As of September 2019 all European banks will be required to implement ‘Strong Customer Authentication’ (SCA) in order to comply with PSD2, but what exactly is PSD2 and why must banks comply?
PSD2 is the second Payment Services Directive, designed by the countries of the European Union and first introduced in 2017 with the aim to break down the banks’ monopoly on their users’ data. It allows merchants to retrieve their customers’ account data from their bank with their permission. PSD2 aims at achieving this by requiring stronger identity checks when paying online.
A key element of PSD2 is the introduction of additional security authentications for online transactions, known as strong customer authentication (SCA). It means customers will no longer be able to check out online using just their credit or debit card details. They will also need to provide an additional form of identification. Strong Customer Authentication (SCA) is defined as “an authentication based on the use of two or more elements categorized as:
– Knowledge (Password, PIN, Secret question, Numerical sequence)
– Possession (Mobile phone, Wearable devices, Token, Smartcard)
– Inherence (Fingerprint, Voice recognition, Iris recognition, Facial features)”
The elements used must be independent of one another. Starting September 14, 2019 issuers are likely to decline payments that require SCA but do not meet these criteria.
Strong Customer Authentication will be a hard requirement for both Point-of-Sales (POS) and for e-commerce transactions. From an online perspective, the enforcement of SCA in September 2019 makes 3DSecure 2.0 all the more important for merchants doing business in Europe.
What is 3DSecure?
3DSecure, also known as payer authentication, is a security protocol initiated and created by Visa and MasterCard. Its aim is to provide extra protection for merchants and customers doing online payments. 3DSecure authenticates the cardholder during online payment processing similar to the way cardholders are authenticated when entering a PIN for a POS transaction.
3DSecure 2.0 – The game-changer
One major change of 3DS 2.0 is that it will offer the ability to authenticate a transaction using a biometric method, something that many mobile phones offer these days. By using fingerprints or facial recognition the amount of fraud is potentially going to be greatly reduced while also increasing convenience for consumers. There are other upgrades too: the troublesome payment window will be removed and 3DS 2.0 will also be available for mobile and digital wallet payment methods. This is a major change as previously only cards could be used. Among others, support for native iOS and Android SDKs will be provided.
Additionally, the new version also helps reduce the occurrence of authentication challenges by requiring issuing banks to accept and utilize a larger number of data points in a risk-assessment to determine if a challenge is warranted. Some of these data points, such as the email address or billing address, will be supplied by customers, while others come from the customer’s device and browser data.
Finally, another major implication of 3DS 2.0 is that when a customer makes a purchase, the issuer will have the option of agreeing to ‘frictionless flow’ – where the payment is authorized without additional security measures. Alternatively, they can request that the payment is challenged resulting in the issuer making a risk-based authentication of the consumer and potentially asking for further security, such as two-factor authentication. Having frictionless payment is beneficial for customers and therefore merchants, as their payments can be made quickly and seamlessly.
The key takeaway for these changes: it is the issuer that has the last call. If the issuing banks have sufficient data about the customer attempting the transaction, it will reduce the need for authentication challenges.
PSD2 SCA Exemptions
If a transaction is out of scope of the PSD2 regulation, PSD2 will not require merchants to present an additional challenge to the shopper. Mail Orders and Telephone Orders are examples of such transactions.
If a transaction falls into one of the Strong Customer Authentication (SCA) exemptions, merchants will most likely not be required to present a challenge, unless the issuer decides otherwise. The decision always belongs to the issuing bank. Below are the transactions that are exempted from SCA (challenge flow):
3DS 2.0 – How it works
As stated above, one of the new features of 3DS 2.0 is the existence of a new authentication flow called the Frictionless Flow. This is one of the fundamental differences between 3DS 1 and 3DS 2.0. With Frictionless flow, the issuer can approve a transaction without cardholder interaction based on risk-based authentication (RBA) performed in the ACS.
Another difference can be found in the way the result of a challenge is communicated from the issuer to the merchant. In 3DS 1 this is done via the cardholder while in EMV 3DS 2.0 this is communicated through the Directory Server. This way the merchant is informed about the authentication results via a separate channel, enhancing the security.
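The following is an added example, not code from Worldline or EMVCo, that models the flow described in the last two sections: the issuer's ACS scores the data points carried in the authentication request, answers Frictionless or challenge, checks that a completed challenge actually used two independent SCA categories (knowledge, possession, inherence, as listed earlier on this page), and delivers the result to the merchant through the Directory Server rather than through the cardholder. The field names, weights, threshold and sample requests are assumptions constructed for this example; only the transStatus values ‘Y’, ‘C’ and ‘N’ and the message names AReq, ARes and RReq are taken from EMV 3DS.

```python
from dataclasses import dataclass
from typing import Optional

# Added example, not Worldline's or EMVCo's code. Field names, weights and the
# threshold below are assumptions chosen for illustration.

# SCA element categories as listed on the page.
KNOWLEDGE = {"password", "pin", "secret_question"}
POSSESSION = {"sms_otp", "app_push", "hardware_token", "smartcard"}
INHERENCE = {"fingerprint", "face", "voice", "iris"}


def sca_categories(elements):
    """Return the set of SCA categories covered by the verified elements."""
    cats = set()
    for e in elements:
        if e in KNOWLEDGE:
            cats.add("knowledge")
        elif e in POSSESSION:
            cats.add("possession")
        elif e in INHERENCE:
            cats.add("inherence")
        else:
            raise ValueError(f"unknown authentication element: {e!r}")
    return cats


def is_sca(elements):
    """SCA needs two or more elements from different categories: a password plus
    a PIN are both knowledge and do not qualify."""
    return len(sca_categories(elements)) >= 2


@dataclass
class AReq:
    """Subset of the data points a 3DS 2.0 authentication request carries (assumed names)."""
    amount: float
    email: Optional[str] = None
    billing_address: Optional[str] = None
    shipping_address: Optional[str] = None
    device_id: Optional[str] = None                 # browser/SDK device fingerprint
    issuer_known_devices: frozenset = frozenset()   # what the issuer already knows (constructed)


CHALLENGE_THRESHOLD = 40  # assumption: scores at or above this trigger a challenge


def acs_risk_score(req: AReq) -> int:
    """Toy risk-based authentication in the issuer's ACS. Missing or mismatching
    data points raise the score; a fully populated, familiar request scores 0."""
    score = 0
    if req.amount > 100:
        score += 30
    if req.email is None:
        score += 20
    if req.billing_address is None:
        score += 15
    if req.shipping_address and req.billing_address and req.shipping_address != req.billing_address:
        score += 15
    if req.device_id is None:
        score += 25
    elif req.device_id not in req.issuer_known_devices:
        score += 20
    return score


def acs_authenticate(req: AReq, challenge_elements=None):
    """ACS decision as (ares_status, rreq_status) using EMV 3DS transStatus values
    'Y' (authenticated), 'C' (challenge required) and 'N' (not authenticated).
    In the Frictionless flow the ARes alone carries the final result; after a
    challenge the final result travels in an RReq."""
    if acs_risk_score(req) < CHALLENGE_THRESHOLD:
        return "Y", None
    if challenge_elements is None:
        return "C", None            # cardholder has not completed the challenge yet
    return "C", ("Y" if is_sca(challenge_elements) else "N")


class DirectoryServer:
    """Relay between the ACS and the merchant's 3DS Server. The merchant reads the
    result here, server to server, never from the cardholder's browser."""
    def __init__(self):
        self._results = {}

    def relay(self, trans_id, status):
        self._results[trans_id] = status

    def result_for_merchant(self, trans_id):
        return self._results.get(trans_id)


def run_transaction(trans_id, req, ds, challenge_elements=None):
    """Drive one authentication and return the status the merchant sees via the DS."""
    ares, rreq = acs_authenticate(req, challenge_elements)
    ds.relay(trans_id, ares)        # the ARes always passes through the DS
    if rreq is not None:
        ds.relay(trans_id, rreq)    # the RReq with the challenge outcome, also via the DS
    return ds.result_for_merchant(trans_id)


# Constructed sample requests: one rich in data points, one nearly empty.
RICH_REQUEST = AReq(amount=49.0, email="a@example.com", billing_address="1 Main St",
                    shipping_address="1 Main St", device_id="dev-1",
                    issuer_known_devices=frozenset({"dev-1"}))
SPARSE_REQUEST = AReq(amount=250.0)

if __name__ == "__main__":
    ds = DirectoryServer()
    print("rich, frictionless:", run_transaction("t1", RICH_REQUEST, ds))
    print("sparse, challenge pending:", run_transaction("t2", SPARSE_REQUEST, ds))
    print("sparse, password + OTP:", run_transaction("t3", SPARSE_REQUEST, ds, ["password", "sms_otp"]))
    print("sparse, password + PIN:", run_transaction("t4", SPARSE_REQUEST, ds, ["password", "pin"]))
```

The point the two request objects make is the one the text makes: the request with email, matching addresses and a known device scores 0 and is approved without a challenge, while the request carrying only an amount scores 90 and is challenged; and a challenge answered with two knowledge elements (password plus PIN) still fails SCA.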
3DS 2.0 – What can merchants do to prepare for 3DS 2.0?
3DSecure v2.0 will be available on our customer interfaces including WebServices 2010, Device REST API and Payment Page.
If you want to use the Worldline 3DS v2.0 solution the first step is upgrading to the latest version of your client interface. If you are using the WebServices API, you will notice that in the new version the classic Init3D and Complete3D calls will be replaced by not two, but three new 3DS calls. We will also add a few new fields in the InitPayment in addition to the XID, CAVV and ECI parameters. The more information that you are able to pass in the 3DSecure 2.0 message, the lower the possibility of an authentication challenge from the issuer.
Both 3DSecure 1 and 2.0 exist independently and are maintained in parallel with no backward compatibility. Should the issuer not support 3DSecure 2.0, we will initiate a 3DSecure 1 fallback by default. To handle this scenario please ensure you have implemented 3DSecure 1.
If you do not want to automatically fall back to 3DSecure 1, please contact us, but note this may negatively affect your authorization rates in some areas.
Keep an eye out for updates and stay tuned in the coming months as technical documentation and more authentication options and data elements are made available.
What is PSD2?
The Revised Payment Services Directive (PSD2) is defined by the European Banking Authority and aims at regulating new stakeholders and improving the security of exchanges. Among these rules is the RTS-SCA (Regulatory Technical Standard – Strong Customer Authentication) rule which requires strong customer authentication as of the 14th of September 2019.
Are all transactions affected?
MOTO (Mail Order Telephone Order) type distance selling transactions, payments initiated by the merchant and unrelated to the customer, as well as transactions between cardholders or merchant acquirers outside the European Economic Area are not subject to this RTS-SCA rule.
What happens on the 14th of September if my transactions are not authenticated?
You risk denials of authorisation for non-authenticated transactions. If an exemption defined by the RTS-SCA can be applied, Strong Customer Authentication of the cardholder does not apply. It is important to note that exemptions can bypass Strong Customer Authentication, but are not an obligation. Remember also that even if the conditions for an exemption are met, the final decision rests with the card issuer, which may not grant it depending on its own criteria (technical capacity to manage it, risk of fraud, arrangements agreed with the cardholder, etc.).
Why do you need to act now?
The aim of Strong Customer Authentication through 3DS v2 is to reduce remote payment fraud, at the same time strongly improving user-friendliness for the cardholder, in particular by providing the issuer (the bank of the cardholder) with more information on the context of the transaction, in order to allow the latter to decide whether it should or should not proceed with Strong Customer Authentication of the cardholder.
What is new in the 3D Secure v2 program?
The major additions of 3D Secure v2 are:
What is Frictionless?
Depending on the context and the information provided in the payment request, the card issuer performs a risk analysis and may decide not to authenticate the transaction. If the Frictionless initiative comes from the issuer then the merchant will benefit from the liability shift. Conversely, if the merchant has done their own risk analysis and requests Frictionless from the issuer, then they will not benefit from the liability shift.
What are the exemptions from Strong Customer Authentication (SCA) for remote payments?
The RTS stipulates 5 exemption options for remote payments (e-commerce):
White-Listing is the option for a cardholder to name, to the issuer of his card (in general his bank), a merchant whom he trusts and for whom he does not wish to perform Strong Customer Authentication while executing a remote transaction, provided the latter meets the security criteria set by the bank.
An exemption from Strong Customer Authentication is applied for a series of remote transactions for the same amount to a single beneficiary. However, Strong Customer Authentication is required for the first transaction (the contract) or for each modification of the series conditions.
An exemption from Strong Customer Authentication for a low value remote payment can be invoked:
Exemptions are also valid for payments initiated by businesses with a debit from the business account (for example, central settlement cards, centralized accounts and virtual cards). In contrast, corporate cards (with debit from the employee’s bank account under special conditions) are similar to B2C transactions and are not covered by this special exemption.
The exemption from Strong Customer Authentication for a remote transaction referred to as ‘risk analysis’ can be invoked by the acquirer (on behalf of the merchant) and by the issuer if the following two conditions are met:
What happens if an exemption fails?
The exemptions are not routine and even if the conditions for an exemption are met, the final decision rests with the issuer (the cardholder’s bank), which may or may not grant it. The issuer will send a soft decline for the payment, leading to a resubmission of the payment requesting Strong Customer Authentication from the cardholder.
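The following is an added example, not Worldline's code, that ties together the exemption questions above: the merchant (or acquirer) picks one exemption to flag on the request, the issuer honours it or sends a soft decline, a soft decline is followed by a resubmission requesting SCA, and fraud liability shifts to the issuer only when the issuer itself went Frictionless or the cardholder passed SCA, never on a merchant-requested exemption. The order in which exemptions are tried, the 30 EUR low-value ceiling, the issuer policy and the sample payments are assumptions constructed for this example; the page does not list the RTS conditions for low-value or risk-analysis exemptions.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Set

# Added example, not Worldline's code. The exemption order, the low-value
# ceiling and the issuer policy are assumptions made for illustration.


class Channel(Enum):
    ECOMMERCE = "ecommerce"
    MOTO = "moto"   # mail/telephone order: out of PSD2 scope, never challenged


class Exemption(Enum):
    WHITELISTED = "whitelisted_merchant"
    RECURRING = "recurring_series"
    LOW_VALUE = "low_value"
    CORPORATE = "corporate_instrument"
    TRA = "transaction_risk_analysis"


LOW_VALUE_LIMIT_EUR = 30.0   # assumed ceiling for this example


@dataclass
class Payment:
    channel: Channel
    amount: float
    merchant_id: str
    first_in_series: bool = False           # the contract-setting transaction of a series
    series_amount: Optional[float] = None   # fixed amount agreed for the series
    business_account: bool = False          # debited from a business account, not an employee's
    acquirer_low_risk: bool = False         # acquirer's risk analysis on behalf of the merchant


def claim_exemption(p: Payment, whitelist: Set[str]) -> Optional[Exemption]:
    """Merchant/acquirer side: which exemption to flag on the request, or None to
    request SCA. A flag is only a request; the issuer decides."""
    if p.channel is Channel.MOTO:
        return None                                   # out of scope, nothing to claim
    if p.series_amount is not None and p.first_in_series:
        return None                                   # first of a series always needs SCA
    if p.series_amount is not None and p.amount == p.series_amount:
        return Exemption.RECURRING
    if p.merchant_id in whitelist:
        return Exemption.WHITELISTED
    if p.business_account:
        return Exemption.CORPORATE
    if p.amount <= LOW_VALUE_LIMIT_EUR:
        return Exemption.LOW_VALUE
    if p.acquirer_low_risk:
        return Exemption.TRA
    return None


@dataclass
class IssuerPolicy:
    """The issuer's own criteria (assumed): which requested exemptions it honours
    and whether its own risk analysis lets it go Frictionless on its own initiative."""
    grants: Set[Exemption]
    own_frictionless: bool = False


@dataclass
class Outcome:
    status: str        # "approved", "approved_with_sca" or "declined"
    liability: str     # "issuer", "merchant" or "none" (nothing was paid)
    submissions: int   # 1, or 2 after a soft decline and resubmission with SCA


def process(p: Payment, whitelist: Set[str], policy: IssuerPolicy, sca_succeeds: bool = True) -> Outcome:
    """Run one payment through the exemption request, soft-decline and SCA steps."""
    if p.channel is Channel.MOTO:
        return Outcome("approved", "merchant", 1)     # no 3DS, no liability shift
    exemption = claim_exemption(p, whitelist)
    if exemption is not None:
        if exemption in policy.grants:
            return Outcome("approved", "merchant", 1) # merchant-requested: no liability shift
        # Soft decline: resubmit the same payment requesting SCA from the cardholder.
        return (Outcome("approved_with_sca", "issuer", 2) if sca_succeeds
                else Outcome("declined", "none", 2))
    # No exemption claimed: 3DS authentication. Issuer-initiated Frictionless
    # or a passed challenge both shift liability to the issuer.
    if policy.own_frictionless:
        return Outcome("approved", "issuer", 1)
    return (Outcome("approved_with_sca", "issuer", 1) if sca_succeeds
            else Outcome("declined", "none", 1))


# Constructed sample data.
WHITELIST = {"trusted-shop"}
POLICY = IssuerPolicy(grants={Exemption.LOW_VALUE, Exemption.RECURRING}, own_frictionless=True)

if __name__ == "__main__":
    for p in (Payment(Channel.ECOMMERCE, 15.0, "shop"),
              Payment(Channel.ECOMMERCE, 500.0, "shop", acquirer_low_risk=True),
              Payment(Channel.ECOMMERCE, 200.0, "trusted-shop"),
              Payment(Channel.ECOMMERCE, 9.99, "sub", first_in_series=True, series_amount=9.99),
              Payment(Channel.ECOMMERCE, 9.99, "sub", series_amount=9.99),
              Payment(Channel.MOTO, 200.0, "shop")):
        print(p.channel.value, p.amount, p.merchant_id, "->", process(p, WHITELIST, POLICY))
```

With the sample policy the issuer honours low-value and recurring requests but not TRA or whitelisting, so the 500 EUR payment flagged as low risk by the acquirer and the purchase at the whitelisted shop both come back as soft declines and go through a second submission with SCA; the first payment of the 9.99 EUR series is never flagged, and only its subsequent payments ride the recurring exemption.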
When will 3D Secure v2 be implemented?
The 3D Secure v2 implementation, which requires changes throughout the electronic payment chain, will be carried out gradually depending on the various payment stakeholders (payment module, merchant banks, networks, issuer banks), starting in September 2019.
We advise you to contact your PSP gateway provider as soon as possible to know if it is already able to support you in implementing 3DS v2.
When will 3D Secure v1 come to an end?
The end of 3D Secure v1 is announced for December 2020 for Visa and Mastercard.
What will happen for subsequent recurring transactions in case the first transaction has been performed without SCA before September 14th?
Worldline, the acquirer and the issuer will not block subsequent transactions linked to an initial transaction that occurred before September 14th, and will continue to accept those subsequent transactions.
For recurring payments set up after September 14th, Worldline recommends performing SCA for the first transaction and referencing it in each subsequent transaction in order to keep the same approval rate.