Card-not-present fraud is still a major threat for merchants, accounting for 60 to 70% of total card fraud. Merchants have to protect their activity from fraud efficiently, but also need to offer a streamlined user experience with less friction and fewer steps to follow, in order to increase their conversion rates.
The challenge for merchants is to find the right balance between fraud detection and user experience optimization.
- What is 3D Secure?
- Strong Customer Authentication with 3D Secure 2.0
- Impact of SCA on businesses
- Key milestones of the shift to SCA & 3D Secure 2.0
- Out of scope transactions
- Exemptions to SCA
- Liability shift in case of Fraud
- SCA compliance
What is 3D Secure?
3D Secure provides strong authentication of the cardholder, in order to protect your activity from fraudulent attempts and to secure your customers’ payment data. With 3D Secure you add a layer of authentication that minimizes the risk of chargebacks.
Strong Customer Authentication with 3D Secure 2.0
In order to enhance the security of customers during online payments, PSD2 enforces Strong Customer Authentication (SCA), also called two-factor authentication, in Europe.
Strong authentication of the payer requires at least two of these three factors:
- Something the customer is (e.g. fingerprint, face recognition)
- Something the customer knows (e.g. PIN, password)
- Something the customer has (e.g. card, mobile, token)
PSD2 adds that in some cases there will be exemptions to SCA.
This method, once adopted by consumers, will contribute to lowering fraud rates for e-commerce payments.
Impact of SCA on businesses
PSD2 applies to banks, which means that issuing banks that are not compliant will be exposed to sanctions.
Today, 3D Secure 1.0 is implemented to authenticate an online card payment. 3D Secure 2 will be the updated method for authenticating card payments, starting in 2021 for most banks in Europe. This new version will have a better UX, will adapt to the risk of each transaction, and will reduce friction in checkout flows.
As long as new forms of authentication like biometrics are not yet available, there will be a fallback to regular 3D Secure with SMS authentication. However, these new forms should be available starting in January 2021.
Key milestones of the shift to SCA & 3D Secure 2.0
The French Central Bank and the European Bank Authority have approved a ramp-up plan of a new infrastructure in order to meet the Strong Customer Authentication (SCA) regulation — in agreement with all payment ecosystem members (banks, payment networks, merchants, PSPs). Once fully deployed, for each transaction, the infrastructure will:
- Perform an SCA eligibility check (one leg/two leg, MIT, etc.)
- Record precisely the nature of the transaction and the merchant requirements (transaction risk level, recurring transaction, etc.)
- Manage exemptions, according to the RTS (Regulatory Technical Standards), and track liability shift in case of fraud
Key milestones of SCA implementation:
According to the SCA implementation plan, from April 1, 2020, the following will occur:
- A fallback to 3D Secure 1 for all transactions that will be subject to SCA
- A progressive ramp-up of the volume of transactions subject to SCA: in order to test the new infrastructure gently and reduce failure risks, banks will progressively increase the volume of transactions that they challenge with SCA.
Out of scope transactions
To be in the scope of the SCA RTS (Regulatory Technical Standards), a payment transaction must meet 2 requirements:
- Be an electronic payment
- Be initiated by the payer (a natural or legal person)
The European Banking Authority (EBA) expressly designated three types of card-not-present payments that are outside the scope of the SCA RTS:
- Merchant initiated transactions (including variable subscriptions): payments for which the amount is not initially known. These payments are made when the cardholder is not present, using a saved card. To benefit from this exemption, the merchant must authenticate the card when registering it or when making the first payment. The merchant must also obtain the client's agreement (mandate) to be authorized to debit the card later.
- One leg payments: when the customer's bank or the merchant's bank is outside the EU, no authentication will be carried out.
- MO/TO payments (mail orders, telephone orders): mail and telephone orders are not considered electronic payments.
Exemptions to SCA
Under PSD2, some payments may be exempted from Strong Customer Authentication. SlimPay, as a payment provider, is able to request these exemptions when processing the payment. The cardholder’s bank receives the request, assesses the risk level of the transaction, then decides whether it is subject to an exemption. Authentication in the merchants' checkouts introduces an extra step that adds friction and may increase customer drop-off. Leveraging exemptions reduces the need to authenticate your shopper, and therefore reduces friction.
Low value payments
All payments below € 30 are subject to this exemption. We estimate that around 50% of all online transactions will fall under this exemption.
However, this exemption is not valid if the total amount attempted on the card since the last authentication is higher than € 100, or if more than five transactions have been attempted on the card since the last authentication.
Fixed amount subscriptions
The customer makes a series of recurring payments of the same amount to the same merchant.
Strong authentication is required for the customer's first payment only. The following payments may be exempted.
A customer can also choose to whitelist a merchant they trust in order to avoid authentication for future payments.
Low risk / Transaction Risk Analysis
TRA exemption from the issuing bank: the card issuer can apply a TRA exemption even if you did not request it. We advise you to send additional information in your payment request, as it enhances the likelihood of getting this exemption.
TRA exemption request from the PSP: payment providers may have the option to choose whether or not to apply SCA to a transaction. However, payment providers must ensure their fraud rates do not exceed certain thresholds.
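To make the out-of-scope cases and the exemption rules above concrete, here is an added, illustrative decision routine that encodes them as written on this page (the € 30 low-value limit, the € 100 / five-attempt counters since the last authentication, the first-payment rule for fixed-amount subscriptions, merchant whitelisting, and the MIT/one-leg/MO-TO out-of-scope cases). It is example code, not SlimPay's API or the issuing bank's logic; the `CardState`, `Txn`, `sca_decision` and `record` names are assumptions, and it assumes the current attempt counts toward both cumulative limits.

```python
from dataclasses import dataclass
LOW_VALUE_LIMIT_EUR, CUMULATIVE_LIMIT_EUR, MAX_TXNS_SINCE_SCA = 30.0, 100.0, 5  # page thresholds

@dataclass
class CardState:  # constructed per-card counters, reset each time the cardholder completes SCA
    amount_since_sca: float = 0.0
    txns_since_sca: int = 0
    mandate_authenticated: bool = False   # SCA done at card registration / first payment
    whitelisted_merchants: frozenset = frozenset()

@dataclass
class Txn:
    amount: float
    merchant: str
    electronic: bool = True          # False for mail/telephone orders
    payer_initiated: bool = True     # False for merchant-initiated transactions (MIT)
    both_psps_in_eu: bool = True     # False means a one-leg payment
    recurring_fixed: bool = False    # fixed-amount subscription series
    first_in_series: bool = True

def sca_decision(t, card):
    """Classify a payment as out_of_scope, exempt or challenge, with the reason."""
    if not t.electronic:
        return "out_of_scope", "MO/TO order is not an electronic payment"
    if not t.both_psps_in_eu:
        return "out_of_scope", "one-leg payment"
    if not t.payer_initiated:
        if card.mandate_authenticated:
            return "out_of_scope", "MIT under an authenticated mandate"
        return "challenge", "MIT but card never authenticated: authenticate first"
    if t.merchant in card.whitelisted_merchants:
        return "exempt", "merchant whitelisted by the cardholder"
    if t.recurring_fixed and not t.first_in_series:
        return "exempt", "fixed-amount subscription after first payment"
    # Assumption: the current attempt counts toward both cumulative limits.
    if (t.amount < LOW_VALUE_LIMIT_EUR
            and card.amount_since_sca + t.amount <= CUMULATIVE_LIMIT_EUR
            and card.txns_since_sca < MAX_TXNS_SINCE_SCA):
        return "exempt", "low value"
    return "challenge", "no exemption applies"

def record(t, card, decision):
    """A challenge resets the counters and marks the card authenticated; an exemption consumes them."""
    if decision == "challenge":
        card.amount_since_sca, card.txns_since_sca = 0.0, 0
        card.mandate_authenticated = True
    elif decision == "exempt":
        card.amount_since_sca += t.amount
        card.txns_since_sca += 1
```

Because the issuer makes the final call, a merchant-side routine like this only predicts whether an exemption request is worth sending; the liability consequences described in the next section still apply to exempted transactions.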
Liability shift in case of Fraud
When SlimPay handles PSD2 compliance for you, we automatically ask for exemptions on your behalf whenever possible, and challenge the shopper with strong authentication whenever the bank requires it.
According to the European Payments Council: “the payer can claim full reimbursement from their PSP in case of an [unauthorized] payment if there was no SCA measure in place and if the payer did not act fraudulently”. This means that in the event of fraud on transactions that were granted an exemption, you are responsible for the chargebacks: there is no liability shift to the issuer.
SlimPay will ensure you get the most from Strong Customer Authentication: reducing fraud on risky transactions while avoiding customer abandonment, especially for low-risk transactions. We will make sure you benefit from exemptions whenever they are possible.
SlimPay's API and Checkout will be ready for SCA roll-out by July 1, 2020.
If you are already running in production, we have laid out a plan that explains how to start using 3D Secure. Depending on your business payment scenario, you may be required to update your API integration.
Important dates to remember:
- April 2020: SCA becomes mandatory in EU for transactions above 500 euros.
- September 2020: SlimPay will enable 3D Secure 2 for all merchants. From then on, the issuing banks decide whether or not to authenticate a transaction.
- November 2020: SCA becomes mandatory in the EU for transactions under 500 euros.
- 2021: Banks will progressively switch to more modern forms of authentication (fingerprint, push notification, ...).