Last Updated: 16th February 2021
Online payments as we know them have changed. New EU legislation came in on the 14th September 2019 which tightened regulations and requirements around the handling of payments and card data. The new legislation is known as PSD2. However, the FCA confirmed the new SCA enforcement date won't be until the 14th September 2021. After this date, businesses need to show that they have taken the necessary steps towards compliance.
It can be a daunting topic so our commerce experts have broken down everything you as a merchant need to know.
Learn more about PSD2 compliance and the effects of the new legislation at our expert webinar!
On the 14th September 2019, new requirements for handling card holder authentication will come into force. These changes are part of the new Payment Services Directive known as PSD2, but won't be enforced by the FCA until the 14th September 2021.
The PSD2 directive is now part of EU law and will come into force regardless of the Brexit decision. The directive comprises over 90 pages of legislation which are designed to achieve two main goals:
For the purpose of this post we will only focus on how to implement ‘Strong Customer Authentication’ using 3D Secure 2.0.
Note: The PSD2 directive will require Strong Customer Authentication when one or more of the following requirements are met:
When it comes to taking card payments, there are essentially two key ways for a merchant to take funds from a customer.
The latter option is what is used to make payments online and is classed as a ‘card holder not present’ transaction.
The problem that merchants who process online transactions face is that fraud is substantially higher in ‘card holder not present’ scenarios as the ‘authentication process’ (confirming the buyer is who they say they are) is weaker.
This can lead to an increase in Chargebacks due to non-authorised / fraudulent transactions.
To take funds from a customer’s bank account and send them to a merchant’s bank account there are ‘Three Domains’ that all need to operate. These are:
Initially developed by Visa, the 3D Secure 1.0 specification was designed to address poor authentication for Card Holder Not Present transactions.
The 3D Secure 1.0 specification introduced an additional authentication layer to the online transaction flow. This additional step presented customers with a ‘Challenge’ which usually consists of entering a password.
Since its initial launch over a decade ago, the 3D Secure 1.0 specification has been rolled out across all major card schemes (Visa, Mastercard, American Express) and is widely used online today.
Did You Know? The ‘3D’ of 3D Secure represents the Three Domains that are part of a transaction.
When 3D Secure 1.0 is enabled, consumers will be served with an additional authentication screen after they have entered their payment details.
The authentication screen asks them to successfully answer a ‘security question’. This is designed to confirm the cardholder is actually who they claim to be.
Upon fulfilling the security challenge successfully, the customer can proceed with completing their transaction.
Each card scheme has its own name for 3D Secure, as shown in the table below:

| Card Scheme | 3D Secure Name |
|---|---|
| Visa | Visa Verification |
| Mastercard | MasterCard Verification |
| American Express | American Express Verification |
Reference: http://www.visaeurope.com/making-payments/verified-by-visa/
Despite solving several problems for authentication online, the existing 3D Secure 1.0 specification has several drawbacks:
The 3D Secure 2.0 specification is created, owned and managed by EMVCo together with all of the major card scheme providers. Its mission is to improve on the existing 3DS1 specification whilst also providing Strong Customer Authentication (SCA) for online payments.
Strong Customer Authentication requires a minimum of two of the following authentication elements:
“3-D Secure 2.0 delivers 10 times more data, such as device channel and payment history, than the previous version to speed up authentication and boost security, giving shoppers a fast pass through checkout.” (Visa)
Benefits for customers:
Benefits for merchants:
Infographic from Visa
When a customer makes a payment using the 3D Secure 2.0 specification, the customer’s card-issuing bank will perform a “Risk Based Authentication”.
The authentication process will score the level of risk associated with the transaction by using the following data points:
The level of risk associated with the transaction will then determine which 3D Secure 2.0 flow the customer will follow.
Depending on the transaction, there are two possible authentication flows:
Frictionless flow, whereby the customer’s card-issuing bank performs a risk-based analysis on the transaction and decides that no additional verification steps are needed.
Challenge flow, which occurs when the card-issuing bank requires additional information from the shopper to authenticate them. This may include inputting a password and memorable information, or entering a one-time code sent via SMS.
3DS2 Support Flow Diagram
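The following Python model, added here as an illustration and not code from the original post, Adyen or any card scheme, puts the two ideas above together: an issuer-side risk score over constructed 3DS2 data points decides between the frictionless and challenge flows, and a challenge only counts as SCA when the collected elements come from at least two different categories (knowledge, possession, inherence, the three categories defined by the PSD2 regulatory technical standards). The scoring weights and the 50-point threshold are assumptions; real issuer risk models are proprietary.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List


class Factor(Enum):
    """SCA element categories from the PSD2 RTS; two elements of the SAME
    category (e.g. password + memorable word) do not satisfy SCA."""
    KNOWLEDGE = "knowledge"    # something the customer knows, e.g. a password
    POSSESSION = "possession"  # something the customer has, e.g. a phone receiving an SMS code
    INHERENCE = "inherence"    # something the customer is, e.g. a fingerprint


@dataclass
class Transaction:
    # Constructed data points of the kind 3DS2 sends to the issuer (device, history).
    amount: float
    device_seen_before: bool
    prior_purchases_with_merchant: int
    shipping_matches_billing: bool


def risk_score(tx: Transaction) -> int:
    """Illustrative issuer scoring (assumed weights): higher means riskier."""
    score = 0
    if not tx.device_seen_before:             # unknown device channel
        score += 40
    if tx.prior_purchases_with_merchant == 0:  # no payment history with merchant
        score += 20
    if not tx.shipping_matches_billing:        # address mismatch
        score += 25
    if tx.amount > 250:                        # high-value basket
        score += 30
    return score


def select_flow(tx: Transaction, challenge_threshold: int = 50) -> str:
    """Below the threshold the issuer waives the challenge (frictionless flow)."""
    return "frictionless" if risk_score(tx) < challenge_threshold else "challenge"


def sca_satisfied(elements: List[Factor]) -> bool:
    """SCA needs elements from at least two distinct categories."""
    return len(set(elements)) >= 2


def authenticate(tx: Transaction, collected: List[Factor]) -> Dict[str, object]:
    """Outcome of the 3DS2 authentication for one transaction."""
    flow = select_flow(tx)
    if flow == "frictionless":
        return {"flow": flow, "authenticated": True}
    return {"flow": flow, "authenticated": sca_satisfied(collected)}
```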
It is important to note that the EU has laid out the following exemption rules in the PSD2 directive in which ‘Strong Customer Authentication’ is not required. These are:
The PSD2 directive does not clearly detail what will happen if merchants have not implemented PSD2 by 14th September, but it is likely that:
The FCA, however, have announced they won't be taking enforcement actions from the 14th, so long as businesses have taken necessary steps towards compliance.
In order for your business to prepare for the PSD2 directive we recommend the following course of action:
This post was brought to you in partnership with Adyen. Adyen is the payment platform of choice for many of the world’s leading companies, including, but not limited to, Uber, Spotify, Superdry, Brompton, Daniel Wellington, and L'Oreal.
Adyen is leading the way with SDKs (Software Development Kits) that integrate 3D Secure 2 into eCommerce sites quickly and efficiently, providing a pain-free way of meeting the PSD2 directive.
If you’d like to find out more about the Payment Services Directive or 3D Secure 2.0 then please see the following links for further reading.
Speak to our Secure Cyber Essentials Accredited UK experts about 3D Secure, or discover more about our eCommerce services here.