3D Secure and SCA: is your business ready? Fondy can help …
If you operate an eCommerce business in Europe, you must support the 3D Secure version 2 protocol in compliance with strong customer authentication (SCA) as per Europe’s Second Payment Services Directive (PSD2) across the European Economic Area (EEA).
This deadline will come into effect throughout the EEA and those countries within the European Free Trade Agreement (EFTA) on December 31, 2020. The current deadline for the United Kingdom is September 14, 2021.
This security policy applies to all merchants regardless of whether they engaged with version 1 of 3D Secure or not.
Fondy supports the latest 3D Secure version 2 protocol and complies with SCA.
About Strong Customer Authentication (SCA)
The PSD2 directive requires that payment service providers use strong customer authentication in the following circumstances:
- Cardholder (or payer) is making an online payment (card not present)
- Cardholder (or payer) initiates an electronic payment transaction
- Cardholder (or payer) carries out any action through a remote channel which may imply a risk of payment fraud or other abuses
The directive defines “strong customer authentication” as a multi-factor authentication procedure that involves two or more of the following elements:
- Knowledge—Something only the cardholder/payer knows, e.g. PIN or password
- Possession—Something only the cardholder/payer has to hand, e.g. mobile device
- Inherence—Something the cardholder/payer is, e.g. thumbprint or facial recognition
These elements are independent of one another, so that if one element becomes known to a fraudster, the other elements are not compromised. SCA is designed to protect the confidentiality of the authentication data itself.
How 3D Secure works
3D Secure (3-domain structure), also referred to as cardholder/payer authentication, is a security protocol that helps prevent fraud when payments are made online.
The ‘three domains’ refer to the domains that interact with the protocol:
- Merchant/acquirer domain
- Card issuer domain
- Interoperability domain. The interoperability domain requires direct input from the cardholder for verification of their identity and intention to proceed with the payment.
3D Secure validates online payments and credit card transactions. 3D Secure offers secure transactions through SSL encryption. The card data and device information are encrypted and sent to the Access Control Server (ACS). The decryption occurs at the Card Network Directory Server (DS) that is trusted by the ACS.
This means the data is securely delivered to the ACS which operates in the domain of the card issuer—this is where the cardholder authentication occurs for a card number and device type.
3D Secure version 2 provides a modern approach to online payments whereby the cardholder is no longer required to register their card and create a ‘static’ password. For a given eCommerce site, the cardholder is required to confirm their identity in one of the following ways:
- Single-use SMS code which they receive from their card issuing bank
- Biometric verification the first time they make a purchase on that site
Should the cardholder decide to save their card details for future purchases on the site, the card is tokenised and securely stored on the payment gateway’s server with no further intervention required. This is favourable for merchants as it provides a more seamless journey for their shoppers, especially with mobile payments.
See Fondy’s response parameters for 3DS transactions
Benefits of 3D Secure version 2 (3DS2)
The initial 3D Secure protocol has been revised by EMVCo who in 2016 produced 3D Secure version 2 (3DS2) to address shortcomings in the version 1 protocol. The benefits of the 3D Secure 2 protocol for online payments made within the EEA and EFTA regions are described here.
Reduced risk of fraud and chargebacks
With this new technology, misuse of cards and loss of payments in the form of chargebacks are significantly reduced.
The quality and accuracy of the data being authenticated occurs in a frictionless manner at checkout. In one example of Visa analysis, adding just one extra data element (i.e. device ID) improves fraud detection rates by more than 200%.
More security and reduced merchant liability
3D Secure 2 provides merchants with security against loss of income due to fraud and shifts liability away from the merchant to the card issuing bank who must authenticate the identity of its cardholder.
With 3D Secure 2, card issuers have transparency on transactions, cardholder data and cardholder devices in order to authenticate cardholder identity prior to authorisation. This new protocol ensures valid card authorisations and ultimately reduces ‘false’ or ‘soft’ declines which cause lost revenue in sales.
Merchant satisfaction with payments
With reduction in fraud cases and chargebacks, merchants can take advantage of the opportunity to increase sales and decrease transaction disputes.
Fondy’s payment gateway makes it simple and easy for you to offer fully secure online payments for your shoppers because the gateway is fully PCI compliant and secure with the 3D Secure 2 protocol. Your site will instill confidence in your customers and enhance their online shopping experience with secure checkout and frictionless journey.
Greater customer satisfaction
Using 3D Secure 2 protection provided by the major card schemes means customers are more confident with online shopping and checkout security. Online shoppers may also feel reassured that it is more difficult for their card details to be used by fraudsters. Furthermore, 3D Secure 2 is more accurate and quicker with authentication when compared with 3D Secure version 1.
Merchants will display any of the card scheme 3D Secure brands they support as follows:
- Verified by Visa
- MasterCard SecureCode
- Discover ProtectBuy
- JCB International J/Secure
- American Express SafeKey
Consumers can pay with more certainty upon seeing these logos on the Checkout page.
Increase in eCommerce sales
With new customer confidence there is an increase in online and mobile app sales and conversion rates.
Recent studies and analysis conducted by Visa indicate the 3D Secure 2 protocol may:
- Decrease the shopper’s checkout journey time by up to 85% (faster checkout)
- Reduce card abandonment by nearly 70% (increase conversion rates)
Frictionless payment with mobile devices
The excitement about 3D Secure 2 is that relatively little friction occurs with mobile payments, because payments can be made quickly with mobile devices. Using mobile SDKs, merchants can integrate 3D Secure 2 authentication with their mobile apps. It is relatively simple for the merchant to keep the authentication process in line with the design of the overall app.
With millennials and generation Zers shopping almost entirely using their mobile devices, merchants can reach a wider audience on a variety of platforms while protecting their customers against fraud. Furthermore, 3D Secure 2 facilitates authentication for users who enter their card details into mobile wallets.
The authentication process is completely unnoticeable to the cardholder, and in cases where interaction is required from the cardholder, biometric authentication is generally a welcome security feature and part of the natural flow for the shopper.
Making payments in-app with 3D secure is truly a frictionless experience!
3D Secure 2 avails of risk-based authentication
Thanks to risk-based authentication, 3D Secure 2 improves the customer experience through ‘frictionless flow’ by allowing issuers to authorise a transaction without any interaction with the cardholder.
Authentication based on low-risk and high-risk criteria works by the merchant capturing cardholder data elements during a given transaction and passing that data on to the card issuing bank (issuer).
The issuer’s ACS analyses the captured data elements and assesses the cardholder’s transaction history to determine the risk. If the fraud risk value is low, the transaction is authorised without any verification from the cardholder—this is frictionless flow. If the fraud risk value is greater than the predefined limit or threshold, the transaction is challenged and interaction is initiated by the issuer with the cardholder to authenticate the cardholder’s identity and validity of the payment.
Typical elements used to calculate the fraud risk value are listed as follows:
- Transaction value—Transactions that are less than €30/£30 are automatically deemed low risk
- Recurring payments—Payments that cardholders have agreed to pay on a scheduled basis do not require extra verification
- Transaction/purchase history—Customer makes purchases regularly from the same eCommerce site
- Device information—If the device is not recognised in the customer’s transaction history, authentication may be required
- New or existing customers—Existing customers are lower risk and authentication can be bypassed. For a new customer with no transaction history, the risk is high and authentication is required
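The decision described above, sketched as an added example (not Fondy's or any issuer's code): a toy ACS scores a transaction on the listed elements, and a second check confirms that a challenge response combines two independent SCA element types. The score weights, `RISK_THRESHOLD` and the factor names are assumptions chosen for illustration; real issuers use their own models.

```python
from dataclasses import dataclass

LOW_VALUE_LIMIT = 30.00  # low-value limit from the list above (EUR/GBP)
RISK_THRESHOLD = 50      # assumed issuer threshold, illustrative only

# Assumed factor names mapped to the three SCA element types.
FACTOR_TYPE = {
    "password": "knowledge", "pin": "knowledge",
    "sms_code": "possession", "fingerprint": "inherence", "face": "inherence",
}

@dataclass
class Transaction:
    amount: float          # transaction value
    recurring: bool        # scheduled payment the cardholder agreed to
    prior_purchases: int   # earlier purchases on this eCommerce site
    device_known: bool     # device appears in the transaction history

def assess(txn: Transaction):
    """Return (flow, reasons): 'frictionless' or 'challenge'."""
    if txn.recurring:
        return "frictionless", ["recurring payment"]
    if txn.amount < LOW_VALUE_LIMIT:
        return "frictionless", ["low transaction value"]
    score, reasons = 0, []          # weights below are assumptions
    if txn.prior_purchases == 0:
        score += 60
        reasons.append("new customer, no history")
    elif txn.prior_purchases < 3:
        score += 20
        reasons.append("short purchase history")
    if not txn.device_known:
        score += 40
        reasons.append("unrecognised device")
    flow = "challenge" if score > RISK_THRESHOLD else "frictionless"
    return flow, reasons

def sca_satisfied(factors):
    """True only if the factors span two or more independent element types."""
    return len({FACTOR_TYPE[f] for f in factors}) >= 2

if __name__ == "__main__":
    # Constructed sample transactions.
    for txn in (Transaction(12.0, False, 0, False),
                Transaction(120.0, False, 8, True),
                Transaction(120.0, False, 1, False)):
        print(txn, "->", assess(txn))
    print(sca_satisfied(["password", "pin"]))       # two knowledge elements
    print(sca_satisfied(["password", "sms_code"]))  # knowledge + possession
```

A password plus a PIN fails the second check because both are knowledge elements, so compromising one category would compromise both.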
Faster, frictionless checkouts
Needless to say, the new 3D Secure 2 protocol improves the quality of eCommerce for everyone involved, especially shoppers and merchants. Gone are the days of jarring pop-up windows or trying to remember a static password.
Customers benefit the most as they can enjoy online and mobile in-app shopping with more confidence in the security of their card details.
Checkout is now easier, faster and more secure than ever!
The 3D Secure 2 protocol enables authentication for quicker checkout, greater security and significantly higher conversion rates. 3D Secure 2 is inherently part of Fondy’s payment gateway solution.