PCI DSS compliance v4.0: Your requirements checklist
Updated September 2021
Keeping customers secure when they’re paying online is the first rule of ecommerce. And with many new ways to pay and new regulations coming into force, such as PSD2, it’s vital to understand customer authentication beyond the regulatory standards.
In this article we're going to take a closer look at 3D Secure authentication, exploring the original 3D Secure 1 (3DS1.0.2), the newer 3D Secure 2 (3DS2.1.0 and 3DS2.2.0), and the opportunities it can create for your business.
Chances are, you've experienced it as a shopper. Before you could finalize a payment, 3DS1 would redirect you to your bank for card authentication, often prompting for a password or an SMS one-time password (OTP). By completing this step successfully, the issuing bank, rather than the business you were buying from, became liable for fraudulent chargebacks. It was a consistent security step, but not exactly conducive to a smooth shopping experience.
3DS1 lacked native in-app flows and introduced confusing, difficult-to-remember authentication prompts. The result: countless shoppers dropping out of the payment process.
Each region has its own security requirements and legislation, and adoption of the protocol was inconsistent from bank to bank and country to country. This made things especially challenging for businesses with a global footprint.
To combat this, we built Dynamic 3D Secure, which stops fraud and routes payments through 3D Secure when necessary. And while it continues to be effective, it didn't address the underlying issues of the 3DS1 protocol itself.
That's enough of the doom and gloom though; let's explore the opportunity. 3D Secure 2 is here. Well, to be precise, versions 2.1.0 and 2.2.0.
3DS2 is the improved standard introduced by EMVCo and the major card schemes. It provides a new approach to authentication through a wider range of data, biometric authentication, and an improved online experience, especially for mobile. It addresses many of 3DS1's issues while bringing benefits across a broader set of use cases for businesses worldwide.
Let's take a look at some of the benefits 3DS2 can bring to your business:
3DS2 allows for better risk-based analysis, all within your native shopper flow. The combination of certified SDKs and iframes in the checkout flow, paired with data-sharing APIs, makes it the data conduit between businesses and banks. Over 100 potential data points are shared, meaning better risk decisions drawn from the information you and card issuers know about your mutual customers. And as we all know, the more information you have to support authentication cases, the higher the chances of a successful transaction.
You can increase authorization rates with no perceptible change to the checkout flow. Our Authentication Engine guides you when regulatory requirements such as PSD2 enter the equation. This is interesting for businesses that don't need 3DS2 for fraud prevention alone. For example, you might have low fraud rates, so you'll instead benefit from the authorization uplift. Meanwhile, the seamless checkout flow your customers enjoy remains unchanged.
Passive - The SDK and servers exchange all necessary information in the background. The customer sees nothing.
Two-Factor - The user receives a request to provide two-factor authentication, typically an SMS code plus a password.
Biometric - The SDK facilitates an app switch to the issuing bank's app. The user can use their fingerprint or face for authentication.
More authentication flows and more consumer choice mean increased security while reducing the drop-off rates seen in older solutions based on static passwords. What's more, our 3DS2 SDK will help you quickly build these authentication flows natively.
These flows also give banks more flexibility to continue innovating, making authentication simpler and more secure. It's excellent news for businesses in higher-risk industries that already use 3D Secure. It's also a plus for those operating in regions introducing new requirements, like the aforementioned PSD2 in Europe.
We'll be the first to admit that the EU PSD2 SCA regulatory frameworks can be confusing. Global enterprise businesses will be looking for solutions to identify which transactions require authentication and which don't. In 2019 it became even more complex with shifting timelines and delivery roadmaps from different EU countries.
Our solution can play a key role in managing PSD2 compliance on your behalf. We'll take care of requesting the PSD2 SCA exemptions automatically when they apply, so you can focus on your core business. These compliance rules work together with the other Dynamic 3DS rules, which target fraud prevention and performance optimization, to make sure that you're always using 3DS when it makes sense and avoiding it when it doesn't. Below you'll see how it works:
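To make the routing idea concrete, here is an added illustration (written for this article, not Adyen's Authentication Engine or any of its real rules) of how a Dynamic-3DS-style rule set can combine a fraud rule, PSD2 scope checks and SCA exemptions into one routing decision per transaction. The only figure taken from the regulation is the EUR 30 low-value exemption ceiling in the PSD2 RTS; the TRA ceiling, the risk-score cut-offs, the country list and the sample transactions are constructed assumptions. Note that a "frictionless" decision still sends the transaction through 3DS2 with an exemption flag, and the issuer may still choose to challenge.

```python
"""Added example: a minimal Dynamic-3DS style routing rule set.

Illustrative code for this article only. Thresholds marked 'assumed'
and the EEA subset are constructed, not taken from the page.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Tuple

# Constructed subset of EEA countries used to decide PSD2 scope.
EEA = {"DE", "FR", "NL", "ES", "IT", "IE", "BE", "AT", "PT", "FI", "SE"}

LOW_VALUE_LIMIT_EUR = 30.0  # PSD2 RTS low-value exemption ceiling
TRA_LIMIT_EUR = 100.0       # assumed: TRA ceiling for this merchant's fraud-rate band
TRA_MAX_RISK = 30           # assumed: only low-risk txns get a TRA exemption request
HIGH_RISK_SCORE = 70        # assumed: at or above this, always challenge


class Decision(Enum):
    SKIP = "skip-3ds"                       # not in scope, no fraud concern
    FRICTIONLESS = "3ds2-request-exemption"  # 3DS2 with exemption flag, no challenge
    CHALLENGE = "3ds2-challenge"            # full SCA challenge (2FA / biometric)


@dataclass
class Txn:
    amount_eur: float
    issuer_country: str      # BIN country of the card
    acquirer_country: str    # country of the merchant's acquirer
    merchant_initiated: bool  # MIT (e.g. subscription renewal) is out of SCA scope
    risk_score: int          # 0-100 from the merchant's own fraud engine (constructed)


def in_psd2_scope(t: Txn) -> bool:
    """SCA applies only when both issuer and acquirer are in the EEA
    ('two-leg') and the transaction is customer-initiated."""
    return (t.issuer_country in EEA
            and t.acquirer_country in EEA
            and not t.merchant_initiated)


def route(t: Txn) -> Tuple[Decision, str]:
    """Return (decision, reason). Fraud rules run before compliance rules,
    so a risky transaction is challenged even if it is out of PSD2 scope."""
    if t.risk_score >= HIGH_RISK_SCORE:
        return Decision.CHALLENGE, "fraud-rule"
    if not in_psd2_scope(t):
        return Decision.SKIP, "out-of-scope"
    if t.amount_eur <= LOW_VALUE_LIMIT_EUR:
        return Decision.FRICTIONLESS, "low-value"
    if t.amount_eur <= TRA_LIMIT_EUR and t.risk_score < TRA_MAX_RISK:
        return Decision.FRICTIONLESS, "tra"
    return Decision.CHALLENGE, "sca-required"


def summarize(txns) -> dict:
    """Count how many transactions land in each decision bucket."""
    counts = {d.value: 0 for d in Decision}
    for t in txns:
        counts[route(t)[0].value] += 1
    return counts


# Constructed sample batch.
SAMPLE = [
    Txn(25.0, "DE", "NL", False, 10),   # low-value, in scope
    Txn(80.0, "FR", "NL", False, 10),   # TRA candidate
    Txn(200.0, "ES", "NL", False, 10),  # SCA required
    Txn(25.0, "US", "NL", False, 10),   # one-leg-out, skip
    Txn(500.0, "DE", "NL", True, 10),   # merchant-initiated, skip
    Txn(20.0, "US", "NL", False, 90),   # high risk, challenge regardless
]

if __name__ == "__main__":
    for t in SAMPLE:
        print(t.amount_eur, t.issuer_country, *route(t))
    print(summarize(SAMPLE))
```

The ordering is the point to take away: fraud rules are evaluated first so that a risky order is always challenged, and exemptions are only requested for transactions that are both in scope and low risk. Real deployments also track the cumulative low-value counters and the acquirer's actual fraud-rate band, which this example omits.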
Integration with our solution works with any partner that follows 3DS2 specifications. This way, businesses can have their authentication solution in one place, while keeping the flexibility and freedom around which partners they choose.
When setting up 3DS2, there are two core components of the integration to consider: the frontend libraries and the 3D Secure server.
The job of the SDK is to securely collect and transmit device information and to display the authentication flows. Because of this, these libraries go through a strict certification process with EMVCo and the card schemes. Adyen takes care of this. SDKs were not a component of 3DS1, so businesses migrating from 1 to 2 will need to introduce them into their frontend payment flows.
The biggest driver for businesses and issuing banks to implement 3DS2 is the enforcement of Strong Customer Authentication (SCA) requirements under PSD2. As PSD2 is enforced by issuers across Europe, SCA is becoming a key element to accept payments in the region. You can rest assured that we'll continue to build and release the latest 3DS2 versions. As of publication, the latest update is 3DS2.2.
As for the rest of the world, both Brazil and Australia have SCA mandates in place which will encourage the adoption of 3D Secure 2.
The biggest driver for businesses and issuing banks to implement 3DS2 is the upcoming enforcement of Strong Customer Authentication (SCA) requirements under PSD2. Many EU national regulators have indicated that they expect to be live by 31 December 2020. For our part, we continue to build and release the latest 3DS2 versions (currently 2.2) so you get the best performance and innovations.