The proliferation of mobile technologies and alternative payment channels has made it easier for consumers to make online purchases and led to the rapid growth of e-commerce. But while digital commerce continues to gain in popularity, incidents of fraud are on the rise as the verification of customer identity in card not present transactions becomes a real challenge.
Starting in September 2019, the latest Payment Service Directive, also known as PSD2 will introduce new requirements and begin enforcement of Strong Customer Authentication (SCA) standards for online payments to combat. The 3D Secure 2 messaging protocol will be the preeminent method to help you comply with PSD2- SCA requirements. In this basics guide, we’ll explain what 3D Secure 2 is, its benefits, and help you understand what you’ll need to do to get your operations 3D secure 2 compliant.
What is Strong Customer Authentication (SCA) under PSD2?
In 2015, the first Payment Services Directive (PSD1) was introduced to regulate payment services and providers throughout the European Union and European Economic Area. Since then, rapid changes in the payments sector have led the EU to upgrade the first Payment Services Directive. The Second Payment Services Directive (PSD2) includes several articles and mandates, one of which focuses on Strong Customer Authentication (SCA). SCA stipulates that two-factor authentication will be required for all electronic payments, with exemptions possible for certain transactions.
SCA requires the use of at least two of the following three elements:
Up until now, additional security steps, aka two-factor authentication, have only been a requirement for transactions considered high risk. To accept transactions after SCA gets introduced in Europe in September 2019, merchants with sales to European consumers will need to upgrade their authentication capabilities to allow for two-factor authentication or face declines. In other words, two-factor authentication is going to become the default for all customer-initiated transactions within Europe, unless an exemption applies.
Moving from 3DS 1.0 to 3DS 2.0
EMV Three Domain Secure also known by merchants as 3DS 2 is an authentication tool or protocol introduced by EMVCo and major card brands to help consumers authenticate their identity when making card-not-present transactions by providing an additional security layer.
You’ll already be familiar with 3D Secure 1.0 (3DS 1.0) which shared data among critical stakeholders in the payments ecosystem to authenticate transactions.
3D Secure 2 is the updated version of this authentication protocol, which provides improvements that take into consideration SCA regulatory requirements from the European Union, the need to support new payment channels like digital wallets, and declining conversion rates. With 3DS 2 merchants will be able to integrate an additional security layer into their checkout processes which will help them comply with new SCA regulations and fight fraud more effectively without sacrificing the customer experience.
Whereas the flow of 3DS 1.0 focused mainly on a simple challenge (insertion of a code on a static webpage, SMS authentication etc.), 3DS 2 facilitates rich data exchange between merchants, card-holders and issuers, more so than ever before to achieve more accurate authentication. Transactions can be verified by merchants using the customer’s issuing bank instead of a customer needing to remember a PIN or getting redirected to a new webpage. The result is a more frictionless payment experience, although in some cases a challenge may be required to verify user identity. Check out the two flows below to get a better understanding of the process:
Rules have exemptions, and 3DS 2 is no different
Some transactions will be exempted from the 3DS 2 protocol. These cases may include:
- Whitelisted Merchants (or trusted beneficiaries) - Customers will have the opportunity to whitelist any merchant that they deem trustworthy after an initial authentication has occurred. By doing so, most future authentication steps will no longer be required.
- Mail order and telephone orders - Card data that is collected from customers over the telephone.
- Low-value transactions - Transactions that total less than 30 Euros each, with no more than five transactions allowed in a row. If the total amount on a single card is higher than 100 EUR in 24 hours, SCA will be required.
- Low-risk transactions - A transaction is to be considered low risk if it passes an acquirer’s real-time risk assessment and is approved by an issuer on a case-by-case basis.
- Recurring transactions/ subscriptions - A subscription-based service that features recurring payments of the same/different value. However, a customer’s first payment will still require authentication.
6 benefits 3DS 2 brings to merchants
Harnessing 3DS 2 delivers several benefits for merchants. These include:
1. 3DS 2 helps comply with new SCA mandates which stipulate two-factor authentication as a requirement for all electronic payments. If you have a large number of customers in Europe, employing 3DS 2.0 is a necessity to continue operating.
2. 3DS 2 protects operations with robust security, and has the potential to fight cases of fraud.
3. 3DS 2 provides a great customer experience. Frictionless customer identification has the potential to contribute to a shortened check-out process and to reduce cart abandonment.
4. 3DS 2 increases authorization rates as authentication is quick and can take place on the same page.
5. 3DS 2 allows to easily build authentication flows natively into Apps or websites.
6. 3DS 2 helps to shift liability away from the merchant (the issuing bank assumes the risk).
3DS 2 will have a profound effect on the entire payment ecosystem. ZOOZ is working hard to enable its customers to comply with these regulations in the quickest and most streamlined-way possible. Further information on how ZOOZ is preparing itself for 3DS 2 can be found here.
We hope that the information provided above helps to shed some light and to demystify the fears revolving 3DS 2.0.
Want to learn more? stay tuned for more articles coming up in this series by signing up to our newsletter below: