Strong Customer Authentication (SCA) and the EMV 3DS Protocol
What will Happen to Your European Online Traffic by the End of 2020

By now you should be pretty familiar with acronyms such as PSD2, SCA, and EMV 3DS (also known as 3DS 2.x). If you are not, then you have a lot to learn if you want to do business with European consumers beyond the end of 2020. Just so we are all on the same page: PSD2 is the Revised Payment Services Directive, which mandates SCA, Strong Customer Authentication, which in turn can be achieved using EMV 3DS, the newer version of the Three-Domain Secure protocol.
PSD2 was issued back in 2015 by the European Commission to drive safety and innovation in the European payments industry, following the steps already taken with the original PSD. It went into effect in September 2019; however, the EBA (European Banking Authority) allowed an extension of the SCA requirement until December 2020, as most players were not ready with its implementation.
The tragedy is that many players are still not ready today, a little less than six months from the end date. Furthermore, the recent pandemic has made things even worse for everyone, as most payments companies and related providers have had to deal with more pressing issues than finally achieving full implementation of SCA. Despite several pleas made to the EBA to reconsider the deadline, the ultimate date for enforcement of the SCA requirement remains the 31st of December 2020. Having said this, France is planning to grant an extra three-month grace period on a case-by-case basis, due to the COVID-19 crisis, and possibly to move the compliance date to the 1st of July 2021 altogether; while the UK, now independent of the EBA, has extended the deadline to the 14th of September 2021.
One fundamental dynamic to note is the following: even if you are PSD2 and SCA ready today, it does not guarantee that you will be successfully accepting all payments in Europe by the end of 2020. There are too many players involved in the payment chain, and if just one of them is non-compliant, the payment will not be authenticated. To make things worse, if you are a merchant, the consumer would most likely blame you for the poor experience, even though you are compliant.
This inherent weakness is why it is essential, first, to be ready and, second, to perform as much testing as possible. Testing will enable you to identify the existing gaps and the weakest links in the payment chain, and hopefully you will be able to address them in time, before the development freeze in October. In any case, as a merchant, the best practice is still to process the authorization and the order when a transaction comes back unauthenticated (due to errors, declines, or system failures). Nevertheless, be mindful that the issuers will eventually start declining transactions that are not correctly authenticated.
For the sake of clarity, let me try to explain everything mentioned above differently. Let's go back one generation to 1995, to a time when eCommerce was still a dream, and assume you want to sell your goods and services across all of Europe. To do so, you plan to open one physical shop (remember those?) in each European country, and you want to have the big opening by the end of October, to catch the extra revenue of the upcoming festive season.
Unfortunately for you, all countries have adopted a law that forces you to take some steps before you can sell to their citizens. You must question your European customer about their identity and obtain sufficient information that confirms who they are. This information needs to be authenticated, but you cannot do it yourself, and you cannot even choose who will do it. Your customer makes this choice. You must phone the unknown authenticator, while your customer is waiting at the counter with the goods in the bag.
And here is where the problems outside of your control begin. You have gone to the trouble of asking for and obtaining all the relevant information, of setting up a phone with a working line, and of instructing all your employees to be as diligent as possible with your customer, so that you are ready. Still, it would all be in vain if, at the other end, the authenticator cannot recognize the information you are passing on, or does not pick up the phone. Worse yet, in some countries the authenticator might not even have a phone before the end of the year.
In this scenario, your customer will leave your shop empty-handed, and you will be left with empty pockets for no apparent fault on your part. In fairness, it is partly your fault: you should have checked, before opening the shop, whether that specific authenticator, randomly chosen by your customer, was ready to receive the information you were trying to send. Rest assured that the customer will believe you were not able to provide them with what they needed.
It is easy to bring this to 2020: the shop is your website, the goods in the bag are the goods in the basket, the counter is the checkout page, the information collection process is the EMV 3DS protocol, the phone is the API to your PSP/acquirer, the phone line is the data channel, and the authenticator is the issuer. All the different components must work together for you to be able to satisfy your customer. Moreover, the whole process today should take milliseconds instead of minutes and should be seamless, as ideally the consumer does not even notice this happens.
This example highlights the complexity of ensuring that all links of the payment chain are correctly set up and work well together in a continuous sequence. As most of these links are outside your control today, it is crucial to perform as much testing as possible. Testing should involve all players, because it is the only way to see whether SCA works and delivers on the promise of safer and friendlier payment experiences.
The recommendation is, therefore, to not just tick the boxes for your end of the process, thinking "I have done what I was supposed to do," as you will still be the one paying the price for the other players not doing what they were supposed to do. If you want your customers to be happy with your services, reach out to as many players as possible and cooperate with them in an extensive testing plan. You will help them help you help your customers.
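As an added example (not code from the article or from any payment scheme), here is how a merchant back end might apply the fallback advice above and, at the same time, gather the weak-link evidence the cross-player testing plan needs. The transStatus letters are the real EMV 3DS values; the hop labels ("3ds-server", "ds", "acs"), the BINs and the sample batch are constructed.

```python
"""Merchant-side handling of EMV 3DS authentication outcomes.

Added example, not code from the article. The status letters are the real
EMV 3DS transStatus values; the hop labels, BINs and sample batch below
are constructed for illustration.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, Optional

AUTHENTICATED = {"Y", "A"}  # Y: authenticated; A: attempt acknowledged by the issuer side
ISSUER_REFUSED = {"R"}      # R: issuer rejected and asks that authorization not be attempted
NOT_FINAL = {"C", "D"}      # C/D: a challenge or decoupled step is still pending

@dataclass
class AuthResult:
    issuer_bin: str
    trans_status: Optional[str]        # None when no ARes/RReq came back at all
    failed_link: Optional[str] = None  # hop that broke: "3ds-server", "ds" or "acs"

def decide(result: AuthResult, fallback_on_unauthenticated: bool = True) -> dict:
    """Per the article's advice, a chain failure (U or no response) does not block
    the order: the authorization is still sent, but without SCA evidence, so
    liability stays with the merchant and issuers may start declining it."""
    status = result.trans_status
    if status in AUTHENTICATED:
        return {"authorize": True, "authenticated": True, "reason": status}
    if status in ISSUER_REFUSED:
        return {"authorize": False, "authenticated": False, "reason": status}
    if status in NOT_FINAL:  # finish the challenge before deciding anything
        return {"authorize": False, "authenticated": False, "reason": "pending"}
    # N (not authenticated), U (unable) or no response at all: fall back per policy
    reason = status or f"no-response:{result.failed_link or 'unknown'}"
    return {"authorize": fallback_on_unauthenticated, "authenticated": False, "reason": reason}

def weak_link_report(results: Iterable[AuthResult]) -> Counter:
    """Count, per issuer BIN and hop, how often the chain produced no verdict:
    the evidence the article's cross-player testing should surface."""
    failures: Counter = Counter()
    for r in results:
        if r.trans_status in (None, "U"):
            failures[(r.issuer_bin, r.failed_link or "unknown")] += 1
    return failures

SAMPLE_BATCH = [  # constructed test data, not real transactions
    AuthResult("400000", "Y"), AuthResult("400000", "A"),
    AuthResult("510000", "U", "acs"), AuthResult("510000", None, "acs"),
    AuthResult("510000", "U", "acs"), AuthResult("520000", None, "ds"),
    AuthResult("530000", "R"), AuthResult("530000", "N"),
]
```

Running `weak_link_report(SAMPLE_BATCH)` points at the ACS behind BIN 510000 as the hop that most often gives no verdict, which is exactly the kind of finding to raise with that issuer before the freeze.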