
EMV 3DS (3-D Secure version 2)

If you operate in Europe and accept online card payments, you will need to implement EMV 3DS card payments (3-D Secure version 2). This is in line with the PSD2 mandate for strong customer authentication. Trust Payments will be supporting our customers to comply with this mandate.

FAQ

For our TRU Connect gateway customers, the actions you will need to take vary depending on your integration:

Hosted Payment Pages (HPP) solution

EMV 3DS is enabled and used by default, unless the incoming POST is configured to prevent EMV 3DS authentication. EMV 3DS authentication should only be prevented where the card used is issued outside of PSD2 mandated countries.

Note: If you have customised the appearance of your Payment Pages integration, we advise using your test site reference to check that the 3-D Secure flow works correctly. Click here for test card details you can use. 

JavaScript Library

All new Trust Payments JavaScript Library integrations use v3 of our JavaScript Library, which is already configured for EMV 3DS, so no further changes are necessary. However, if you are using v1 of our JavaScript Library, you will need to migrate to the latest version. Click here for further information.

Webservices API and/or STAPI

To ensure EMV 3DS is enabled, you will need to work with your developer/software provider to review your existing integration and choose one of the three paths below:

Integrate using our JS Library – You can embed our JS Library into your checkout to complete the EMV 3DS authentication. Click here to get started.

Migrate to our hosted Payment Pages solution – Click here to get started. 

If you are using your own 3DS Server, follow this guide

If your system receives a 71000 Soft decline response after processing an Authorisation (AUTH) Request to Trust Payments, this has occurred because the card issuer declined the request due to the absence of Strong Customer Authentication (SCA).

Action to take

You will need to resubmit the transaction with the necessary EMV 3DS authentication.

Background

The Revised Directive on Payment Services (PSD2) mandates that a form of SCA is performed on all transactions initiated by the customer through their browser. To comply with this mandate, you will need to utilise EMV 3DS.

There are exceptions to this rule that are permitted by the card issuer and do not need to be declared, examples of which include Mail or Telephone Order (MOTO) payments and Merchant Initiated Transactions (MIT) against a customer’s stored card. However, there are additional exemptions that do require flagging to the card issuer, by including the field scaexemptionindicator (click here for the field specification).

Failure to declare exemptions correctly or to meet conditions specified by the card issuer may lead to the 71000 Soft decline error.

At a minimum, 3-D Secure version 1 is already required by the card schemes (Visa, Mastercard, Amex, Discover/Diners) for e-commerce transactions.

3-D Secure version 2 (EMV 3DS):

  • If you are processing e-commerce payments from a card issued and acquired in the European Economic Area (EEA), the deadline for EMV 3DS compliance was 31 December 2020.
  • If you are processing e-commerce payments from a card issued and acquired in the UK, you will need to be up and running with the new EMV 3DS standard by the end of September 2021 to ensure full compliance with EU laws and to avoid unnecessary card declines, as card schemes will begin to remove 3-D Secure version 1 functionality. From June 2021, some card issuers have already started to soft decline some transactions that are sent without SCA in preparation for this change.

3-D Secure is an implementation of Strong Customer Authentication (SCA) that is commonly used to authenticate cardholders before seeking authorisation for online credit and debit card transactions (Visa, Mastercard, Amex, Discover/Diners), reducing the likelihood of fraudulent payments being processed.

During EMV 3DS authentication, card issuers typically perform security checks in the background without interrupting the checkout process, resulting in a frictionless experience for the customer. But in the interest of security, if certain pre-determined conditions defined by the card issuer have been met, they may decide to deploy additional multi-factor authentication methods to verify the customer's identity (e.g. sending a verification code to be typed into the checkout form or requesting explicit approval for the transaction via online banking). Following successful authentication, the merchant can benefit from a liability shift for fraud chargebacks.

EMV 3DS must be supported by Trust Payments merchants to meet the Strong Customer Authentication (SCA) requirements of Payment Services Directive 2 (PSD2).

Payment Services Directive (PSD2) is a European regulation for electronic payment services. It seeks to make payments more secure, boost innovation and help banking services adapt to new technologies. You can find out more below: 

Strong Customer Authentication (SCA) is a requirement of PSD2. This mandate requires that e-commerce payments are performed with multi-factor authentication to increase the security of the transactions and help prevent fraudulent use of payment cards.

This directive requires that the consumer provides information from at least two of the three categories below:

• Knowledge – something you know (PIN, passcode, memorable information).

• Possession – something you have (Mobile phone, tablet, key fob).

• Inherence – something you are (fingerprint, voice, facial scan).

EMV 3DS has been approved by the EU as a method of Strong Customer Authentication (SCA).

If you attempt to process e-commerce card payments without SCA, card issuers may return a soft decline response. When a soft decline response is received, you must retry EMV 3DS authentication including scaexemptionindicator = 14 to request a mandated challenge. Click here for more information.
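The soft decline handling described here and under "Action to take", as an added example that is not Trust Payments' own code: one resubmission with `scaexemptionindicator` set to 14, never a loop. The `errorcode` and `requesttypedescriptions` field names, the `THREEDQUERY` request type and the success code `0` are assumptions not stated on this page, and `send` stands in for the whole authenticate-then-authorise round trip, including any customer challenge.

```python
import copy

SOFT_DECLINE = "71000"      # soft decline code named on the page
MANDATED_CHALLENGE = "14"   # scaexemptionindicator value named on the page
SUCCESS = "0"               # assumed success code

def build_sca_retry(declined_request):
    """Return a copy of the declined request that asks for a mandated challenge."""
    retry = copy.deepcopy(declined_request)
    # Overwrite any exemption claimed on the first attempt.
    retry["scaexemptionindicator"] = MANDATED_CHALLENGE
    # Assumed field: request types, with 3DS authentication ahead of the AUTH.
    retry["requesttypedescriptions"] = ["THREEDQUERY", "AUTH"]
    return retry

def authorise(send, request):
    """Submit once; on a soft decline, resubmit exactly once with SCA.

    `send` is any callable taking a request dict and returning a response dict.
    Returns (outcome, list_of_requests_sent).
    """
    sent = [request]
    code = str(send(request).get("errorcode"))
    if code == SOFT_DECLINE:
        retry = build_sca_retry(request)
        sent.append(retry)
        code = str(send(retry).get("errorcode"))
        if code == SOFT_DECLINE:
            # Still soft declined after authentication: stop, do not loop.
            return "soft_declined_after_sca", sent
    return ("approved" if code == SUCCESS else "declined"), sent

def stub_gateway(request):
    """Constructed stand-in for the gateway: soft declines anything without SCA."""
    authenticated = "THREEDQUERY" in request.get("requesttypedescriptions", [])
    if authenticated and request.get("scaexemptionindicator") == MANDATED_CHALLENGE:
        return {"errorcode": SUCCESS}
    return {"errorcode": SOFT_DECLINE}

if __name__ == "__main__":
    # Constructed request: AUTH only, sent without any authentication.
    first = {"requesttypedescriptions": ["AUTH"]}
    outcome, sent = authorise(stub_gateway, first)
    print(outcome, [r.get("scaexemptionindicator") for r in sent])
```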

Security statement

Security is our top priority at Trust Payments and we strive to ensure that all data is kept secure at all times. We keep all customer data safe with AES256 encryption, SSL Certificates, and a minimum of TLS1.2, between your website and our datacentres.

Our systems are scanned quarterly using the Qualys PCI Platform, an independent Qualified Security Assessor (QSA) and approved vendors – Omnicybersecurity (UK) & Forgenix (US) – to ensure compliance with the security requirements of the card schemes.

We follow a number of rigorous security procedures on a daily basis including, but not limited to, continuous monitoring of our perimeter, dark web monitoring, and internal checks to ensure that the CIA triad is maintained at all times.
