3D Secure and 3D Secure 2 authentication: A guide
Updated: April 2020
So far in this series, we’ve looked into the key changes you can expect with the revised Payment Services Directive (PSD2) and the impact it will have on marketplace business models. In this blog, we’ll be talking about the need for businesses to provide Strong Customer Authentication (SCA) for ecommerce payments.
So what is SCA, how can you prepare, and what exemptions are available? Below you’ll discover how it fits into PSD2 and how to get your business ready.
Under PSD2, more information will be required to authenticate a payment. There are exceptions to this, which we’ll cover later.
Previously, an authentication tool called 3D Secure 1.0 was used by the card schemes as a way to verify ecommerce card transactions. You're probably familiar with the process of being redirected to a new page to input a code. This is 3D Secure 1.0 doing its job to make sure you are who you say you are. Now there's 3D Secure 2, which will make it easier to collect SCA information at the time of the transaction.
Before SCA and 3D Secure 2, issuing banks could only challenge users with a single static password that users had to remember. And of course, passwords are easily forgotten.
Now, more dynamic data points will be used to verify users’ identities. So, instead of relying on the traditional ‘something you know’ (that ever-evasive password), your customers can combine ‘something they own’, such as their smartphone, with ‘something they are’, like a fingerprint. This approach is often called ‘two-factor authentication’.
Let's break it down:
The number of required authentication data points is increasing, but more customer choice should mean better authentication experiences and fewer drop-offs.
The intent of PSD2 is to make SCA a requirement for all online transactions. There are, however, some exemptions, and for any given transaction your acquirer can and will request the exemption that's most appropriate.
These exemptions ensure that consumers still enjoy easy shopping experiences with additional security on their larger and less frequent payments.
Here are the most relevant:
Transactions under €30 will be exempt from SCA. However, the issuing bank will keep track of the cumulative amount paid without strong authentication: if the total attempted on the card without SCA is higher than €100, SCA will be required. It will also be required every five transactions.
Low-risk transactions are also exempt from SCA. Whether a payment can be considered low risk depends on the average fraud levels of the card issuer and the acquirer processing the transaction.
Subscription or recurring transactions with a fixed amount will be exempt from the second transaction onwards. Only the initial transaction will require SCA. But if the amount changes, 3D Secure will be required for every new amount.
This poses a challenge to ‘variable amount’ recurring businesses, in which the value changes over time. For example, some products have a variable cost per period based on usage. Thankfully, these types of transactions are considered ‘merchant-initiated transactions’, which are exempt from PSD2 and SCA requirements.
Most subscription payments will not need SCA since most are initiated by the merchant and not the cardholder and because there is an exemption for static amount recurring payments.
Customers can add businesses to a whitelist of “Trusted Beneficiaries”, which is maintained by their bank. Whitelisted merchants will be exempt from 3D Secure. This allows customers who regularly shop with a given business to never need SCA from that point forward.
Mail order and telephone order (MOTO) transactions will be exempt from SCA in all cases. MOTO transactions are not considered to be ‘electronic’ payments, so they are outside the scope of the regulation.
Payments made between two corporations are free from SCA when the payment method used is a payment instrument dedicated to making such B2B payments.
The list of exemptions and out-of-scope scenarios is extensive and relies heavily on bank, scheme, and regulatory interpretation.
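As an added illustration (not code from this post or from any provider's SDK), the exemption rules above encoded as a single decision function. The thresholds are the ones the post states; the issuer-side counter model, the transaction fields and the rule ordering are assumptions made for the example.

```python
from dataclasses import dataclass

# Thresholds stated in the post (EUR). Constructed constants, not an official API.
LOW_VALUE_LIMIT = 30.0    # single payments under this may skip SCA
CUMULATIVE_LIMIT = 100.0  # running total allowed on the card without SCA
COUNT_LIMIT = 5           # SCA is forced on every fifth unauthenticated payment

@dataclass
class CardCounters:
    """Issuer-side counters since the cardholder last completed SCA (assumed model)."""
    amount_since_sca: float = 0.0
    count_since_sca: int = 0

@dataclass
class Transaction:
    amount: float
    channel: str = "ecommerce"              # "ecommerce" or "moto"
    merchant_initiated: bool = False        # MIT, e.g. usage-based billing
    fixed_recurring_followup: bool = False  # fixed subscription, 2nd payment onwards
    trusted_beneficiary: bool = False       # merchant on the cardholder's bank whitelist
    low_risk: bool = False                  # acquirer requests the low-risk exemption

def sca_decision(tx: Transaction, counters: CardCounters) -> tuple[bool, str]:
    """Return (sca_required, reason), applying the post's rules in order.
    A low-value exemption adds to the counters; a completed SCA resets them."""
    if tx.channel == "moto":
        return False, "MOTO: out of scope"
    if tx.merchant_initiated:
        return False, "merchant-initiated: out of scope"
    if tx.fixed_recurring_followup:
        return False, "fixed-amount recurring: exempt after the first payment"
    if tx.trusted_beneficiary:
        return False, "trusted beneficiary: exempt"
    if tx.low_risk:
        return False, "low risk: exempt"
    if (tx.amount < LOW_VALUE_LIMIT
            and counters.amount_since_sca + tx.amount <= CUMULATIVE_LIMIT
            and counters.count_since_sca + 1 < COUNT_LIMIT):
        counters.amount_since_sca += tx.amount
        counters.count_since_sca += 1
        return False, "low value: exempt"
    counters.amount_since_sca = 0.0   # challenge issued: counters start over
    counters.count_since_sca = 0
    return True, "SCA required"

def simulate(amounts: list[float]) -> list[bool]:
    """SCA pattern for a series of plain ecommerce payments on one card."""
    counters = CardCounters()
    return [sca_decision(Transaction(a), counters)[0] for a in amounts]
```

Running `simulate([10, 10, 10, 10, 10])` shows the fifth low-value payment being challenged, and `simulate([29, 29, 29, 29])` shows the €100 cumulative limit forcing SCA on the fourth.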
The good news for our customers is that our Dynamic 3D Secure service will help businesses navigate these complexities and automatically take advantage of exemptions where possible.
This means that your customers will only need to authenticate transactions when absolutely necessary.
3D Secure 1.0 isn’t the best experience for customers, especially when they’re using a mobile device. So while it adds a layer of additional security, it can cost you conversions.
To deal with the requirements of PSD2 and improve 3D Secure, EMVCo, an organization consisting of representatives from major card schemes and payment industry leaders, created the 3D Secure 2 protocol. The new aim: to make authentication more dynamic and secure.
3D Secure 2 removes the clunky redirect, and your customers can authenticate themselves with a tap of their finger or even a smile. 3D Secure 2 uses certified SDKs and APIs to share rich authentication data with banks and to make the integration of authentication flows into websites and apps seamless, all while meeting the SCA requirements of PSD2.
While SCA will undoubtedly create challenges for businesses, our new 3D Secure 2 solution will soften the blow. We hope that, in learning about how PSD2 defines SCA and what exemptions are available, you’ll be able to approach the regulation changes confidently and in the knowledge that we’ve got your back.