3D Secure and 3D Secure 2 authentication: A guide
On September 14, 2019, Strong Customer Authentication (SCA) became a requirement for businesses processing online payments in Europe. These requirements were part of the Revised Payment Services Directive (PSD2).
In this article, we’ll discuss everything you need to know to be SCA compliant. We’ll cover what SCA exactly is, which transactions are exempt or out of scope, and how SCA applies to your business.
SCA is a European requirement introduced to make online payments more secure and reduce the risk of fraud. This requirement applies to online payments made in the European Economic Area (EEA), Monaco, and the UK.
In short, SCA means shoppers in Europe may need to complete extra levels of authentication when they pay online.
These levels of authentication involve asking customers for two of the three following: something they know, something they own, and something they are.
You can find out which types of information are included in these categories in the image below.
Before SCA, issuing banks could only challenge customers with a single static password. These new dynamic data points verify users’ identities more accurately.
Learn more about SCA and how it fits into PSD2 in this video summary:
With SCA, there are more ways to authenticate shoppers than the traditional ‘something they know’ (like a password). You can now combine other data points, as long as they are from at least two different categories.
Examples of SCA: combining a fingerprint, or a one-time authentication code sent to a smartphone, with your account login.
Even though increased authentication is now required, more data points are available to choose from. This should make it easier for the customer to authenticate a payment and, ultimately, lead to fewer drop-offs.
The Strong Customer Authentication (SCA) requirements, as part of PSD2, were officially introduced on September 14, 2019. The European Banking Authority later extended this deadline to December 31, 2020 due to lack of industry readiness.
To date, all EEA countries are enforcing PSD2 SCA requirements. In the UK, the final implementation date has been delayed until March 14, 2022.
Since the full enforcement of PSD2, all merchants inside the EEA should be SCA ready.
Implementing SCA differs depending on the payment method.
3D Secure 2 (3DS2) provides a more user-friendly experience than 3D Secure 1 (3DS1). Each version is SCA compliant, but we recommend that you support both 3D Secure 1 and 3D Secure 2.
Across the EEA, we see local payment methods converting well, for example:
SCA is required for online European payments. This means both the business and the cardholder’s bank are in Europe. We’re also seeing more regions, such as India, start to introduce SCA as a requirement.
But some transactions are exempt from SCA or out of the PSD2 SCA scope. Below is a list of the most relevant exempt or out of scope transactions.
Note: if you or your acquirer requests an exemption and the issuer accepts the request, the liability stays with you. If the issuer applies the exemption itself, the liability shifts to the issuer.
Transactions through an acquirer or issuer whose fraud rate is below a certain threshold.
Certain acquirers, like Adyen, look at the risk involved with each ‘in-scope’ transaction, to comply with the TRA requirements. If the acquirer thinks a transaction is low risk, it can request a ‘TRA exemption’ to try to skip SCA.
But, this is only possible if the acquirer or issuer’s fraud rates are below the following thresholds:
In the end, the issuer decides whether to accept this exemption request or still enforce SCA.
Transactions under €30, until cumulative payments on the same card exceed €100.
Transactions under €30 are exempt from SCA. But the issuing bank keeps track of how many payments are made using this exemption.
SCA is required once the total amount attempted on the card exceeds €100, and in any case every five transactions.
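The low-value exemption above is a small piece of per-card bookkeeping, so here is an added example of how an issuer-side tracker could apply the two limits (under €30 per payment, €100 cumulative) and the every-five-transactions rule. This is illustrative code written for this article, not Adyen’s or any issuer’s implementation. It assumes, because the page does not say so, that both counters restart after a transaction that went through SCA, that "every five transactions" means the sixth consecutive exempt attempt is challenged, and that cards are keyed by a token rather than a card number; the `tok_demo` token and amounts in `run_demo` are constructed sample data.

```python
from dataclasses import dataclass
from decimal import Decimal

# Thresholds from the article: a single payment under EUR 30, at most EUR 100
# cumulative on the same card, and SCA at least every five transactions.
LOW_VALUE_LIMIT = Decimal("30")
CUMULATIVE_LIMIT = Decimal("100")
MAX_CONSECUTIVE_EXEMPT = 5


@dataclass
class CardCounters:
    """Per-card state kept since the last successful SCA."""
    cumulative: Decimal = Decimal("0")
    consecutive_exempt: int = 0


class LowValueExemptionTracker:
    """Decides, per card token, whether the low-value exemption may still be applied.

    Assumption (not stated on the page): both counters restart after a transaction
    that was challenged with SCA, and the key is a tokenised card, never a PAN.
    """

    def __init__(self) -> None:
        self._cards: dict[str, CardCounters] = {}

    def authorize(self, card_token: str, amount: Decimal) -> str:
        """Return 'exempt' or 'sca:<reason>' for this attempt and update the counters."""
        if amount <= 0:
            raise ValueError("amount must be positive")
        state = self._cards.setdefault(card_token, CardCounters())

        if amount >= LOW_VALUE_LIMIT:
            reason = "sca:amount"            # not a low-value payment at all
        elif state.cumulative + amount > CUMULATIVE_LIMIT:
            reason = "sca:cumulative"        # would push the card past EUR 100
        elif state.consecutive_exempt >= MAX_CONSECUTIVE_EXEMPT:
            reason = "sca:count"             # five exempt payments already used
        else:
            reason = "exempt"

        if reason == "exempt":
            state.cumulative += amount
            state.consecutive_exempt += 1
        else:
            # Assumed: the issuer challenged the shopper and SCA passed,
            # so the exemption window starts again from zero.
            state.cumulative = Decimal("0")
            state.consecutive_exempt = 0
        return reason


def run_demo() -> list[str]:
    """Constructed sequence of payments on one card token, returning each decision."""
    tracker = LowValueExemptionTracker()
    amounts = [20, 25, 25, 25, 10, 10, 10, 10, 10, 10, 10, 35]
    return [tracker.authorize("tok_demo", Decimal(a)) for a in amounts]


if __name__ == "__main__":
    for amount, decision in zip([20, 25, 25, 25, 10, 10, 10, 10, 10, 10, 10, 35], run_demo()):
        print(f"EUR {amount:>3}: {decision}")
```

In the demo the fifth payment is only €10 but would take the card to €105, so it is challenged; after that reset, five €10 payments pass and the sixth is challenged on the transaction count; the final €35 payment is challenged on amount regardless of any counter. In practice the decision is the issuer’s, not the merchant’s: a merchant-side copy of this logic only helps predict when a 3D Secure challenge is likely.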
Certain trusted merchants chosen by the cardholder.
Customers can assign businesses to a whitelist of ‘Trusted Beneficiaries’. This list is maintained by their bank. Whitelisted merchants, whatever the transaction amount, can be exempt from SCA.
This lets regular customers mostly skip SCA with the businesses they've chosen to whitelist.
Recurring, fixed-amount transactions after first payment.
Recurring, fixed-amount transactions will be exempt from the second transaction onwards. Only the initial transaction requires SCA. But, if the transaction amount changes, SCA will be required for every new amount.
Alternatively, you can flag these payments as Merchant Initiated Transactions (MITs), which are out of scope of the PSD2 SCA requirements. Find out more about MITs below.
Payments between corporations.
Payments made between two corporations can be exempt from SCA. But this is only possible when the payment method is a payment instrument dedicated to making such B2B payments.
Payments via phone or mail.
Mail Order and Telephone Order (MOTO) transactions are exempt from SCA in all cases. MOTO transactions are not considered ‘electronic’ payments, so they are out of scope.
Transactions without direct customer involvement.
Merchant initiated transactions (MITs) are transactions that don't directly involve the customer. The payment is taken from a saved card with the customer’s prior consent on an arranged date.
For example, some products have a variable cost based on usage, like energy contracts. The first payment, or the first time the card is saved, always needs to be authenticated. But the following payments can skip SCA if marked as a ‘Merchant Initiated Transaction.’
Payments involving non-European businesses or customers.
There are many exemptions and out of scope scenarios, and how they apply depends heavily on the bank, the card scheme, and regulatory interpretation.
The PSD2 SCA regulations are for banks, not for merchants. Issuing banks that approve non-compliant transactions are violating the law in their home country.
The risk for the merchant is that the issuing bank refuses non-compliant transactions, which lowers your authorization rates.
With the Adyen Authentication Engine, we won’t trigger 3D Secure for out of scope transactions or exemptions. We'll also skip 3D Secure if the issuing bank doesn’t enforce 3D Secure.
If you want to manage PSD2 SCA compliance yourself, Adyen offers two options. You can either: