menu

Payment API

What's on this page

Online Payments / Payment Features / 3D-Secure 2 / SCA And 3D-Secure 2

Strong Customer Authentication and 3D Secure 2

On September 14th, 2019, changes were introduced to the online payment environment in the European Union, which mandates Strong Customer Authentication (SCA) when a consumer starts an electronic payment transaction. These changes are described by the second Payment Services Directive (PSD2) and are aimed at reducing fraud and increasing protection for consumers. The requirements defined by SCA are part of PSD2, and are in effect from January 1st, 2021.

To meet the new SCA requirements, two-factor authentication is required for online card payments in Europe. Without authentication, merchants risk an increase in payment declines from the customer’s banks.

In this article, we provide more information on the new requirements known as Strong Customer Authentication (SCA). We’ll also cover 3D Secure and how it relates to SCA. Finally, we would like to inform you how CCV is preparing for these changes and how they might affect your business.

What is Strong Customer Authentication?

The Strong Customer Authentication specification or SCA brings a new set of requirements that will change how consumers and business customers confirm their identity when making purchases online. The goal of these requirements is to improve fraud protection for both parties.

The SCA regulation applies to all online (website or app) card-based payments, unless one of the limited exemptions allowed under the rules can be applied. For full details please refer to the Regulatory Technical Standards (RTS) .

SCA requires at least two of the following three elements for authentication:

Knowledge Possession Inherence
Something only the customer knows

e.g. password or PIN		 Something only the customer has

e.g. phone or hardware token		 Something the customer is

e.g., fingerprint or face recognition

To comply with SCA the payment industry has introduced the 3D Secure protocol. All transactions have to use EMV 3DS (3DS2).

Warning

Issuers may decline transactions that do not meet the new SCA criteria.

What is 3D Secure?

3D Secure is a security protocol used for authentication of online card-based payments and is recommended for SCA compliance. The protocol adds a verification step that identifies card owners during the transaction process (e.g. providing a fingerprint with their phone).

There are two 3D Secure protocol versions:

  • 3D Secure 2 (3DS 2): Also known as EMV 3DS which is the current standard method . In this version, the cardholder performs authentication within your website or mobile application for entering authentication data without redirections. The authentication data provided by the cardholder can be e.g., biometrics, token, etc.

  • 3D Secure 1 (3DS 1): Also known as Visa Secure which was introduced in 2001. This version is deprecated, replaced by 3DS 2.

The introduction of 3DS had a clear benefit for businesses as the request for additional information creates an extra layer of fraud protection that ensures payments only have legitimate customers. As a result, liability for fraud disputes could shift from merchants to issuers.

Features of 3D Secure 2:

  • Support for a frictionless authentication flow.
  • Collecting relevant data for each payment request, allowing better risk assessment by the issuing bank to enable a frictionless authentication flow.
  • Fraud protection due to the availability of more data.
  • Streamlined user experience by providing support for a native mobile authentication process without the need for a redirect.

3D Secure 2: Authentication Process

The authentication of a cardholder can either be frictionless or with a challenge, depending on the issuer’s requirements. This should result in high conversion rates due to a lower dropout of customers during the checkout process.

Frictionless flow

A frictionless authentication flow requires no interaction of the cardholder with the issuer during a transaction. This may be achieved by sending more data elements with each transaction. Based on the provided information the issuer can decide if the transaction qualifies for a frictionless flow. Transactions that follow a frictionless flow benefit from the same liability shift as transactions that pass through the challenge flow.

Note

The issuer always has the last say in whether or not a frictionless flow can be applied.

If the issuer decides further proof of authentication is required the customer will be sent through the Challenge flow.

Challenge flow

The Challenge flow is applied when the issuer requires more information to complete the authentication process. In this flow the issuer decides how the cardholder has to provide proof of authentication, it can be through the use of biometrics, two-factor authentication, or similar authentication methods based on the SCA criteria.

An issuer is not limited to one authentication method and can support multiple methods. It is up to the issuer to decide which methods are supported and how they should be implemented.

3D Secure 2: User Experience

3D Secure 1 was designed in a period before mobile applications. As a result, the customer was left with outdated browser-based user experience. 3D Secure 2 improves this experience by adding the following:

  • More Out-of-band authentication options. Instead of entering a password or SMS verification code, the cardholder can now authenticate using smartphone features like a fingerprint or facial recognition.
  • Support for embedded browser/app-based authentications and digital wallets, no more redirects. Allowing merchants the create a seamless look and feel for their interfaces across various devices.

What is 3D Secure chargeback liability shift?

When you implement 3D Secure 2 authentication, you can shift the liability for fraud-related chargebacks (such as when a customer denies making a purchase, or has their card stolen or lost) from you to the card issuer. This shift occurs when a payment is successfully authenticated. Typically, this happens when a customer completes a 3DS2 challenge authentication flow, which requires additional interaction from the customer. In some regions, a liability shift can also occur after a successful frictionless flow, where the transaction is approved through passive authentication without additional customer interaction.

Mastercard liability shift rules

Transaction type Liability shift
3DS authentication failed,
or could not be attempted
3DS authentication processed
by a stand-in service,
and is classed as successful
Successful 3DS authentication
Frictionless authentication
via the Mastercard Identity
Check Data Only service
SCA exemption used,
or transaction is out of scope
of SCA
Successful 3DS authentication;
recurring transaction secured
by 3DS.

Visa, American Express liability shift rules

Transaction type Liability shift
Successful 3DS authentication
3DS authentication processed
by a stand-in service,
and is classed as successful
SCA exemption used,
3DS authentication failed,
or could not be attempted

How is CCV helping you with SCA compliance and the 3D Secure 2 transition?

The transition to mandatory SCA compliance in Europe is inevitable. As a result, more transactions will be declined for merchants not sending essential data.

CCV offers an integration guide that provides you with the necessary information to make your SCA transition a success.