Plug into Paysafe.
From April 2019 new rules are being introduced by the card schemes that mandate the adoption of 3D Secure 2.0
We have prepared the FAQs below to help you navigate through this subject.
Q. What is Strong Customer Authentication (SCA)?
Potential example: SCA is an additional layer of security introduced under PSD2 regulation and provides two-factor authentications for consumers. Issuers will have the ability to authenticate the customer by asking for two different methods of authentication. This could take the form of a biometrics feature via the Banks app (something you are), the input of a SMS OTP (something you have), or a PIN number/password known by the customer (something you know).
The Strong Customer Authentication is always performed by the issuer and they will manage the serving of the pages to collect credentials or the delivery of SMS where appropriate. However, everyone from the payments industry should be supporting 3DS 2 – compliant with SCA.
3DSv2 is a cross scheme authentication standard designed to improve the security and efficiency of transaction processing. It is being rolled out in Europe first in order to help merchants and acquirers comply with the PSD2 European Commission mandate for eCommerce transactions to have the opportunity to be "Strong Customer Authenticated" i.e. the customer's issuing bank has the possibility of triggering multi-factor authentication where they are concerned about the risk of processing the transaction.
More details on 3DS can be found: https://www.paysafe.com/en/3ds-2/
All European merchants must integrate to 3DSv2 by 14th of March 2020. All Issuers must be live on EMV 3DS 2 by the same date as well. It remains optional in other markets as the mandate is particular to the European regulatory regime. It is recommended that you commence your integration now to ensure you are prepared in advance of this date.
If you have not integrated 3DSv2 by March, you will not be compliant with European payment regulations and there is a likelihood that the issuing banks will decline your transactions.
Yes, there are some significant differences in version 2 that enable the Strong Customer Authentication (SCA) required for PSD2 regulation. In any case, there are also some customer experience enhancements for the new service such as a focus on mobile experience optimization which mean that even merchants outside of Europe without the mandate should consider the upgrade.
Because it will take time for both merchants and issuers to support 3DSv2 globally it is recommended that issuers continue to support both version 1 and version 2 in parallel. We provide and manage a fallback from 2 to 1 through the single 3DSv2 integration. This will allow for example a merchant in the UK who has implemented 3DSv2 to comply with PSD2 regulations to still perform a 3DS risk check on a card issued by an issuer in the US who has not yet implemented version 2.
Documentation on how to integrate to 3DSv2 has been published in June 2019 https://developer.paysafe.com/en/3d-secure-2/api/#/introduction/overview
If you are using one of our hosted solutions, it is highly recommended to use our 3DS 2 service as both authorization and authentication are linked together. If you are using a server to server API call, technically it is possible to use different 3DS 2 provider, but this is not recommended. It might lead to an overcomplicated process of onboarding and transactions authorization and authentication. We strongly recommend using Paysafe 3DS 2 flow, due to its benefits - the all in one solution.
In case you still consider not taking advantage of Paysafe’s 3DS2 solution, please contact Paysafe directly at e: email@example.com.
We are automatically enrolling all our Paysafe acquiring merchants with the relevant card schemes and our 3DSv2 service. Integration guidelines have been published in June 2019 which enable you to start integrating https://developer.paysafe.com/en/3d-secure-2/api/. If you require further assistance, please contact “customer services” email firstname.lastname@example.org
Mail Order or Telephone Order transactions are considered "Out of Scope" for PSD2 and therefore 3DSv2. No Strong Customer Authentication will be required as part of this transaction.
Any new card added to a card on file solution post 14th of March 2020 will need to be Strong Customer Authenticated. This process is mandated under PSD2 to ensure that the customer is consenting to the establishment of this relationship between the customer and the merchant. If a payment is made at the same time as a card being added only one SCA needs to be applied. Any card added to your card on file solution pre 14th of March 2020 does not require to be authenticated to confirm its addition to the vault/card on file service.
Subsequent transactions post 14th of March 2020 may have Strong Customer Authentication applied by the issuer. The issuer will make a risk-based decision if they would like to step up the authentication or not.
Same amount collected over regular periods is called Recurring transactions. An example of this might be a £6.99 monthly TV subscription.
Varying amounts collected at regular or irregular intervals is called Merchant Initiated Transactions. This could be a utility bill payment as an example.
In both cases, there would be a Strong Customer Authentication for the initial transaction only, but no 3DS2 authentication would be required for any subsequent transactions. However, all subsequent transactions should include reference to the initial one and the issuer is still the final decision maker.
The transaction has been declined due to no Strong Customer Authentication applied. In such cases, the transaction can be attempted again after Strong Customer authentication is performed (via 3DS 2).
Under PSD2, Strong Customer Authentication is required on all payer-initiated transactions when both the card issuer and acquirer are within the EEA. If only one of the two is within the EEA, SCA is not required - so a merchant with acquiring bank in US and a customer with a card issuer within EEA, would not be required to enforce SCA. This type of transaction is called 'one leg out'.
EEA payment providers and banks are legally required to enforce SCA. Online businesses who don’t fulfil the SCA/3DS2 requirements will experience a growth in their decline rates and conversion rates will fall as customer banks reject non-authenticated payments. Non-compliance will put both sellers and payment providers at risk of losing transaction volume. National regulators have the power to impose fines and even revoke a payment provider’s license.
Merchants are strongly encouraged to use EMV 3DS (3DS2), but it is not mandated yet.
Not currently. 3DS1 will be retired in the future.
N.A. Merchants currently not integrated neither into 3DS 1.0.2 nor into 2.x.0 - Q. Are they mandated to integrate with 3DS 2.x.0 by the end of 2020?
There is no direct mandate for merchants to adopt the new protocol.
Our freephone telephone numbers continue to be UK: +44 (0) 118 928 5075 / International: 0800 249 1404
And, if you need to reach out to our internal teams, you can continue to email us at:
email@example.com (for our Customer Service Team)