3D Secure 2: Authentication solutions

Greater security in e-commerce

Payment fraud remains an issue that merchants must address seriously, particularly in online shopping. The challenge for merchants is that they often have to choose between a lower risk of fraud and a lower risk of cart abandonment. To increase the security of credit card payments in e-commerce throughout Europe, new regulatory technical standards came into force on September 14, 2019 within the framework of the European Union’s revised Payment Services Directive (PSD2).

PSD2: New rules for payment transactions

This directive regulates payment processing within the European Economic Area. The latest supplement to the directive stipulates, among other things, strong customer authentication (SCA) for all e-commerce transactions. This means that customers making purchases by credit card must do more than provide information such as their credit card’s number, expiry date, and verification code—they must also undergo additional authentication. To pave the way for SCA, a new version of 3D Secure has been published. One of the features of 3D Secure 2 is authentication with the help of biometrics, thus ensuring more secure transactions in e-commerce.

Update on the coming PSD2 changes

Following the entry into force of stricter security standards for online payments based on PSD2, the European Banking Authority published an opinion in June. It acknowledges the challenges that come with these changes due to the complexity of the payment markets across the EU. We are prepared to help you through the transition and recommend reading through the latest updates.

The European Banking Authority (EBA) allowed National Competent Authorities (NCAs) to provide a limited transition period beyond 14 September 2019 to allow a smooth migration to SCA requirements in the EEA markets.

In its most recent opinion published on 16 October 2019, EBA announced the SCA migration completion deadline of 31 December 2020 for online payments throughout the EEA markets.

Subsequent to this announcement, we expect that the NCAs will publish further communications and align with the EBA migration deadline. Wirecard will keep the information updated for each country.

Limited transition period for PSD2 SCA implementation

You can find an overview of the most recent publications from the main regulators here:

  • European Banking Authority
  • BaFin
  • Financial Conduct Authority
  • Banca d’Italia
  • Banque de France
  • Further communications

Prepare yourself and your company for 3D Secure 2

With the previous standard, 3D Secure, the customer experience was compromised considerably for the sake of security. That’s why Mastercard, Visa, American Express, UPI, Diners Club, Discover, JCB and Cartes Bancaires saw the new security requirements of PSD2 as an opportunity to work on user-friendliness too. With 3D Secure 2, the card schemes are introducing a method that, thanks to the new authentication technology, promises not only fewer cases of fraud, but also a higher conversion rate compared with the first version of 3D Secure.

A comparison: 3D Secure and 3D Secure 2

What are the concrete differences?

  • Better fraud detection
  • No more static passwords
  • Support for mobile devices
  • Merchant opt-out
  • More flexibility for merchants

What advantages does the customer have with 3D Secure 2?

  • Better customer experience
  • Reduction of false declines
  • Greater comfort due to risk-based authentication

A detailed look at the benefits of 3D Secure 2 for you

Flexible use across all end devices

Smooth and consistent user experience across all channels, including wallets and apps

Optimized user experience

Seamless integration of the authentication process with the shopping experience, as well as fast, simple, and convenient authentication for cardholders

Improved data exchange

The option of risk-based authentication provides additional protection against fraud and thus boosts sales


Strong customer authentication as an EU-wide measure against fraud

There are many ways for companies to actively combat fraud, from predicting and preventing fraud through machine learning to manually checking payments. A particularly effective method is comprehensive authentication to verify the identity of a customer before an online payment is even accepted. There are three different types: single-factor authentication (e.g. using a password), two-factor authentication (e.g. using a unique authentication code combined with a password), or multi-factor authentication.

FAQs about 3D Secure 2

If your acquirer is located within the European Economic Area and you accept online credit cards, you have to enable 3D Secure 2.

3D Secure 2 is the credit card schemes’ answer to strong customer authentication (SCA) requirements. Participation in the 3D Secure 2 program is the easiest way to enable SCA.

SCA has been mandatory since 14 September as part of the EU’s revised Payment Services Directive (PSD2). However, the migration period has been extended.

In its 16 October opinion, the European Banking Authority (EBA) recently communicated that the SCA migration for online transactions must be completed by 31 December 2020.

Subsequent to this EBA announcement, we expect that national competent authorities (NCAs) will publish additional communications to align with the EBA migration deadline.

For specific market requirements and timelines, please refer to the above “flags” section. Click on the country flags to view the relevant information.

We strongly advise merchants to start implementing 3D Secure 2 for their online payments as soon as possible. To learn more about how to implement 3D Secure 2, please refer to the different integration methods with Wirecard.

https://www.wirecard.com/3d-secure-2/merchantform/static/

As of September 2019, strong customer authentication (SCA) is mandatory for online payments in European Economic Area markets.

Merchants have to migrate to 3D Secure 2 before the 31 December 2020 deadline set by the European Banking Authority.

After 31 December 2020, financial institutions will decline transactions that are not SCA compliant, and online merchants that are not SCA compliant may be subject to legal sanctions.

Even though strong customer authentication (SCA) generally needs to be applied for payment transactions in the European Economic Area, there are several cases in which it will not be mandatory (even after SCA requirements have come into effect in September 2019). For a comprehensive list of exemptions, please visit www.wirecard.com/3d-secure-2/strong-customer-authentication/.

The technical steps needed to support 3D Secure 2 mostly depend on two factors:

1) Whether you already support 3D Secure 1, and
2) The type of technical integration with Wirecard.

Find out more about how to implement 3D Secure 2 on our website:
https://www.wirecard.com/3d-secure-2/merchantform/static/

Wirecard Bank AG processes cardholders’ personal data for the purpose of payment processing as a Controller in the meaning of Art. 4 (7) GDPR. The merchant provides cardholders with information to be given by Wirecard according to Art. 13, 14 GDPR. The aforementioned information is available under https://www.wirecardbank.com/GDPR and should be added to the merchant’s terms and conditions or displayed in a suitable manner to the cardholders.

We strongly encourage you to support both 3D Secure 2 and 3D Secure 1 so as not to receive false declines from issuers that don’t support the new 3D Secure 2 protocol yet. To enable you to support both protocols with minimal effort, we have designed our APIs to be backward-compatible.

You can start using 3D Secure 2 immediately. The Wirecard Payment Gateway already supports it. Since we expect more and more issuers to support 3D Secure 2 over the coming months, we recommend that you switch to the new protocol as soon as possible.

Recurring transactions (i.e. subscriptions) are processed at regular intervals with the same recurring amount. When you set up a recurring agreement, the first transaction requires strong customer authentication. Subsequent transactions are then considered Merchant Initiated transactions, so no SCA is needed for them.

Payment in installments occurs when a consumer purchases goods and settles the bill with multiple partial payments over an agreed period. As in the recurring transactions scenario, the first transaction requires strong customer authentication, and the subsequent transactions are considered Merchant Initiated transactions, so no SCA is needed for them.

In both cases, the consumer must be clearly informed about the terms of the agreement.

For agreements established before PSD2, the principle of “grandfathering” will be applied. This means that SCA only applies to Recurring/Installment Payments that are initiated after PSD2 comes into effect.

Marketplaces are defined as environments where a single entity brings together buyers & sellers on a single platform, collecting payments on behalf of the sellers who provide goods or services to the customer under the marketplace branded platform. The marketplace owns the overall customer relationship, is responsible for the transactions and often regulates the terms and conditions of the sale.

From a 3D Secure 2 perspective, the Marketplace is the entity responsible for sending 3D Secure 2 authentication and authorization requests.

Generally, the rules of liability shift for 3D Secure 2 are comparable with those from 3D Secure 1: Whenever a merchant successfully requests authentication from an issuer, the chargeback liability shifts to the issuer.

However, it is worth noting that there are some exceptions applicable within the European Economic Area where strong customer authentication (SCA) is mandatory:

  • If an exemption (see exemptions: doc.wirecard.com/CreditCard_3DS2.html) is applied by merchants and their acquirer (e.g. the merchant decides to avoid a challenge), then the liability generally remains with the merchant.
  • If an issuer does not support 3D Secure 2 after SCA requirements have come into effect in September 2019, there are cases where merely attempting 3D Secure 2 authentication is enough to shift the liability.


Please note: The above advice should be considered as a generalization of credit card scheme regulations. For the specific regulations, please refer to the 3D Secure 2 implementation guides issued by the credit card schemes.

PSD2 regulation requires strong customer authentication each time a consumer (or payee) initiates any form of electronic payment. This also applies to POS transactions.

EMV payment cards, which are now the standard payment method in Europe, already comply with PSD2 SCA where the cardholder enters the PIN at the POS. The more recent contactless payment cards, where a PIN does not need to be entered in order to enable faster payments, are exempt from SCA if:

  • the individual amount of the contactless transaction is lower than €50, and
  • the cumulative sum of the previous contactless transactions does not exceed €150, and
  • the cumulative number of contactless payments does not exceed five.
If any of these criteria are not fulfilled, then the contactless transaction will require SCA by entering the PIN at the POS.
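The three contactless criteria above as a decision function, added here as an illustration rather than code from Wirecard or any card scheme. It assumes the caller already selects which earlier transactions count as "previous" (for instance those since the cardholder last entered a PIN) and passes amounts in euro.

```python
"""Contactless SCA exemption check (added example, not Wirecard's code).

A contactless payment may skip PIN entry only if its own amount is below
EUR 50, the cumulative amount of the previous contactless payments does not
exceed EUR 150 and their count does not exceed five. If any one criterion
fails, SCA (PIN entry at the POS) is required. Which earlier payments count
as "previous" is an assumption left to the caller: the history passed in is
treated as already filtered.
"""
from dataclasses import dataclass
from decimal import Decimal

SINGLE_LIMIT = Decimal("50")       # per-transaction cap (amount must be strictly below)
CUMULATIVE_LIMIT = Decimal("150")  # cap on the sum of previous contactless payments
COUNT_LIMIT = 5                    # cap on the number of previous contactless payments


@dataclass(frozen=True)
class Decision:
    exempt: bool          # True: no PIN needed; False: SCA required
    reasons: tuple        # names of the criteria that failed (empty when exempt)


def contactless_decision(amount_eur, previous_eur):
    """Decide whether a contactless payment may proceed without PIN entry.

    amount_eur   -- amount of the current transaction (str, int or Decimal)
    previous_eur -- amounts of the previous contactless payments that count
    """
    amount = Decimal(str(amount_eur))
    previous = [Decimal(str(p)) for p in previous_eur]
    failed = []
    if not amount < SINGLE_LIMIT:
        failed.append("amount_not_below_50")
    if sum(previous, Decimal("0")) > CUMULATIVE_LIMIT:
        failed.append("cumulative_amount_exceeds_150")
    if len(previous) > COUNT_LIMIT:
        failed.append("count_exceeds_5")
    # Every criterion must hold; a single failure means SCA is required.
    return Decision(exempt=not failed, reasons=tuple(failed))


if __name__ == "__main__":
    # Constructed history: three earlier EUR 30 contactless payments.
    print(contactless_decision("20", ["30", "30", "30"]))
    print(contactless_decision("50", []))
```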

The mandate to apply SCA also applies to other means of payment. Not all of them, however, are handled using 3D Secure 2. Here's how some of the most frequently requested payment methods handle SCA:

  • Wallets: Depending on the payment method that consumers use to top up their wallet, different SCA methods may be required.
  • Google Pay / Apple Pay: Apple Pay and Google Pay directly use the consumer devices to perform SCA. Only Google Pay will use 3D Secure 2 for non-device bound transactions (e.g. on desktop transactions).
  • Online bank transfers: Online bank transfers are typically carried out by redirecting to the consumer's bank account, where SCA has been standard practice for years. Typically, this is achieved by providing a log-in password combined with a one-time password.
  • SEPA Direct Debit: SEPA Direct Debit transactions are considered to be "Merchant Initiated Payments". These types of payments are not affected by the PSD2 regulations and thus do not require SCA to be applied in the first place.

As per PSD2 RTS, payments are considered low value if they are less than or equal to €30 or equivalent in other currencies. The EBA included this topic in the Final Q&A, stating:

"For non-euro transactions, the payment service providers (PSPs) and card schemes should convert EUR thresholds as required under Articles 11, 16, 18 of Commission Delegated Regulation (EU) 2018/389 into non-euro currency thresholds, using the average ECB reference exchange rate. In practice, PSPs and card schemes may wish to keep the threshold in euro. Rounding the threshold amount in a non-euro currency can only be done if the threshold in the other currency is rounded to a value which is unlikely to breach the EUR threshold in the Delegated Regulation, based on the ECB reference exchange rate. Any such rounded amount may require adjusting from time to time. For example, the EUR 50 threshold for remote payments would be equivalent to a UK sterling threshold of £44.50 as of 12 September 2018; the lowest it would have been over the previous 12 months is £43. So if the UK sterling threshold was rounded down to £40, it would probably always comply with the EUR 50 threshold for the period given in this example (September 2017 – September 2018)."
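The EBA's worked example as code, added here as an illustration and not code from the EBA or Wirecard. The rate series is constructed to reproduce the figures in the quote (£44.50 at the current rate, £43 at the weakest point in the window) and is not real ECB data; the point it shows is that the local threshold is derived from the least favourable rate and then rounded down, because rounding up would let payments above the EUR threshold slip through the exemption.

```python
"""Derive a non-euro SCA threshold from a EUR threshold (added example).

Per the EBA guidance quoted above: convert the EUR threshold with the ECB
reference rate, take the lowest converted value over the look-back window,
and round that value *down* so the local threshold never exceeds the EUR
threshold for the rates seen. Rates below are constructed, not real data.
"""
from decimal import Decimal, ROUND_FLOOR

EUR_THRESHOLD_REMOTE = Decimal("50")   # EUR 50 remote-payment threshold from the quote

# Constructed GBP-per-EUR reference rates over the window (illustrative only).
# The first entry gives GBP 44.50, the second the window minimum of GBP 43.00.
GBP_PER_EUR_12M = ["0.890", "0.860", "0.875", "0.890"]


def convert(eur_threshold, rate):
    """EUR threshold expressed in the local currency at one reference rate."""
    value = Decimal(str(eur_threshold)) * Decimal(str(rate))
    return value.quantize(Decimal("0.01"))


def safe_local_threshold(eur_threshold, rates, step="10"):
    """Lowest converted value over the window, rounded down to a multiple of `step`."""
    lowest = min(convert(eur_threshold, r) for r in rates)
    step_d = Decimal(str(step))
    return (lowest / step_d).to_integral_value(rounding=ROUND_FLOOR) * step_d


def would_breach(local_threshold, eur_threshold, rate):
    """True if a local threshold is worth more than the EUR threshold at this rate."""
    eur_equivalent = Decimal(str(local_threshold)) / Decimal(str(rate))
    return eur_equivalent > Decimal(str(eur_threshold))


if __name__ == "__main__":
    print(convert(EUR_THRESHOLD_REMOTE, GBP_PER_EUR_12M[0]))          # 44.50
    print(safe_local_threshold(EUR_THRESHOLD_REMOTE, GBP_PER_EUR_12M))  # 40
    # Rounding up to GBP 45 instead would breach EUR 50 at the current rate.
    print(would_breach("45", EUR_THRESHOLD_REMOTE, GBP_PER_EUR_12M[0]))  # True
```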

Important dates for 3D Secure 2 and SCA