Content 3DSV2
The new Payment Services Directive (PSD2) initiated by the European Commission has applied since 01/13/2018.
Objective: Strengthen the security of online payments
The European Banking Authority (EBA) has developed implementing measures called Regulatory Technical Standards (RTS), which will come into force on 09/14/2019.
PSD2 will make SCA (Strong Customer Authentication), or two-factor authentication, mandatory for online transactions.
To strengthen the protection of buyers during remote payments, PSD2 makes SCA (Strong Customer Authentication), also known as “two-factor authentication”, mandatory.
Strong buyer authentication requires verification of at least two of the following 3 factors:
which are independent of each other in the sense that the compromise of one does not lead to the compromise of the other.
Categorization of strong authentication (SCA) factors
Although not recognized as a strong authentication method by the European Banking Authority, SMS-OTP will still be used until new methods (biometrics, for example) take over.
This method, adopted massively by buyers, has helped to significantly lower the fraud rates for e-commerce card payments. It is currently the most common among banks (86%).
PSD2 applies to banks and not to merchants, which means that issuing banks that accept non-compliant transactions run the risk of being in breach of the law.
Not all transactions are subject to the RTS (see out-of-scope cases and exemptions).
Strong authentication impacts the user journey and the acceptance rate, in particular on mobile, so it should only be triggered for risky transactions.
The objectives for the merchant are therefore:
We provide you with the tools to achieve these goals.
The rules describing SCA are technically neutral and do not impose any particular method.
The 3DS V2 protocol provides a mechanism that enables strong authentication to be carried out in accordance with PSD2.
The main advantage of 3DS is to shift the responsibility for possible fraud from the merchant to the card issuer, which reduces chargebacks.
However, many merchants do not use the 3DS solution because of the loss of conversion and the service costs.
As a reminder, the main disadvantage of the 3D-Secure 1.0 version:
Major developments in the new 3-D Secure 2.0 specification.
Feature | Benefit |
---|---|
Risk-Based Authentication (RBA) | Allows frictionless authentication, without challenge, for the cardholder. |
Data-driven risk management | Use the following data to assess the payment risk: |
Native mobile device support | Designed to support native mobile interfaces, thus providing a fluid experience to m-commerce buyers. |
Flexible integration in the merchant's customer journey | Allows the merchant to seamlessly embed the authentication in the checkout process, thus maintaining a consistent user experience. |
Support for biometrics and other methods | Reduces friction in the user experience. |
Flags in messages to support derogations related to PSD2 | Allows merchants and acquirers to tell issuers when they want to apply an exemption and take responsibility for the transaction. |
The biggest difference with 3DS 1.0 is the “frictionless” flow which allows the issuer to approve a transaction without cardholder interaction based on risk-based authentication performed in the ACS.
Thanks to these developments, buyers' banks will have access to more information, allowing them to refine the decision-support scoring used to trigger strong authentication or not (frictionless).
3DS 2.0 solves several technical issues of 3DS v1.0, such as optimizing buyer journeys, making the payment process smoother for browser and in-app purchases, introducing a frictionless authentication flow, and enhancing security.
3DS V1 authentication will remain possible until the end of 2020. From 2021, all 3DS authentications must use version 2.
The 3DSecure authentication method will meet the requirements of RTS - SCA from 09/14/2019.
We must however distinguish the following cases:
In any case, we recommend that you consider migrating to the 3DS V2 protocol now in order to be ready to benefit from its advantages, in particular the frictionless flow.
In order to integrate the 3DS V2 protocol, please consult the following article: 3DSv2