EMV 3DS (3-D Secure version 2)

If you operate in Europe and accept online card payments, you will need to implement EMV 3DS (3-D Secure version 2). This is in line with the PSD2 mandate for strong customer authentication. Trust Payments will be supporting our customers to comply with this mandate.

FAQ

You need to ensure that additional authentication is built into your checkout flow (as outlined below) and that you have tested it sufficiently. For our TRU Connect gateway customers, the actions you will need to take vary depending on your integration:

Hosted Payment Pages (HPP) solution – Most of our merchants will not need to make any changes. We will enable EMV 3DS on your request.

Note: If you have applied custom JavaScript, we advise that you check with your test site reference that the new 3-D Secure flow works correctly. Please let us know once you have completed testing, and we will enable EMV 3DS on your production account. Click here for test card details you can use.

Webservices API and/or STAPI – To support EMV 3DS you will need to review the current integration you have with your developer/software provider and choose one of the three paths below:

JavaScript Library – If you are already using v2 or v3 of our JavaScript Library, your solution is already configured for EMV 3DS and no further changes are necessary. However, if you are using v1 of our JavaScript Library, you will need to migrate to the latest version. Click here for further information.

If your system receives a 71000 Soft decline response after processing an Authorisation (AUTH) Request to Trust Payments, this has occurred because the card issuer declined the request due to the absence of Strong Customer Authentication (SCA).

Action to take

You will need to resubmit the transaction with the necessary EMV 3DS authentication.

Background

The Revised Directive on Payment Services (PSD2) mandates that a form of SCA is performed on all transactions initiated by the customer through their browser. To comply with this mandate, you will need to utilise EMV 3DS.

There are exceptions to this rule that are permitted by the card issuer and do not need to be declared, examples of which include Mail or Telephone Order (MOTO) payments and Merchant Initiated Transactions (MIT) against a customer’s stored card. However, there are additional exemptions that do require flagging to the card issuer, by including the field scaexemptionindicator (click here for the field specification).

Failure to declare exemptions correctly or to meet conditions specified by the card issuer may lead to the 71000 Soft decline error.
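One way to handle the 71000 Soft decline described above, as an added example that is not Trust Payments code: step up to EMV 3DS once and resubmit, without looping if the issuer soft declines again. It assumes the gateway response exposes a string `errorcode` with "0" meaning success; `sendAuth`, `run3ds`, `threeDS` and the order fields are hypothetical names.

```javascript
// Added example, not Trust Payments code. Assumptions: the gateway response
// exposes a string `errorcode` ("0" = success); sendAuth() and run3ds() are
// hypothetical functions supplied by the integration.
const OK = "0";
const SOFT_DECLINE = "71000";

function processPayment(order, sendAuth, run3ds) {
  const log = [];
  let res = sendAuth(order);
  log.push({ step: "auth", errorcode: res.errorcode });
  if (res.errorcode === OK) return { status: "approved", log };
  if (res.errorcode !== SOFT_DECLINE) return { status: "declined", log };

  // Soft decline: the issuer wants SCA. If this request was already
  // authenticated, stop here instead of looping on the same response.
  if (order.threeDS) return { status: "declined", log };

  const threeDS = run3ds(order); // hypothetical: returns auth data or null
  log.push({ step: "3ds", authenticated: Boolean(threeDS) });
  if (!threeDS) return { status: "authentication_failed", log };

  // Resubmit exactly once, now carrying the authentication result.
  res = sendAuth({ ...order, threeDS });
  log.push({ step: "auth_with_3ds", errorcode: res.errorcode });
  return { status: res.errorcode === OK ? "approved" : "declined", log };
}

// Constructed stub issuer: soft-declines any AUTH that lacks 3DS data.
function stubIssuer(req) {
  return { errorcode: req.threeDS ? OK : SOFT_DECLINE };
}

// Constructed order; field names are illustrative.
const result = processPayment({ orderId: "demo-1" }, stubIssuer,
  () => ({ authenticated: true }));
console.log(result.status, result.log.map((e) => e.step).join(" -> "));
```

The returned `log` records each step, which makes it straightforward to audit how often soft declines trigger a step-up in production.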

At a minimum, 3-D Secure version 1 is already required by the card schemes (Visa, Mastercard, Amex, Discover/Diners) for e-commerce transactions.

3-D Secure version 2 (EMV 3DS):

  • If you are processing e-commerce payments from a card issued and acquired in the European Economic Area (EEA), the deadline for EMV 3DS compliance was 31 December 2020.
  • If you are processing e-commerce payments from a card issued and acquired in the UK, you will need to be up and running with the new EMV 3DS standard by the end of September 2021 to ensure full compliance with EU laws and to avoid unnecessary card declines, as card schemes will begin to remove 3-D Secure version 1 functionality. From June 2021, some card issuers have already started to soft decline some transactions that are sent without SCA in preparation for this change.

3-D Secure is a security protocol provided by credit card schemes (Visa, Mastercard, Amex, Discover/Diners). During a 3-D Secure transaction, security checks are seamlessly performed in the background, and if an elevated risk of fraud is detected, the customer is redirected to a site hosted by the issuing bank to verify their identity (usually by prompting for a unique password or SMS verification code sent to their device). This reduces the likelihood of a fraudulent transaction being processed.

The latest version of EMV 3DS (3-D Secure version 2) was developed to provide an enhanced method of authentication which meets the requirements of the European Revised Directive on Payment Services (PSD2). This directive requires that the consumer provides information from at least two of the three categories below:

• Knowledge – something you know (PIN, Passcode, Memorable information).

• Possession – something you have (Mobile Phone, Tablet, Key fob).

• Inherence – something you are (Fingerprint, Voice, Facial Scan).

EMV 3DS is the current standard for authentication and replaces the legacy 3-D Secure version 1.0.2 service. From October 2021, the first stage of sunsetting of 3-D Secure version 1 will commence, with the removal of some functionality. For this reason, it is important to ensure that you are integrated with EMV 3DS by the end of September.

The Revised Directive on Payment Services (PSD2) is a set of laws and regulations for payment services in the EU and EEA. These were defined in response to several factors including:

• An increase in online fraud by 66% between 2011 and 2016.

• The rise of the API economy, making it easier for systems to talk to each other, with a huge impact on banking.

• New payment business models – since PSD1 there has been growth in digital payments and a lot of new fintech businesses, some fully regulated and others less so. PSD2 provides standards and structure to allow these companies to access customer bank accounts.

Strong Customer Authentication is a requirement of the EU Revised Directive on Payment Services (PSD2). This mandate requires that electronic commerce payments are performed with multi-factor authentication to increase security of the transactions and help prevent fraudulent use of payment cards.

If you try processing e-commerce card payments without EMV 3DS (3-D Secure version 2) authentication, issuers may soft decline those transactions. Furthermore, failure to authenticate with EMV 3DS from October 2021 will result in the loss of the ability to shift liability to the card issuer for “Attempts” (status A).

The test credentials you need to complete testing can be found here. If you do not have a test account and would like one, please ask your account manager.

Security statement

Security is our top priority at Trust Payments and we strive to ensure that all data is kept secure at all times. We keep all customer data safe with AES256 encryption, SSL Certificates, and a minimum of TLS1.2, between your website and our datacentres.

Our systems are scanned quarterly using the Qualys PCI Platform, an independent Qualified Security Assessor (QSA) and approved vendors – Omnicybersecurity (UK) & Forgenix (US) – to ensure compliance with the security requirements of the card schemes.

We follow a number of rigorous security procedures on a daily basis including, but not limited to, continuous monitoring of our perimeter, dark web monitoring, and internal checks to ensure that the CIA triad is maintained at all times.
