3D Secure 2: Authentication solutions

The most secure option for your payments

The implementation of the new PSD2 Directive (Payment Services Directive) in September 2019 means that online retailers who accept credit cards will need to bring themselves in line with the new security standards. For example, more data fields or additional steps within the transaction flow will be required in order to achieve strong customer authentication (SCA).

To help you meet the necessary requirements quickly and easily, please find below the 3D Secure 2 solutions from Wirecard for the various methods of integration. 

First steps for a smooth 3D Secure 2 implementation

To ensure a smooth transition to 3D Secure 2, we strongly recommend the following steps as best practices for the implementation phase:

  1. Familiarize yourself with 3D Secure 2 and how it will impact your business.
  2. Check the technical documentation we have provided for your integration type to the Wirecard Payment Gateway.
  3. Ensure that additional transactional data are collected in order to fulfill the mandatory field requirements for 3D Secure 2. For the full list, please refer to the 3D Secure 2 table.
  4. Proceed with 3D Secure 2 transaction testing activity in the Wirecard test environment using our preconfigured test cards to simulate the different 3D Secure 2 scenarios.
  5. Check with your Legal team if any update is needed to the Terms and Conditions on your website.
  6. Update the 3D Secure program logos on your website.
  7. Go live with 3D Secure 2. You can monitor transactions directly from the Wirecard Enterprise Portal.

Easy 3D Secure 2 integration

The table below lists the implementation guides for each of the integration methods. You can contact our Support team with questions and comments by email anytime at: 3ds.support@wirecard.com

If you use our solutions via a third-party provider, please contact them directly for more information.

REST API

Are you connected to our payment solutions via a program interface, in other words via URL paths? 

Payment Page

Do you use Wirecard Payment Page (v1 or v2) to process online payments?

Find the solutions for your Wirecard Payment Page here:

Mobile SDK

Do your customers have the option of making payments using a mobile app (either for iOS or Android devices)?

Shop Extension

Do you use one or more shop extensions for the shop systems with which you process your payments? 

Visit our download page  to find 3D-Secure-compliant shop extensions for the following shop systems:

  • Magento 1
  • Magento 2
  • OpenCart
  • PrestaShop
  • Salesforce Commerce Cloud
  • SAP Commerce
  • Shopify
  • WooCommerce

Our 3D-Secure-compliant solutions for the following shop extensions are currently still under development:

  • OXID
  • Shopware

FAQs about 3D Secure 2

If your acquirer is located within the European Economic Area and you accept online credit cards, you have to enable 3D Secure 2.

3D Secure 2 is the credit card schemes’ answer to strong customer authentication (SCA) requirements. Participation in the 3D Secure 2 program is the easiest way to enable SCA.

SCA has been mandatory since 14 September as part of the EU’s revised Payment Services Directive (PSD2). However, the migration period has been extended.

In its 16 October opinion, the European Banking Authority (EBA) recently communicated that the SCA migration for online transactions must be completed by 31 December 2020.

Subsequent to this EBA announcement, we expect that national competent authorities (NCAs) will publish additional communications to align with the EBA migration deadline.

For specific market requirements and timelines, please refer to the above “flags” section. Click on the country flags to view the relevant information.

We strongly advise merchants to start implementing 3D Secure 2 for their online payments as soon as possible. To learn more about how to implement 3D Secure 2, please refer to the different integration methods with Wirecard. 

https://www.wirecard.com/3d-secure-2/merchantform/static/ 

As of September 2019, strong customer authentication (SCA) is mandatory for online payments in European Economic Area markets.

Merchants have to migrate to 3D Secure 2 before the 31 December 2020 deadline set by the European Banking Authority.

After 31 December 2020, financial institutions will decline transactions that are not SCA compliant and non-SCA compliant online merchants may be subjected to legal sanctions.

 Even though strong customer authentication (SCA) generally needs to be applied for payment transactions in the European Economic Area, there are several cases in which it will not be mandatory (even after SCA requirements have come into effect in September 2019). For a comprehensive list of exemptions, please visit
www.wirecard.com/3d-secure-2/strong-customer-authentication/.

The technical steps needed to support 3D Secure 2 mostly depend on two factors:

1) Whether you already support 3D Secure 1, and
2) The type of technical integration with Wirecard.

Find out more about how to implement 3D Secure 2 on our website:
https://www.wirecard.com/3d-secure-2/merchantform/static/

Wirecard Bank AG processes cardholders’ personal data for the purpose of payment processing as a Controller in the meaning of Art. 4 (7) GDPR. The merchant provides cardholders with information to be given by Wirecard according to Art. 13, 14 GDPR. The aforementioned information is available under https://www.wirecardbank.com/GDPR and should be added to the merchant’s terms and conditions or displayed in a suitable manner to the cardholders.

We strongly encourage you to support both 3D Secure 2 as well as 3D Secure 1 so as not to receive false declines from issuers that don’t support the new 3D Secure 2 protocol yet. To enable you to support both protocols with minimal effort, we have designed our APIs to be downward-compatible.

You can start using 3D Secure 2 immediately. The Wirecard Payment Gateway already supports it. Since we expect more and more issuers to support 3D Secure 2 over the coming months, we recommend that you switch to the new protocol as soon as possible.

Recurring transactions (i.e. subscriptions) are processed at regular intervals, with the same, recurring amount. When you set up a recurring agreement, the first transaction requires strong customer authentication. Subsequent transactions are then considered to be Merchant Initiated transactions, therefore no SCA is needed.

Payment in installments occurs when a consumer purchases goods and settles the bill with multiple partial payments, over an agreed period. As in the recurring transactions scenario, the first transaction requires strong customer authentication and the subsequent transactions are considered as Merchant Initiated transactions, therefore no SCA is needed.

In both cases, the consumer must be clearly informed about the terms of the agreement.

In case of agreements established before PSD2, the principle of “grandfathering” will be applied. This means that SCA only applies to Recurring/Installment Payments, which are initiated after PSD2 comes into effect.

Marketplaces are defined as environments where a single entity brings together buyers & sellers on a single platform, collecting payments on behalf of the sellers who provide goods or services to the customer under the marketplace branded platform. The marketplace owns the overall customer relationship, is responsible for the transactions and often regulates the terms and conditions of the sale.

From a 3D Secure 2 perspective, the Marketplace is the entity responsible for sending 3D Secure 2 authentication and authorization requests.

Generally, the rules of liability shift for 3D Secure 2 are comparable with those from 3D Secure 1: Whenever a merchant successfully requests authentication from an issuer, the chargeback liability shifts to the issuer.

However, it is worth noting that there are some exceptions applicable within the European Economic Area where strong customer authentication (SCA) is mandatory:

  • If an exemption (see exemptions: doc.wirecard.com/creditcard.html) is applied by merchants and their acquirer (e.g. the merchant decides to avoid a challenge), then the liability generally remains with the merchant.
  • If an issuer does not support 3D Secure 2 after SCA requirements have come into effect in September 2019, there are cases where only attempting to apply 3D Secure 2 will lead to a shift in liability.


 Please note: The above advice should be considered as a generalization of credit card scheme regulations. For the specific regulations, please refer to the 3D Secure 2 implementation guides issued by the credit card schemes.

     

PS2 regulation requires strong customer authentication each time a consumer (or payee) initiates any form of electronic payment. This also applies to POS transactions.

EMV payment cards, which are now the standard payment method in Europe, already comply with PSD2 SCA, where the Cardholder enters the PIN at the POS. The more recent contactless payment cards, where a PIN does not need to be entered to enable faster payments are exempt from SCA if:

  • the individual amount for the contactless transaction lower than €50, and
  • the cumulative sum from previous contactless transactions does not exceed €150, and 
  • the cumulative number of contactless payments does not exceed five.


If any of these criteria are not fulfilled, then the contactless transaction will require SCA by entering the PIN at the POS.

The mandate to apply SCA also applies to other means of payment. Not all of them, however, are handled using 3D Secure 2. Here's how some of the most frequently requested payment methods handle SCA:

  • Wallets: Depending on the payment method that consumers use to top up their wallet, different SCA methods may be required.
  • Google Pay / Apple Pay: Apple Pay and Google Pay directly use the consumer devices to perform SCA. Only Google Pay will use 3D Secure 2 for non-device bound transactions (e.g. on desktop transactions).
  • Online bank transfers: Online bank transfers are typically carried out by redirecting to the consumer's bank account, where SCA has been standard practice for years. Typically, this is achieved by providing a log-in password combined with a one-off password.
  • SEPA Direct Debit: SEPA Direct Debit transactions are considered to be "Merchant Initiated Payments". These types of payments are not affected by the PSD2 regulations and thus do not require SCA to be applied in the first place.

As per PSD2 RTS, payments are considered low value if they are less than or equal to €30 or equivalent in other currencies. The EBA included this topic in the Final Q&A stating: "

For non-euro transactions, the payment service providers (PSPs) and card schemes should convert EUR thresholds as required under Articles 11, 16, 18 of Commission Delegated Regulation (EU) 2018/389 into non-euro currency thresholds, using the average ECB reference exchange rate. In practice, PSPs and card schemes may wish to keep the threshold in euro. Rounding the threshold amount in a non-euro currency can only be done if the threshold in the other currency is rounded to a value, which is unlikely to breach the EUR threshold in the Delegated Regulation, based on the ECB reference exchange rate. Any such rounded amount may require adjusting from time to time. For example, the EUR 50 threshold for remote payments would be equivalent to a UK sterling threshold of £44.50 as of 12 September 2018; the lowest it would have been over the previous 12 months is £43. So if the UK sterling threshold was rounded down to £40, it would probably always comply with the EUR 50 threshold for the period given in this example (September 2017 – September 2018)."