*IMPORTANT* 3D Secure 2.0 - Information for online merchants

The new security protocol 3D Secure 2.0 and how to integrate it into your shop

On September 14, 2019, the legal requirements for strong customer authentication (SCA) under PSD2 come into force. SCA also affects you as an online retailer, because it brings a new security protocol: 3D Secure becomes EMV 3D Secure 2.0.

Mastercard and Visa have developed the security protocol EMV 3D Secure 2.0 (EMV 3DS). It includes additional security mechanisms such as biometrics. For you as an online retailer, EMV 3DS offers better protection against fraud attempts while keeping purchase interruptions to a minimum.

How to integrate the new security protocol into your online shop

1. Present the new logos

"Mastercard Secure Code" has become "Mastercard Identity Check" and "Verified by Visa" has become "Visa Secure". These are the new brand names under which customers will recognise the EMV 3D Secure 2.0 authentication method. The first thing an online merchant should do is include the new logos.

2. Adapt your interface

What you need to do to integrate the new security protocol into your shop depends on which solution you use. See the detailed explanation on the dedicated page for your integration: [OPEN - SecurePay] [OPEN - Server-to-Server] [EXCHANGE - Payment.Js]

3. Update your privacy policy

Make sure that your contract conditions allow the collection and transfer of customer data in accordance with the General Data Protection Regulation (GDPR). Take the opportunity to inform your customers about 3DS 2.0 and make the adjustments in good time.

The background and how strong customer authentication works

PSD2 includes 112 articles and 11 mandates (specific topics that the regulators asked the European Banking Association to examine). One of these mandates is around strong customer authentication (SCA) and includes guidance around exemptions and challenges.

Two-factor authentication will be required for all electronic payments, although there are exemptions to allow “frictionless flow”. Within the cards space there is already a scheme in place to ensure SCA called 3-D Secure.

One of the main implications of PSD2 is that it gives clear guidelines on how the decision whether a payment flow can be frictionless is to be managed. Transactions under €30 need not be challenged; whether to do so is entirely at the merchant's discretion. For transactions above €30 a new procedure applies, one that depends on the reference fraud rates of the acquiring bank and the issuer, not of the merchant. Under PSD2, if the fraud rate is below 13 basis points (bps) there is no requirement for a challenge for transactions of up to €100. If the fraud rate is below 6 bps, that ceiling rises to €250. For a rate under 1 bps a transaction can be as high as €500 before a challenge is required.
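As an added illustration, not code from the original page or from any payment provider, the exemption rule described above expressed as a JavaScript helper that a shop could use to estimate how many baskets would hit a challenge. The function names, the sample basket, and the treatment of exactly €30 as not "under €30" are assumptions of this example.

```javascript
// Added example, not from the original page. Assumptions: amounts in EUR, fraud
// rates in basis points, "under €30" means strictly below 30, and "up to" a
// ceiling means less than or equal to it.

const LOW_VALUE_LIMIT_EUR = 30;

// Transaction risk analysis bands quoted in the text: a reference fraud rate
// strictly below maxFraudRateBps allows a frictionless flow up to ceilingEur.
// The rate is the acquirer's/issuer's, not the merchant's own figure.
const TRA_BANDS = [
  { maxFraudRateBps: 13, ceilingEur: 100 },
  { maxFraudRateBps: 6, ceilingEur: 250 },
  { maxFraudRateBps: 1, ceilingEur: 500 },
];

// Highest frictionless ceiling the given fraud rate qualifies for (0 if none).
function traCeilingEur(fraudRateBps) {
  let best = 0;
  for (const band of TRA_BANDS) {
    if (fraudRateBps < band.maxFraudRateBps) best = Math.max(best, band.ceilingEur);
  }
  return best;
}

// Decides for one transaction: { challengeRequired, exemption, ceilingEur }.
function assessTransaction(amountEur, fraudRateBps) {
  if (!(amountEur > 0) || !(fraudRateBps >= 0) || !Number.isFinite(amountEur + fraudRateBps)) {
    throw new RangeError(`invalid input: amount=${amountEur} rate=${fraudRateBps}`);
  }
  if (amountEur < LOW_VALUE_LIMIT_EUR) {
    // No challenge needed; challenging is at the merchant's discretion.
    return { challengeRequired: false, exemption: 'low_value', ceilingEur: LOW_VALUE_LIMIT_EUR };
  }
  const ceilingEur = traCeilingEur(fraudRateBps);
  if (amountEur <= ceilingEur) {
    return { challengeRequired: false, exemption: 'transaction_risk_analysis', ceilingEur };
  }
  return { challengeRequired: true, exemption: null, ceilingEur };
}

// Share of a basket that would be challenged at a given reference fraud rate.
function challengeShare(amountsEur, fraudRateBps) {
  if (amountsEur.length === 0) return 0;
  const n = amountsEur.filter((a) => assessTransaction(a, fraudRateBps).challengeRequired).length;
  return n / amountsEur.length;
}

// Constructed sample basket (not real data).
const SAMPLE_AMOUNTS_EUR = [12.5, 29.99, 45, 99, 150, 240, 499, 750];
```

Running `challengeShare(SAMPLE_AMOUNTS_EUR, rate)` for the three band edges shows how much the acquirer's and issuer's fraud rate, which the merchant does not control, changes the share of checkouts that will see a challenge.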

The 3DS 2.0 specification is fully aligned with the PSD2 principles: it allows the inherent risk of a given transaction to be taken into account when deciding what level of customer authentication is needed. This risk-based approach brings transaction-related and device-related data into the decision. An explicit consumer authentication is performed only when a transaction is assessed to be above a predetermined risk level, and it can be achieved using a variety of mechanisms that require direct consumer interaction: a validated biometric, an OTP (one-time passcode), a successful mobile or online banking log-in, etc.