SCA & 3DS 2.0 - Frequently asked questions

What is PSD2?

The second European Payment Services Directive (PSD2) is a European directive which came into force across the European Economic Area (EEA) on January 13, 2018. PSD2 was established to drive payments innovation and data security by reducing competitive barriers, mandating new security processes and encouraging standardized technology to protect the confidentiality and integrity of payment service users’ personalized security credentials. PSD2 requires banks to support Open APIs to enable consumers to make payments directly from their bank accounts via newly-regulated third-party payment service providers. However, the primary focus of this document is the introduction of the Regulatory Technical Standards (RTS) around strong customer authentication (SCA). These standards will come into effect on September 14, 2019.

What is Strong Customer Authentication (SCA)?

The security measures defined around SCA introduce requirements that issuers and acquirers must observe when they process payments or provide payment-related services. In general terms, card issuers will be obliged to perform an SCA check for every electronic payment transaction above €30 that does not meet specified exemption criteria. The SCA check requires authentication using two of the following three factors: (i) something the cardholder knows (e.g., a password or PIN), (ii) something the cardholder has (e.g., a token or a mobile phone), (iii) something the cardholder is (e.g., a fingerprint or voice match). The advice to merchants from card schemes and most issuers is to implement the latest version of 3-D Secure, which is rolling out in 2019 as the primary authentication method used to meet SCA requirements.

Is there any flexibility on the September 14, 2019 deadline?

In response to industry uncertainty and unreadiness for the September 14, 2019 strong customer authentication (SCA) deadline, the European Banking Authority (EBA) has issued an opinion paper.

The EBA concludes that the national competent authority (NCA) of each European country may work with merchants and payment service providers (PSPs) to "provide limited additional time" for issuers, acquirers and merchants to migrate to SCA-compliant solutions. This flexibility is contingent on PSPs having a migration plan agreed with their NCA, and on the quick execution of that plan.

When is an SCA check required, and what are the exemptions?

SCA checks are mandated for every electronic payment over €30, and for those under €30 where either there have been five previous transactions on the same card without SCA being applied or the card has accumulated transactions totaling more than €100 without an SCA check being applied. Transactions out of scope for SCA include:

  • Recurring transactions (after the first transaction has been authenticated)
  • MOTO transactions (Mail/Telephone order)
  • One-leg-out transactions (where the card is issued or the merchant is based outside the EEA)
  • Direct debits

While card issuers can try to reduce the number of cases in which SCA is required, there is no way to prevent it fully. In cases where SCA is required but does not take place, the issuer has to soft decline the authorization request.

Transactions that are in scope may be rendered exempt from SCA if the cardholder has applied to have the merchant with which they are transacting whitelisted with their bank (card issuer), and the bank has agreed. Under PSD2, individual cardholders may ask their issuers to “whitelist” merchants they use regularly, but the decision will ultimately be at the bank’s discretion and will depend on the level of fraud exposure the bank has experienced with the chosen merchant.

Issuers and acquirers may also render a transaction that is under €500 exempt if they have demonstrably low levels of fraud. This requires that transaction risk analysis (TRA) is in place and fraud is kept below set exemption threshold values (ETV). These values are:

  • 0.13% for transactions up to €100
  • 0.06% for transactions up to €250
  • 0.01% for transactions up to €500

It is expected that issuers will apply the TRA exemption as much as possible to reduce the friction and frequency of SCA that their cardholders will encounter during remote purchases. In some cases, issuers may request SCA even if the acquirer has applied an exemption, if they are suspicious about the transaction.

Only issuers and acquirers can exempt a transaction from SCA. There are exemption flags in 3DS for a merchant to request an exemption. For a full list of exemptions, see the final report of the draft RTS.
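As an added illustration (not part of the original FAQ or of AllSecure's software), the following Python function applies the scope and exemption rules described above from an acquirer's point of view: out-of-scope transaction types, the low-value rule, merchant whitelisting, and the TRA exemption threshold values by amount band. The `Txn` fields, the fraud-rate input and the assumption that the current transaction counts toward the €100 cumulative limit are mine; the issuer can still demand SCA whatever this returns.

```python
from dataclasses import dataclass
from typing import Optional

# TRA exemption threshold values (ETV) from the FAQ: (amount ceiling in EUR, fraud rate).
TRA_BANDS = [(100.0, 0.0013), (250.0, 0.0006), (500.0, 0.0001)]
LOW_VALUE_LIMIT = 30.0        # SCA is mandatory for every payment over this amount
LOW_VALUE_MAX_COUNT = 5       # five prior non-SCA transactions end the low-value exemption
LOW_VALUE_MAX_SUM = 100.0     # cumulative non-SCA spend that ends the low-value exemption


@dataclass
class Txn:
    """Inputs the decision needs (field names are assumptions for this example)."""
    amount: float                              # transaction amount in EUR
    recurring_mit: bool = False                # installment after an authenticated first payment
    moto: bool = False                         # mail/telephone order
    one_leg_out: bool = False                  # issuer or acquirer outside the EEA
    whitelisted: bool = False                  # cardholder has whitelisted this merchant with the issuer
    prior_no_sca_count: int = 0                # card's transactions since the last SCA check
    prior_no_sca_sum: float = 0.0              # EUR accumulated on the card since the last SCA check
    acquirer_fraud_rate: Optional[float] = None  # acquirer's reference fraud rate, as a fraction


def tra_threshold(amount: float) -> Optional[float]:
    """Return the ETV fraud rate that applies to this amount, or None above EUR 500."""
    for ceiling, etv in TRA_BANDS:
        if amount <= ceiling:
            return etv
    return None


def sca_decision(t: Txn) -> str:
    """Return 'out_of_scope', 'exempt:<reason>' or 'sca_required'."""
    if t.recurring_mit or t.moto or t.one_leg_out:
        return "out_of_scope"
    # Low-value rule: under EUR 30 and neither counter has been exhausted.
    # Assumption: the current amount counts toward the EUR 100 cumulative limit.
    if (t.amount <= LOW_VALUE_LIMIT
            and t.prior_no_sca_count < LOW_VALUE_MAX_COUNT
            and t.prior_no_sca_sum + t.amount <= LOW_VALUE_MAX_SUM):
        return "exempt:low_value"
    if t.whitelisted:
        return "exempt:whitelisted_merchant"
    # TRA exemption: only under EUR 500 and only if the acquirer's fraud rate is below the band's ETV.
    etv = tra_threshold(t.amount)
    if etv is not None and t.acquirer_fraud_rate is not None and t.acquirer_fraud_rate < etv:
        return "exempt:tra"
    return "sca_required"
```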

What happens with fraud liability in the case of exemptions?

The liability for transactions will sit with the issuer when a transaction has been authenticated using SCA. The liability remains with the issuer if the issuer applies a TRA exemption to SCA. When an exemption to SCA is applied by the acquirer using a TRA exemption, the liability will be transferred to the acquirer, unless the issuer challenges the transaction.

Should SCA be applied for one-leg out or recurring transactions?

One-leg-out transactions are those where either the issuer or the acquirer is located outside the European Economic Area (EEA). While these transactions are out of scope for SCA, it is expected that SCA should be applied on a ‘best effort’ basis. As for recurring transactions, any transactions/installments after the initial authorization are flagged as merchant-initiated transactions (MIT). MIT is out of scope for SCA, and as such it does not need to be applied. This applies even if the initial authorization did not go through SCA.

What is 3-D Secure?

3-D Secure is a customer authentication protocol introduced by EMVCo and leading card schemes, designed to reduce fraud rates and provide security to merchants and shoppers for card-not-present transactions. 3-D Secure V1 is already widely in use today, but does not enforce modern secure authentication methods and frequently relies on archaic authentication methods such as static passwords.

What is 3-D Secure V2?

3-D Secure V2 is the latest version of the 3-D Secure protocol. 3-D Secure V2 includes several key changes to the handling of card-not-present payments. Critically, these changes ensure the protocol is fully in line with the PSD2 regulatory technical standards around SCA, which come into effect on September 14, 2019. Furthermore, the updated protocol is designed to help streamline the customer journey by reducing or removing points of friction, ultimately improving checkout conversion rates as well as reducing fraud.

What are the benefits of 3-D Secure V2 compared to previous versions?

There are several benefits to merchants, issuers and shoppers as a result of 3-D Secure V2. Broadly, the changes ensure a streamlined customer journey with fewer friction points, reducing the high rate of shopping cart abandonment seen with 3-D Secure V1. These enhancements include:

  • Risk-based authentication. 3-D Secure V2 will support the transmission of additional rich data during transactions, making authentication assessments and decisions more accurate. The issuer will be able to evaluate the fraud risk and bypass full authentication if the risk is low enough, resulting in a smoother customer journey for low-risk shoppers. This risk-based approach to authentication is entirely aligned with PSD2 guidance on SCA.
  • Biometric or two-factor authentication. If the issuer (after performing an initial assessment) determines that authentication is required, either biometric or two-factor authentication will be performed to validate the shopper. The biometric authentication methods available will depend on what is supported.
  • Eliminates initial enrollment. The removal of this one-time step in the 3-D Secure flow eliminates a major point of friction in the customer journey upon first-time use.
  • Support for in-app purchases. Unlike 3DS V1, which required a browser call-out to complete authentication, 3DS V2 can handle in-app purchases natively. This avoids compatibility issues experienced within some apps for browser authentication callouts.
  • Allows for bespoke checkout integration. Should they wish, merchants can now integrate the 3-D Secure authentication process into their own checkout process, resulting in a much smoother experience for shoppers.
  • Support for non-payment authentications. The latest 3-D Secure version offers support for no-value authorizations, such as tokens for card-on-file. Note that it is mandatory to perform an SCA check such as 3-D Secure to add a new card as a card-on-file. Subsequent transactions do not have to go through 3-D Secure, but need to reference the original transaction, and the amount cannot differ by more than 15%.

What are “frictionless flow” and “challenge flow”?

As mentioned previously, risk-based authentication based on rich data is a key feature of 3-D Secure V2. If the issuer determines the transaction is low-risk, they can bypass full authentication altogether; this is referred to as “frictionless flow”. If the issuer decides to go ahead with full authentication, this triggers what is known as the “challenge flow”, which more closely mirrors the 3-D Secure V1 workflow.

In the authentication phase, the 3DS server sends information about the cardholder to the directory server. It is then forwarded to the correct access control server, which performs a risk check to determine the next steps.

If risk is determined to be low, the payment continues with no further interaction between the issuer and cardholder. This is frictionless flow.

If the issuer decides the shopper needs additional authentication, the cardholder interacts with the issuer to authenticate themselves biometrically or using two-factor authentication. This is the challenge flow.

Will 3-D Secure V1 remain available?

AllSecure will continue to support 3-D Secure V1 alongside V2, until further notice from card schemes on timings for deprecation of the older version.

What are the differences between 3-D Secure 2.0, 2.1 and 2.2?

The specifications for EMV 3-D Secure 2.0 were first published by EMVCo in 2016, with subsequent versions adding functionality. Version 2.1 introduced frictionless authentication and shorter transaction times, and uses 10 times more data than version 1.0. The payments ecosystem is currently adapting to the latest version (2.2), which adds support for exemptions and for additional types of frictionless authentication, including acquirer-side transaction risk assessment and whitelisting of merchants. Current plans for future versions include further enhancements to transaction risk assessment and support for devices other than web browsers and mobile devices.

Is an upgrade to 3-D Secure V2 required, and if so, by when?

Europe

Customers in Europe are strongly recommended to migrate to 3-D Secure V2 by September 14, 2019, when the PSD2 regulatory technical standards on SCA are scheduled to come into effect. This is because 3-D Secure V2 offers support for exemptions and enforcing of secure authentication methods. Mastercard reporting on UK Finance’s interpretation of the EU-wide regulatory technical standards describes this as offering merchants “operational readiness”. Per the same Mastercard reporting on the UK Finance interpretation, 3-D Secure V1 remains compliant with the ‘letter of the law’ of SCA, referred to as “compliance readiness” by Mastercard. Transactions in the EEA that do not meet SCA requirements (those that do not pass through 3-D Secure or equivalent authentication) are liable to be declined by the issuer after this date.

Rest of the world

Although release dates for other countries are not yet defined, the upgrade will most likely be required in 2020 as well.

How do customers implement 3-D Secure V2?

Open Platform

Instructions for Open Payments Gateway customers on upgrading to 3-D Secure V2 are available on the developer portal.

Exchange Platform

Instructions for Exchange Payments Gateway customers on upgrading to 3-D Secure V2 are available on the developer portal.