3DS v2: Increase security; increase conversion
Update: Deadline for SCA implementation
The deadline for PSD2 implementation was 31st of December 2020 for all European Union member countries.
The only exception is the United Kingdom (UK), which decided to apply SCA from March 2022. However, this rule only applies to:
- Merchants processing transactions with UK acquirers (regardless of where the issuing banks are located)
- Transactions where the issuing bank is located in the UK (regardless of where the acquirer is located)
To learn more about the legal background, read the dedicated paragraph.
Considering the amount of work that still needs to be done to be fully compliant, we strongly advise you to get started. Please check our dedicated guide on PSD2/3DSv2 to learn more about your responsibilities as a merchant for implementing this rule set.
Payments are changing. We’ve got you covered, but here’s what you need to know.
The EU’s Second Payment Services Directive (2015/2366 PSD2) entered into force in January 2018, aiming to ensure consumer protection across all payment types, promoting an even more open, competitive payments landscape. Acting as a payment service provider, Worldline prides itself on being confirmed PSD2 compliant since 29 May 2018.
Watch the video as we give more insights on the new PSD2 legislation.
One of the key requirements of PSD2 relates to Strong Customer Authentication (SCA), which will be required on all electronic transactions in the EU from 1st of January 2021, and in the UK from the 14th of September 2021. SCA will require your customers to authenticate themselves with at least TWO of the following three methods:
- Something they know (PIN, password, …)
- Something they possess (card reader, mobile, …)
- Something they are (voice recognition, fingerprint, …)
A simple transition to greater security
Anyone shopping online in the last decade will likely have experienced 3D Secure, which was designed to add a layer of security and move liability from merchants on to banks. However, the redirect pages confused customers, causing them to abandon transactions.
A new version, 3D Secure v2, is now here to make authentication more convenient, helping you meet the required SCA standards by using data in a smarter way.
3DS v2 will send important data, such as the shipping address, the customer’s device ID and previous transaction history, over to the cardholder’s bank. The bank can then assess the risk level and if it trusts the transaction, the payment is made quickly and seamlessly (the customer will never even see 3D Secure v2 being applied). Alternatively, the bank can seek further input from the customer to authenticate the payment.
The graph above shows a step-by-step transaction flow and its implications depending on whether the customer’s card is enrolled for 3DSv2 or not.
More sales, better experiences
Sharing more data and only conducting additional checks when necessary means faster checkout times, extra security, improved sales and a better customer experience – and you can meet new SCA standards effortlessly.
If you are using our own payment page, moving to v2 will be seamless for you: we will manage it on your behalf. If the payment page is embedded into your website, our customer support will be happy to advise you on your next steps.
For more information, go here for our eCommerce page, or here for your own page.
Legal information
Article 2(1) PSD2 states that the Directive applies to payment services provided within the Union. According to Article 2(4) PSD2, Title IV, including Article 97 PSD2, applies to payment transactions in all currencies where only one of the payment service providers (PSPs) is located within the Union, in respect to those parts of the payment transactions which are carried out in the Union.
It follows that for payment transactions where more than one PSP is involved, if one of the PSPs is located within the Union, strong customer authentication (SCA) has to be applied in accordance with Article 97 PSD2 and the Commission Delegated Regulation (EU) 2018/389 to those parts of the transactions which are carried out within the Union.
In the case of card-based payments where the payee’s PSP (the acquirer) is located outside the Union (the so-called “one-leg out transactions”), the acquirer is not subject to PSD2. Where the payer wishes to make a card-based payment at the point of sale (POS) or in an online environment of a merchant whose acquirer is located outside the Union and the issuer cannot technically impose the use of SCA, the issuer shall make its own assessment whether to block the payment or be subject to the liability requirements under Article 73 PSD2 vis-à-vis the payer in the event that the payment has been unauthorised.
In the case of card-based payments where the payer's PSP (the issuer) is located outside the Union (the so-called “one-leg in transactions”), the issuer is not subject to PSD2. Where the payer wishes to make a card-based payment at a POS or in an online environment of a merchant whose acquirer is located in the Union, the acquirer is subject to PSD2 as it offers its services in the Union. As such, it is required to be in a position to accept SCA and thus has to put in place mechanisms that allow for SCA.