3D Secure 2.0 – what it really means

The future of secure payments / Q&As

Surely you have heard about the requirements associated with the Revised Payment Services Directive (PSD2). One element of PSD2, strong customer authentication (SCA), will also affect every participant of a payment within an e-commerce environment. Something serious and relevant?

Yes, but adherence to PSD2 and 3D Secure 2.0 is not a drama from the perspective of e-commerce, it is just the evolution of a security-feature/standard to protect the payment environment. We’ve collected the most critical questions about 3D Secure 2.0 to give you advice on how to handle this topic as efficiently as possible.

What does this new standard now mean for an e-commerce merchant?

With the introduction of the new protocol, it is ensured that the implementation of the PSD2 rules for card payments and all strong customer authentication (SCA) requirements are met. At a glance, the step to the next level of security means:

PSD2-compliant processing

Dynamic and accurate end-user authentication

Increased transaction security

Improved revenue assurance

The story of 3D Secure

3D Secure has been introduced to give card issuers the ability to authenticate cardholders in an e-commerce environment, reducing the likelihood of fraudulent activity and protecting all participants in the payment ecosystem. For 3D Secure version 1.0 authentication, an additional value was introduced that may only be known to the real cardholder, such as a password.

Unfortunately, passwords have certain weaknesses. For this reason, PSD2 demands a strong customer authentication method, which should also be applied to such authentication procedures. As a result, 3D Secure 2.0 must provide more customer authentication details to increase the likelihood that the real cardholder initiates the transaction.

What does every merchant need to do?

In simple terms, it means providing some additional data fields under the new 3D Secure 2.0 standard. These data fields will help the issuer to authenticate the cardholder properly and in more detail so that the security level with such enhanced procedures will undoubtedly increase. Finally, all those involved in the payment transaction will benefit from this additional security, resulting in a lower fraud rate.

What are the additional main fields for 3D Secure 2.0?

Besides the already existing customer details, the presence and accuracy of the following 3D Secure fields actively improve approval rates and reduce unnecessary cardholder challenges:

Acquirer Merchant ID

Browser Accept Headers

Browser IP Address

Browser Java Enabled

Browser JavaScript Enabled

Browser Language

Browser Screen Color

Browser Screen Height

Browser Screen Width

Browser Time Zone

Browser User-Agent

Transaction Type

Cardholder Account Information

Cardholder Shipping Address

Is 3D Secure 2.0 mandatory for all transactions?

With its intention to increase the overall security level of payments, 3D Secure 2.0 requires SCA to be mandatory for all online transactions. However, some exemptions are provided for to agree on smooth shopping experience for consumers with added security for larger, less frequented or riskier transactions.

The most relevant exemptions e-commerce merchants may take into consideration:

Low-value transactions
Exemptions will be granted for transactions under 30 EUR. However, issuers may demand SCA after five transactions or in case the aggregated amount exceeds 100 EUR.

Subscription and recurring transactions
Subscription or recurring transactions with a fixed amount are exempted from the second transaction onwards. SCA is required with the initial transaction or in case of a changing amount.

Mail Order and Telephone Orders (MOTO)
MOTO transactions are not covered within the new standard, so no SCA request will apply in any case.

When do merchants need to be prepared?

Well, first of all, the timetable for implementation is rather tight and states that the new standards are to be applied by 14 September 2019.

The payment card industry is vast and therefore such substantial changes or updates to the standards established over several years will take some time, meaning that there will be a grace period for all participants at least for the next few months. Merchants do not have to fear a hot cut-off on 14 September.

However, DIMOCO Payment Services is 3D Secure 2.0 is ready. We know what needs to be implemented, what needs to be sent, and what the impact would be for any e-commerce merchant.

What will happen if merchants are not prepared?

Within this grace period, there will be a 3D Secure acceptance as usual. Both 3D Secure 1.0 transactions and non-SCA based 3D Secure transactions will be temporarily accepted. For the coming months, merchants should not really feel the transition to 3D Secure 2.0.

The provision of these additional fields within a transaction drastically increases the chance of approval by the issuer. Conversely, this does not mean that at least for the time being success rate will drop immediately by September 14 if merchants do not provide the additional details shortly.

But the grace period will also come to an end, and the merchants should use the time carefully to make the necessary preparations and thus avoid a decline in the success rate.

How does DIMOCO Payment Services support merchants with the introduction of 3D Secure 2.0?

We can help to stay compliant from a transaction-perspective, without coming up with significant hurdles or efforts for the merchant’s business. DIMOCO Payment Services offers merchants personal and simple advice (and not just documentation) on how and which areas should be implemented. These fields are mainly about additional details of the end customer. So, the more information an e-commerce retailer already transmits to DPS today, the fewer new fields need to be implemented.

If you would like to have further insights, please contact our experts at payments@dimoco.eu