The European Banking Authority has confirmed the enforcement deadline for PSD2 Strong Customer Authentication – December 31st, 2020 (with the exception of the United Kingdom). With the deadline looming, many businesses have unanswered questions. Our team has researched the most common areas of confusion among merchants and provided clarifications.
WHAT ARE 3DS, PSD2, AND SCA?
3DS – short for 3D Secure – is a cardholder authentication protocol for online (card-not-present) purchases. It lets the card issuer verify the cardholder before the merchant submits the transaction for authorization, and when authentication succeeds it shifts liability for fraud-related chargebacks from the merchant to the card issuer.
PSD2 is the second Payment Services Directive (Directive (EU) 2015/2366), proposed by the European Commission and adopted by the European Parliament and Council, replacing the first Payment Services Directive of 2007. Its purpose is to regulate payment services and payment service providers throughout the European Union (EU) and the European Economic Area (EEA), and it is designed to increase the efficiency and security of payment services within the EU single market.
With PSD2 comes the requirement for Strong Customer Authentication (SCA), set out in Article 97 of the directive and detailed in the Regulatory Technical Standards (RTS) on SCA (Commission Delegated Regulation (EU) 2018/389). SCA requires payment service providers to authenticate the customer with two independent factors when the customer accesses a payment account online, initiates an electronic payment, or performs any remote action that carries a risk of payment fraud. Its purpose is to reduce fraudulent transactions and increase confidence in online services, and it applies regardless of the device used.
PSD2 itself has applied since January 13th 2018, and the RTS on SCA became applicable on September 14th 2019. Because many merchants and issuers were not ready, the European Banking Authority (EBA) allowed national regulators to grant extra time for SCA on e-commerce card payments. It expects migration plans to be complete and SCA enforced in all EU countries by the end of 2020.
The UK’s Financial Conduct Authority confirmed an additional 6-month extension for the UK, moving its enforcement date to September 14th 2021, intended to reduce disruption to consumers and merchants during the ongoing COVID-19 crisis.
Issuers in the Netherlands have already begun to soft-decline non-3DS transactions exceeding EUR 250, and will extend this to all transactions in early November. France will gradually accelerate soft declines of non-3DS transactions based on market readiness, and Germany is considering a progressive extension with soft declines.
HOW IS 3DS2 DIFFERENT FROM 3DS1?
3D Secure 1.0 (3DS1) was introduced by Visa (as Verified by Visa) and adopted by Mastercard (as SecureCode). It authenticates the cardholder with the issuer during checkout, typically through a static password or a one-time code entered on the issuer’s page. It was created primarily for desktop browsers and relied on redirecting the customer away from the merchant’s page.
The new version of the protocol, 3D Secure 2.0 (3DS2, also called EMV 3-D Secure), is specified by EMVCo and supported by all major card networks. It is designed for browsers and native mobile apps alike, carries far more transaction and device data to the issuer, and supports verification on the cardholder’s registered mobile phone, for example with a one-time passcode or in-app confirmation.
3DS1 and 3DS2 have co-existed for several years while the market transitioned. Today the 3DS1 redirect flow works poorly on many devices, particularly inside mobile apps, while 3DS2 integrates seamlessly with the latest technology.
Designed to enable a better user experience with minimal impact on conversions, 3DS2 will be the primary method by which merchants will comply with the requirements of PSD2 SCA. As with the earlier version, 3DS2 authentication shifts liability for fraudulent transactions to the card issuer.
Enhancements brought by 3DS2 (compared to 3DS1) include:
- An improved user experience with mobile purchases
- Secure authentication on checkout pages, both browser and mobile
- The collection of richer transaction, device and cardholder data for the purposes of identifying risk and fraudulent activity
- Reducing risks caused by unauthenticated payments
HOW WILL STRONG CUSTOMER AUTHENTICATION BE SUPPORTED BY 3DS2?
SCA will make online financial transactions safer through enhanced verification. The days of online customers using static codes – which are easy to share and steal – to authenticate themselves with their issuing banks will disappear. Instead, unless an exemption applies, customers will be required to perform strong authentication, which means proving at least two of the following three independent categories of evidence:
- Inherence, who the customer is – a fingerprint, a facial scan, or a voice pattern
- Knowledge, what the customer knows – a password, a PIN, a pass phrase, or a knowledge-based challenge question such as the name of a pet
- Possession, what the customer has – a mobile phone, a badge, a hardware token, a wearable device, or a smart card
Instead of only using a password, customers may be asked to go through one of the following authentication flows:
- A two-factor flow that combines something the customer knows with a one-time code sent via SMS to their registered mobile phone. The code counts as evidence of possession of the phone; a code sent by email does not by itself qualify as an SCA element, because an email account is not tied to a device.
- A biometric flow that asks the user to confirm the transaction with their fingerprint or face in their banking app, where the app on the enrolled device is the possession element and the biometric is the inherence element.
These flows provide handy alternatives to passwords, which can be forgotten. By making life easier for customers, businesses also lower the risk of customers abandoning their purchase halfway through the security process.
HOW WILL 3DS2 ENABLE FRICTIONLESS CUSTOMER AUTHENTICATION?
3DS2 follows a risk-based authentication process to determine whether a transaction should be challenged. The issuer calculates a risk level from the data collected during the transaction, such as device information, time zone, shipping and billing details, and various other parameters. If the issuer judges the risk low enough, or an SCA exemption applies, the transaction is authenticated in the background (the ‘frictionless flow’) without additional input from the customer.
However, if the issuer sees elevated risk, or SCA is required and no exemption applies, authentication moves on to the extra step, the ‘challenge flow’, in which the customer proves two factors, for example with a one-time code or a biometric confirmation in their banking app.
Unlike the 3DS1 redirect, the 3DS2 challenge is rendered in an iframe embedded in the merchant’s own page. Customers are not taken away from the payment page, which makes for a more seamless checkout experience.
HOW WILL THE CHANGES AFFECT MERCHANTS?
To help businesses maximize their conversions after the enforcement of SCA, Nuvei will enable dynamic implementation of 3D Secure 2.0. This means making intelligence-based decisions in real-time about whether or not to take advantage of SCA exemptions to push for higher conversions.
WILL CONVERSIONS TAKE A BIG HIT? WHAT CAN NUVEI DO ABOUT IT?
At this time, there is no hard evidence that conversion rates will be harmed by the changes.
However, to maintain revenue streams during and following the transition, Nuvei will identify issuers with 3DS2 support issues and exclude them from 3DS2 flows. In addition, we utilize a cascading system that activates in cases where a technical issue arises with 3DS2 authentication, automatically retrying with 3DS1.
Exemptions will be handled according to merchant preferences.
WHAT TRANSACTIONS ARE EXEMPT FROM SCA?
Not every transaction is subject to SCA. Under the RTS, a remote payment of 30 EUR or less can use the low-value exemption, but the issuer must apply SCA once the transactions exempted in this way add up to more than 100 EUR since the last authentication, or more than five consecutive transactions have been exempted. A separate transaction risk analysis (TRA) exemption lets the acquirer or the issuer skip SCA for transactions up to 500 EUR, provided that the fraud rate of the payment service provider claiming the exemption is at or below the reference rate set for that transaction value (the lower the fraud rate, the higher the amount that can be exempted). The issuer always retains the right to refuse the exemption and challenge the transaction.
There are other exemptions and out-of-scope cases, including:
- Mail orders and telephone orders (MOTO) – these are not classified as electronic payments and are out of scope
- Corporate payments made through dedicated secure corporate payment processes or protocols, such as lodged or virtual cards, rather than every card issued to a business
- Trusted beneficiaries (whitelisting) – merchants the customer has chosen to place on a list maintained by their issuing bank
- One-leg-out transactions, where either the card issuer or the acquirer is based outside the EEA; SCA is then applied on a best-efforts basis only
- Recurring transactions and subscriptions for a fixed amount – SCA is required for the first payment, and later payments initiated by the merchant are exempt. If the amount changes, the customer must be authenticated again with 3D Secure 2.0.
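The low-value and TRA exemption rules above, together with the frictionless-versus-challenge decision described earlier, as an added worked example. This is illustrative code written for this page, not Nuvei’s or any issuer’s implementation: the thresholds are those of the RTS on SCA (Articles 16 and 18), while the CardState counters, the decide() helper and the sample purchase sequence are assumptions constructed for the example.

```python
"""Added example (not Nuvei code): a decision helper for the PSD2 SCA
exemptions. Thresholds follow the RTS on SCA (Commission Delegated
Regulation (EU) 2018/389), Article 16 (low-value remote transactions) and
Article 18 (transaction risk analysis, TRA). The per-card counters an issuer
keeps since the last SCA are modelled as a plain dataclass (an assumption);
everything else about issuer and acquirer systems is left out.
"""
from dataclasses import dataclass

# Article 16 thresholds (EUR).
LOW_VALUE_MAX = 30.00
LOW_VALUE_CUMULATIVE_MAX = 100.00
LOW_VALUE_MAX_CONSECUTIVE = 5

# Article 18 reference fraud rates (percent) by transaction-value ceiling (EUR).
# Above 500 EUR no TRA exemption is available.
TRA_BANDS = ((100.00, 0.13), (250.00, 0.06), (500.00, 0.01))


@dataclass
class CardState:
    """Issuer-side counters for one card since its last successful SCA."""
    cumulative_since_sca: float = 0.0
    consecutive_since_sca: int = 0

    def reset(self):
        self.cumulative_since_sca = 0.0
        self.consecutive_since_sca = 0


def low_value_exemption_applies(amount, state):
    """Article 16. The RTS counts 'previous' transactions and lets the issuer
    pick either the cumulative-amount or the count limit; this helper takes
    the conservative reading (include the current transaction, enforce both),
    which is an interpretation, not the only compliant one."""
    if amount > LOW_VALUE_MAX:
        return False
    if state.cumulative_since_sca + amount > LOW_VALUE_CUMULATIVE_MAX:
        return False
    if state.consecutive_since_sca + 1 > LOW_VALUE_MAX_CONSECUTIVE:
        return False
    return True


def tra_exemption_applies(amount, psp_fraud_rate_pct):
    """Article 18. The PSP claiming the exemption (acquirer or issuer) must
    have a remote-card fraud rate at or below the reference rate for the
    value band the transaction falls into."""
    for ceiling, reference_rate in TRA_BANDS:
        if amount <= ceiling:
            return psp_fraud_rate_pct <= reference_rate
    return False


def decide(amount, state, acquirer_fraud_rate_pct):
    """Return ("frictionless", exemption) or ("challenge", "sca_required").

    A frictionless outcome advances the card's counters because no SCA took
    place; a challenge is assumed to succeed and resets them. An exemption
    claimed by the acquirer leaves chargeback liability with the merchant:
    only a completed authentication brings the liability shift.
    """
    if low_value_exemption_applies(amount, state):
        exemption = "low_value"
    elif tra_exemption_applies(amount, acquirer_fraud_rate_pct):
        exemption = "tra"
    else:
        state.reset()
        return ("challenge", "sca_required")
    state.cumulative_since_sca += amount
    state.consecutive_since_sca += 1
    return ("frictionless", exemption)


if __name__ == "__main__":
    card = CardState()
    # Constructed sequence of remote purchases on one card: (amount in EUR,
    # acquirer fraud rate in percent at the time of the purchase).
    purchases = [(25, 0.05), (30, 0.05), (30, 0.05), (20, 0.05), (20, 0.20), (600, 0.001)]
    for amount, rate in purchases:
        print(amount, decide(amount, card, rate), card)
```

The fourth purchase fails the low-value test only because the cumulative amount would pass 100 EUR, and is then rescued by TRA; the fifth is challenged because the acquirer’s fraud rate has risen above the 0.13% reference rate for its band, and the 600 EUR purchase is challenged because no TRA band reaches that high.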
WHY DON’T ALL MERCHANTS USE 3D SECURE?
Merchants adopt 3D Secure when they want an extra layer of security on their transactions and the chargeback liability shift that comes with it. Using 3D Secure is not mandatory for transactions conducted outside the EEA, so for those transactions merchants weigh the fraud protection against the added checkout friction.
WHAT IS THE CHARGEBACK LIABILITY SHIFT?
Merchants with 3DS enabled are no longer liable for fraud-related card disputes where the issuer has successfully authenticated the shopper’s identity. In these cases the merchant receives chargeback protection for fraud claims: where a transaction would previously have been charged back as fraudulent, the issuer that authenticated it assumes liability instead of the merchant. Note that the shift covers fraud disputes only; disputes about goods or services not received are unaffected.
WHAT IS TRANSACTION RISK ANALYSIS?
Under the 3DS2 protocol, a rich set of transaction data (cardholder, device, browser and merchant details) is always shared with the issuer in the authentication request.
This transactional data forms the basis of Transaction Risk Analysis (TRA). TRA is a fraud analysis strategy that observes and analyzes the characteristics of transactions to identify and block fraudulent behavior. Under PSD2, TRA is also the name of the exemption that lets an acquirer or issuer with a low enough fraud rate skip SCA for lower-value transactions. The data supplied by 3DS2 feeds the algorithms that look for the behavior patterns of cardholders, location information, and real-time fraud rates in e-commerce transactions.
WHAT ARE THE INTEGRATION OPTIONS?
Choose an integration solution based on your business requirements. Nuvei helps you reduce 3DS complexity while ensuring compliance with PCI DSS and PSD2.
HOSTED PAYMENT PAGE (HPP)
This ready-to-use integration gives you end-to-end payment processing ability with one connection, with no coding needed on your end. It is designed to optimize payment journeys worldwide while keeping card data off your systems, which reduces your PCI DSS scope and lets you focus on your business.
- Acquirer-agnostic global payment processing
- Full support for 3DS2
- Accepts more than 450 alternative payment methods and 154 currencies worldwide.
- Decline-recovery tools, data-reporting, risk-management suite
- Localizable to any geography
- Minimal integration needed for full access to the Nuvei network
WEB SDK
This developer-friendly integration gives you a higher level of control while still reducing your PCI DSS scope. The Web SDK is completely modular, allowing you to embed Nuvei’s components in your own payment page as you require.
- Quick, simple integration with 3DS2
- Customized connection
- Full-stack payment processing
- 3DS 1 and 2 transactions processed agnostically
- Full support for world currencies and alternative payment methods
- No redirection or iframe
SERVER-TO-SERVER
This is a server-to-server connection to our payment engine providing a deeper level of integration for developers. It is perfect for businesses that require complete control over their UX and UI and have the resources to manage a more complex integration process. Because card data passes through the merchant’s own servers, merchants remain fully responsible for PCI DSS compliance at SAQ D level when using this integration. It is also well suited to businesses that choose to implement 3DS2 across several acquirers.
- Developer portal with sandbox for testing
- High levels of customization
- Full control over the integration workflow
- Can be used in combination with other solutions
WHAT CAN MERCHANTS DO TO BE PREPARED FOR PSD2 AND SCA?
PSD2 readiness requires payment solutions that are up to date with the new regulatory requirements. While a merchant could build this internally, for most, the complexity of the new regulations calls for a payment partner that supports 3DS2 and SCA.
Nuvei’s technology is fully compliant with PSD2, allowing you to reduce your compliance burden and focus on your main business. Get in touch – our representatives will be happy to answer your questions about PSD2 compliance and how you can avoid getting left behind.