3D Secure, PSD2 & SCA – What you need to know
Posted by Screen Pages on 19/03/2019
The rules around authenticating your customers online transactions are changing this year and you will need to make some changes to how you accept payments on your website to be ready for the new rules that come into force in September 2019.
Most payment gateways already include functionality to ask a customer for their 3D Secure password information when checking out on your website. Most of your customers online transactions will go through this process although in some cases they won’t have to enter their password. Some of you won’t have enabled this check on your website in order to keep the checkout process as smooth as possible.
3D Secure 2.0 is being introduced to make the process of authenticating your customers more secure and hopefully for most of them, smoother than 3D Secure 1.0.
Your bank/payment provider may have already reached out to you about these changes coming but you may still have questions about how will this affect your website. We’ll try and answer a few of those questions for you.
First, a few definitions might help…
What is Payment Services Directive 2?
PSD2 (Payment Services Directive 2) is an update to the 2007 European Union directive that regulates payment service providers (among other things) and was designed to foster innovation in the payment markets in Europe. PSD2 is an update to this directive that seeks to make online payments in Europe even safer for customers by ensuring that far more stringent checks are made on a users identity when they’re making an online transaction.
What is Strong Customer Authentication?
SCA (Strong Customer Authentication) is one of the ways that banks and businesses will comply with the new PSD2. In simple terms it means making sure that transactions are definitely being conducted by the right person. In practice this means that in future, customers might be asked to verify their identity when conducting transactions online through a number of different means, i.e. at least two of the following:
- Something only the user knows, e.g. static password, code, personal identification number.
- Something only the user possesses, e.g. token, smart card, mobile phone.
- Something the user is, e.g. biometric characteristic, such as a fingerprint or face scan.
Most people conducting online transactions in the last decade will be familiar with number 1 on this list, because that’s where 3D Secure 1.0 fits in. This process involves the customer being “challenged” to prove their identity through the provision of these other types of identification.
This will become a requirement for all transactions going into, out of or through Europe from September 2019. It’s expected that this will be adopted world-wide in 2020.
What is 3D Secure 2.0?
3DS 2.0 (3D Secure 2.0) is the main way that online transactions will comply with SCA. It’s an attempt by the card networks (Visa, MasterCard, etc) to address some of the shortfallings of 3D Secure 1.0 and make it easier for customers to conduct online transactions while still ensuring that they’re only done by the right people. It means that instead of relying on some basic transaction information about what you’re ordering and from where combined with your card details and 3D Secure password, your bank will now be able to accept over 100 elements of data about your transaction to make an assessment on whether to allow a “frictionless authentication” for your transaction.
What is a Frictionless Authentication?
A frictionless authentication is one where your bank has enough information about the transaction to be sure that the real cardholder is making the transaction and they let that transaction go through without requesting any additional information. It’s likely that when SCA becomes a requirement in September 2019, all transactions will have to go through the SCA process, unless they’re exempt.
What is an Exempt Transaction?
There are certain transactions that are exempt from the PSD2 and they include:
- Low risk transaction
- If the payment service provider deems the transaction to be low enough risk, then it may be exempt. This is something your payment service provider will decide and it’s not something you’ll have individual control over.
- Low value transactions
- Individual transactions lower than €30 are considered low value and are normally exempt. If a customer has initiated six or more consecutive low value transactions or if the total transactions total more than €100, SCA will be required and the low value exemption doesn’t apply.
- Recurring payments
- If the transaction is a recurring payment, e.g. a subscription, then as long as the initial transaction was done through SCA it will be exempt. If the value of the transaction changes each time, e.g. an electricity or gas bill, then this won’t be exempt.
- Whitelisted beneficiary
- As a customer, you’ll be able to “trust” certain merchants after your first SCA transaction. This means that generally, if your card issuer believes this transaction is consistent with your purchasing behaviour, you won’t have to go through SCA but if they have reason to suspect this transaction may be fraudulent, it will still have to go through SCA.
- Secure corporate payments
- Certain purchases by businesses (e.g. corporate cards) may also be exempt from SCA provided the card issuer has decided that the identity of the card user has been determined sufficiently.
- MOTO transactions
- If the cardholder is not the one actually conducting the transaction, e.g. a phone or mail order order, then these transactions are exempt.
What does this mean for my website?
In order to support the new 3DS 2.0 process, your payment provider(s) will be working on adding in 3D Secure 2.0 to their solutions. Once they’ve made this available, the Magento extension developers will then be working on adding this to their payment provider integrations and making those update extensions available for purchase and download.
Sometimes, the extension developer is the payment provider themselves and sometimes it’s a 3rd party developer that has created the integration extension.
Some payment gateways are built into Magento and we’re expecting Magento to release updated versions of the platform that include support for 3D Secure 2.0.
Once the updated extensions or Magento versions are available, Screen Pages will need to purchase, download and install this update just like we would any other update or upgrade.
We’ll be able to provide an estimate on the cost and effort involved in getting your payment gateway integration up to date so that you can take advantage of the new 3D Secure 2.0 system.
For the latest news on each payment providers progress on supporting 3D Secure 2.0, please click their icon below to see what’s happening:
Last updated: 16/07/2019
Adyen have released versions of their Magento 1 and Magento 2 extensions that support 3SD 2.0. The Magento 2 module should be updated to version 4.2.0 or above. The Magento 1 module should be updated to version 2.15.0 or above.
Adyen have also announced that they will no longer process payments for customers using Magento 1 beyond 1st June 2020. Further information on this announcement can be found here.
Braintree haven’t yet released a firm date when their support for 3DS2.0 will be rolled out.
Stripe have announced that any customer using v3.4.0 or above of the Cryozonic extension will automatically have support for 3DS2.0. These module versions haven’t yet been released for download.
AmazonPay have released a 3DS2.0 compatible version of their Magento 1 extension. You should request that your agency install this update for you by September.
Magento have released v2.3.2 which includes support for 3DS2.0 through Amazon Pay. You should plan to upgrade to this version by September to continue to use AmazonPay.
PayPal will automatically handle 3DS2.0 transactions within their hosted checkout so no changes are required, unless you’re using PayPal Pro Direct, in which case you’ll need to update your checkout to handle the new checks.
Verifone don’t have a fixed ETA yet on when support for 3D Secure 2.0 will be added to their payment gateway.
Barclaycard have released their 3DS2.0 implementation into testing.
The extension developers who provide Barclaycard ePDQ integration for Magento 1 and Magento 2 have released versions that support 3DS2.0 and you should update to the latest version.
SagePay will be rolling out test versions of their support for 3DS2.0 from July 8th 2019.
Ebizmarts have released extension versions that support 3DS2.0 for the FORM or SERVER integration methods. You’ll need to update to the latest version of Ebizmarts SagePay Suite Pro now. If you’re using the DIRECT or PI integration methods you’ll need to update your extension in August when the new versions are released.
We don’t believe an extension update will be required for WorldPay if you’re using the Hosted Payment Page (HPP) integration. If you’re using a different integration method, you will mostly likely have to update your extension. We don’t have a fixed ETA yet on when support for 3D Secure 2.0 will be added to their Magento extensions.