3DS 2.1.0 EOL and Changes to 3DS in IXOPAY

3DS v2.1.0 to be phased out in favor of v2.2.0

July 13, 2023 | News

The major card schemes are planning to phase out 3DS v2.1.0 in favor of 3DS v2.2.0 by Q3 2024. This has resulted to some changes in the behavior in IXOPAY.

Until now, if an issuer supported both versions (v2.1.0 and v2.2.0), IXOPAY’s default behavior was to use the older protocol if no 3DS version is explicitly configured at the connector level. Effective from 26 July 2023, IXOPAY will change its default behavior to use the latest available protocol version instead.

Furthermore, you will no longer be able to configure a preferred protocol version in adapters that support transaction processing via IXOPAY’s own 3DS infrastructure. The card schemes are urging the industry to use the highest available 3DS protocol version.

If you are using IXOPAY's provisioning API, you need to ensure that you are not including the “preferredProtocolVersion” parameter in your requests. This configuration option will be removed, and API requests attempting to configure a preferred 3DS version will be rejected.

If you or your merchants use your own 3DS infrastructure or use an external provider and send 3DS result data to IXOPAY's API, please take note of Mastercard's recent announcement AN7264. Starting from 1 August 2023, Mastercard mandates that 3DS operators must initiate 3DS v2.2.0 as the minimum version (except if the issuer still exclusively supports v2.1.0). Failure to comply may result in fines imposed by Mastercard at the acquiring level.

As always, IXOPAY will pass through the 3DS result data it receives exactly as sent by the merchant. Please be aware that IXOPAY assumes no liability for any reputational or financial damage that may occur due to merchants sending 3DS result data that does not meet Mastercard's Data Integrity requirements.

This change only affects processing with IXOPAY’s own 3DS infrastructure. Adapters processing transactions via a PSP’s own 3DS infrastructure are unaffected by this change in IXOPAY. Nonetheless, these PSPs will still need to ensure compliance with the scheme mandates as explained above.

Other than changing how IXOPAY’s own 3DS infrastructure handles the supported protocol version, no changes will be made to the transaction API.

If you have any questions or require further assistance, please do not hesitate to contact us.

FAQs

Do I or my merchants need to make any changes to calls to the transaction API in order to be prepared for the 3DS v2.2.0 protocol?

No. Transactions can already be processed with 3DS v2.2.0 in IXOPAY.

Should I or my merchants expect any positive or negative impacts from the new 3DS version?

No, the 3DS protocol version alone will not have any impact. For every 3DS session, issuers perform a risk analysis and decide whether to grant frictionless authentication or demand a challenge. The 3DS protocol version has no impact on the issuer’s risk analysis.

Do I have to take any action if I use the provisioning API to configure connectors in IXOPAY?

In general no. However, if you are sending the “preferredProtocolVersion” parameter, your API requests will fail with a validation error once we remove this configuration parameter.

Will the preferred protocol version option be re-introduced once 3DS v2.2.0 and v2.3.1 co-exist?

We have not yet made a decision in this regard. There is a good chance that the credit card schemes will mandate 3DS operators to always use the highest available version in order to more quickly phase out older 3DS versions.

I’m using an adapter, which uses the PSP’s own 3DS infrastructure. Am I affected in any way?

No, 3DS infrastructures, hosted by a PSP will be unaffected by the change in IXOPAY. The PSP itself is responsible for selecting the appropriate protocol version, and IXOPAY has no influence on this.

I or one of my merchants use an external 3DS operator and “pass-through” 3DS result data. Do I have to make any changes?

No, not regarding the transaction API in IXOPAY itself.

However, any merchants using either their own or an external 3DS server should take Mastercard’s mandate into account, which comes into effect from 1 August 2023. 3DS sessions must always be initiated with v2.2.0 whenever possible (see Mastercard’s AN7264 for details).

IXOPAY does not verify whether 3DS result data has been obtained according to Mastercard’s data integrity requirements and assumes no liability for passing on 3DS result data that does not adhere to Mastercard’s Data Integrity requirements.

Partner	Name	Description	Duration
IXOPAY GmbH	cookiesConsent	Cookie Banner. Stores your cookie settings.	12 Months
IXOPAY GmbH	_fm	User centric security cookie to detect authentication abuses. Filters out computer/bot generated Website requests.	30 Minutes
Google Ireland Limited	reCAPTCHA	User centric security cookie to detect if a human being or a computer is making a specific entry in our contact or newsletter form.	6 Months
Cloudflare Inc.	cf_clearance	Used by Cloudflare (Website Security Network) to identify trusted web traffic, and protect our website against malicious activity (see Cloudflare's Cookie Informations).	30 minutes

Partner	Name	Description	Duration
Google Ireland Limited	_ga	Analytical cookie set by the service Google Analytics used to distinguish visitors. Collects data about number of visits and user journey.	2 years
Google Ireland Limited	_gid	Analytical cookie set by the service Google Analytics used to distinguish visitors. Collects data about number of visits and user journey.	24 h
Google Ireland Limited	_gat_ua-keynumber	Analytical cookie set by the service Google Analytics used to throttle the request rate, limiting the collection of data on Websites with high traffic.	Session
Google Ireland Limited	_ga_container-id	Cookie set by the service Google Analytics 4. The cookie is used to persist session state.	12 month
Microsoft Ireland Operations Limited	Clarity	Analytical service capturing your interactions on the Website such as how the page has rendered and what interactions you had on the Website (surfing behavior: mouse movements, clicks, scrolls). Microsoft collects or receives personal data from us to provide Microsoft Advertising (see Microsoft Privacy Statements). Sensitive content such as passwords, usernames, and user input are masked before sending to Microsoft.	12 months
Dealfront Group GmbH	_lfa	Analytical service that collects the visitor IP address to detect corporate visits and their geographic location. Leadfeeder only shows company visits, automatically filtering out all users visiting from residential IP addresses. All visit data is aggregated Dealfront Group GmbH / Analytical service that collects the visitor IP address to detect corporate visits and their geographic location. Dealfront only shows company visits, automatically filtering out all users visiting from residential IP addresses. All visitor data is aggregated on the company level (no reference to natural persons). Via a connection to Google Analytics, Dealfront shows company visitors' interactions on the Website (pages viewed, visitor source and duration of session). Dealfront also enriches that company data with contact data for individuals from publicly available data sources (eg. LinkedIn).	24 months

Partner	Name	Description	Duration
Google Ireland Limited	_gcl_au	Conversion-cookie set by the service Google Ads for assessing advertisement efficiency across our Websites and on websites of our marketing- & advertising partners.	3 months
Google Ireland Limited	_gac_gb_container-id	Cookie which connects Google Analytics und Google Ads. Google Ads website conversion tags will read this cookie.	90 days
Microsoft Ireland Operations Limited	Universal Event Tracking (UET)	Conversion-cookie set by the service Microsoft Advertising for assessing advertisement efficiency across our Websites and on websites of our marketing- & advertising partners. In general, the cookie in the relevant domain and your IP address are passed to Microsoft with every http request and not just via UET.	13 months