Introduction
What is 3DS 2?
3DS 2 represents an upgraded and improved iteration of the original "Three Domain Secure" (3-D Secure or 3DS) authentication method, which is implemented by card issuers and acquirers in collaboration with specific card schemes such as MasterCard (MasterCard SecureCode) and Visa (Verified by Visa).
In 3DS 1, the cardholder was directed to the issuer's website before the actual card authorization occurred. On the issuer's website, the cardholder had to perform authentication, such as providing a one-time-password (OTP) sent via SMS or confirming the payment in the bank's mobile app.
In its simplest form, 3DS 2 (also known as EMV 3-D Secure, named after the governing organization) improves upon the original standard by allowing merchants and payment service providers (PSPs) to send more data, enabling more robust authentication. Additionally, the process is made more mobile-friendly and, in some cases, completely frictionless, eliminating the need for redirection and one-time passwords (OTPs).
This evolution is also evident in the rebranding of the services provided by Visa and MasterCard, known as Visa Secure and MasterCard Identity Check, respectively.
What is PSD 2 / SCA?
The Revised Payment Services Directive (PSD 2) is a legislative measure that took effect in the European Union on 14th September 2019. One of its significant provisions is the introduction of the Strong Customer Authentication (SCA) requirement for online payments.
According to the SCA requirement, "strong authentication" must involve a combination of at least two out of three factors: "something you know" (e.g., password), "something you are" (e.g., fingerprint), and "something you own" (e.g., a mobile device). This multi-factor authentication approach enhances the security of online payments by requiring customers to provide two distinct pieces of information or credentials, ensuring a higher level of user verification and protection against unauthorized access.
Essentially, with the implementation of the SCA requirement, most card payments require 3DS (3-D Secure) authentication.
As a result of the SCA requirement, processing payments with stored cards as "one-click transactions" becomes challenging, as additional authentication steps are necessary.
Additionally, the SCA regulation also impacts recurring payments, making them unfeasible without the cardholder's presence on the merchant's website for authentication.
Fortunately, there are exemptions to the SCA requirement, which provide flexibility in certain scenarios.
Exemptions
Recurring an Merchant Initiated Transactions
For subscriptions or recurring cycles, only the initial transaction, which establishes the subscription, will require SCA. Subsequent charges made as part of the recurring cycle will be exempt from SCA.
Transactions that are for a fixed amount and follow a regular billing pattern are considered "recurring" and are eligible for exemptions.
In cases where the transaction amount varies over time, such as utility bills based on usage (e.g., electricity or telecom services), these transactions are called Merchant-Initiated Transactions (MIT) and are also exempt from SCA.
However, it's essential to note that for both recurring and MIT transactions, the merchant must obtain the cardholder's consent to charge the card. This consent ensures that the cardholder is aware of and authorizes the future charges associated with the subscription or MIT arrangement.
Low Value and Low Risk Transactions
Payment transactions below 30 EUR (or equivalent in local currency) are exempt from SCA. However, if the total amount attempted on the card without strong authentication within a 24-hour period exceeds 100 EUR or every 5 transactions, SCA will be necessary. The issuing bank is responsible for monitoring the attempts and enforcing authentication as needed.
Moreover, low-risk transactions are also exempt from SCA. The determination of a payment being considered low risk depends on the average fraud levels of the card issuer and acquirer handling the transaction. While the acquirer may identify the transaction as low risk in the authorization request to the issuer, the issuer reserves the right to demand strong authentication despite the acquirer's claim.
Soft Declines
The card issuer holds the authority to decide whether to accept the exemption for Low Value or Low Risk Transactions.
If the issuer deems strong customer authentication necessary, the authorization will be declined with a specific reason code.
In such cases, the authorization can be retried, but only if it is supplemented with the outcome of prior payer authentication through 3DS. Additional information regarding the handling of soft declines can be found in the Handling soft declines section, providing further insights on how to manage such scenarios effectively.