3D Secure 2: Authentication solutions

The most secure option for your payments

The implementation of the new PSD2 Directive (Payment Services Directive) in September 2019 means that online retailers who accept credit cards will need to bring themselves in line with the new security standards. For example, more data fields or additional steps within the transaction flow will be required in order to achieve strong customer authentication (SCA).

To help you meet the necessary requirements quickly and easily, please find below the 3D Secure 2 solutions from Wirecard for the various methods of integration. 

First steps for a smooth 3D Secure 2 implementation

To ensure a smooth transition to 3D Secure 2, we strongly recommend the following steps as best practices for the implementation phase:

  1. Familiarize yourself with 3D Secure 2 and how it will impact your business.
  2. Check the technical documentation we have provided for your integration type to the Wirecard Payment Gateway.
  3. Ensure that additional transactional data are collected in order to fulfill the mandatory field requirements for 3D Secure 2. For the full list, please refer to the 3D Secure 2 table.
  4. Proceed with 3D Secure 2 transaction testing activity in the Wirecard test environment using our preconfigured test cards to simulate the different 3D Secure 2 scenarios.
  5. Check with your Legal team if any update is needed to the Terms and Conditions on your website.
  6. Update the 3D Secure program logos on your website.
  7. Go live with 3D Secure 2. You can monitor transactions directly from the Wirecard Enterprise Portal.

Easy 3D Secure 2 integration

The table below lists the implementation guides for each of the integration methods. You can contact our Support team with questions and comments by email anytime at: 3ds.support@wirecard.com

If you use our solutions via a third-party provider, please contact them directly for more information.

REST API

Are you connected to our payment solutions via a program interface, in other words via URL paths? 

Payment Page

Do you use Wirecard Payment Page (v1 or v2) to process online payments?

Find the solutions for your Wirecard Payment Page here:

Mobile SDK

Do your customers have the option of making payments using a mobile app (either for iOS or Android devices)?

Shop Extension

Do you use one or more shop extensions for the shop systems with which you process your payments? 

Visit our download page to find 3D-Secure-compliant shop extensions for the following shop systems:

  • Magento 1
  • Magento 2
  • OpenCart
  • PrestaShop
  • Salesforce Commerce Cloud
  • SAP Commerce
  • Shopify
  • WooCommerce

Our 3D-Secure-compliant solutions for the following shop extensions are currently still under development:

  • OXID
  • Shopware

FAQs about 3D Secure 2

If your acquirer is located within the European Economic Area and you accept online credit cards, you have to enable 3D Secure 2.

3D Secure 2 is the credit card schemes’ answer to strong customer authentication (SCA) requirements. Participation in the 3D Secure 2 program is the easiest way to enable SCA.

SCA has been mandatory since 14 September as part of the EU’s revised Payment Services Directive (PSD2). However, the migration period has been extended.

In its 16 October opinion, the European Banking Authority (EBA) recently communicated that the SCA migration for online transactions must be completed by 31 December 2020.

Subsequent to this EBA announcement, we expect that national competent authorities (NCAs) will publish additional communications to align with the EBA migration deadline.

For specific market requirements and timelines, please refer to the above “flags” section. Click on the country flags to view the relevant information.

We strongly advise merchants to start implementing 3D Secure 2 for their online payments as soon as possible. To learn more about how to implement 3D Secure 2, please refer to the different integration methods with Wirecard. 

https://www.wirecard.com/3d-secure-2/merchantform/static/ 

As of September 2019, strong customer authentication (SCA) is mandatory for online payments in European Economic Area markets.

Merchants have to migrate to 3D Secure 2 before the 31 December 2020 deadline set by the European Banking Authority.

After 31 December 2020, financial institutions will decline transactions that are not SCA compliant, and online merchants that are not SCA compliant may be subjected to legal sanctions.

Even though strong customer authentication (SCA) generally needs to be applied for payment transactions in the European Economic Area, there are several cases in which it will not be mandatory (even after SCA requirements have come into effect in September 2019). For a comprehensive list of exemptions, please visit www.wirecard.com/3d-secure-2/strong-customer-authentication/.

The technical steps needed to support 3D Secure 2 mostly depend on two factors:

1) Whether you already support 3D Secure 1, and
2) The type of technical integration with Wirecard.

Find out more about how to implement 3D Secure 2 on our website:
https://www.wirecard.com/3d-secure-2/merchantform/static/

Wirecard Bank AG processes cardholders’ personal data for the purpose of payment processing as a Controller in the meaning of Art. 4 (7) GDPR. The merchant provides cardholders with information to be given by Wirecard according to Art. 13, 14 GDPR. The aforementioned information is available under https://www.wirecardbank.com/GDPR and should be added to the merchant’s terms and conditions or displayed in a suitable manner to the cardholders.

We strongly encourage you to support both 3D Secure 2 as well as 3D Secure 1 so as not to receive false declines from issuers that don’t support the new 3D Secure 2 protocol yet. To enable you to support both protocols with minimal effort, we have designed our APIs to be downward-compatible.

You can start using 3D Secure 2 immediately. The Wirecard Payment Gateway already supports it. Since we expect more and more issuers to support 3D Secure 2 over the coming months, we recommend that you switch to the new protocol as soon as possible.

Recurring transactions (i.e. subscriptions) are processed at regular intervals, with the same recurring amount. When you set up a recurring agreement, the first transaction requires strong customer authentication. Subsequent transactions are then considered to be Merchant Initiated transactions, so no SCA is needed.

Payment in installments occurs when a consumer purchases goods and settles the bill with multiple partial payments over an agreed period. As in the recurring transactions scenario, the first transaction requires strong customer authentication and the subsequent transactions are considered to be Merchant Initiated transactions, so no SCA is needed.

In both cases, the consumer must be clearly informed about the terms of the agreement.

In the case of agreements established before PSD2, the principle of “grandfathering” will be applied. This means that SCA only applies to Recurring/Installment Payments that are initiated after PSD2 comes into effect.

Marketplaces are defined as environments where a single entity brings together buyers and sellers on a single platform, collecting payments on behalf of the sellers who provide goods or services to the customer under the marketplace-branded platform. The marketplace owns the overall customer relationship, is responsible for the transactions and often regulates the terms and conditions of the sale.

From a 3D Secure 2 perspective, the Marketplace is the entity responsible for sending 3D Secure 2 authentication and authorization requests.

Generally, the rules of liability shift for 3D Secure 2 are comparable with those from 3D Secure 1: Whenever a merchant successfully requests authentication from an issuer, the chargeback liability shifts to the issuer.

However, it is worth noting that there are some exceptions applicable within the European Economic Area where strong customer authentication (SCA) is mandatory:

  • If an exemption (see exemptions: doc.wirecard.com/CreditCard_3DS2.html) is applied by merchants and their acquirer (e.g. the merchant decides to avoid a challenge), then the liability generally remains with the merchant.
  • If an issuer does not support 3D Secure 2 after SCA requirements have come into effect in September 2019, there are cases where only attempting to apply 3D Secure 2 will lead to a shift in liability.


Please note: The above advice should be considered as a generalization of credit card scheme regulations. For the specific regulations, please refer to the 3D Secure 2 implementation guides issued by the credit card schemes.

The PSD2 regulation requires strong customer authentication each time a consumer (or payee) initiates any form of electronic payment. This also applies to POS transactions.

EMV payment cards, which are now the standard payment method in Europe, already comply with PSD2 SCA, where the Cardholder enters the PIN at the POS. The more recent contactless payment cards, where a PIN does not need to be entered in order to enable faster payments, are exempt from SCA if:

  • the individual amount for the contactless transaction is lower than €50, and
  • the cumulative sum from previous contactless transactions does not exceed €150, and
  • the cumulative number of contactless payments does not exceed five.


If any of these criteria are not fulfilled, then the contactless transaction will require SCA by entering the PIN at the POS.

The mandate to apply SCA also applies to other means of payment. Not all of them, however, are handled using 3D Secure 2. Here's how some of the most frequently requested payment methods handle SCA:

  • Wallets: Depending on the payment method that consumers use to top up their wallet, different SCA methods may be required.
  • Google Pay / Apple Pay: Apple Pay and Google Pay directly use the consumer devices to perform SCA. Only Google Pay will use 3D Secure 2 for non-device bound transactions (e.g. on desktop transactions).
  • Online bank transfers: Online bank transfers are typically carried out by redirecting to the consumer's bank account, where SCA has been standard practice for years. Typically, this is achieved by providing a log-in password combined with a one-off password.
  • SEPA Direct Debit: SEPA Direct Debit transactions are considered to be "Merchant Initiated Payments". These types of payments are not affected by the PSD2 regulations and thus do not require SCA to be applied in the first place.

As per PSD2 RTS, payments are considered low value if they are less than or equal to €30 or equivalent in other currencies. The EBA included this topic in the Final Q&A stating:

"For non-euro transactions, the payment service providers (PSPs) and card schemes should convert EUR thresholds as required under Articles 11, 16, 18 of Commission Delegated Regulation (EU) 2018/389 into non-euro currency thresholds, using the average ECB reference exchange rate. In practice, PSPs and card schemes may wish to keep the threshold in euro. Rounding the threshold amount in a non-euro currency can only be done if the threshold in the other currency is rounded to a value, which is unlikely to breach the EUR threshold in the Delegated Regulation, based on the ECB reference exchange rate. Any such rounded amount may require adjusting from time to time. For example, the EUR 50 threshold for remote payments would be equivalent to a UK sterling threshold of £44.50 as of 12 September 2018; the lowest it would have been over the previous 12 months is £43. So if the UK sterling threshold was rounded down to £40, it would probably always comply with the EUR 50 threshold for the period given in this example (September 2017 – September 2018)."