3-D Secure

Even if the European Banking Authority has granted regulators in individual European countries a longer transition period, the EU’s Payment Services Directive (PSD) will shortly be replaced by PSD2 (effective: 14 September 2019), ensuring Strong Customer Authentication (SCA) for credit and debit card transactions across the EU. We would like to take this opportunity to outline what this means for our payment ecosystem and, by extension, for our customers, focusing mainly on the introduction of the 3-D Secure 2 (3DS2) standard.

The second European Payment Services Directive (PSD2) is an EU directive which came into force across the European Economic Area on January 13, 2018. The European Union established PSD2 to drive payments innovation and enhance data security by reducing competitive barriers, mandating new security processes, and encouraging standardized technology to protect the confidentiality and integrity of payment service users’ personalized security credentials. PSD2 requires banks to support Open APIs to enable consumers to make payments directly from their bank accounts via newly regulated third-party payment service providers. The primary focus of this document is the introduction of the Regulatory Technical Standards (RTS) around strong customer authentication (SCA). These standards will come into effect on September 14, 2019.

Strong Customer Authentication

Even if the EU Banking Authority has granted regulators in individual EU countries a longer transition period, the PSD will shortly be replaced by PSD2 (14.09.2019). This ensures Strong Customer Authentication (SCA) for credit and debit card transactions across the EU. We would like to outline what this means for our payment ecosystem and, by extension, for our customers.

The SCA introduced with PSD2 will provide even greater fraud prevention for online payments. For it to apply, both the cardholder’s bank (the issuer) and the vendor’s payment service processor need to be based in the EU. During the online purchase, merchants use SCA to verify the customer’s identity, and authentication relies on two factors. Card networks introduced the 3-D Secure 2 (3DS2) standard for card payments, requiring security checks such as “Visa Secure” (previously “Verified by Visa”), “Mastercard Identity Check,” and “American Express SafeKey,” depending on the card provider. The customer’s issuing bank can reject transactions that do not adhere to the new authentication directive.

Transmitting the information in the predefined fields allows real-time transaction monitoring and risk analysis at the acquirer.

Exceptions

At the heart of the new EU directive are “seamless and safe payments” for card-based transactions. Exceptions include, among others, transactions with a value of less than 30 euros, recurring transactions, MoTo (mail order/telephone order) transactions, and payments where the card’s acquirer or issuer is not based in the EU.

3-D Secure 2 means merchants are facing large challenges regarding the transfer of data required for a seamless checkout. We are excited and proud that, after months of integrating and coordinating closely with card schemes like Visa and Mastercard, we have ensured a smooth and simple transition for our vendors.

This solution allows our customers to secure transactions via 3DS independent of the acquirer.

The difference between 3DS1 and 3DS2

The shopping experience with 3DS1 was very inflexible. Every customer had to complete an authentication process that required forwarding to a security form in a new browser window or iFrame. Additionally, these forms did not meet the requirements of modern web applications and web shops. 3-D Secure 2, on the other hand, enables “frictionless flows,” eliminating the need for forwarding. It also makes it easier for vendors to control the security forms: for example, the desired size of the iFrame can be defined, or a dedicated 3-D Secure SDK can be integrated into mobile apps. This provides seamless integration with vendors’ native apps, resulting in higher conversion rates and better protection against fraud.

Enhancements

There are several benefits to merchants, issuers and shoppers as a result of 3-D Secure V2. Broadly, the changes ensure a streamlined customer journey with fewer friction points. This should reduce the high rate of shopping cart abandonment associated with 3-D Secure. These enhancements include:

  • Risk-based authentication. 3-D Secure V2 will support the transmission of additional rich data during transactions, making authentication assessments and decisions more accurate. The issuer will be able to evaluate the fraud risk and bypass full authentication if the risk is low enough, resulting in a smoother customer journey for low-risk shoppers. This risk-based approach to authentication is entirely aligned with PSD2 guidance on SCA.
  • Biometric or two-factor authentication. If the issuer determines after an initial assessment that authentication is necessary, the shopper must complete either biometric or two-factor authentication. The available biometric authentication methods will depend on the supported options.
  • Eliminates initial enrollment. The removal of this one-time step in the 3-D Secure flow eliminates a major point of friction in the customer journey upon first-time use.
  • Support for in-app purchases. Unlike 3DS V1, which required a browser call-out to complete authentication, 3DS V2 can handle in-app purchases natively. This avoids the compatibility issues some apps experienced with browser authentication call-outs.
  • Allows for bespoke checkout integration. Should they wish, merchants can now integrate the 3-D Secure authentication process into their own checkout process, resulting in a much smoother experience for shoppers.
  • Support for non-payment authentications. The latest 3-D Secure version offers support for no-value authorizations, such as card-on-file tokens. Note that it is mandatory to perform an SCA check such as 3-D Secure to add a new card as a card-on-file. Subsequent transactions do not have to go through 3-D Secure, but they need to reference the original transaction, and the amount cannot differ by more than 15%.
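The exemptions listed under “Exceptions” above and the card-on-file rule in the last bullet can be combined into one decision helper. The following is an added illustration, not AllSecure gateway code: the `Transaction` fields are assumptions, and in practice the exemption decision rests with the issuer.

```python
"""Decide whether a card transaction must go through SCA (3-D Secure),
applying only the rules this article lists. Illustrative, not gateway code."""
from dataclasses import dataclass
from decimal import Decimal
from typing import Optional, Tuple

LOW_VALUE_LIMIT_EUR = Decimal("30")     # exemption: "less than 30 euros"
COF_MAX_DEVIATION = Decimal("0.15")     # card-on-file follow-up: at most 15% off the original


@dataclass
class Transaction:
    amount_eur: Decimal
    issuer_in_eu: bool
    acquirer_in_eu: bool
    recurring: bool = False
    moto: bool = False
    new_card_on_file: bool = False           # storing a new card for later use
    original_txn_id: Optional[str] = None    # follow-up referencing an SCA'd original
    original_amount_eur: Optional[Decimal] = None


def sca_decision(t: Transaction) -> Tuple[bool, str]:
    """Return (sca_required, reason)."""
    # SCA under PSD2 only applies when both issuer and acquirer are in the EU.
    if not (t.issuer_in_eu and t.acquirer_in_eu):
        return False, "issuer or acquirer outside the EU: SCA not applicable"
    # Adding a new card-on-file always requires an SCA check.
    if t.new_card_on_file:
        return True, "new card-on-file requires SCA"
    if t.moto:
        return False, "MoTo transaction"
    if t.recurring:
        return False, "recurring transaction"
    if t.original_txn_id is not None:
        if not t.original_amount_eur:
            # Cannot verify the 15% rule without the original amount: fail safe.
            return True, "card-on-file follow-up without original amount"
        deviation = abs(t.amount_eur - t.original_amount_eur) / t.original_amount_eur
        if deviation <= COF_MAX_DEVIATION:
            return False, f"card-on-file follow-up of {t.original_txn_id} within 15%"
        return True, f"amount deviates {deviation:.0%} from original (over 15%)"
    if t.amount_eur < LOW_VALUE_LIMIT_EUR:
        return False, "low-value transaction (under 30 EUR)"
    return True, "no exemption applies: authenticate via 3-D Secure"
```

Note that exactly 30 EUR is not “less than 30 euros” and therefore still requires SCA, and a follow-up whose original amount is unknown is treated as requiring SCA rather than being waved through.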

Exceptions

In response to industry uncertainty and unreadiness for the 14.09.2019 deadline, the EU Banking Authority has issued an opinion paper. The EBA concludes that the national competent authority (NCA) of each EU country may work with merchants and payment service providers to “provide limited additional time” for issuers, acquirers and merchants to migrate to SCA-compliant solutions.

Per country regulations

  • Austria. The Financial Market Authority (FMA) has confirmed a transition period will be put in place. Providers will be required to submit an implementation plan to the FMA with progress updates.
  • Belgium. The National Bank of Belgium has confirmed a collective transition plan will be put in place for the migration to SCA-compliant solutions.
  • Cyprus. The Central Bank of Cyprus has confirmed it will grant an eCommerce transition period to issuers and acquirers that support a non-reusable and non-replicable element (such as a one-time password).
  • Denmark. Finanstilsynet will allow for a transition period, but this only extends to allowing the use of authentication methods based on card details and a one-time password via SMS.
  • France. Banque de France will provide a transition period of 33 months for cardholders to enrol in solutions that meet SCA requirements.
  • Germany. BaFin supports a transition period for the enforcement of SCA requirements.
  • Greece. The Bank of Greece will provide a transition period, with the length of that period dependent on further announcements from the EBA.
  • Ireland. The Central Bank of Ireland (CBI) has confirmed a transition period will be put in place for eCommerce transactions.
  • Italy. Banca d’Italia has confirmed that a transition period will be implemented based on the maximum duration allowed by the EBA.
  • Luxembourg. The Commission de Surveillance du Secteur Financier (CSSF) has confirmed a transition period, aligning its length with the “EU-wide timetable from the EBA” once it is available.
  • Malta. The Central Bank of Malta has confirmed it will delay the application of SCA requirements for institutions that have taken steps to comply with agreed migration plans.
  • The Netherlands. De Nederlandsche Bank (DNB) has confirmed it will grant a transition period, the length of which has yet to be determined.
  • Norway. Finanstilsynet has confirmed that a transition period will be made available (upon request) to PSPs that require an extended deadline.
  • Poland. The Polish Financial Supervision Authority has confirmed that “no supervisory measures… will be applied” to PSPs who submit an appropriate SCA migration plan prior to September 14, 2019.
  • United Kingdom. The Financial Conduct Authority (FCA) has confirmed an 18-month transition period for eCommerce transactions.

What next?

The EBA opinion, however, does not specify what form this migration plan should take. Furthermore, delegating this responsibility to each region’s NCA is likely to result in a divergent EU regulatory environment that poses challenges to organizations operating internationally.

In light of this, AllSecure and its partners support the recommendation of the European Association of Payment Service Providers for Merchants (EPSM). The EPSM has proposed that extended timeframes should be harmonised across all regions affected by this regulation. Mastercard has similarly called on NCAs to agree on ‘collective migration plans [based on] a harmonized European roadmap.’

Until merchants receive confirmation on the extension request process, they should continue working toward compliance with SCA requirements before the September 14, 2019 deadline.

How do customers implement 3-D Secure V2?

Instructions for Exchange Payments Gateway customers on upgrading to 3-D Secure 2 are available now on the developer portal. 3-D Secure 2.0 offers many more options for identifying your customer. Generally, two authentication flows are available:

  • Frictionless flow
  • Challenge flow

Depending on the data provided, the card-issuing bank determines which flow to apply. In the frictionless flow, the customer does not need to take any further action. In the challenge flow, however, the customer is redirected to their bank’s authentication page, similar to 3-D Secure 1.0. The Gateway automatically handles any necessary data exchanges and redirects. The transaction response will ask your system only once to redirect the customer.

To improve your chances of the frictionless flow, transmit as much 3DS-related data as you have. Refer to 3-D Secure 2 Fields for detailed field documentation.
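The two outcomes described above need different handling on the merchant side: a frictionless result is final, while a challenge result is pending until the customer returns from the bank page, and the redirect happens once. The following is an added example of that state handling, not the Gateway’s SDK; the response field names (`transactionId`, `result`, `redirectUrl`) are assumptions for illustration.

```python
"""Merchant-side handling of the 3DS2 frictionless vs. challenge outcome.
Illustrative code; the response field names are assumed, not the Gateway's."""
from enum import Enum
from typing import Dict, Tuple


class Action(Enum):
    COMPLETE = "complete"   # frictionless flow: customer takes no further action
    REDIRECT = "redirect"   # challenge flow: send the customer to the bank page, once
    DECLINED = "declined"


class ThreeDSFlow:
    """Tracks each transaction so a challenge stays pending until the customer
    returns, and a redirect is issued at most once per transaction."""

    def __init__(self) -> None:
        self._state: Dict[str, str] = {}

    def status(self, txn: str) -> str:
        return self._state.get(txn, "new")

    def handle_response(self, resp: Dict) -> Tuple[Action, str]:
        """Process the initial gateway response. Returns (action, redirect_url)."""
        txn = resp["transactionId"]
        if self.status(txn) != "new":
            raise ValueError(f"{txn}: response already processed ({self.status(txn)})")
        if resp.get("result") == "REDIRECT":
            url = resp["redirectUrl"]
            # Challenge flow: this is not a completed payment; only follow HTTPS URLs.
            if not url.startswith("https://"):
                raise ValueError(f"{txn}: refusing non-HTTPS challenge URL")
            self._state[txn] = "challenge_pending"
            return Action.REDIRECT, url
        if resp.get("result") == "OK":
            self._state[txn] = "authorized"          # frictionless flow
            return Action.COMPLETE, ""
        self._state[txn] = "declined"
        return Action.DECLINED, ""

    def handle_return(self, resp: Dict) -> Action:
        """Process the result delivered once the customer returns from the challenge."""
        txn = resp["transactionId"]
        if self.status(txn) != "challenge_pending":
            raise ValueError(f"{txn}: unexpected return in state {self.status(txn)}")
        ok = resp.get("result") == "OK"
        self._state[txn] = "authorized" if ok else "declined"
        return Action.COMPLETE if ok else Action.DECLINED
```

Goods should be released only when `status()` reports `authorized`, never on the redirect itself.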

Established in 2001, AllSecure became a global Payment Service Provider dedicated to providing tailor-made online payment solutions that solve issues and suit the requirements of its clients.
Our PCI DSS Level 1 payment gateway processes in multiple markets and currencies through a single platform in a smart and cost-effective way. The aim is to optimize the clients’ payment solutions using the best gateway technologies and world-class acquirers along with our in-depth payment knowledge and professional services.