AllSecure Exchange Platform 3-D Secure 2 Compliance

Even if the European Banking Authority has granted regulators in individual European countries a longer transition period, the EU’s Payment Services Directive (PSD) will shortly be replaced by PSD2 (effective: 14 September 2019), ensuring Strong Customer Authentication (SCA) for credit and debit cards transactions across the EU. We would like to take this opportunity to outline what this means for our payment ecosystem and by extension for our customers, mainly by focusing on the introduction of 3-D Secure 2 (3DS2) standard .

The second European Payment Services Directive (PSD2) is a EU directive which came into force across the European Economic Area on January 13, 2018. PSD2 was established to drive payments innovation and data security by reducing competitive barriers, mandating new security processes and encouraging standardized technology to protect the confidentiality and integrity of payment service users’ personalized security credentials. PSD2 requires banks to support Open APIs to enable consumers to make payments directly from their bank accounts via newly-regulated third-party payment service providers. The primary focus of this document is the introduction of the Regulatory Technical Standards (RTS) around strong customer authentication (SCA). These standards will come into effect on September 14, 2019.

Strong Customer Authentication

Even if the EU Banking Authority has granted regulators in individual EU countries a longer transition period, the PSD will shortly be replaced by PSD2 (14.09.2019). This ensuring Strong Customer Authentication (SCA) for credit and debit cards transactions across the EU. We would like to outline what this means for our payment ecosystem and by extension for our customers.

The SCA introduced with PSD2 will provide even greater fraud prevention for online payments. For this to apply, both the card owner’s bank and the vendor’s payment service processor need to be based in EU. During the online purchase, SCA is used to determine the identity of the customer and authentication is carried out using two factors. The 3-D Secure 2 (3DS2) standard was introduced for card payments, which – depending on the card provider – requires security checks such as “Visa Secure” (previously known as “Verified by Visa”), “Mastercard Identity Check” and “American Express SafeKey”. Transactions that do not adhere to the new authentication directive can be rejected by the issuing bank of the customer. Transferring the information provided in predefined fields allows real-time transaction monitoring and risk analysis at the acquirer.

Exceptions

At the heart of the new EU directive are “seamless and safe payments” for card-based transactions. Exceptions include, among others, transactions with a value of less than 30 euros, recurring transactions, MoTo transactions. As well as payments where the acquirer of the card or the issuer are not based in EU.

3D-Secure 2 means merchants are facing large challenges regarding the transfer of data required for a seamless checkout. We are excited and proud that after months of work on the integration and intensive coordination with card schemes like VISA and Mastercard, the transition will be kept as simple as possible for our vendors. This solution allows our customers to secure transactions via 3DS independent of the acquirer.

The difference between 3DS1 and 3DS2

The shopping experience when using 3DS1 was very inflexible. Each customer needed to go through an authentication process that involved being forwarded to a security form in a new browser window or iFrame. Furthermore, these forms were also not adapted to meet the requirements of modern web applications and web shops. On the one hand, 3-D Secure 2 opens up the opportunity for “frictionless flows” (meaning no forwarding is required). On the other hand it makes it easier for vendors to control the security forms. For example, the desired size of the iFrame can be defined, or a dedicated 3D-Secure SDK can be integrated in mobile apps. This provides seamless integration with vendor’s native apps, resulting in higher conversion rates and better protection against fraud.

Enhancements

There are several benefits to merchants, issuers and shoppers as a result of 3-D Secure V2. Broadly, the changes ensure a streamlined customer journey with fewer friction points. This should reduce the high rate of shopping cart abandonment from 3-D Secure V2. These enhancements include:

• Risk-based authentication. 3-D Secure V2 will support the transmission of additional rich data during transactions, making authentication assessments and decisions more
  accurate. The issuer will be able to evaluate the fraud risk and bypass full authentication if the risk is low enough, resulting in a smoother customer journey for low-risk shoppers. This risk-based approach to authentication is entirely aligned with PSD2 guidance on SCA.
• Biometric or two-factor authentication. If the issuer (after performing an initial assessment) determines that authentication is required, either biometric or two-factor
  authentication will be performed to validate the shopper. The biometric authentication methods available will depend on what is supported.
• Eliminates initial enrollment. The removal of this one-time step in the 3-D Secure flow eliminates a major point of friction in the customer journey upon first-time use.
• Support for in-app purchases. Unlike 3DS V1, which required a browser call-out to complete authentication, 3DS V2 can handle in-app purchases natively. This avoids compatibility issues experienced within some apps for browser authentication callouts.
• Allows for bespoke checkout integration. Should they wish, merchants can now integrate the 3-D Secure authentication process into their own checkout process, resulting in a much smoother experience for shoppers.
• Support for non-payment authentications. The latest 3-D Secure version offers support for no-value authorizations, such as tokens for card-on file. Note that it is mandatory to perform an SCA check such as 3-D Secure to add a new card as a card-onfile. Subsequent transactions do not have to go through 3-D Secure, but need to reference the original transaction and the amount cannot differ by more than 15%.

Exceptions

In response to industry uncertainty and unreadiness for the 14.09.2019 deadline, the EU Banking Authority have issued an opinion paper. The EBA concludes that the national competent authority (NCA) of each EU country may work with merchants and payment service providers to “provide limited additional time” for issuers, acquirers and merchants to migrate to SCA-compliant solutions.

Per country regulations

What next ?

However, the EBA opinion does not specify what form this migration plan should take. Furthermore, the delegation of this responsibility to each region’s NCA is likely to result in a divergent EU regulatory environment that poses challenges to organizations operating internationally.

In light of this, AllSecure with its partners supports the recommendation of the European Association of Payment Service Providers for Merchants (EPSM). The EPSM have proposed that extended timeframes should be harmonised across all regions affected by this regulation. Mastercard have similarly called on NCAs to agree on ‘collective migration plans [based on] a harmonized European roadmap.’

Until confirmation has been received on the process merchants should follow to request an extension, customers are still recommended to work towards meeting SCA requirements in advance of September 14, 2019.

How do customers implement 3-D Secure V2?

Instructions for Exchange Payments Gateway customers on upgrading to 3-D Secure 2 are available now on the developer portal. The 3D Secure 2.0 facilitates a lot more options to identify your customer. Generally there are 2 possible authentication flows available:

• Frictionless flow
• Challenge flow

Depending on the data provided, the card issuing bank determines which flow to apply. In the frictionless flow no further customer interaction is required, in the challenge flow the customer will be redirected to its bank’s authentication page (as with 3D Secure 1.0). The Gateway automatically handles any necessary data exchanges and redirects. The transaction response will only ask your system once to redirect the customer.

To improve your chances for the frictionless flow, you should transmit as many 3DS related data as you have. Refer to 3-D Secure 2 Fields for detailed field documentation.