, customers are still advised to work towards meeting SCA requirements in advance of September 14, 2019.
How do customers implement 3-D Secure V2?
Instructions for Exchange Payments Gateway customers on upgrading to 3-D Secure V2 are available now on the developer portal. 3D Secure 2.0 offers many more options for identifying your customer. Generally, two authentication flows are available:
- Frictionless flow
- Challenge flow
Depending on the data provided, the card issuing bank determines which flow to apply. In the frictionless flow, no further customer interaction is required; in the challenge flow, the customer is redirected to their bank’s authentication page (as with 3D Secure 1.0). The Gateway automatically handles any necessary data exchanges and redirects. The transaction response will ask your system to redirect the customer at most once.
To improve the chances of qualifying for the frictionless flow, transmit as much 3D Secure related data as you have. Refer to 3D-Secure 2.0 Fields for detailed field documentation.
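The following is an added example, not code from AllSecure or the Exchange Payments Gateway, that models three rules stated on this page from the merchant's side: the SCA exemptions listed above (under 30 euros, recurring, MoTo, issuer or acquirer outside the EU), the card-on-file rule (a follow-up may skip 3-D Secure only if it references the original SCA-checked transaction and its amount is within 15%), and the frictionless/challenge branching of the transaction response. The `Transaction` data class, the EU country set and the gateway response shape (`status`, `redirectUrl`) are assumptions made for this example; the real gateway fields are documented in 3D-Secure 2.0 Fields, and the issuer always has the final say on whether it demands SCA.

```python
"""Merchant-side helpers modelling the SCA scoping and 3DS2 flow rules
described on this page. Data model and gateway response shape are
assumptions for this example, not the gateway's real API."""
from dataclasses import dataclass
from decimal import Decimal
from typing import Optional

# Illustrative subset of EU member-state ISO 3166-1 alpha-2 codes (constructed, not exhaustive).
EU = {"AT", "BE", "CY", "DE", "DK", "ES", "FR", "GR", "IE", "IT", "LU", "MT", "NL", "PL", "SE"}

LOW_VALUE_LIMIT_EUR = Decimal("30")        # page: "value of less than 30 euros"
CARD_ON_FILE_TOLERANCE = Decimal("0.15")   # page: amount may not differ by more than 15%


@dataclass
class Transaction:
    amount_eur: Decimal
    issuer_country: str       # country of the card holder's bank
    acquirer_country: str     # country of the merchant's acquirer
    recurring: bool = False   # e.g. membership fees
    moto: bool = False        # mail or telephone order


def sca_exemption(tx: Transaction) -> Optional[str]:
    """Return the name of the exemption (from the page's list) that takes `tx`
    out of SCA scope, or None when the merchant should expect the issuer to
    require SCA. The page says the list is not exhaustive; an exempt-looking
    transaction can still be challenged or rejected by the issuer."""
    if tx.issuer_country not in EU or tx.acquirer_country not in EU:
        return "one-leg-out"   # issuer or acquirer not based in the EU
    if tx.moto:
        return "moto"
    if tx.recurring:
        return "recurring"
    if tx.amount_eur < LOW_VALUE_LIMIT_EUR:
        return "low-value"
    return None


def card_on_file_followup_allowed(original_ref: str, original_amount: Decimal,
                                  followup_ref: Optional[str], followup_amount: Decimal) -> bool:
    """A card-on-file follow-up may skip 3-D Secure only if it references the
    original SCA-checked transaction and stays within 15% of its amount."""
    if not followup_ref or followup_ref != original_ref:
        return False
    return abs(followup_amount - original_amount) <= original_amount * CARD_ON_FILE_TOLERANCE


def next_action(response: dict) -> dict:
    """Map a (hypothetical) gateway transaction response to what the shop does next.
    'OK'       -> frictionless: the issuer authenticated silently, finish the order.
    'REDIRECT' -> challenge: send the customer to the issuer's page (asked at most once).
    anything else -> treat as a failed/rejected transaction."""
    status = response.get("status")
    if status == "OK":
        return {"action": "complete"}
    if status == "REDIRECT":
        return {"action": "redirect", "url": response["redirectUrl"]}
    return {"action": "fail", "reason": response.get("error", "unknown")}


if __name__ == "__main__":
    # Constructed sample transactions.
    for tx in (Transaction(Decimal("25"), "DE", "DE"),
               Transaction(Decimal("250"), "DE", "DE"),
               Transaction(Decimal("250"), "US", "DE"),
               Transaction(Decimal("99"), "FR", "DE", recurring=True)):
        print(tx, "->", sca_exemption(tx) or "SCA expected")
    print(card_on_file_followup_allowed("tx-1", Decimal("100"), "tx-1", Decimal("115")))
    # Constructed gateway responses (shape is an assumption).
    print(next_action({"status": "OK"}))
    print(next_action({"status": "REDIRECT", "redirectUrl": "https://issuer.example/acs"}))
```

The exemption check is only a hint for the merchant's own expectations and reporting; as the page notes, sending as much 3-D Secure data as possible is what actually raises the chance that the issuer picks the frictionless flow.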