On September 14th, 2019, changes were introduced to the online payment environment in the European Union that mandate Strong Customer Authentication (SCA) when a consumer starts an electronic payment transaction. These changes are described by the second Payment Services Directive (PSD2) and are aimed at reducing fraud and increasing protection for consumers. The new requirements defined by SCA are part of PSD2 and are in effect from January 1st, 2021.
To meet the new SCA requirements, two-factor authentication is required for online card payments in Europe. Without authentication, merchants risk an increase in payment declines from their customers' banks.
In this article, we provide more information on the new requirements known as Strong Customer Authentication (SCA). We’ll also cover 3-D Secure and how it relates to SCA. Finally, we would like to inform you how CCV is preparing for these changes and how they might affect your business.
The Strong Customer Authentication specification or SCA brings a new set of requirements that will change how consumers and business customers confirm their identity when making purchases online. The goal of these requirements is to improve fraud protection for both parties.
The SCA regulation applies to all online (website or app) card-based payments, unless one of the limited exemptions allowed under the rules can be applied. For full details, please refer to the Regulatory Technical Standards (RTS).
SCA requires at least two of the following three elements for authentication:
Knowledge | Possession | Inherence |
---|---|---|
Something only the customer knows, e.g. password or PIN | Something only the customer has, e.g. phone or hardware token | Something the customer is, e.g. fingerprint or face recognition |
To comply with SCA, the payment industry has introduced the 3-D Secure protocol. All transactions that take place from January 1st, 2021 will have to use either the 3-DS 1 or EMV 3-DS (3-DS2) version of the protocol. Please note that 3-DS 1 is compliant for the time being and will be replaced by 3-DS2. For more information, check out our next topic.
Warning
Issuers may decline transactions that do not meet the new SCA criteria.
3-D Secure is a security protocol used for authentication of online card-based payments and is recommended for SCA compliance. The protocol adds a verification step that identifies card owners during the transaction process (e.g. providing a fingerprint with their phone).
There are two 3-D Secure protocol versions available:
3-D Secure 1 (3-DS 1): Also known as Visa Secure, which was introduced in 2001. In this version, the cardholder authenticates through a redirect to the card issuer’s site, where the authentication data is entered. The authentication data provided by the cardholder can, for example, be a password generated by a hardware token device or an SMS verification code.
3-D Secure 2 (3-DS 2): Also known as EMV 3-DS, it will become the standard method in 2020/2021, replacing 3-D Secure 1. In this version, the cardholder authenticates within your website or mobile application and is no longer redirected to enter authentication data. The authentication data provided by the cardholder can be, for example, biometrics or a token.
The introduction of 3-DS 1 had a clear benefit for businesses: the request for additional information creates an extra layer of fraud protection that helps ensure payments come only from legitimate customers. As a result, liability for fraud disputes could shift from merchants to issuers. However, the additional verification step has a noted drawback: it causes a lower conversion rate because customers drop out of the authentication process.
The 3-D Secure version 2 tries to overcome this drawback by:
In short, 3-D Secure 2 introduces a less disruptive authentication process and better user experience compared to 3-D Secure 1. This should result in higher conversion rates due to a lower dropout of customers during the checkout process.
In 3-D Secure 2 the authentication of a cardholder can either be frictionless or with a challenge, depending on the issuer’s requirements. A fallback mechanism exists in case 3-D Secure 2 is not supported by the issuing bank.
A frictionless authentication flow requires no interaction of the cardholder with the issuer during a transaction. This may be achieved by sending more data elements with each transaction. Based on the provided information the issuer can decide if the transaction qualifies for a frictionless flow.
Please note, transactions that follow a frictionless flow benefit from the same liability shift as transactions that pass through the challenge flow.
Note
The issuer always has the last say in whether or not a frictionless flow can be applied.
The challenge flow is applied when the issuer requires more information to complete the authentication process. In this flow, the issuer decides how the cardholder has to provide proof of authentication. This can be through biometrics, two-factor authentication, or similar authentication methods based on the SCA criteria.
An issuer is not limited to one authentication method and can support multiple methods. It is up to the issuer to decide which methods are supported and how they should be implemented.
CCV Pay provides a fallback mechanism to overcome the transition period from 3-D Secure 1 to 3-D Secure 2. It is designed to offer a seamless solution for the customer in case the customer’s bank (issuer) has not yet adopted the 3-D Secure 2 protocol.
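The sketch below is an added example, not CCV's API or integration code. It models the SCA rule from the table above (two verified elements from different categories) together with the frictionless, challenge and fallback flows just described. All function names, the factor names and the sample transactions are constructed for illustration, and applying the same two-category check to the 3-DS 1 fallback is a modelling assumption.

```python
from enum import Enum

# SCA element categories from the table above, keyed by the page's example
# factors. The factor identifiers themselves are constructed for this sketch.
CATEGORY = {
    "password": "knowledge", "pin": "knowledge",
    "phone": "possession", "hardware_token": "possession",
    "fingerprint": "inherence", "face_recognition": "inherence",
}

class Flow(Enum):
    FRICTIONLESS = "frictionless"
    CHALLENGE = "challenge"
    FALLBACK_3DS1 = "fallback to 3-D Secure 1"

def satisfies_sca(verified_factors):
    """True when the verified factors span at least two different categories.

    Unknown factor names are ignored, so they never count toward SCA.
    """
    categories = {CATEGORY[f] for f in verified_factors if f in CATEGORY}
    return len(categories) >= 2

def select_flow(issuer_supports_3ds2, issuer_allows_frictionless):
    """Hypothetical routing: the issuer, not the merchant, decides the flow."""
    if not issuer_supports_3ds2:
        return Flow.FALLBACK_3DS1
    if issuer_allows_frictionless:
        return Flow.FRICTIONLESS
    return Flow.CHALLENGE

def authenticate(issuer_supports_3ds2, issuer_allows_frictionless,
                 verified_factors=()):
    """Return (flow, authenticated) for one constructed transaction."""
    flow = select_flow(issuer_supports_3ds2, issuer_allows_frictionless)
    if flow is Flow.FRICTIONLESS:
        # No cardholder interaction: the issuer accepted the data it was sent.
        return flow, True
    # Challenge and 3-DS 1 fallback both need the cardholder to authenticate.
    return flow, satisfies_sca(verified_factors)

if __name__ == "__main__":
    samples = [  # constructed sample transactions
        (True, True, ()),
        (True, False, ("password", "fingerprint")),
        (True, False, ("password", "pin")),  # both knowledge: not SCA
        (False, False, ("hardware_token", "pin")),
    ]
    for sample in samples:
        flow, ok = authenticate(*sample)
        print(f"{flow.value:26} authenticated={ok}")
```

The third sample shows the case most often misread: a password plus a PIN is two factors but only one category, so it does not meet the two-element requirement.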
3-D Secure 1 was designed in a period before mobile applications. As a result, the customer was left with an outdated browser-based user experience. 3-D Secure 2 tries to improve this experience by adding the following:
The transition to mandatory SCA compliance in Europe is inevitable. As a result, more transactions will be declined for merchants not sending essential data.
CCV offers an integration guide that provides you with the necessary information to make your SCA transition a success. Our solutions provide built-in support for both 3-D Secure 1 and 3-D Secure 2, as well as an automatic fallback system that takes care of issuer readiness for 3-D Secure 2.