Strong e-commerce customer authentication
Are you ready for 3-D Secure 2.0?
3-D Secure 2.0
Prepare for the new security standard.
Online merchants, acquirers, card issuers and customers now face a new challenge in the e-commerce marketplace: the Regulatory Technical Standards (RTS) under the Second EU Payment Services Directive (PSD 2) are due to take effect on 14 September 2019. They mainly require strong customer authentication (also known as two-factor authentication) for online payments. To comply with this requirement, the card organisations - together with the technical body EMVCo - have further developed the 3-D Secure security process: 3-D Secure 2.0 is PSD 2-compliant and is valid in EU countries as well as Switzerland. The new standard will be introduced by Visa and Mastercard in April 2019, and online merchants will need to support it. The introduction dates for individual countries are listed further down this page.
A positive shopping experience and fewer cancelled orders at checkout
3-D Secure 2.0 is much easier to use than 3-D Secure 1.0 and even more secure for you and your customers, and that’s thanks to a wide range of data, biometric authentication and an improved, uniform online experience.
Customers no longer have to remember passwords and can easily confirm payments from a mobile app. Customer authentication is fully integrated into the 3-D Secure 2.0 sales process. Liability for fraudulent transactions passes entirely to the card issuer.
3-D Secure 2.0 relies on a risk-based authentication process and uses additional transaction data to check with merchants and card issuers whether the payment was initiated by the cardholder and if the payment process should be allowed or aborted. Other factors of strong customer authentication, such as payment habits or fingerprints, are also included in the verification process.
Low-risk transactions are identified in what is known as a frictionless flow. Genuine customer authentication is not required and thus the cardholder’s checkout process is seamless.
Your advantages with 3-D Secure 2.0
- Smooth payment process (frictionless flow)
- Increase your conversion rate
- Fewer payment disruptions thanks to risk-based authentication
- Complete integration in web shop and app
- Intelligent fraud detection mechanisms to reduce credit card fraud
Strong customer authentication – what exactly does this mean?
With strong customer authentication, all payment transactions – except for defined exceptions – must be “strongly” secured. This means that at least two out of three of the following factors must be applied:
A customer wants to buy a pair of shoes in an online shop. He has already entered his card data in the corresponding fields. A short time later, he gets a push notification on his smartphone: The customer must enter the two-factor authentication code (or one-time password) sent by SMS or confirm the purchase in an extra app with a fingerprint.
Strong Customer Authentication (SCA) exceptions
PSD 2 allows for some exceptions in which the cardholder does not need to perform SCA, but the transaction is still carried out as being “fully 3DS authenticated”.
The most important SCA exceptions:
- Very small payments (Payments up to 30 EUR - up to the limit of 100 EUR cumulatively or five consecutive payments)
- Recurring payments (All subsequent payments - the first payment must still be made with SCA)
- Transaction risk analysis (Risk assessment of a transaction with amounts within the specified threshold values)
- Merchant whitelisting (e.g. customers who regularly purchase from the same company)
Worldline will offer the following exceptions in future: Very small payments, recurring payments and transaction risk analysis.
Not affected by SCA:
- Anonymous prepaid cards
- Mail order and telephone orders (MOTO transactions)
- Interregional / “One Leg” transactions
- Transactions initiated by the payee
Card organizations’ specified dates
All e-commerce merchants who process credit card and/or debit card transactions must support EMV 3-D Secure 2.0 starting from the following dates:
Mastercard
- 1 April 2019: Denmark, Estonia, Finland, Iceland, Ireland, Latvia, Lithuania, Norway, Sweden, UK, Andorra, Belgium, France, Gibraltar, Italy, Luxembourg, Monaco, Netherlands, Portugal, San Marino, Spain, Vatican City, Germany, Liechtenstein, Switzerland
- 1 September 2019: Albania, Austria, Bosnia and Herzegovina, Bulgaria, Croatia, Cyprus, Czech Republic, Greece, Hungary, Israel, Kosovo, Macedonia, Malta, Montenegro, Poland, Romania, Serbia, Slovakia, Slovenia
- 31 December 2019: Armenia, Azerbaijan, Belarus, Georgia, Kazakhstan, Kyrgyzstan, Moldova, Russia, Tajikistan, Turkey, Turkmenistan, Ukraine, Uzbekistan
Visa
- 13 April 2019: Europe
What do you have to do?
Please liaise with your solution providers to ensure that the 3-D Secure 2.0 security standard is properly implemented:
- Please contact your payment service provider with respect to the technical implementation of the new security standard.
- Please ensure that your web shop provider supports integration through the payment service provider (the interface between your payment service provider and your web shop may have to be updated, or other adjustments may be needed).
- For customer-friendly, risk-based authentication, 3-D Secure 2.0 uses 10 times more cardholder or web shop data - thus enabling more checkpoints and lower fraud rates. This data also includes personal data such as the name of the cardholder, phone number, e-mail address, IP address, invoice address and delivery address. We therefore recommend that you expand your data protection declaration in accordance with the General Data Protection Regulation (GDPR).
- Please also replace Mastercard SecureCode logos and names stored in your web shop with Mastercard Identity Check.
| Region | E-mail | Phone |
|---|---|---|
| Switzerland/International | e-commerce@six-payment-services.com | +41 58 399 9232 |
| Germany | e-com.de@six-payment-services.com | +49 40 325 967 260 |
| Austria | e-commerce.austria@six-payment-services.com | +43 1 717 01 6374 |