Strong Customer Authentication for Online Card Payments

Last Updated: 1st February 2022

In 2018, the UK Government passed into legislation the EU Directive known as PSD2 (Payment Service Directive 2). This directive aims to provide better protection for consumers paying online whilst also paving the way for new developments in making online and mobile payments.

The elements covering better consumer protection for online payments are delivered through the introduction of Strong Customer Authentication (SCA), which was originally to become mandatory on 14th September 2019. In August 2019, the Financial Conduct Authority (FCA) announced an 18-month delay before compliance was to become mandatory. A further 6-month delay, due to the exceptional circumstances around the Covid-19 crisis, was announced by the FCA in April 2020. Another delay was announced in May 2021, which means that, at the time of writing (01/02/2022), the following timescales apply:

  • In the UK, the deadline for eCommerce compliance is now 14th March 2022.
  • In the European Economic Area (EEA), the deadline for eCommerce compliance remains 31st December 2020.

What is Strong Customer Authentication?

Strong Customer Authentication for PSD2 is provided by a development of 3D Secure known as 3D Secure 2.0.

What is 3D Secure?

Many people will be familiar with the current version of 3D Secure through the implementations provided by the two main card issuers, Visa and MasterCard. Visa refer to their 3D Secure implementation as "Verified by Visa", whilst MasterCard call theirs "MasterCard SecureCode".

When 3D Secure is enabled via your website checkout, the customer is redirected to their own bank's website to enter a password (or typically, 3 random characters from their password) as an additional verification that they are who they claim to be.

[Image not included: example of the Verified by Visa verification page - Mastercard's equivalent is similar]

Enabling 3D Secure through your website's checkout has, to date, been optional. There are good reasons for using it, not least of which is that, in general, when using 3D Secure, liability for fraudulent transactions moves to the bank if the transaction went through the 3D Secure verification process.

What is 3D Secure 2.0?

3D Secure 2.0 extends the verification process to use 2-Factor Authentication (also known as 2FA). Two-factor authentication requires the customer to confirm their identity using two of the following three classes of verification:

  • Something They Know (for example, a password or a PIN)
  • Something They Have (for example, a card reader or SmartPhone)
  • Something They Are (for example, fingerprint, voice or facial recognition)

Exactly how a particular bank chooses to verify its customers is down to their own preferences - for example, one bank may offer voice recognition whilst another may not.

Are There Exceptions?

Whereas the use of 3D Secure has been optional in the past, the use of 3D Secure 2.0 will become mandatory. There are, however, exceptions:

  • Transactions below €30 (unless the customer has initiated more than five consecutive low value transactions)
  • Recurring payments (such as subscriptions)
  • Whitelisting (where the customer has added their regular suppliers to a "trusted merchants" list)
  • Low Risk Transactions (where the bank has determined that the particular transaction is low risk based on a real-time risk assessment)
  • Transactions where the merchant or the customer is outside the UK and the European Economic Area

In essence, it is down to the issuing bank to decide whether a particular transaction needs to be verified. The website's checkout and the Payment Service Provider must therefore always assume that the transaction needs to be verified; it is simply that, in some cases, the bank will return an approval without asking the customer to verify their identity.
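To make the exemption rules above concrete, here is an added example (not code from the original article or from any PSP) that models the issuer-side decision as described: exemptions for recurring, whitelisted, low-risk and out-of-scope transactions, and the low-value exemption with its limit of five consecutive low-value payments. The merchant-side function simply submits every transaction and records which outcome the issuer returned. Assumptions not stated on the page are marked in the comments: a challenge resets the consecutive low-value count, and "low risk" arrives as a flag from the issuer's own risk engine.

```python
from dataclasses import dataclass

LOW_VALUE_LIMIT_EUR = 30.00          # "Transactions below €30"
MAX_CONSECUTIVE_LOW_VALUE = 5        # "more than five consecutive" triggers SCA


@dataclass
class Transaction:
    amount_eur: float
    recurring: bool = False            # subscriptions etc.
    merchant_whitelisted: bool = False # customer's "trusted merchants" list
    issuer_low_risk: bool = False      # assumption: output of issuer's risk engine
    merchant_in_uk_or_eea: bool = True
    customer_in_uk_or_eea: bool = True


@dataclass
class CardholderState:
    consecutive_low_value: int = 0     # issuer-held counter per cardholder


def issuer_requires_challenge(tx: Transaction, state: CardholderState) -> bool:
    """Issuer's view: True if the customer must complete SCA, False if exempt.
    Updates the cardholder's consecutive low-value counter."""
    if not (tx.merchant_in_uk_or_eea and tx.customer_in_uk_or_eea):
        return False  # either party outside UK/EEA: out of scope
    if tx.recurring or tx.merchant_whitelisted or tx.issuer_low_risk:
        return False
    if tx.amount_eur < LOW_VALUE_LIMIT_EUR:
        if state.consecutive_low_value < MAX_CONSECUTIVE_LOW_VALUE:
            state.consecutive_low_value += 1
            return False
        state.consecutive_low_value = 0  # assumption: a challenge resets the run
        return True
    state.consecutive_low_value = 0      # assumption: any challenge resets the run
    return True


def merchant_checkout(txs: list, state: CardholderState) -> list:
    """Merchant's view: every transaction is submitted for 3D Secure; the
    merchant never decides an exemption itself, it only observes the outcome."""
    outcomes = []
    for tx in txs:
        challenged = issuer_requires_challenge(tx, state)
        outcomes.append("challenge" if challenged else "frictionless")
    return outcomes
```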

In order for the bank to make a risk assessment, the Payment Service Provider (for example, Opayo) may need to provide more information on the transaction - such as delivery address, nature of the goods etc. and so this may require them to make changes to their APIs.

What Happens Next?

Payment Service Providers have published information on the implications of Strong Customer Authentication for their individual services and we continue to monitor this information for updates that may affect our clients.

In the meantime, if you are not already using 3D Secure in your checkout process, we strongly recommend that you do so now - as well as minimising any disruption when SCA becomes mandatory, it does bring the added benefit of shifting liability for fraudulent transactions to the issuing bank. Enabling 3D Secure is usually done via your Payment Service Provider's online portal.

The aim of Strong Customer Authentication for Online Card Payments is to reduce instances of online fraud and so these changes should benefit both merchants and customers alike. We can expect, however, in the short term, that there will be some disruption as online shoppers adjust to new checkout processes and set themselves up with the means to verify their identity on every transaction.

Specific Information for Websites using Opayo

All axis vMerchant / Opayo (SagePay) integrations use a method called "VSP Server", or "Server" for short. Opayo have confirmed (see link to their Frequently Asked Questions article below) that Server integrations require no change and fully support both 3DSv1 and 3DSv2.

Opayo have previously sent emails to their clients suggesting that some alterations will be required to the custom templates used by Server integrations. We have confirmed that the latest versions of the custom templates work correctly using 3DSv2 and we are helping all of our axis vMerchant clients to ensure, where necessary, that their custom templates are up to date.

Since 3D Secure only applies to online transactions, the introduction of Strong Customer Authentication does not affect axis diplomat's integration with Opayo - without modification, it will, for example, still be able to authorise payment against a web transaction placed using Authenticate & Authorise regardless of whether it was placed using 3DSv2 or not.

If you have not currently enabled 3D Secure on your account, you should do so now. If you do not, your website may encounter problems processing payments from cards issued within the EEA.

Further Information

Information on the UK's Current Deadline for Implementing Strong Customer Authentication can be found on the Financial Conduct Authority's website here:

Opayo have published a general information page on Strong Customer Authentication, a Frequently Asked Questions article and a Support Note on enabling 3D Secure.
