3D Secure and Strong Customer Authentication

Dave McNamara

In this article, we’ll explain 3D Secure and Strong Customer Authentication (also known as SCA or two-factor authentication). We’ll also cover what you need to be SCA compliant and how this fits within Payment Services Directive 2 (PSD2). You’ll also find links to other helpful resources.

This article is for organisations in the UK and Ireland.


What is Payment Services Directive 2?

Payment Services Directive 2 (PSD2) is a European regulation introduced to improve the security of electronic payments. PSD2 provides requirements for Strong Customer Authentication (SCA).


What is Strong Customer Authentication?

Strong Customer Authentication (SCA) is a requirement of Payment Services Directive 2. Strong Customer Authentication is intended to increase the security of electronic payments and reduce fraud.

Strong Customer Authentication applies to the UK and the European Economic Area (EEA). It means that cardholders may need to complete extra levels of authentication when making a payment online.

Strong Customer Authentication is performed using at least two of the following:

  • Knowledge: Something the cardholder knows (password, PIN, passphrase)
  • Possession: Something the cardholder has (mobile phone, smart watch)
  • Inherence: Something the cardholder is (facial recognition, fingerprint)


What do I need to be SCA compliant?

To be SCA compliant you’ll need the following:

  • 3D Secure (mandatory)
  • Digital Wallets (optional)


What is 3D Secure?

3D Secure (3DS) is an authentication method that provides an additional layer of security against fraudulent transactions. 3D Secure verifies online card payments by confirming the cardholder’s identity with the card issuer.

During checkout, a cardholder may be asked to verify their identity with the card issuer. This verification could include:

  • Using a fingerprint to authenticate a payment on a registered device (something the cardholder is and something they own).
  • Entering a One Time Passcode (OTP) sent to a registered device, and their home postcode (something the cardholder owns and something they know).

TIP: As part of 3D Secure, Visa requires mandatory data for 3D Secure Processing. The required information is Cardholder Name and at least one of the following: Email Address, Home/Mobile/Cell/Work telephone number.


3D Secure Rules

Your Merchant Bank should already ensure 3D Secure checking takes place in all circumstances. However, we do recommend that you set up your own 3D Secure rules.

Creating your own 3D Secure Rules gives you the flexibility to customise which transactions you want to apply 3D Secure checks to.


How to set up 3D Secure Rules in Opayo

We recommend you set up your own 3D Secure rules in Opayo.

If you use Opayo, you can choose to set up a rule which ensures that any 3D Secure authentication failures are declined by Opayo. This means you can retain control and visibility of which transactions are authorised.

TIP: Our Support Team cannot advise which rules to set; this is a decision that must be made within your organisation.

To set additional 3D Secure rules, follow these steps:

  1. Log into MyOpayo.
  2. Click Settings from the top menu.
  3. Click 3D Secure from the left menu.

You’ll see the Add a new 3D Secure rule screen.

Each option you select allows transactions that meet that criterion to be sent for authorisation. A transaction that does not meet the requirements of the rules you have set is rejected.

Enter a Start Value and End Value (for example, transactions from £0.01 to £10.00) and then choose from the following options:

  • Perform the 3D Secure authentication: Select this option if you want 3D Secure to be checked. If unselected, 3D Secure will not be checked for transactions within the price range you have defined.
  • Accept non-3D Secure cards to be authorised: As 3D Secure is a scheme that cardholders have to register for, some customers on your site will not have it enabled. Select this option to allow customers whose cards are not enrolled in 3D Secure to be processed for authorisation.
  • Accept authorisations when MPI errors occur: There may be occasions where 3D Secure is unavailable (an MPI, or Merchant Plug-In, error). Select this option to process transactions without 3D Secure when it is unavailable.
  • Accept cards from non-3D Secure issuers to be authorised: Select this option to accept cards that are not part of the 3D Secure scheme, for example Diners Club. Only Visa, Mastercard and American Express are eligible for 3D Secure.
  • Accept 3D Secure failures to continue for authorisation: Select this option to let transactions proceed to authorisation even if the cardholder entered incorrect details and failed the 3D Secure checks.

WARNING: Choosing Accept 3D Secure failures to continue for authorisation will send all transactions for authorisation whether or not the details entered are correct. We recommend you do not use this option, as card details obtained fraudulently could be used and lead to an increase in chargebacks.

Once you have selected the appropriate option(s), click Add Rule.

TIP: You can create additional rules by repeating the steps above. The start and end values cannot overlap. You can use multiple rules over different price ranges. This lets you control the security depending on the value of your transactions.
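As an added illustration (example code written for this article, not Opayo’s or Spektrix’s own implementation), the following models how a set of non-overlapping Opayo rules decides whether a transaction is sent for authorisation, using the five options above plus a £0 rule that never accepts failures; the Outcome values, the Rule field names and the sample rule set are constructed for the example, and the handling of an amount that no rule covers is an assumption.

```python
from dataclasses import dataclass
from decimal import Decimal
from enum import Enum

class Outcome(Enum):  # result of the 3D Secure step, one value per rule option
    AUTHENTICATED = "authenticated"    # cardholder passed the check
    NOT_ENROLLED = "not_enrolled"      # card not registered for 3D Secure
    MPI_ERROR = "mpi_error"            # 3D Secure unavailable (MPI error)
    NON_3DS_ISSUER = "non_3ds_issuer"  # scheme outside 3D Secure, e.g. Diners Club
    FAILED = "failed"                  # cardholder entered incorrect details

@dataclass(frozen=True)
class Rule:  # one MyOpayo rule; the defaults are the strict choice for every option
    start: Decimal
    end: Decimal
    perform_3ds: bool = True
    accept_not_enrolled: bool = False
    accept_mpi_errors: bool = False
    accept_non_3ds_issuers: bool = False
    accept_failures: bool = False

def make_rule(start, end, **options):  # amounts as strings, e.g. "0.01", "10.00"
    return Rule(Decimal(str(start)), Decimal(str(end)), **options)

def validate_rules(rules):
    """Raise if two rules' start/end values overlap, which MyOpayo does not allow."""
    ordered = sorted(rules, key=lambda r: r.start)
    for a, b in zip(ordered, ordered[1:]):
        if b.start <= a.end:
            raise ValueError(f"rules {a.start}-{a.end} and {b.start}-{b.end} overlap")
    return ordered

def decide(rules, amount, outcome):
    """Return "authorise" or "reject" for one transaction under the matching rule."""
    amount = Decimal(str(amount))
    # Assumption: an amount no rule covers gets the strict defaults (3DS always checked).
    rule = next((r for r in rules if r.start <= amount <= r.end), Rule(amount, amount))
    if not rule.perform_3ds:
        return "authorise"  # 3D Secure is not checked in this price range
    accepted = {Outcome.AUTHENTICATED: True,
                Outcome.NOT_ENROLLED: rule.accept_not_enrolled,
                Outcome.MPI_ERROR: rule.accept_mpi_errors,
                Outcome.NON_3DS_ISSUER: rule.accept_non_3ds_issuers,
                Outcome.FAILED: rule.accept_failures}[outcome]
    return "authorise" if accepted else "reject"

# Constructed sample: £0 ZVA rule that never accepts failures, lenient band to £10, strict defaults above.
SAMPLE_RULES = validate_rules([
    make_rule("0.00", "0.00"),
    make_rule("0.01", "10.00", accept_not_enrolled=True, accept_mpi_errors=True)])
```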


3D Secure and Card Wallets/Stored Cards

If you have Card Wallets enabled, your customers can store their card details in your system. This means that when a customer makes a purchase, they can choose to use their stored card instead of having to enter the details manually each time.

When a customer adds a new card to their Wallet, they may be asked to complete a 3D Secure challenge.

As no money is taken during this process, this is called a Zero Value Authorisation (ZVA). A Zero Value Authorisation can increase the security of cards stored in their wallet in Spektrix.

In order for ZVA to work, you’ll need to configure your 3D Secure rules to not accept 3DS failures for £0/€0.


Digital Wallets

A digital wallet is an application (such as Apple Pay or Google Pay) on a mobile device that stores credit or debit card details. A digital wallet lets the customer use their mobile device to pay without having to use their physical card.

When a card is added to a digital wallet, the cardholder will be asked to authenticate their details. This usually involves checking that the address in their digital wallet matches the registered address of the card.

A digital wallet is safer than using a physical credit or debit card because Apple Pay and Google Pay don’t share your real card number with the payee.

When a cardholder makes a purchase, they confirm their payment using the following:

  • The card details stored in their wallet via contactless payment (holding it near a Chip & PIN machine).
  • Making a payment online and selecting Apple Pay or Google Pay as a payment method. The payment is taken from the card stored in the customer’s Apple Pay or Google Wallet. When using Google Pay online, the cardholder will still need to enter their CV2/CVV/CVC (the three or four digit code from their card).


SCA Exemptions

Not all payments fall within the requirements of Strong Customer Authentication. We’ve listed the exemptions below.


Low Risk Transactions

Certain acquirers look at the risk involved with each transaction that falls within the scope of SCA. If an acquirer identifies a transaction as low risk, it can request an exemption to skip SCA.

This is possible if the acquirer’s or issuer’s fraud rate is under the following thresholds:

  • 0.13% to exempt transactions below £85/€100
  • 0.06% to exempt transactions below £220/€250
  • 0.01% to exempt transactions below £440/€500

Ultimately, the card issuer decides whether they’ll accept the exemption request or enforce SCA.


Payments below £35/€30

Payments below £35/€30 may be exempt as they’re considered low value.

Banks will still need to request authentication if five payments under £35/€30 have been made since the last authentication, or if the sum of previously exempt payments exceeds £85/€100.

The issuing bank tracks the number of low value exemptions and decides whether SCA is needed.


Contactless Payments

Contactless payments are exempt from SCA where they meet the following criteria:

  • Individual contactless payments totalling £100/€120 or less
  • Cumulative payments totalling less than £300/€360

Where contactless payments exceed these amounts, SCA is required. This may involve the cardholder entering their PIN to confirm the payment. Once a cardholder has entered their PIN, the cumulative total resets.
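An added, issuer-side model of the exemption arithmetic in the Low Risk Transactions, Payments below £35/€30 and Contactless Payments sections above (example code written for this article, not Spektrix, Opayo or any card scheme code). It uses the GBP figures given above; the cumulative checks include the payment being assessed in the running total, and the class and function names are constructed for the example.

```python
from dataclasses import dataclass
from decimal import Decimal

# Acquirer/issuer fraud-rate ceilings and the transaction value each one exempts, in GBP
# as given above (EUR: €100/€250/€500). The rate must be under the ceiling to qualify.
LOW_RISK_BANDS = [(Decimal("0.0001"), Decimal("440")),   # under 0.01%: below £440
                  (Decimal("0.0006"), Decimal("220")),   # under 0.06%: below £220
                  (Decimal("0.0013"), Decimal("85"))]    # under 0.13%: below £85

def low_risk_limit(fraud_rate):
    """Largest value a low-risk exemption may be requested below, or None if none."""
    fraud_rate = Decimal(str(fraud_rate))
    for ceiling, limit in LOW_RISK_BANDS:  # ordered strictest band first
        if fraud_rate < ceiling:
            return limit
    return None

@dataclass
class ExemptionTally:
    """Issuer-side tally of exempt payments since the cardholder last authenticated."""
    single_limit: Decimal
    single_inclusive: bool     # True: amount <= limit qualifies; False: amount < limit
    cumulative_limit: Decimal  # running total, including the payment assessed, may not exceed this
    max_count: int = 0         # force SCA once this many exempt payments are made (0: no limit)
    count: int = 0
    total: Decimal = Decimal("0")

    def may_exempt(self, amount):
        amount = Decimal(str(amount))
        if amount > self.single_limit or (amount == self.single_limit and not self.single_inclusive):
            return False
        if self.max_count and self.count >= self.max_count:
            return False
        return self.total + amount <= self.cumulative_limit

    def record(self, amount, authenticated):
        """Update the tally; a payment the cardholder authenticated (e.g. by PIN) resets it."""
        if authenticated:
            self.count, self.total = 0, Decimal("0")
        else:
            self.count += 1
            self.total += Decimal(str(amount))

def low_value_tally():  # payments below £35: at most five, or £85 in total, since last SCA
    return ExemptionTally(Decimal("35"), False, Decimal("85"), max_count=5)

def contactless_tally():  # payments of £100 or less, up to £300 in total; PIN entry resets
    return ExemptionTally(Decimal("100"), True, Decimal("300"))
```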


Contactless Charitable Donations

Contactless charitable donations are seen as low risk. Donations are usually made using offline devices without the functionality to support PIN entry if a transaction is flagged for authentication.

Card Issuers are encouraged to work with charitable organisations to ensure donations aren’t disrupted due to SCA. Ultimately, the card issuer decides whether or not to enforce SCA.


Mail Order/Telephone Order (MOTO) Payments

Card payments made over the phone do not require authentication as they fall outside of the scope of SCA.


Continuous Authority/Recurring Payments

When a cardholder makes recurring payments for the same amount (for example, when automatically renewing a Membership), Strong Customer Authentication is required for the first payment; payments thereafter may be exempt from SCA.


This article should give you the information you need to understand Strong Customer Authentication, 3D Secure and Payment Services Directive 2.

To learn more about Payments, visit the Manage Payments section of the Support Centre.