EMV 3DS (3-D Secure version 2)
If you operate in Europe and accept online card payments, you will need to implement EMV 3DS (3-D Secure version 2). This is in line with the PSD2 mandate for strong customer authentication. Trust Payments will be supporting our customers to comply with this mandate.
You need to ensure that additional authentication is built into your checkout flow (as outlined below) and that you have tested it sufficiently. For our TRU Connect gateway customers, the actions you will need to take vary depending on your integration:
• Hosted Payment Pages (HPP) solution – Most of our merchants will not need to make any changes. We will enable EMV 3DS on your request.
• Webservices API and/or STAPI – To support EMV 3DS you will need to review the current integration you have with your developer/software provider and choose one of the three paths below:
  - Integrate using our JS Library – You can embed our JS Library into your checkout to complete the EMV 3DS authentication. Click here to get started.
  - Migrate to our hosted Payment Pages solution – Click here to get started.
  - If you are already using your own MPI, follow this guide.
If your system receives a 71000 Soft decline response after submitting an Authorisation (AUTH) Request to Trust Payments, the card issuer has declined the request due to the absence of Strong Customer Authentication (SCA).
Action to take
You will need to resubmit the transaction with the necessary EMV 3DS authentication.
The Revised Directive on Payment Services (PSD2) mandates that a form of SCA is performed on all transactions initiated by the customer through their browser. To comply with this mandate, you will need to utilise EMV 3DS.
There are exceptions to this rule that are permitted by the card issuer and do not need to be declared, examples of which include Mail or Telephone Order (MOTO) payments and Merchant Initiated Transactions (MIT) against a customer’s stored card. However, there are additional exemptions that do require flagging to the card issuer, by including the field scaexemptionindicator (click here for the field specification).
Failure to declare exemptions correctly or to meet conditions specified by the card issuer may lead to the 71000 Soft decline error.
As a minimum, 3-D Secure version 1 is already required by the card schemes (Visa, Mastercard, Amex, Discover/Diners) for e-commerce transactions.
3-D Secure version 2 (EMV 3DS):
- If you are processing e-commerce payments from a card issued and acquired in the European Economic Area (EEA), the deadline for EMV 3DS compliance was 31 December 2020.
- If you are processing e-commerce payments from a card issued and acquired in the UK, you will need to be up and running with the new EMV 3DS standard by the end of September 2021 to ensure full compliance with EU laws and to avoid unnecessary card declines, as card schemes will begin to remove 3-D Secure version 1 functionality. From June 2021, some card issuers have already started to soft decline some transactions that are sent without SCA in preparation for this change.
3-D Secure is a security protocol provided by credit card schemes (Visa, Mastercard, Amex, Discover/Diners). During a 3-D Secure transaction, security checks are seamlessly performed in the background, and if an elevated risk of fraud is detected, the customer is redirected to a site hosted by the issuing bank to verify their identity (usually by prompting for a unique password or SMS verification code sent to their device). This reduces the likelihood of a fraudulent transaction being processed.
The latest version of EMV 3DS (3-D Secure version 2) was developed to provide an enhanced method of authentication which meets the requirements of the European Revised Directive on Payment Services (PSD2). This directive requires that the consumer provides information from at least two of the three categories below:
• Knowledge – something you know (PIN, Passcode, Memorable information).
• Possession – something you have (Mobile Phone, Tablet, Key fob).
• Inherence – something you are (Fingerprint, Voice, Facial Scan).
EMV 3DS is the current standard for authentication and replaces the legacy 3-D Secure version 1.0.2 service. From October 2021, the first stage of sunsetting of 3-D Secure version 1 will commence, with the removal of some functionality. For this reason, it is important to ensure that you are integrated with EMV 3DS by the end of September.
The Revised Directive on Payment Services (PSD2) is a set of laws and regulations for payment services in the EU and EEA. These were defined in response to several factors including:
• An increase in online fraud by 66% between 2011 and 2016.
• The rise of the API economy, making it easier for systems to talk to each other, with a huge impact on banking.
• New payment business models – since PSD1 there has been growth in digital payments and a lot of new fintech businesses, some fully regulated and others less so. PSD2 provides standards and structure to allow these companies to access customer bank accounts.
Strong Customer Authentication is a requirement of the EU Revised Directive on Payment Services (PSD2). This mandate requires that electronic commerce payments are performed with multi-factor authentication to increase security of the transactions and help prevent fraudulent use of payment cards.
If you try processing e-commerce card payments without EMV 3DS (3-D Secure version 2) authentication, issuers may soft decline those transactions. Furthermore, failure to authenticate with EMV 3DS from October 2021 will result in the loss of the ability to shift liability to the card issuer for “Attempts” (status A).