3D Secure 2.0 FAQs

From April 2019, new rules are being introduced by the card schemes that mandate the adoption of 3D Secure 2.0.

We have prepared the FAQs below to help you navigate through this subject. 

3D Secure V1 will be fully retired in October 2022. Effective 15 October 2022, Visa, Mastercard and American Express will discontinue support of 3D Secure 1 and related technology. Any transaction sent for Authentication with this version will result in an error. It is important to update your integration to 3D Secure 2 (EMV® 3D Secure) now if you are currently on 3D Secure 1 as deadlines are quickly approaching.

SCA is an additional layer of security introduced under PSD2 regulation and provides two-factor authentication (2FA) for consumers. Issuers will have the ability to authenticate the customer by asking for two different methods of authentication. This could take the form of a biometric feature via the bank's app (something you are), the input of an SMS OTP (something you have), or a PIN number/password known by the customer (something you know).

Strong Customer Authentication is always performed by the issuer, who manages the serving of the pages to collect credentials or the delivery of SMS where appropriate. However, everyone in the payments industry should be supporting 3DS 2, compliant with SCA.

3DSv2 is a cross scheme authentication standard designed to improve the security and efficiency of transaction processing. It is being rolled out in Europe first in order to help merchants and acquirers comply with the PSD2 European Commission mandate for eCommerce transactions to have the opportunity to be "Strong Customer Authenticated" i.e. the customer's issuing bank has the possibility of triggering multi-factor authentication where they are concerned about the risk of processing the transaction.

More details on 3DS can be found on: https://www.paysafe.com/en/3ds-2/

All European and UK merchants must integrate to 3DSv2 by 1st of January 2021 for EEA and 14th March 2022 for UK respectively. All Issuers must be live on EMV 3D Secure 2 by the same date as well. It remains optional in other markets as the mandate is particular to the European regulatory regime. If your merchants are outside of those regions but expect to accept transactions from European and UK customers, 3D Secure 2 still applies to you. More details on this can be found on: https://www.paysafe.com/en/3ds-2/

It is recommended that you commence your integration now to ensure you are prepared in advance of this date.

If you have not integrated 3D Secure 2 by now, you will not be compliant with European payment regulations and there is a likelihood that the issuing banks will decline your transactions.

By October 2022, 3D Secure V1 will be fully retired in Europe and North America. Effective 15th October 2022, Visa, Mastercard and American Express will discontinue support of 3D Secure 1 and related technology. All transactions will need to use the 3D Secure 2 flow to ensure acceptance.

Yes, by October 2022, 3D Secure V1 will be fully retired globally. Effective 15th October 2022, Visa, Mastercard and American Express will discontinue support of 3D Secure 1 and related technology. All transactions will need to use the 3D Secure 2 flow to ensure acceptance. Some countries have received network extensions but these don’t apply to Paysafe as they are only for domestic traffic (where the acquirer and merchant are located in the same country).

Documentation on how to integrate to 3DSv2 was published in June 2019: https://developer.paysafe.com/en/3d-secure-2/api/#/introduction/overview

If you are using one of our hosted solutions, it is highly recommended to use our 3D Secure 2 service, as both authorization and authentication are linked together. If you are using a server-to-server API call, it is technically possible to use a different 3D Secure 2 provider, but this is not recommended. It might lead to an overcomplicated process of onboarding, transaction authorization and authentication. We strongly recommend using the Paysafe 3D Secure 2 flow, due to its benefits as an all-in-one solution.

In case you still consider not taking advantage of Paysafe’s 3DS2 solution, please contact Paysafe directly at: uk.customerservice@paysafe.com.

If you are in North America, please contact us at technicalsupport@paysafe.com in English or soutientechnique@paysafe.com in French.

We are automatically enrolling all our Paysafe acquiring merchants with the relevant card schemes and our 3DSv2 service. Integration guidelines were published in June 2019, which enable you to start integrating: https://developer.paysafe.com/en/3d-secure-2/api/. If you require further assistance, please contact customer services by email at uk.customerservice@paysafe.com.

If you are in North America, please contact us at technicalsupport@paysafe.com in English or soutientechnique@paysafe.com in French.

Mail Order or Telephone Order transactions are considered "Out of Scope" for PSD2 and therefore 3DSv2. No Strong Customer Authentication will be required as part of this transaction.

Any new card added to a card on file solution post 1st January 2021 in EEA and 14th March 2022 in UK will need to be Strong Customer Authenticated using Step-up (Challenged) authentication. This process is mandated under PSD2 to ensure that the customer is consenting to the establishment of this relationship between the customer and the merchant. If a payment is made at the same time as a card being added, only one SCA needs to be applied. Any card added to your card on file solution pre 1st January 2021 in EEA and 14th March 2022 does not need to be authenticated to confirm its addition to the vault/card on file service.

Any subsequent payments made using the card on file that was initially created post 1st January 2021 in EEA and 14th March 2022 in UK need to contain a Transaction Identifier to the original payment. This Identifier will be used as reference by the issuing bank to retrieve the necessary authentication data from the original transaction and comply with the mandates.

The same amount collected over regular periods is called a Recurring transaction. An example of this might be a £6.99 monthly TV subscription.

Varying amounts collected at regular or irregular intervals are called Merchant Initiated Transactions. A utility bill payment is one example.

In both cases, there would be a Strong Customer Authentication for the initial transaction only using Step-up (Challenged) authentication, but no 3D Secure 2 authentication would be required for any subsequent transactions. However, all subsequent transactions should include a reference to the initial one so the issuing bank can retrieve the necessary authentication data from the original transaction and comply with the mandates.

The transaction has been declined due to no Strong Customer Authentication applied. In such cases, the transaction can be attempted again after Strong Customer authentication is performed (via 3DS 2).

A two-legged transaction is one where both merchant and the customer are located within the EEA or UK. This means Strong Customer Authentication is required on those transactions.

In the case where only one of the two parties is within the EEA, SCA may not be required but is advised. This type of transaction is known as a ‘One Leg Out’ transaction, and it falls within the scope of PSD2. The following is the European Banking Authority guidance on ‘One Leg Out’ transactions:

In the case of card-based payments where the payee’s PSP (the acquirer) is located outside the Union (the so-called “one-leg out transactions”), the acquirer is not subject to PSD2. Where the payer wishes to make a card-based payment at the point of sale (POS) or in an online environment of a merchant whose acquirer is located outside the Union and the issuer cannot technically impose the use of SCA, the issuer shall make its own assessment whether to block the payment or be subject to the liability requirements under Article 73 PSD2 vis-à-vis the payer in the event that the payment has been unauthorised. — https://www.eba.europa.eu/single-rule-book-qa/-/qna/view/publicId/2018_4233

In summary, it is up to the EEA/UK Issuers to accept and decide whether to take on the liability for any transactions that do not have SCA data, as they do fall under PSD2 regulations. As most issuing banks typically prefer not to take on the liability, they can still impose Soft Declines on non-authenticated transactions initiated from merchants outside the EEA/UK (one-leg-out).

EEA payment providers and banks are legally required to enforce SCA. Online businesses who don’t fulfil the SCA/3DS2 requirements will experience a growth in their decline rates and conversion rates will fall as customer banks reject non-authenticated payments. Non-compliance will put both sellers and payment providers at risk of losing transaction volume. National regulators have the power to impose fines and even revoke a payment provider’s license.

Merchants are strongly encouraged to use EMV 3DS (3DS2) due to the benefits for their business and customers. In North America, it is not mandated yet. However, merchants who are currently using 3D Secure 1 need to upgrade to 3D Secure 2 prior to October 2022, to ensure that their transactions are not declined due to the 3D Secure 1 sunset.

Also, if you expect to have customers from EEA and UK, you should consider implementing 3D Secure 2 as the PSD2 regulation still applies to those transactions and you may see increased declines.

Liability shift will remain with 3D Secure 1 authenticated transactions until the protocol’s retirement on 15th October 2022.

There is no direct mandate for merchants to adopt the new protocol.

Our freephone telephone numbers continue to be UK: +44 (0) 118 928 5075 / International: 0800 249 1404.

And, if you need to reach out to our internal teams, you can continue to email us at uk.customerservice@paysafe.com for our Customer Service Team.

If you are in North America, please contact us at technicalsupport@paysafe.com for support in English or soutientechnique@paysafe.com for French.

3DS Exemptions can be requested by merchants as part of the payment Authorization. A merchant can request an exemption from the issuing bank so that the transaction does not require 3D Secure Authentication. An exemption can be requested only when there is a valid reason for 3D Secure not to be required. The reasons include:

  • Transaction is Merchant Initiated (MIT)
  • Transaction is of Low-Value (<=30 EUR or the equivalent in the target currency)
  • Secure Corporate Exemption
  • Trusted Beneficiary
  • Transaction Risk Analysis has been performed
  • There was an Authentication Outage while attempting to authenticate the customer.

When any of these exemptions for 3D Secure are requested, the liability will be shifted back to the merchant as essentially there is no authentication data to prove the customer attempted the payment. Requesting exemptions can potentially open the door to additional fraud so should be mainly used in low-risk scenarios.

Exemptions are a way to improve payment acceptance and reduce friction during checkout.

In Europe and UK, 3D Secure (or the relevant exemption) is required as part of the payment for every merchant category and this includes gaming & gambling.

For the rest of the world, there is a mandate that gaming & gambling merchants must EITHER provide the CVV OR request the customer is authenticated with 3D Secure. In the regions where 3D Secure is not required, gaming & gambling merchants can provide the CVV only.