Here is our basic guide to 3DS2 for all those concerned
Over the last decade, the share of global cash transactions has fallen to 77%. The move away from cash, as illustrated by the Chinese digital market, will ultimately become the single-largest cause of global electronification. The share of electronification in China has impressively increased from 4% in 2012 to 34% in 2017. Meanwhile, North America has become the first region to display over 50% of its transactions executed electronically. At the same time, individual European countries such as Sweden and Norway are processing less than 20% of their transactions in cash, while every citizen generates 520 non-cash transactions per year on average. This evident growth has given rise to increased online fraud prevention measures.
A new level of security in online payments is legally required by the Second Payment Services Directive (PSD2). This long-anticipated regulation was going to provide improved banking and payment facilities in Europe and initiate Open Banking in the UK. VISA and Mastercard’s solution for compliance with the new Strong Customer Authentication (SCA) technical standards mandates the adoption of 3D Secure 2.
Here is our basic guide to 3DS2 for all those concerned.
3D Secure 2.0 is a new authentication protocol for online debit/credit card payments developed in accordance with the new EMVCo security standard. EMVCo is a consortium of financial companies that manages, maintains, and enhances the EMV (Europay, MasterCard and VISA) integrated circuit card specifications for chip-based payment cards and acceptance devices.
In general, 3D Secure (Three Domain Secure) is a messaging protocol that involves three domains, which include the issuer’s domain, the acquirer’s domain (which receives the money) and the compatibility domain (provided by the payment system).
The 2.0 version is aimed to reshape the user’s experience and optimise the protection strategies across a variety of devices, including mobile and in-app. The old protocol was created back in the times when mobile phones were not even part of our everyday lives.
Today, mobile commerce, including in-app payments and mobile browser payments, is the dominant factor driving strong digital commerce growth, due to rising smartphone adoption, an increasing shift towards online shopping, and improvements in network bandwidth. Mobile commerce accounts for 48% of digital commerce sales globally as of 2017, and is forecast to reach 70% by 2022. It is crucial then to make the payment security protection technically flexible and adapted for mobile interfaces.
The update of the initial protocol is characterised by:
- increased fraud prevention;
- reduced friction in mobile shopping which can increase conversions;
- Java Script integration;
- seamless authentication for customers;
- old-fashioned static passwords replaced by tokens and biometrics;
- the risk-based authentication based on numerous data which helps to make smarter, more informed decisions;
- the same look and feel of their interfaces across various devices;
- enabling mobile, in-app and digital wallet payment methods;
- a liability shift for fraud-related chargebacks.
According to PSD2, banks are required to permit registered third parties access to customer accounts (with the customer’s permission) directly through open APIs. The second facet of PSD2 compels banks to give third parties visibility of an account holder’s data in order to consolidate multiple accounts or financial services in one place.
To accept payments and meet SCA requirements mentioned in the PSD2, you need to build additional authentication into your checkout flow. SCA requires authentication to use at least two of the following three elements:
- Information known by the customer (password, PIN, etc);
- Device or hardware token used by the customer
Banks will decline payments that require SCA and don’t meet these criteria soon.
As the industry prepares for 3D Secure 2.0 and as 3D Secure solution providers are introducing certified solutions, merchants and issuers should work with their vendors to assess their current eCommerce authentication capabilities and identify migration opportunities.
SCA applies to online payments initiated by customers within Europe. Recurring direct debits, such as credit card and utility bills, are considered initiated by merchants and don’t require SCA. With the exception of contactless payments, in-person card payments are also not impacted by the new regulation.
For online card payments, these requirements apply to transactions where both the business and the cardholder’s bank are located in the European Economic Area (EEA). We also expect SCA regulation to be enforced in the UK, regardless of the outcome of Brexit.
For merchants who have no presence in Europe or any other markets where two-factor authentication such as 3DS is required, the protocol’s adoption is voluntary.
PSD2 has set out deadlines for businesses to comply with its regulations.
The EBA requires strong customer authentication on every electronic transaction from 14 September 2019, unless one of the permitted exceptions applies. The rest of the world is supposed to comply with the requirements by the end of 2020.