To help us direct you question to the best team to provide an answer please select which option best descibes you.
Plug into Paysafe.
From April 2019 new rules are being introduced by the card schemes that mandate the adoption of 3D Secure 2.0
We have prepared the FAQs below to help you navigate through this subject.
3DSv2 FAQs
3D Secure V1 will be fully retired in October 2022. Effective 15 October 2022, Visa, Mastercard and American Express will discontinue support of 3D Secure 1 and related technology. Any transaction sent for Authentication with this version will result in an error. It is important to update your integration to 3D Secure 2 (EMV® 3D Secure) now if you are currently on 3D Secure 1 as deadlines are quickly approaching.
Q. What is Strong Customer Authentication (SCA)?
SCA is an additional layer of security introduced under PSD2 regulation and provides two-factor authentications (2FA) for consumers. Issuers will have the ability to authenticate the customer by asking for two different methods of authentication. This could take the form of a biometrics feature via the Banks’ app (something you are), the input of a SMS OTP (something you have), or a PIN number/password known by the customer (something you know).
Q. Who performs the Strong Customer Authentication?
The Strong Customer Authentication is always performed by the issuer and they will manage the serving of the pages to collect credentials or the delivery of SMS where appropriate. However, everyone from the payments industry should be supporting 3DS 2 – compliant with SCA.
Q. What is 3DSv2?
3DSv2 is a cross scheme authentication standard designed to improve the security and efficiency of transaction processing. It is being rolled out in Europe first in order to help merchants and acquirers comply with the PSD2 European Commission mandate for eCommerce transactions to have the opportunity to be "Strong Customer Authenticated" i.e. the customer's issuing bank has the possibility of triggering multi-factor authentication where they are concerned about the risk of processing the transaction.
More details on 3DS can be found on: https://www.paysafe.com/en/3ds-2/
Q. Do I have to integrate it?
All European and UK merchants must integrate to 3DSv2 by 1st of January 2021 for EEA and 14th March 2022 for UK respectively. All Issuers must be live on EMV 3D Secure 2 by the same date as well. It remains optional in other markets as the mandate is particular to the European regulatory regime. If your merchants are outside of those regions but expect to accept transactions from European and UK customers, 3D Secure 2 still applies to you. More details on this can be found on: https://www.paysafe.com/en/3ds-2/
It is recommended that you commence your integration now to ensure you are prepared in advance of this date.
If ou have not integrated 3D Secure 2 by now, you will not be compliant with European payment regulations and there is a likelihood that the issuing banks will decline your transactions.
By October 2022, 3D Secure V1 will be fully retired in Europe and North America. Effective 15th October 2022, Visa, Mastercard and American Express will discontinue support of 3D Secure 1 and related technology. All transactions will require to use 3D Secure 2 flow to ensure acceptance.
Q. I have 3DSv1 do I still have to switch to 3DSv2?
Yes, by October 2022, 3D Secure V1 will be fully retired in Europe and North America. Effective 15th October 2022, Visa, Mastercard and American Express will discontinue support of 3D Secure 1 and related technology. All transactions will require to use 3D Secure 2 flow to ensure acceptance.
There are some significant differences in version 2 that enable the Strong Customer Authentication (SCA) required to comply with the latest regulation. In any case, there are also some customer experience enhancements for the new service such as a focus on mobile experience optimization.
In Europe and UK, 3D Secure is mandated. Before October 2022, 3D Secure 1 still complies with local regulations but it will shortly be deprecated and merchants are highly encouraged to migrate to 3DS2 as soon as possible.
In North America, 3D Secure 2 is not mandated. However, merchants who are currently using 3D Secure 1 need to upgrade to 3D Secure 2 prior to October 2022, to ensure that their transactions would not be declined due to 3D Secure 1 sunset.
Q. What changes are required based on the product I use?
Documentation on how to integrate to 3DSv2 has been published in June 2019 https://developer.paysafe.com/en/3d-secure-2/api/#/introduction/overview
Q. Can I use a different 3DS provider?
If you are using one of our hosted solutions, it is highly recommended to use our 3D Secure 2 service as both authorization and authentication are linked together. If you are using a server to server API call, technically it is possible to use different 3D Secure 2 provider, but this is not recommended. It might lead to an overcomplicated process of onboarding and transactions authorization and authentication. We strongly recommend using Paysafe 3D Secure 2 flow, due to its benefits - an all-in-one solution.
In case you still consider not taking advantage of Paysafe’s 3DS2 solution, please contact Paysafe directly at: uk.customerservice@paysafe.com.
If you are in North America, please contact us at technicalsupport@paysafe.com in English or soutientechnique@paysafe.com in French.
Q. How do I start?
We are automatically enrolling all our Paysafe acquiring merchants with the relevant card schemes and our 3DSv2 service. Integration guidelines have been published in June 2019 which enable you to start integrating https://developer.paysafe.com/en/3d-secure-2/api/. If you require further assistance, please contact “customer services” email uk.customerservice@paysafe.com.
If you are in North America, please contact us at technicalsupport@paysafe.com in English or soutientechnique@paysafe.com in French.
Q. I take customer orders over the phone how does this work with 3DSv2?
Mail Order or Telephone Order transactions are considered "Out of Scope" for PSD2 and therefore 3DSv2. No Strong Customer Authentication will be required as part of this transaction.
Q. I have a card on file solution how does this work with 3DSv2?
Any new card added to a card on file solution post 1st January 2021 in EEA and 14th March 2022 in UK will need to be Strong Customer Authenticated using Step-up (Challenged) authentication. This process is mandated under PSD2 to ensure that the customer is consenting to the establishment of this relationship between the customer and the merchant. If a payment is made at the same time as a card being added only one SCA needs to be applied. Any card added to your card on file solution pre 1st January 2021 in EEA and 14th March 2022 does not require to be authenticated to confirm its addition to the vault/card on file service.
Any subsequent payments made using the card on file that was initially created post 1st January 2021 in EEA and 14th March 2022 in UK need to contain a Transaction Identifier to the original payment. This Identifier will be used as reference by the issuing bank to retrieve the necessary authentication data from the original transaction and comply with the mandates.
Q. How does the process of recurring payments/subscription payments work with 3DS?
Same amount collected over regular periods is called Recurring transactions. An example of this might be a £6.99 monthly TV subscription.
Varying amounts collected at regular or irregular intervals is called Merchant Initiated Transactions. This could be a utility bill payment as an example.
In both cases, there would be a Strong Customer Authentication for the initial transaction only using Step-up (Challenged) authentication, but no 3D Secure 2 authentication would be required for any subsequent transactions. However, all subsequent transactions should include a reference to the initial one so the issuing bank can retrieve the necessary authentication data from the original transaction and comply with the mandates.
Q. What does Soft Decline mean?
The transaction has been declined due to no Strong Customer Authentication applied. In such cases, the transaction can be attempted again after Strong Customer authentication is performed (via 3DS 2).
Q. What does ‘One Leg Out’ transaction mean?
A two-legged transaction is one where both merchant and the customer are located within the EEA or UK. This means Strong Customer Authentication is required on those transactions.
In the case where only one of the two parties is within the EEA, SCA may not be required but is advised. This type of transaction is known as a ‘One Leg Out’ transaction, and it falls within the scope of PSD2. The following is the European Banking Authority guidance on ‘One Leg Out’ transactions:
In the case of card-based payments where the payee’s PSP (the acquirer) is located outside the Union (the so-called “one-leg out transactions”), the acquirer is not subject to PSD2. Where the payer wishes to make a card-based payment at the point of sale (POS) or in an online environment of a merchant whose acquirer is located outside the Union and the issuer cannot technically impose the use of SCA, the issuer shall make its own assessment whether to block the payment or be subject to the liability requirements under Article 73 PSD2 vis-à-vis the payer in the event that the payment has been unauthorised. — https://www.eba.europa.eu/single-rule-book-qa/-/qna/view/publicId/2018_4233
In summary, it is up to the EEA/UK Issuers to accept and decide whether to take on the liability for any transactions that do not have SCA data, as they do fall under PSD2 regulations. As most issuing banks typically do not prefer to take on the liability, they can still impose Soft Declines on non-authenticated transactions initiated from merchants outside the EEA/UK (one-leg-out).
Q. What are the risks of not implementing 3DS2?
EEA payment providers and banks are legally required to enforce SCA. Online businesses who don’t fulfil the SCA/3DS2 requirements will experience a growth in their decline rates and conversion rates will fall as customer banks reject non-authenticated payments. Non-compliance will put both sellers and payment providers at risk of losing transaction volume. National regulators have the power to impose fines and even revoke a payment provider’s license.
Q. North American merchants integrated into 3DS 1.0.2. Are they mandated to migrate to 3DS 2.x.0?
Merchants are strongly encouraged to use EMV 3DS (3DS2) due to the benefits for their business and customers. In North America, it is not mandated yet. However, merchants who are currently using 3D Secure 1 need to upgrade to 3D Secure 2 prior to October 2022, to ensure that their transactions would not be declined due to 3D Secure 1 sunset.
Also, if you expect to have customers from EEA and UK, you should consider implementing 3D Secure 2 as the PSD2 regulation still applies to those transactions and you may see increased declines.
Q. Will North American merchants lose liability shift from using 3DS 1.0.2 ?
Liability shift will remain with 3D Secure 1 authenticated transactions until the protocol’s retirement on 15th October 2022.
Q. NA Merchants currently not integrated neither into 3DS 1.0.2 nor into 2.x.0 – Are they mandated to integrate with 3DS 2.x.0 by the end of 2020?
There is no direct mandate for merchants to adopt the new protocol.
Q. Who helps me if I have issues with the integration
Our freephone telephone numbers continue to be UK: +44 (0) 118 928 5075 / International: 0800 249 1404
And, if you need to reach out to our internal teams, you can continue to email us at uk.customerservice@paysafe.com for our Customer Service Team
If you are in North America, please contact us at technicalsupport@paysafe.com for support in English or soutientechnique@paysafe.com for French.
Important Dates:
Source: VISA
