This September, Europe will see the introduction of new requirements for authenticating online payments, as part of the second Payment Services Directive (PSD2). These requirements, also known as ‘Strong Customer Authentication’, are going to significantly change how online retailers process payments within Europe. Here at Calcey, we do a lot of work with European clients, who have had to migrate to 3D Secure-compliant processes. Here are a few things which we have learned along the way.

What is Strong Customer Authentication (SCA)?

The European regulators introduced SCA to reduce fraud and make online transactions more secure. Once SCA becomes legally binding from September 2019 onwards, merchants (especially those who transact online) will have to build an additional authentication step into their checkout flow. For a transaction to satisfy SCA, the customer has to be authenticated with two independent factors drawn from at least two of the following three categories:

  1. Something the customer knows (e.g. a PIN or a password)
  2. Something the customer has (e.g. a hardware token, or a phone)
  3. Something the customer is (e.g. a fingerprint or face recognition)


From September 14 onwards, banks will be able to decline transactions which don’t meet the SCA criteria.

How SCA Works / Credit: WP Simple Pay

How Authentication Works

Currently, the most common way of authenticating a card payment is 3D Secure 1, a protocol supported by the vast majority of cards globally. You know that 3D Secure is in place when you try to check out and are prompted to enter an OTP or a password. This extra authentication layer also lets merchants shift liability for fraudulent transactions to the card issuer.

3D Secure 1 was first rolled out in 2001, and though it gained popularity as an effective tool for reducing card fraud, it had its own problems. Chief among the grievances against 3D Secure 1 is that the additional step didn't mesh well with the payment flow, leading to high cart abandonment rates. Secondly, many banks forced their customers to remember static passwords to complete 3D Secure authentication; customers forgot them, and a static password that can be phished once and reused defeats the purpose of the extra step.

Enter 3D Secure 2: Frictionless And Better Looking

3D Secure 2 aims to address these drawbacks while strengthening security. One of its main features is Risk Based Authentication (RBA), made possible because the protocol lets the merchant send many more data elements with each authentication request. These include payment-specific data such as the shipping address, as well as contextual data such as the customer's device and browser information and their previous transaction history with the merchant.

The cardholder’s bank can then use this information to assess the risk level of the transaction and decide on an appropriate response to go along with it:

  • If the data is adequate for the bank to trust that the real cardholder is carrying out the purchase, the transaction goes through the “frictionless” flow and the authentication is completed without any additional input from the cardholder.
  • If the bank decides that it needs further proof, the transaction is sent through the “challenge” flow and the customer is asked to provide additional input to authenticate the payment.
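The decision described above, worked through as an added example (not code from the original post, from EMVCo or from any card network): a toy issuer-side risk score over the request's data elements, the frictionless versus challenge answer, the challenge result, and the merchant only authorising once the issuer has handed back an authentication value it can verify. The transStatus values ('Y', 'C', 'N') and the eci/authenticationValue field names follow the 3D Secure 2 message format; the scoring rules, threshold, issuer key, cardholder profile and transactions are constructed for illustration.

```python
"""Simplified 3D Secure 2 risk-based authentication, end to end (added example)."""
import hashlib
import hmac
from dataclasses import dataclass

ISSUER_KEY = b"constructed-issuer-key"   # stand-in for what an ACS uses to derive the CAVV


@dataclass
class AuthRequest:
    """Subset of the AReq data elements the merchant sends for risk assessment."""
    txn_id: str
    amount_minor: int          # 12345 == 123.45
    billing_country: str
    shipping_country: str
    device_id: str             # device/browser fingerprint collected at checkout
    prior_txn_count: int       # this cardholder's earlier purchases at the merchant


@dataclass(frozen=True)
class CardholderProfile:
    """Issuer-side history about the cardholder (constructed)."""
    known_devices: frozenset
    otp_expected: str


def risk_score(req: AuthRequest, profile: CardholderProfile) -> int:
    """Toy RBA: every signal the issuer cannot corroborate adds risk."""
    score = 0
    if req.device_id not in profile.known_devices:
        score += 40
    if req.shipping_country != req.billing_country:
        score += 25
    if req.amount_minor > 50_000:          # over 500.00 in minor units
        score += 20
    if req.prior_txn_count == 0:
        score += 15
    return score


def _auth_value(txn_id: str) -> str:
    """Stand-in for the CAVV the ACS issues on successful authentication."""
    return hmac.new(ISSUER_KEY, txn_id.encode(), hashlib.sha256).hexdigest()[:28]


def acs_authenticate(req: AuthRequest, profile: CardholderProfile, threshold: int = 50) -> dict:
    """ARes: frictionless ('Y') when the score is below the threshold, else challenge ('C')."""
    if risk_score(req, profile) < threshold:
        return {"transStatus": "Y", "eci": "05", "authenticationValue": _auth_value(req.txn_id)}
    return {"transStatus": "C"}


def acs_challenge_result(req: AuthRequest, profile: CardholderProfile, otp_submitted: str) -> dict:
    """Result after the challenge: 'Y' if the OTP matched, 'N' otherwise."""
    if hmac.compare_digest(otp_submitted, profile.otp_expected):
        return {"transStatus": "Y", "eci": "05", "authenticationValue": _auth_value(req.txn_id)}
    return {"transStatus": "N", "eci": "07"}


def issuer_authorize(txn_id: str, eci: str, auth_value: str) -> bool:
    """Authorisation: the issuer re-checks the CAVV it handed out, so a result
    forged or tampered with on the client side is rejected even if it says 'Y'."""
    return eci == "05" and hmac.compare_digest(auth_value, _auth_value(txn_id))


def merchant_checkout(req: AuthRequest, profile: CardholderProfile, otp_from_customer=None) -> str:
    """Merchant-side flow: returns 'authorized', 'challenge' or 'declined'."""
    result = acs_authenticate(req, profile)
    if result["transStatus"] == "C":
        if otp_from_customer is None:
            return "challenge"        # render the challenge in an iframe, collect input, call again
        result = acs_challenge_result(req, profile, otp_from_customer)
    if result["transStatus"] != "Y":
        return "declined"
    ok = issuer_authorize(req.txn_id, result.get("eci", ""), result.get("authenticationValue", ""))
    return "authorized" if ok else "declined"


# Constructed cardholder and two constructed purchases.
PROFILE = CardholderProfile(known_devices=frozenset({"dev-A"}), otp_expected="482913")


def returning_customer() -> AuthRequest:
    return AuthRequest("txn-1", 4_999, "DE", "DE", "dev-A", prior_txn_count=7)


def first_time_new_device() -> AuthRequest:
    return AuthRequest("txn-2", 89_900, "DE", "FR", "dev-Z", prior_txn_count=0)


if __name__ == "__main__":
    print(merchant_checkout(returning_customer(), PROFILE))            # frictionless
    print(merchant_checkout(first_time_new_device(), PROFILE))         # challenge
    print(merchant_checkout(first_time_new_device(), PROFILE, "482913"))
```

The point for the merchant is in `issuer_authorize`: the "Y" that matters is the one carried in the server-to-server result together with the authentication value, which the issuer validates again at authorisation. A checkout that marks an order paid because the browser reported a successful challenge can be bypassed by editing that report.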

Second, 3D Secure 1 was developed well before the rise of the smartphone, and today we live our lives on our phones. Because of the era it was built in, 3D Secure 1 was unpleasant to use unless you were in front of a PC. It forced a full-page redirect to an issuer-hosted page on an unfamiliar domain, which was cumbersome and taught customers to type bank credentials into pages they had no easy way to verify, leaving them exposed to phishing and 'Man-in-the-Middle' style attacks.

This has been rectified with 3D Secure 2, and banks can now offer a more seamless and less disruptive authentication experience. Instead of entering a password or waiting for an OTP-bearing text message to arrive, customers can authenticate the payment via fingerprint, face recognition, or a confirmation in the mobile banking app installed on their phone.

3D Secure 2 has also been designed so that the challenge flow can be embedded directly within web and mobile checkout flows, without a full-page redirect. This is a boon for any developer concerned with the user experience, like we are at Calcey. If a customer triggers an authentication on your site, the 3D Secure challenge is now typically rendered in an iframe inside a modal on the checkout page (the browser flow), so the customer never leaves your checkout.


Card networks such as Visa and Mastercard (EMVCo maintains the 3D Secure 2 specification itself) have made available mobile SDKs which make it easier to build 'in-app' authentication flows. Both networks have also published UI guidelines for developers, to help sidestep the cart abandonment caused by poor authentication UI, which banks can be notorious for.

Digital wallets such as Apple Pay and Google Pay already include a built-in authentication step (unlocking the device with a fingerprint, face scan or passcode), so payments made through them generally satisfy SCA without a separate 3D Secure challenge. Enabling these as payment options on your ecommerce site is a quick way to offer a seamless checkout and authentication experience.

While traditional banks may take some time to fully comply with SCA, payment processors such as Stripe and Braintree are already compliant. For instance, if you're using Stripe to process payments, upgrading to its SCA-ready Checkout or Payment Intents integration gives you 3D Secure 2 support, with Stripe deciding when a challenge is needed and rendering it for you.
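What the merchant's server has to do once a processor handles 3D Secure 2 for it, as an added example that is not Stripe's code or the original post's: answer the browser with "more action needed" when the processor reports that the issuer wants a challenge, and fulfil the order only from a signed webhook that says the payment succeeded, never from the browser's own claim. The statuses ('requires_action', 'succeeded'), the next_action type 'use_stripe_sdk', the event types, the 'authentication_required' decline code and the webhook signature format (header 't=<timestamp>,v1=<hmac>' over '<timestamp>.<payload>') follow Stripe's public documentation; the secret, the event payloads and the in-memory order store are constructed for the example, and nothing here calls the Stripe library.

```python
"""Merchant-side handling of an SCA-ready processor integration (added example)."""
import hashlib
import hmac
import json
import time

WEBHOOK_SECRET = b"whsec_constructed_example_only"   # constructed; never hard-code a real one
TOLERANCE_SECONDS = 300                              # reject replayed events older than this


def client_response(intent: dict) -> dict:
    """Reply to the browser after server-side confirmation. 'requires_action' means the
    issuer wants a 3D Secure challenge: hand back the client secret so the processor's
    JavaScript can render it in a modal. The order is NOT marked paid here."""
    status = intent.get("status")
    if status == "requires_action" and intent.get("next_action", {}).get("type") == "use_stripe_sdk":
        return {"requires_action": True, "payment_intent_client_secret": intent["client_secret"]}
    if status == "succeeded":
        return {"success": True}
    return {"error": f"unexpected status {status}"}


def _signature(payload: bytes, ts: int, secret: bytes) -> str:
    return hmac.new(secret, f"{ts}.".encode() + payload, hashlib.sha256).hexdigest()


def sign_payload(payload: bytes, ts: int, secret: bytes = WEBHOOK_SECRET) -> str:
    """Produce the signature header the way the processor would (used to build test events)."""
    return f"t={ts},v1={_signature(payload, ts, secret)}"


def verify_signature(payload: bytes, header: str, now: float, secret: bytes = WEBHOOK_SECRET) -> bool:
    """Constant-time check of the HMAC plus a timestamp window against replay."""
    try:
        parts = dict(p.split("=", 1) for p in header.split(","))
        ts = int(parts["t"])
    except (ValueError, KeyError):
        return False
    if abs(now - ts) > TOLERANCE_SECONDS:
        return False
    return hmac.compare_digest(_signature(payload, ts, secret), parts.get("v1", ""))


def handle_webhook(payload: bytes, header: str, orders: dict, now: float = None) -> str:
    """Fulfil an order only from a verified 'payment_intent.succeeded' event."""
    now = time.time() if now is None else now
    if not verify_signature(payload, header, now):
        return "rejected"
    event = json.loads(payload)
    intent = event["data"]["object"]
    order_id = intent["metadata"]["order_id"]
    if event["type"] == "payment_intent.succeeded":
        orders[order_id] = "paid"
        return "fulfilled"
    if event["type"] == "payment_intent.payment_failed":
        err = intent.get("last_payment_error") or {}
        if err.get("decline_code") == "authentication_required":
            # Soft decline: the issuer insists on SCA, so bring the customer back on-session.
            orders[order_id] = "needs_customer_authentication"
            return "authentication_required"
        orders[order_id] = "failed"
        return "failed"
    return "ignored"


def sample_event(event_type: str, order_id: str, decline_code: str = None) -> bytes:
    """Constructed event payload in the documented shape (data.object is the PaymentIntent)."""
    obj = {"status": "succeeded" if event_type.endswith("succeeded") else "requires_payment_method",
           "metadata": {"order_id": order_id}}
    if decline_code:
        obj["last_payment_error"] = {"decline_code": decline_code}
    return json.dumps({"type": event_type, "data": {"object": obj}}).encode()


if __name__ == "__main__":
    now = int(time.time())
    body = sample_event("payment_intent.succeeded", "order-1")
    orders = {}
    print(handle_webhook(body, sign_payload(body, now), orders, now=now), orders)
    print(handle_webhook(body + b" ", sign_payload(body, now), orders, now=now))   # tampered
```

Keep the webhook endpoint as the single source of truth for "paid": with SCA, a challenge can complete minutes after the browser left your page, and the browser-side success callback is both unreliable and attacker-controlled.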


I run a small e-commerce startup. Should I worry about 3D Secure 2?

Not every online retailer needs to migrate to 3D Secure 2 immediately. If you run a small e-commerce site, you can postpone worrying about 3D Secure 2 for a while, since 3D Secure 1 and 3D Secure 2 are expected to co-exist for some time. However, if your web analytics tools are telling you that you're losing a lot of customers at the checkout stage because of 3D Secure 1, you may be better off shifting to 3D Secure 2 now. While you're at it, we would also recommend overhauling your backend infrastructure so that it is upgrade friendly, for example by integrating with Stripe, Shopify or something similar. This frees you from the headache of keeping your site's payment code up-to-date, since these third-party platforms handle the authentication flow for you. And if you need help, feel free to contact us.

References

https://developers.braintreepayments.com/guides/3d-secure/overview

https://stripe.com/docs/payments/3d-secure

https://stripe.com/guides/3d-secure-2

https://www.adyen.com/blog/3d-secure-20-a-new-authentication-solution

https://developer.visa.com/pages/visa-3d-secure