Understanding 3D Secure and 3D Secure 2
On the 2nd of November 1988, an ambitious Cornell University student called Robert Morris released a computer worm into the internet. Why? Well, mostly because he wanted to see if it could be done (it could). But also because he wanted to attract the attention of the Massachusetts Institute of Technology (MIT) (he did). The result? The worm went rogue, it literally broke the internet, and Morris was arrested (although he later became a tenured professor at MIT).
This is regarded as one of the earliest forms of internet fraud, since the worm exploited weak passwords, among other flaws. And, while it caused a lot of chaos, Morris’ escapade helped improve internet security by highlighting a critical vulnerability.
Ever since then, legislators have sought to strengthen the internet against fraud attacks. This is no mean feat: the growth in the volume of online transactions is matched by the increasing sophistication of fraud techniques. So, to clamp down on fraud and make online shopping safer, the EU (supported by its major banks) created the Revised Payment Services Directive (PSD2). A central part of this is strong customer authentication (SCA).
So what does all this mean in practical terms? How does SCA impact your business and what action do you need to take and when? In this article we’ll walk you through everything you need to know about SCA; what it is, how it works, and how you can implement it correctly.
As the name suggests, SCA is a more robust means of authentication. Rather than relying on a single password (which Morris proved back in 1988 to be extremely fallible), SCA requires two independent factors, drawn from two of three categories: something you know (e.g. a password), something you have (e.g. a smartphone), and something you are (e.g. biometrics).
As is often the case, the roll-out of PSD2 legislation was easier in theory than practice. The requirements were officially introduced on September 14, 2019. But the European Banking Authority then extended this deadline to December 31, 2020 because banks weren’t ready. As of now, however, all EEA countries are enforcing PSD2 SCA requirements, although final implementation in the UK has been delayed to March 14, 2022.
If you only sell to customers based in the UK, you have until next March. But, if you accept payments from customers based in the EEA, you need to be ready now.
We know that SCA requires two separate factors of authentication, for example a fingerprint combined with a one-time code sent to your smartphone.
(Image caption: Examples of SCA: combining a fingerprint or a one-time authentication code sent to a smartphone with your account login.)
But how SCA is implemented also depends on the payment method. For credit and debit cards, 3D Secure is the authentication protocol used. All major card schemes have their own branded version of 3D Secure, the most widely known being Mastercard SecureCode and Verified by Visa. Its latest iteration, 3D Secure 2, provides a much better user experience than the original.
Local payment methods and e-wallets will also need to be subjected to strong authentication. And it’s worth getting these right, especially if you’re looking to sell to customers in the EEA. For example, we see the following local payment methods converting well:
The PSD2 SCA regulations are for banks. Issuing banks that approve non-compliant transactions are violating the law in their home country. But, if you don’t support the right authentication methods on your side, these banks will start declining your payment approval requests and your authorisation rates will plummet.
With PSD2, there’s both a long story and a short story. The short story is that SCA is mandated for all online transactions across the EEA. Easy. But of course it’s not as simple as that: there are, in fact, many exemptions, and other transactions are simply out of scope.
Note that if you or your acquirer requests an exemption and the issuer accepts the request, the liability for fraud stays with you. If the exemption is applied by the issuer itself, the liability shifts to the issuer.
Many exemptions and out-of-scope scenarios depend on the bank, the card scheme, and regulatory interpretation. You can find a list of all the exemptions in the official Regulatory Technical Standards on strong customer authentication and secure communication under PSD2.
With the Adyen Authentication Engine, we won’t trigger 3D Secure for out-of-scope transactions or for transactions covered by an exemption. We'll also skip 3D Secure if the issuing bank doesn’t enforce it.
If you want to manage PSD2 SCA compliance yourself, Adyen offers two options. You can either: