Resource center
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
Topic
Region
Perspectives

Optimize your Checkout.com payment flow for 3D Secure

Link to the author's page
Tom Martindell
September 19, 2022
Link to the author's page
Optimize your Checkout.com payment flow for 3D Secure

Strong Customer Authentication (SCA) is now in place in the UK and across the European Economic Area (EEA). Whether you operate in the SCA regions or not, you can use our 3D Secure solution to optimize your authentication strategy.

In this article, we share our essential tips to optimize your Checkout.com integration, maximize your 3D Secure success rate, and authorize more transactions in SCA countries.

To authenticate or not?

You can use the 3ds.enabled field to choose whether 3D Secure authentication is performed when sending payment requests to our API. Setting this to true means your transactions will benefit from liability shift, however, this also means customers must go through 3D Secure and experience more friction when they pay.

By setting a risk strategy based on the transaction value, you can choose the authentication strategy that’s right for you. For example, you could choose to set this value to false for low value transactions within your risk appetite. Big ticket items carry higher risk, so you may wish to set this to true and benefit from liability shift in the event of fraud.

You can read guidance on how to set your preference in our documentation, and read more on when liability shift occurs during a transaction here.

The SCA mandate

If both your business and your customer’s bank are based in the EEA or UK, you’ll fall under SCA regulations. This means that unless you intend to apply an exemption, you must request 3D Secure authentication and send the field in your payment requests along with the 3ds.enabled field to indicate your preference for whether a 3DS challenge should be performed.

For guidance on when to apply 3D Secure in SCA markets, please see our SCA Business Scenarios documentation. We’ve also included guidance on the fields you’ll need to include when you submit recurring and subscription transactions (also known as Merchant Initiated Transactions or MITs) in SCA countries.

Using SCA exemptions

SCA exemptions let you request exemptions from Strong Customer Authentication in the UK and EEA if the transactions meet certain criteria. The customer's bank has the final say on whether to apply the requested exemption, using their assessment of the payment risk.

As with countries outside of the SCA regions, you should consider your business risk appetite, and apply exemptions only if you’re willing to accept the risk of liability in case of fraud. You can read more about the available exemptions here.

Checkout.com recently enabled exemption during the authentication flow. You can now set "3ds.enabled": true, when sending an exemption request, and we’ll automatically upgrade the transaction to 3D Secure if the bank rejects the exemption.
If you’re requesting the exemption with "3ds.enabled": false, we recommend amending this to true, as you’ll no longer receive a 20154 response code if the bank rejects the exemption.

Recognizing and responding to a soft-decline

Soft declines are a key component of SCA regulations, where issuers may decline transactions sent without 3D Secure (3DS) authentication. As mentioned above, our API will return these transactions with a 20154 response.

If you’ve not done so already, we strongly recommend speaking with your Customer Success Manager to discuss options to retry soft declined transactions with 3D Secure after you receive a 20154.

This is especially important for Mastercard transactions, as the card scheme will require UK and EEA merchants to re-attempt transactions using 3D Secure within 15 minutes of receiving a soft decline and will apply assessments (fines) to acquirers where the soft-decline retry rate is below a certain threshold.

Storing cardholder data

Some UK and EEA banks have begun to require strong authentication if merchants store cardholder details for future use. If you’re a business that doesn’t store cardholder data and only accepts one-off payments, this could mean more payments are challenged unnecessarily.

You can use the store_for_future_use field in the source object of your payment request to specify whether you're using a token or card for a one-off payment or storing card details when processing an initial payment request:

  • Set store_for_future_use: true when you intend to store card details e.g. to perform a card verification for subsequent payments, or offer a smoother checkout experience when your customer next visits your website
  • Set store_for_future_use: false if you don’t intend to store transaction details for future use. Note that in this scenario, we won’t return a payment instrument with the response

The Business Scenarios section of our SCA compliance guide outlines when to use this field, along with the other recommended fields to submit.

Flagging out of scope transactions

Merchant Initiated Transactions e.g subsequent recurring / installments, after the initial payment cannot go through 3D Secure as the cardholder isn’t present during the transaction.

If you’re processing these transaction types in SCA markets, it’s important that you send these transactions to our platform with the correct parameters. We’ll then send these on to the card issuer, who should recognize that the transaction is out of scope for SCA and not attempt a challenge.

Read our documentation for guidance on flagging these transaction types.

What comes next

In October, the card schemes will sunset 3D Secure Version 1. Checkout.com is in the process of automatically enabling 3D Secure Version 2 (3DS2) if you’re currently configured with 3D Secure version 1 to meet the October deadline set by the schemes.

In addition, Visa has recently released guidance for acquirers on inclusion of priority data elements within authentication requests. We’re looking into how to best leverage all the available data elements within the 3D Secure request to improve approval rates and maximize issuer confidence - resulting in more frictionless experience outcomes. We’ll be in touch with you to share more news in due course.

Download PDF

Stay up-to-date

Get Checkout.com news in your inbox.

Back to top button

Most recent articles

What is card testing fraud and how to protect your business
Blog
Apr 25, 2024

What is card testing fraud and how to protect your business

Read article
What is a BIN attack?
Blog
Apr 25, 2024

What is a BIN attack?

Read article
A guide to payment processing for B2B companies
Blog
Apr 23, 2024

A guide to payment processing for B2B companies

Read article
Card authorization explained
Blog
Apr 17, 2024

Card authorization explained

Read article
The trends and challenges for cross-border payments in 2024
Blog
Apr 17, 2024

The trends and challenges for cross-border payments in 2024

Read article
How alternative payment methods can reduce chargebacks
Blog
Apr 11, 2024

How alternative payment methods can reduce chargebacks

Read article
WeChat Pay: A guide for merchants
Blog
Apr 8, 2024

WeChat Pay: A guide for merchants

Read article
Online marketplace spending skyrockets by 143% during Ramadan in the UAE
Blog
Apr 4, 2024

Online marketplace spending skyrockets by 143% during Ramadan in the UAE

Read article
Ramadan online spend expected to raise across key sectors
Blog
Apr 4, 2024

Ramadan online spend expected to raise across key sectors

Read article
Why your business needs a Chief Payments Officer
Blog
Apr 2, 2024

Why your business needs a Chief Payments Officer

Read article
Why PCI DSS 4.0 is fundamental to a thriving digital economy
Blog
Apr 2, 2024

Why PCI DSS 4.0 is fundamental to a thriving digital economy

Read article
What is account takeover fraud?
Blog
Apr 2, 2024

What is account takeover fraud?

Read article
Return to home
September 19, 2022 4:58
October 24, 2022 10:05