3DS 2.0 Explained: Part II
In preparation for the Revised Payment Services Directive (PSD2) requirements, Checkout.com has launched a proprietary 3DS 2.0 solution for our customers to ensure a smooth transition and implementation of the new 3DS 2.0 protocol. Here’s everything you need to know.
What is 3DS 2.0 and PSD2 SCA?
The Revised Payment Services Directive (PSD2) has applied since January 13, 2018. It requires that, by September 14, 2019, Strong Customer Authentication (SCA) is applied to all remote electronic transactions, including e-commerce, unless an exemption applies. To implement SCA, merchants must send authentication requests using the 3DS 2.0 protocol; otherwise issuers may decline their e-commerce transactions. PSD2 applies in the 31 European Economic Area (EEA) countries: the 28 EU member states plus Norway, Iceland, and Liechtenstein.
3DS 2.0 is the next generation of the current customer authentication protocol known as 3DS 1. 3DS 2.0 will allow an enhanced exchange of transaction and consumer data designed to improve issuers’ and merchants’ decision making as it relates to authorization of transactions and the application of SCA exemptions. In addition, 3DS 2.0 supports in-app and mobile payments.
How is Checkout.com getting ready for 3DS 2.0 and the PSD2 SCA mandate?
Checkout.com’s proprietary 3DS 2.0 solution was certified by EMVCo in January 2019. EMVCo consists of six member organizations, American Express, Discover, JCB, Mastercard, UnionPay, and Visa, and is supported by other industry stakeholders: issuers, acquirers, processors, vendors, and merchants. EMVCo manages and evolves the EMV® Specifications and the related testing processes.
We have implemented new risk-engine rules and obtained the relevant Card Scheme certifications required under PSD2.
Checkout.com will apply a phased approach intended to minimize the impact on the majority of merchants who are currently using Checkout.com’s 3DS 1 solution. This will also give merchants time to prepare for an integration method that best suits their needs. The approach will coincide with the EMVCo rollout of the next 3DS 2.0 protocol version and the newly supported workflows and features such as ‘merchant-initiated payment authentication requests’ and ‘merchant-applicable SCA exemption flags’ in the authentication requests.
Phase I will have no impact on merchants who are already using 3DS 1. Phase II will introduce merchants to a wider selection of integration options and use of exemption flags in the authentication. Subsequent phases will offer more features and value-added services as they become available.
Key Dates: Mark your calendar and start planning!
Phase I: April 2019
Checkout.com launches our 3DS 2.0 solution, a fully integrated browser solution that uses the existing Checkout.com 3DS 1 integration. Checkout.com will gather all required information on behalf of the merchant and there is no need to change your current 3DS 1 integration.
3DS 2.0 does not currently support ‘merchant-initiated payment authentication requests’ nor the ‘merchant-applicable exemption flags’ in the authentication workflow. Therefore, Phase I will support the merchant-applicable exemption flags in the authorization workflow. This may result in ‘soft-decline’ authorization responses where the issuer will request a 3DS authentication prior to authorizing the transaction.
Merchant-initiated transactions, such as recurring payments (excluding the initial transaction, and provided the recurring amount does not change), are not subject to SCA under PSD2 and can be submitted directly for authorization. Our systems flag these authorization requests as ‘merchant-initiated recurring transactions’ and as ‘PSD2 exempt’ to ensure the highest conversion rates.
Phase II: October 2019 (or earlier if supported by the Card Scheme networks)
Checkout.com launches the next version of our 3DS 2.0 solution: a fully integrated browser solution, an SDK, and a 3DS 2.0 API for merchants who are already able to gather and submit all required information themselves. This also applies to merchants who manage the PSD2 SCA logic on their own or via an intermediate provider.
In Phase II, merchants will be able to submit additional optional fields to help with issuer risk-based authentication (RBA) decisioning; this will require integration changes. Merchants will also be able to submit authentication and authorization as two separate steps, and to submit authentication through Checkout.com and authorization through a third party, or vice versa.
Moving the industry to the next 3DS 2.0 version is dependent on the EMVCo certification lab and Card Scheme networks’ readiness. The current expectation is that the industry will not be ready to support the next 3DS 2.0 version by the PSD2 mandate on September 14, 2019. We will provide further updates on the next 3DS 2.0 version as they become available.
When should you begin transitioning?
Merchant readiness and Card Scheme 3DS 2.0 onboarding activities are already underway. For existing customers, Checkout.com will ensure a seamless transition. Merchants based in Europe will automatically be enrolled in the new protocol in time for the PSD2 mandate.
Checkout.com will switch traffic onto 3DS 2.0 gradually, starting with European-based merchants whose issuers support the new protocol. If the new version is not yet supported by the issuer, the request will automatically default to 3DS 1. Checkout.com will switch on full 3DS 2.0 support in each region in conjunction with the Card Scheme networks’ rollout schedule.
Current Card Scheme networks rollout plan:
- April 2019 in Europe
- October 2019 in the U.S., Canada, and Latin American countries
- April 2020 in Asia Pacific, Central and Eastern Europe, and the Middle East
How should I start preparing?
- All EEA merchants will need to ensure that they can support 3DS 2.0 by September 14, 2019. This includes merchants who have not previously used 3DS 1.
- All merchants should plan to adopt or migrate to the next 3DS 2.0 version between April and September 2019 to ensure they fully benefit from SCA exemptions, including the support of additional optional fields.
- Merchants who request an SCA exemption directly in authorization, without a prior authentication request, should be prepared for a ‘soft-decline’ from the issuer. In that case they should automatically send a 3DS 2.0 authentication with a challenge request and, if it succeeds, submit a new authorization. Similarly, if an issuer does not yet support 3DS 2.0 authentication, the merchant should fall back to 3DS 1.
- Merchants should ensure that they can provide all required data elements and, later on, the optional fields as per the phased schedule, in order to fully benefit from the frictionless RBA flow.
- Merchants who take a more complex approach to risk management and the checkout user experience should work with their Checkout.com Customer Success Managers to develop exemption strategies that best suit their business needs.
- Merchants that have regular returning customers, and who are able to demonstrate a low fraud rate, should make use of the trusted beneficiaries exemption available in Phase II.
- Merchants should make changes to their websites to support 3DS 2.0 and update with Card Schemes’ new 3DS 2.0 program logos.
How can I optimize the payment experience under PSD2?
Not all transactions require SCA under PSD2. Some transactions are out-of-scope or are exempt. In these cases, whether SCA is applied is determined by the merchant’s and/or Checkout.com’s transaction risk assessment.
Checkout.com will offer 3DS decisioning based on a combination of factors including whether a transaction is out-of-scope or qualifies for an exemption, risk assessment, optimization of user experience, and liability protection.
Merchants are encouraged to use exemptions as much as possible to ensure a frictionless user experience while also keeping fraud rates low and meeting the PSD2 mandate. We have updated our systems to ensure that correct transaction types and exemption scenarios are flagged to help issuers recognize when SCA is not required and authorize accordingly.
What is the difference between authentication and authorization, and what are the implications of requesting an exemption in either of the two workflows?
- Authentication verifies that the person presenting the card is its legitimate holder. Where required, authentication must take place before authorization under 3DS.
- Authorization is a separate process whereby the issuer may approve or decline a payment transaction submitted by a merchant.
- Exemptions are scenarios that EU regulators have agreed to exclude from the SCA mandate.
Either workflow can be used to indicate the nature of the transaction – whether it is out-of-scope, requires SCA, or is being processed under one of the exemptions. Transactions that are out-of-scope are most likely to be sent directly to authorization without authentication being requested.
A merchant can request an exemption via the authentication workflow before sending an authorization request. The advantage of this approach is that if the issuer rejects the exemption, the cardholder is still present to complete any required authentication step, even if this delays authorization.
Where PSD2 applies, we recommend sending transactions for authentication first and requesting every exemption that applies. This will ensure higher conversion rates and more successful authentication requests in the future.
A merchant can also submit an authorization and request an exemption directly. The advantage of this approach is that the authentication workflow can be skipped altogether if the issuer accepts the exemption. However, if the issuer declines the exemption and requests authentication, the payment completion may be delayed or the cardholder may no longer be present to perform the authentication.
Checkout.com will apply the exemption flags in the authorization workflow and merchants should be aware that the issuer has the right to request resubmission via 3DS if they determine that authentication is required.
If no exemption flags are used in either workflow, the decision will be determined by the issuer.
So what is considered in-scope or out-of-scope?
- One-time cardholder-initiated transactions (CITs) are considered in-scope under SCA. However, some exemptions do exist such as ‘low-value amount’ (under 30 Euro) transactions.
- Adding a credential-on-file (COF), or provisioning of a token are in-scope under SCA, unless the merchant obtains the updated information via the Scheme Account Updater or token services.
- Merchant-initiated transactions (MITs) are out-of-scope under SCA since they are based on prior cardholder agreements. SCA is required for the initial transaction when the cardholder agrees to the terms under which future MITs are processed.
- Mail order telephone order (MOTO) transactions are out-of-scope under SCA, but future versions of 3DS 2.0 will optionally support these to help better manage the merchant risk.
- If the issuer or the merchant is located outside the EEA (a ‘one-leg-out’ transaction), the transaction is considered out-of-scope under SCA. SCA should be applied to these transactions on a ‘best effort’ basis.
- Transactions made with anonymous prepaid cards are not subject to the SCA mandate.
- If you only check the validity of a card number and expiry date using an account-verification (zero-value) authorization, the transaction is not subject to the SCA mandate.
To use the trusted beneficiary service, a merchant will need to send an enrollment request to the issuer to be added to a cardholder’s trusted beneficiaries list. SCA is required for enrollment.
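The scoping rules in the list above, the exemption-in-authorization flow with its ‘soft-decline’ fallback (including the 3DS 1 fallback for issuers that do not yet support 3DS 2.0), and the authentication-first alternative, brought together in one added worked example. This is not Checkout.com code and not its API: the Txn fields, the MockIssuer, the result strings and the step labels are assumptions made for illustration; only the EEA country set and the 30 euro low-value threshold come from the text.

```python
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Tuple

# EEA at the time of writing: 28 EU states plus IS, LI, NO (ISO 3166-1 alpha-2).
EEA = {
    "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR",
    "HU", "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK",
    "SI", "ES", "SE", "GB", "IS", "LI", "NO",
}
LOW_VALUE_LIMIT_EUR = 30.0  # 'low-value amount' exemption threshold from the text


class Scope(Enum):
    OUT_OF_SCOPE = "out_of_scope"  # authorize directly, no SCA
    EXEMPT = "exempt"              # in scope, but an exemption can be requested
    SCA_REQUIRED = "sca_required"  # authenticate before authorizing


@dataclass
class Txn:  # constructed transaction record; field names are this example's own
    amount_eur: float
    merchant_country: str
    issuer_country: str
    initiated_by: str = "cardholder"    # "cardholder" (CIT) or "merchant" (MIT)
    channel: str = "ecommerce"          # "ecommerce" or "moto"
    anonymous_prepaid: bool = False
    account_verification: bool = False  # card check only, no funds moved
    trusted_beneficiary: bool = False   # merchant already on the cardholder's list


def classify(t: Txn) -> Tuple[Scope, Optional[str]]:
    """Map a transaction to (scope, flag) using the in/out-of-scope rules above."""
    if t.channel == "moto":
        return Scope.OUT_OF_SCOPE, "moto"
    if t.initiated_by == "merchant":
        # Subsequent MITs only: the initial agreement is a CIT and needs SCA.
        return Scope.OUT_OF_SCOPE, "mit"
    if t.merchant_country not in EEA or t.issuer_country not in EEA:
        return Scope.OUT_OF_SCOPE, "one_leg_out"
    if t.anonymous_prepaid:
        return Scope.OUT_OF_SCOPE, "anonymous_prepaid"
    if t.account_verification:
        return Scope.OUT_OF_SCOPE, "account_verification"
    if t.amount_eur < LOW_VALUE_LIMIT_EUR:
        return Scope.EXEMPT, "low_value"
    if t.trusted_beneficiary:
        return Scope.EXEMPT, "trusted_beneficiary"
    return Scope.SCA_REQUIRED, None


@dataclass
class MockIssuer:
    """Stand-in for the issuer's ACS and authorization host (an assumption, not a real API)."""
    supports_3ds2: bool = True
    accepts_exemptions: bool = True  # False: every exemption request is soft-declined

    def authenticate(self, t: Txn, exemption: Optional[str]) -> dict:
        version = "2.0" if self.supports_3ds2 else "1.0"
        # Only 3DS 2.0 carries an exemption flag the issuer can honour frictionlessly;
        # 3DS 1 always challenges. The cardholder is assumed to pass the challenge.
        frictionless = version == "2.0" and exemption is not None and self.accepts_exemptions
        return {"version": version, "challenged": not frictionless}

    def authorize(self, t: Txn, exemption: Optional[str] = None,
                  authenticated: bool = False) -> str:
        scope, _ = classify(t)
        if authenticated or scope is Scope.OUT_OF_SCOPE:
            return "approved"
        if exemption is not None and self.accepts_exemptions:
            return "approved"
        return "soft_decline"  # issuer wants 3DS before it will authorize


def process(t: Txn, issuer: MockIssuer, strategy: str = "authorization_first",
            cardholder_present: bool = True) -> Tuple[str, List[str]]:
    """Run one payment; return (outcome, steps) so the flow can be inspected."""
    steps: List[str] = []
    scope, flag = classify(t)

    if scope is Scope.OUT_OF_SCOPE:
        steps.append(f"authorize:{flag}")
        return issuer.authorize(t), steps

    if scope is Scope.EXEMPT and strategy == "authorization_first":
        # Phase I style: carry the exemption flag in the authorization itself.
        steps.append(f"authorize:exemption={flag}")
        if issuer.authorize(t, exemption=flag) == "approved":
            return "approved", steps
        steps.append("soft_decline")
        if not cardholder_present:
            return "failed:cardholder_gone", steps  # the risk of this strategy

    # SCA required, exemption soft-declined, or authentication-first strategy:
    # run 3DS (2.0 if the issuer supports it, else 3DS 1), then authorize.
    auth = issuer.authenticate(t, flag if scope is Scope.EXEMPT else None)
    steps.append(f"3ds{auth['version']}:{'challenge' if auth['challenged'] else 'frictionless'}")
    steps.append("authorize:authenticated")
    return issuer.authorize(t, authenticated=True), steps


if __name__ == "__main__":
    print(process(Txn(20, "DE", "FR"), MockIssuer(accepts_exemptions=False)))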
What else should I be aware of?
- The issuer has the final decision on whether to accept or apply an exemption; they can apply SCA or decline the transaction.
- For low-value accumulated-amount transactions, while the regulation allows the merchant and acquirer to apply for an exemption, this is not practical since neither the merchant nor the acquirer has visibility of the cumulative-amount and velocity limits that apply to the exemption; only the issuer tracks them.
- Recurring transactions should be treated as out-of-scope MITs instead of applying for a recurring transactions exemption.
- The Card Schemes will require issuers to meet minimum performance levels for authorization approval, fraud, and abandonment rates. European issuers will also be required to offer their cardholders biometric authentication via smartphones, which has the lowest abandonment and fraud rates and therefore the highest sales conversion.
For more information, contact our payment specialists at firstname.lastname@example.org or learn more by visiting our 3D Secure docs. For current Checkout.com customers, contact your Customer Success Manager for more information.