Are you ready for 3D Secure 2.0? – a breakdown
Posted by Screen Pages on 08/04/2019
The rules around authenticating your customers’ online transactions are changing in September 2019.
As explained in more depth in our previous post on 3D Secure, PSD2 & SCA, 3D Secure 2.0 is being introduced to make the process of authenticating your customers more secure and, hopefully for most of them, smoother than 3D Secure 1.0.
We have a breakdown of everything you need to know:
September 14th, 2019
On September 14th 2019, new rules come into force for any transaction conducted where both the issuing bank (e.g. your credit card issuer) and the merchant acquirer (i.e. the customer's bank provider) are based in the EEA (European Economic Area). All such transactions have to be Strongly Authenticated by at least two of three possible factors:
- Something you have (e.g. the credit card)
- Something you know (e.g. a PIN)
- Something you are (i.e. a biometric ID such as a face scan or thumbprint)
It is expected that this will become mandatory worldwide by the end of 2020.
3D Secure 2.0
3D Secure 2.0 has been devised as a way to meet the requirements of Strong Customer Authentication (SCA).
This will apply to every offline & online transaction, with a few notable exceptions:
- Unattended payment situations, e.g. parking meters or the Underground.
- Recurring transactions where the value of the transaction doesn’t change, e.g. subscriptions.
- Transactions below €30 (up to a maximum of €150 total value or 5 transactions, whichever comes first).
  - Each time you perform a Strong Customer Authentication (SCA) transaction, this value and number count is reset.
- MOTO (telephone) payments (although this is expected to come into force in a few years once some of the technical challenges have been worked out).
- Low risk transactions (as determined by the payment provider and issuing bank, rather than by the merchant).
- White-listed merchants (a customer can choose to whitelist a merchant to not request SCA in future).
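The low-value exemption in the list above is stateful: the issuer has to keep a running total and count per card and reset both whenever SCA is performed. The following Python is an added example, not code from the original post or from any payment provider; the flag names, class names, the inclusive treatment of the caps and the assumption that a required SCA completes successfully are all hypothetical.

```python
from dataclasses import dataclass, field
from decimal import Decimal

# Thresholds as stated in the article above.
LOW_VALUE_LIMIT = Decimal("30")     # exempt only if strictly below this
CUMULATIVE_LIMIT = Decimal("150")   # max exempted value since the last SCA
MAX_EXEMPT_COUNT = 5                # max exempted transactions since the last SCA
# Exemptions that do not depend on running totals (labels are hypothetical).
STATIC_EXEMPTIONS = {"unattended", "fixed_recurring", "moto", "low_risk", "whitelisted"}

@dataclass
class CardState:
    """Running low-value totals for one card since its last SCA."""
    exempt_total: Decimal = Decimal("0")
    exempt_count: int = 0

@dataclass
class ScaDecider:
    cards: dict = field(default_factory=dict)

    def decide(self, card_id, amount, flags=frozenset()):
        """Return (sca_required, reason) and update the card's counters."""
        amount = Decimal(str(amount))
        state = self.cards.setdefault(card_id, CardState())
        static = STATIC_EXEMPTIONS & set(flags)
        if static:
            return False, sorted(static)[0]
        if amount < LOW_VALUE_LIMIT:
            new_total = state.exempt_total + amount
            new_count = state.exempt_count + 1
            if new_total <= CUMULATIVE_LIMIT and new_count <= MAX_EXEMPT_COUNT:
                state.exempt_total, state.exempt_count = new_total, new_count
                return False, "low_value"
            reason = "low_value_limit_reached"
        else:
            reason = "amount_at_or_above_limit"
        # Assumption: the required SCA succeeds, so the counters reset here.
        state.exempt_total, state.exempt_count = Decimal("0"), 0
        return True, reason

if __name__ == "__main__":
    decider = ScaDecider()
    for amt in ["29.99"] * 6 + ["45.00"]:   # constructed sample amounts
        print(amt, decider.decide("card-A", amt))
```
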
The UK is the second largest global market
The UK is the second largest global market, behind China, in terms of the percentage of total eCommerce order value conducted on mobile devices.
- There was around £506 million worth of “card not present” fraud conducted in the UK in 2018 and this had increased 24% from 2017.
- 3D Secure 2.0 will eventually replace 3D Secure 1.0.
  - This won’t be until later in 2021, so both will need to work together, as it’s expected only 70% of card issuers will be ready for 3D Secure 2.0 by 14th September.
- On each transaction that needs to be passed through SCA, the systems involved will attempt 3D Secure 2.0 first, falling back to 3D Secure 1.0 if that’s not available.
  - If neither is available, the customer will probably have the transaction rejected by their bank.
- Mastercard SecureCode is being re-branded as Mastercard Identity Check.
  - Some of you may have already seen this through some of your own transactions.
Adyen will be rolling out test versions of their support for 3DS2.0 in April; SagePay will be doing this in June.
- Every website will need to update its payment method extensions so that they can handle the new 3DS2.0 workflow.
  - This is unless they use a hosted payment function, like PayPal, where PayPal will then handle this bit.
- SagePay are rolling out support for Apple Pay & Amazon Pay through their SERVER and FORM payment methods in Q4 2019.
- SagePay are rolling out a “pay by link” feature in Q3 2019 where you’ll be able to send someone a payment request, like you can do with PayPal.
- More details about the exact rollout of 3DS2.0 by SagePay and all other payment gateways will be coming in the next few months.