Last Updated: 9th July 2019
Online payments as we know them are changing. New EU legislation coming in on the 14th September 2019 tightens regulations and requirements around the handling of payments and card data. The new legislation will be known as PSD2.
The FCA, however, have announced they won't be taking enforcement actions from the 14th, so long as businesses have taken necessary steps towards compliance. It can be a daunting topic so our commerce experts have broken down everything you as a merchant need to know.
- What is PSD2 & Strong Consumer Authentication
- Types of Card Payments
- The Three Domains of a Card Payment
- 3D Secure 1.0 - Protecting Card Payments Online
- How 3D Secure 1.0 works
- The many names of 3D Secure
- Issues with 3D Secure 1.o
- Introducing 3D Secure 2.0
- Strong Consumer Authentication
- 3D Secure 2.0 - User Flows
- Strong Customer Authentication Exemptions
- Risks of non-compliance
- Next Steps for Businesses
- Further Reading
On the 14th September 2019, new requirements for handling card holder authentication will come into force. These changes are part of the new Payment Services Directive known as PSD2.
The PDS2 directive is now part of EU Law and will come into force Regardless of the Brexit Decision. The directive comprises of over 90 pages of legislation which are designed to achieve two main goals:
- Increase the security of card payments: by implementing ‘Strong Consumer Authentication’ (SCA) for ‘Card Holder Not Present’ (CNP Transactions)
- Increase the level of competition in the payment service sector: By Leveling the playing field for payment service providers (including new players) to enhance competition.
For the purpose of this post we will only focus on how to implement ‘Strong Customer Authentication’ using 3D Secure 2.0.
Note: The PSD2 directive will require Strong Customer Authentication when one or more of the following requirements are met:
- The customer card issuing bank is within the European Economic Area
- The merchants card issuing bank is within the European Economic Area
When it comes to taking card payments, there are essentially two key ways for a merchant to take funds from a customer.
- Electronically - Via Chip & Pin, Contactless, Digital Wallet or Magnetic Stripe.
- Manually - When the card holder keys in their card information manually.
The latter option is what is used to make payments online and is classed as a ‘card holder not present’ transaction.
The problem that merchants who process online transactions face is that fraud is substantially higher in ‘card holder not present’ scenarios as the ‘authentication process’ (confirming the buyer is who they say they are) is weaker.
This can lead to an increase in Chargebacks due to non-authorised / fraudulent transactions.
To take funds from a customer’s bank account and send them to a merchant’s bank account there are ‘Three Domains’ that all need to operate. These are:
- Issuser Domain - This represents the customer’s bank i.e. Barclays, Halifax, Lloyds TSB.
- Acquirer Domain - This represents the bank which the merchant banks with.
- Interoperability Domain - This represents the card issuer which you are using. If you’re based in the UK, the three largest issuers are Visa, Mastercard and American Express.
Initially developed by Visa, the 3D Secure 1.0 specification was designed to address poor authentication for Card Holder Not Present transactions.
The 3D Secure 1.0 specification introduced an additional authentication layer to online transactions flow. This additional step presented customers with a ‘Challenge’ which usually consists of entering a password.
Since its initial launch over a decade ago, the 3D Secure 1.0 specification has since been rolled out across all major card schemes (Visa, Mastercard, American Express) and is widely used online today.
Did You Know? The ‘3D’ of 3D Secure represents the Three Domains that are part of a transaction.
When 3D Secure 1.0 is enabled, consumers will be served with an additional authentication screen after they have entered their payment details.
The authentication screen asks them to successfully answer a ‘security question’. This is designed to confirm the cardholder is actually who they claim to be.
Upon fulfilling the security challenge successfully, the customer can proceed with completing their transaction.
Each card issuer has their own name for 3D Secure which are represented in the table below:
3D Secure Name
|Visa Verification||MasterCard Verification||
American Express Verification
Despite solving several problems for authentication online, the existing 3D Secure 1.0 specification has several drawbacks:
- Unless specifically required by your Merchant Bank, merchants previously had the option to enable or disable 3D Secure within their payment gateway configuration settings. This leads to a hit and miss approach of 3D Secure implementation.
- The authentication process either directed customers to a 3rd party site to verify their identity. As such, these ‘Verification’ challenges are not served by the website where the user is shopping, the card issuing bank or the card issuer.
- Whilst the 3D Secure challenge can be served from within an iFrame on the existing page, there are still several usability issues.
- Customers only had one authentication method: they were asked to confirm a ‘password’ or ‘memorable word’. Customers may not be able to remember these details and subsequently abandon the checkout process.
The 3D Secure 2.0 specification is created, owned and managed by EmvCo and all of the major card scheme providers. Its mission is to improve the existing 3DS1 specification whilst also providing provide stronger consumer authentication (SCA) when making online payments.
Strong Consumer Authentication requires a minimum of two of the following authentication elements:
- Something the customer knows: One-time password emailed to them, SMS Code, PIN Number, password, security question.
- Something the customer owns: Credit or Debit Card, Mobile Device, Card Reader or Key Fob.
- Something the customer is: Biometric data like Facial Recognition, Retina Scanner or Voice Recognition.
3-D Secure 2.0 delivers 10 times more data, such as device channel and payment history, than a previous version to speed up authentication and boost security, giving shoppers a fast pass through checkout.
Benefits for customers:
- Increased security and trust: Multi-factor authentication will assure customers that they are secure from potential payment fraud.
- Speed and convenience: By removing the redirect included in 3DS1, checkout time will be reduced by up to 85%.
- More choice and a personalised approach: By offering various modes of authentication, customers can choose the most convenient way for them.
Benefits for merchants:
- Compliance: All merchants are required to comply with new EU laws for strong customer authentication. Enabling 3DS2 is the most efficient way to meet the new industry standard.
- Reduce cart abandonment: Making the checkout process quicker, easier and less susceptible to errors will see customer drop-off rates decline by 70 percent.
- Lower fraud risk: By enabling 3D Secure 2 payments, merchants are no longer liable for fraudulent transactions. Instead, payment providers and issuing banks will be primarily responsible for chargebacks.
Infographic from Visa
When a customer makes a payment using 3D Secure 2.0 specification the customer’s card issuing bank will perform a “Risk Based Authentication”.
The authentication process will score the level of risk associated with the transaction by using the following data points:
- Value of Transaction
- New vs Returning Customer
- Transactional History
- Behavioural History
- Device Information
The level of risk associated with the transaction will then determine which 3D Secure 2.0 flow the customer will follow.
Depending on the transaction, there are two possible authentication flows:
Frictionless flow, whereby the customers card issuing bank performs a risk-based analysis on the transaction and decides that no additional verification steps are needed.
Challenge flow, which occurs when card issuing banks requires additional information from the shopper to authenticate them. This may include inputting a password and memorable information or entering a one-time code sent via SMS.
3DS2 Support Flow Diagram
It is important to note that the EU has laid out the following exemption rules in the PSD2 directive in which ‘Strong Customer Authentication’ is not required. These are:
- Low value (under €30) or low risk transactions
- B2B transactions
- Corporate transactions
- Merchant-initiated payments such as subscriptions.
- Mail order, telephone order (MOTO)
- Inter-regional/cross-border transactions are also out of scope.
The PSD2 directive does not clearly detail what will happen if merchants have not implemented PSD2 by 14th September. But, it’s likely that:
- You will see an increase in declined transactions from the card issuing banks.
- You will see an increase in failed transactions.
- Your merchant bank will enforce you to comply.
The FCA, however, have announced they won't be taking enforcement actions from the 14th, so long as businesses have taken necessary steps towards compliance.
In order for your business to prepare for the PSD2 directive we recommend the following course of action:
- Audit your website and make a list of your Payment Gateway Providers.
- Consult with each Payment Gateway Provider on the steps you need to take.
- Speak with your merchant bank to see if you need to take any additional measures.
- Work with a strong eCommerce partner to help you through the implementation process.
A word from our payment partner...
This post was brought to you in partnership with Adyen. Adyen is the payment platform of choice for many of the world’s leading companies, including, but not-limited to Uber, Spotify, Superdry, Brompton, Daniel Wellington, and L'Oreal.
Adyen + 3D 2.0 Secure
Adyen are leading the way with SDKs (Software Development Kits) to integrate 3D Secure 2 into eCommerce sites quickly and efficiently providing a pain-free way of realising the PSD 2.0 directive.
If you’d like to find out more about the Payment Services Directive or 3D Secure 2.0 then please see the following links for further reading.
- Payment Services Directive - EU
- Payment Services Directive - Law
- Frictionless Flow - 3D Secure 2.0
- Adyen and 3D Secure 2.0