Seamless payments with PSD2, SCA, 3D-Secure 2: all you have to know about the new regulations
3DS2 Compliance achieved
Even if the EBA (European Banking Authority) has granted regulators in individual European countries a longer transition period, the EU’s Payment Services Directive (PSD) will shortly be replaced by PSD2 (effective: 14 September 2019), ensuring Strong Customer Authentication (SCA) for digital card transactions (credit and debit cards) across the EU. We would like to take this blog entry as an opportunity to outline what this means for our payment ecosystem and by extension for our customers and partners.
SCA: New user experience through seamless authentication for even more secure online purchases
Online shopping is growing rapidly worldwide, and paying for purchases with various devices, within a browser, or via apps etc. has become an everyday occurrence in many regions of the world. These transactions need to be completed securely, quickly and without friction. The increasing growth of digital commerce has in the past led to a rise in fraudulent activities. For this reason, PSD2 was developed, a reworked Payment Service Directive for the EU, guaranteeing secure and more transparent online payments: seamless, effective and user-friendly.
Within the scope of PSD2, the new SCA check requires a combination of at least two of the following authorization factors (two-factor authentication) to complete a transaction:
- Something the card owner knows, e.g. a PIN or password
- Something the card owner possesses, e.g. a token or user-specific device
- Something that uniquely identifies the card owner, e.g. fingerprint or facial recognition
Challenges for the Payment Ecosystem
The SCA introduced with PSD2 will provide even greater fraud prevention for online payments. For this to apply, both the card owner’s bank and the vendor’s payment service processor need to be based in EU. During the online purchase, SCA is used to determine the identity of the customer and authentication is carried out using two factors. The 3D-Secure 2 (3DS2) standard was introduced for card payments, which – depending on the card provider – requires security checks such as “Visa Secure" (previously known as "Verified by Visa"), “Mastercard Identity Check” and “American Express SafeKey”. Transactions that do not adhere to the new authentication directive can be rejected by the issuing bank of the customer. Transferring the information provided in predefined fields allows real-time transaction monitoring and risk analysis at the acquirer.
Marco Dania, IXOPAY Lead Software Engineer says, “The 3DS2 protocol is a new system environment, where the actual authentication happens on the issuer side. We need to provide the issuer with essential information provided via predefined fields (e.g. browser language, card holder information, how long the customer has been registered, when the last password update took place, whether the shipping address has been used before etc.), which help them decide whether SCA is required or not. For 3D-Secure 2, this means either “frictionless flow”, because no further authentication is required, or “challenge flow”, meaning the card owner needs to further identify themselves via SCA. Our API provides all necessary data elements required by the acquirer/PSP to complete the 3D-Secure authentication. IXOPAY itself implemented a 3D-Secure 2 server from Netcetera, one of the leading global providers of 3D-Secure software, which is used to initiate and complete the payment process.”
At the heart of the new EU directive are “seamless and safe payments” for card-based transactions (e.g. via VISA, Mastercard etc.). Exceptions include, among others, transactions with a value of less than 30 euros, recurring transactions (e.g. membership fees), MoTo transactions (payments made via mail or telephone order), as well as payments where the acquirer of the card or the issuer are not based in EU.
“3D-Secure 2 means merchants are facing large challenges regarding the transfer of data required for a seamless checkout. We are excited and proud that after months of work on the integration and intensive coordination with card schemes like VISA and Mastercard, the transition will be kept as simple as possible for our vendors. This solution allows our customers to secure transactions via 3DS independent of the acquirer”, says Marco Dania, IXOPAY Lead Software Engineer.
What is the difference between 3DS1 and 3DS2?
The shopping experience when using 3DS1 was very inflexible. Each customer needed to go through an authentication process that involved being forwarded to a security form in a new browser window or iFrame. Furthermore, these forms were also not adapted to meet the requirements of modern web applications and web shops. On the one hand, 3DS2 opens up the opportunity for “frictionless flows” (meaning no forwarding is required); on the other hand it makes it easier for vendors to control the security forms. For example, the desired size of the iFrame can be defined, or a dedicated 3D-Secure SDK can be integrated in mobile apps. This provides seamless integration with vendor’s native apps, resulting in higher conversion rates and better protection against fraud.
The new EU regulations should help issuers and merchants distinguish good transactions from bad ones, and provide customers with a quick and pleasant online shopping experience. The SCA requirements under PSD2 will come into effect in the EU on 14 September 2019. As things stand currently, many issuers and acquirers are not yet prepared for the new standard. The card schemes have therefore announced that they will continue to permit 3D-Secure 1 authentication in many regions until 2020, or at least not to refuse transactions based on that authentication method. User identification should make eCommerce a comfortable experience while increasing security – factors that are essential to end customers and keep conversion rates high for merchants. As of now, IXOPAY offers all customers and partners Strong Customer Authentication in the form of 3D-Secure 2.
Write us a message to schedule a meeting!CONTACT