3-D Secure 2.1
What is happening?
If you operate in Europe and accept online card payments, you will soon need to implement 3-D Secure 2.1. This is in line with the PSD2 mandate for strong customer authentication. Over the coming months, Trust Payments will be supporting our customers to comply with the mandate by rolling out an upgrade in time for 31 December 2020.
When do I need to have 3-D Secure?
At minimum, 3DS version 1 is already required by the card schemes (Visa, Mastercard, Amex, Discover/Diners) for e-commerce transactions. You’ll need to be up and running on the new version, 3-D Secure 2.1, by 31 December 2020 so we can make sure you are compliant with EU law and avoid card declines.
What do I need to do to enable 3-D Secure 2.1?
You need to ensure that the additional authentication is built into your checkout flow and that you have sufficiently tested.
For our gateway customers, the actions you need to take vary depending on your integration:
- Hosted Payment page (HPP). You do not need to do anything. We will enable 3DS 2.1 for you.
- Custom HPP. We advise you to check with your test site that the new 3-D Secure flow works for your payment flow. Please let us know once you have tested it, and we will enable it on your production account.
- Otherwise, you could choose one of the following paths: update to the latest JS Library; move to our HPP and let us handle the payment page; or use your own MPI.
1. JS Library (preferred)
The JS Library solution can be introduced into your existing API-based system to connect through to our new 3-D Secure system.
2. Move to our HPP and let us handle the payment page
Our hosted payment solution is fully integrated with 3-D Secure version 2.1 and could be a viable alternative if you wish to move away from an API-based solution.
3. Your own MPI
If using your own or a third party MPI, instructions can be found here.
What is 3-D Secure?
3-D Secure is a security protocol provided by credit card schemes (Visa, Mastercard, Amex, Discover/Diners). During a 3-D Secure transaction, your customer is redirected to a site controlled by the issuing bank to answer additional security questions (usually a unique password or SMS verification). This reduces the chance of a fraudulent transaction occurring.
The latest version, 3DS 2.1, was developed to provide an enhanced method of authentication which meets the requirements of the European Revised Directive on Payment Services (PSD2). This directive requires that the consumer provides information from at least two of the three categories below:
- Knowledge – something you know (PIN, Passcode, Memorable information).
- Possession – something you have (Mobile Phone, Tablet, Key fob).
- Inherence – something you are (Fingerprint, Voice, Facial Scan).
What is PSD2?
The Revised Directive on Payment Services (PSD2) is a set of laws and regulations for payment services in the EU and EEA. These were defined in response to several factors including:
- An increase in online fraud by 66% between 2011 and 2016.
- The rise of the API economy, making it easier for systems to talk to each other, with a huge impact on banking.
- New payment business models. Since PSD1 there has been growth in digital payments and a lot of new fintech businesses, some fully regulated and others less so. PSD2 provides standards and structure to allow these companies to access customer bank accounts.
Are there any benefits in using 3-D Secure 2.1 aside from legal compliance?
Yes, the benefit of the upgrade extends beyond compliance. The older version of 3DS (3-D Secure 1.0) is known to be disruptive to the shopper experience, leading to more abandoned shopping carts. Version 2 aims to address this, with a more seamless experience for the shopper. Initial research is promising and shows that 3DS 2 can reduce checkout times by 85% and cart abandonment by 70%. The approval rates also surpass the approval rates of 3DS 1 authenticated transactions.
What is Strong Customer Authentication (SCA)?
Strong Customer Authentication is a requirement of the EU Revised Directive on Payment Services (PSD2). This mandate requires that electronic commerce payments are performed with multi-factor authentication to increase security of the transactions and help prevent fraudulent use of payment cards.
What will happen if I am not SCA-compliant by 31 December 2020?
If you try taking a payment from a card which was issued and acquired in the EEA without 3-D Secure authentication on or after 31 December, issuers may decline those transactions.
How do I test 3-D Secure 2.1?
If you have a test account, you can test from 21 October 2020. The test credentials you need to complete testing can be found here. If you do not have a test account and would like one, please ask your account manager.
Who can help with queries?
Our support team will be able to advise and answer any questions on the integration. Please contact us on [email protected].
Are any transactions out of scope?
Yes, there are some transactions which are outside the scope of SCA. In summary:
- MOTO – mail order/telephone order transactions.
- Merchant Initiated Transactions, apart from the initial payment taken when the agreement was set up. If the initial payment was face-to-face or MOTO, no further SCA is required.
- If either the issuer or acquirer is outside the EEA.
- Anonymous transactions – e.g. prepaid gift cards.
Are there any transactions which can be exempted from SCA?
Certain transactions may be exempted from SCA. The acquirer or the issuer can apply exemptions and bear the risk of any fraud:
- Transaction Risk Analysis. If robust risk analysis is performed and the acquirer has a fraud rate that is within defined limits, transactions may be exempted from SCA.
- Low-value transactions (€30 and under). Up to a maximum of 5 transactions or a limit of €100 (only the issuer can determine this). The exemption can be applied by the merchant/acquirer in the authorisation message, but there is a risk of a soft decline if the issuer finds that the €100 limit (since the last SCA) or the transaction count (5) has been exceeded.
- Trusted beneficiaries. Cardholders may add merchants to a whitelist. Subsequent payments to that merchant by the cardholder may be exempted from SCA.
- Secure corporate payments made through lodge cards, central travel accounts and virtual cards.
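The out-of-scope rules above and the low-value exemption with its issuer-side counters, modelled as a decision function. This is an added illustration, not Trust Payments code; the field names, the string return values and the boundary handling (the soft decline fires only once the count would exceed 5 or the running total would exceed €100) are assumptions.

```python
from dataclasses import dataclass
from decimal import Decimal

LOW_VALUE_LIMIT = Decimal("30")    # per-transaction ceiling for the low-value exemption
CUMULATIVE_LIMIT = Decimal("100")  # issuer's running spend limit since the last SCA
MAX_COUNT = 5                      # issuer's running transaction count since the last SCA

@dataclass
class Txn:
    amount: Decimal
    channel: str = "ecom"              # "ecom" or "moto"
    issuer_in_eea: bool = True
    acquirer_in_eea: bool = True
    merchant_initiated: bool = False   # a subsequent MIT, not the initial set-up payment
    anonymous_prepaid: bool = False    # e.g. a prepaid gift card

    def __post_init__(self):
        self.amount = Decimal(str(self.amount))   # accept int/str amounts from callers

@dataclass
class IssuerCounters:
    """Constructed stand-in for issuer-side state that the merchant cannot see."""
    total_since_sca: Decimal = Decimal("0")
    count_since_sca: int = 0

    def __post_init__(self):
        self.total_since_sca = Decimal(str(self.total_since_sca))

def sca_scope(t: Txn) -> str:
    """Out-of-scope cases from the page; everything else needs SCA or an exemption."""
    if t.channel == "moto" or t.merchant_initiated or t.anonymous_prepaid:
        return "out_of_scope"
    if not (t.issuer_in_eea and t.acquirer_in_eea):   # issuer or acquirer outside the EEA
        return "out_of_scope"
    return "in_scope"

def merchant_may_claim_low_value(t: Txn) -> bool:
    """The merchant/acquirer side only sees the single amount when it flags the exemption."""
    return sca_scope(t) == "in_scope" and t.amount <= LOW_VALUE_LIMIT

def issuer_decision(t: Txn, c: IssuerCounters) -> str:
    """Issuer re-checks the low-value claim against its own counters since the last SCA.
    Exceeding either counter is the soft decline the page warns about (assumed boundary)."""
    if sca_scope(t) == "out_of_scope":
        return "approve"
    if not merchant_may_claim_low_value(t):
        return "sca_required"
    if c.count_since_sca + 1 > MAX_COUNT or c.total_since_sca + t.amount > CUMULATIVE_LIMIT:
        return "soft_decline"          # resubmit with a full 3DS 2.1 authentication
    c.count_since_sca += 1
    c.total_since_sca += t.amount
    return "approve"
```

The point a merchant integration should take from the model is that the exemption flag is only a request: the counters live with the issuer, so the checkout flow must be able to handle a soft decline by retrying with 3-D Secure.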
I am using a 3DS 1 MPI. Is this compliant with PSD2?
Yes, a 3DS 1.0 MPI is technically compliant with PSD2. However, the card schemes are gradually moving away from it in favour of the new version. This makes it more costly for you to use, since some card schemes plan to increase fees. For example, Mastercard will be doubling their authentication fee for 3DS 1 from 29 December 2020.