PSD2 and 3DS2
IMPORTANT INFORMATION TO OUR CARD-PROCESSING CUSTOMERS
How PSD2, Strong Customer Authentication and 3DS2 will impact your business
There are two upcoming significant changes within e-commerce payments. PSD2, a new EU directive that will come into effect on September 14 2019, and 3DS 2.0, a new directive from EMVco and successor to 3DS 1.0 to improve the customer experience. The following information aims to assist you in understanding these upcoming changes.
On September 14 2019, new requirements for authenticating online payments will be introduced in Europe as part of the second Payment Services Directive (PSD2). In these new requirements Strong Customer Authentication (SCA) is introduced which will impact the online card payments process.
Strong Customer Authentication (SCA) is a two-factor verification to identify the user when processing a card payment online. If the user is actively triggering the payment on his/her phone or computer it is considered a “Customer-Initiated Transaction”. The user is then required to authenticate by entering information on two of the following three factors:
Knowledge: Something the user knows (such as password or pin)
Possession: Something the user has (such as phone or credit card)
Inherence: Something the user is (such as fingerprint or face recognition)
Exemptions from SCA
There are several exemptions from Strong Customer Authentication in order to make it easier to process transactions on the users behalf.
1. Subscriptions and Merchant-initiated transactions
For subscriptions with recurring amount, SCA is required on the initial transaction. An exemption will be sent by us to the bank to avoid any further SCA.
If you are using stored credentials to process a transaction with no interaction from the user, these will be handled as Merchant-initiated transactions, and shall not require SCA.
When PSD2 is in effect, you must use 3DS and SCA when storing new customer card credentials. Please see the “Initial Registration API” section below.
Please note that it will be the cardholder’s bank that will ultimately decide if Strong Customer Authentication is required or not, regardless if we send an exemption.
Initial Registration API
To save a profile and/or verify a card with two-factor authentication (3DS) without charging the customer, we have introduced new functionality to verify the card details and store them. For more technical information, see the “Initial Registration” API documentation here.
2. Whitelisted merchants
Customers will be able to choose if a business is trustworthy by adding them to a “Trusted Beneficiaries” whitelist, which is maintained by their bank. The purpose is to exempt customers from 3D Secure for a specific merchant if the customer chooses so.
3. MOTO Transactions
Mail Order and Telephone order (MOTO) will be exempt from Strong Customer Authentication, as they are not considered electronic payments.
EMV 3DS or 3DS 2.0 will allow us to send more than 100 data elements for each transaction to the issuing banks Access Control Server, ACS. This includes payment and delivery specific data like the shipping address, as well as extra data such as device ID.
The issuing bank can use all the new information provided in EMV 3DS authentication flow to better assess the risk level of the transaction (Transaction Risk Analyses, TRA) and select an appropriate authentication level, in some cases without Strong Customer Authentication (SCA) and at the same time offer a more frictionless payment experience to the cardholders than with 3DS 1.0. We will send the data points to perform the frictionless payment experience to TRA from our hosted payment page, but only with the latest “paynova_responsive_2” layout.
There is currently no specific end dates for 3DS 1.0 but will be slowly phased out during 2020.
During the transition period, for each card transaction we will perform a “Check Enrollment Status” to see which flow (3DS1 or 3DS2) the bank will approve. If the bank is eligible for 3DS2, we will try to perform a frictionless payment flow and the TSA will decide wether they require an SCA.
A SCA in 3DS2, compared to 3DS1, will not require a redirect and the bank challenge page will be shown directly in our Hosted Payment Page. This will enhance the customer experience, minimize dropout rates and, depending on the banks’ adoption, minimize challenges over time.
We will inform you when the first version 3DS2 flow is available in our environments.
More information on the API changes will follow in upcoming period.
Any further questions? Please feel free to get in touch with our Merchant Support.