As part of the European Payment Services Directive (PSD2), strong buyer authentication has been mandatory since the beginning of this year and, since April, applies to all online transactions regardless of their amount. The required strong authentication protocol is 3DSv2, the new version of 3D Secure, which offers more flexibility. To maximize your chances of offering a frictionless shopping experience to your customers, you'll need to have the 3DSv2 vocabulary at your fingertips! Discover our glossary of key terms to know.
The 3DSv2 lexicon
PSD2
The European Payment Services Directive, version 2, aims to strengthen consumer protection, promote innovation and improve the security of payment services across the European Union, through harmonization and enhanced security of online payments. Having entered into force at the beginning of 2018, it has, among other things, reduced the deductible borne by the customer in case of fraud, shortened payment execution times and eliminated surcharges when paying by bank card.
Regulatory Technical Standards
The Regulatory Technical Standards (RTS) are the technical rules that define strong customer authentication so as to meet the objectives of PSD2. They must be applied to all buyer-initiated online payments made by credit card.
Strong Customer Authentication (SCA)
To strengthen the security of online transactions, PSD2 has made it mandatory for the buyer to be authenticated using at least two independent authentication factors, independent meaning that the compromise of one does not necessarily lead to the compromise of the other (e.g. a password and a fingerprint). The factors are chosen from three categories: possession, knowledge or inherence.
Authentication factors
An authentication factor is a means of ensuring that the person making the online purchase is the actual holder of the payment card being used. It can be, for example, a code, a password or a fingerprint. There are three types of authentication factors:
- Knowledge authentication factor: a piece of information that only the buyer and the payment card issuer know. It can be a code, a password or a secret question.
- Possession authentication factor: data that can only be obtained from a device (smartphone) or a medium (smart card) that belongs to the buyer, such as a single-use code issued by that device. It should be noted that SMS validation is not recognized as a strong authentication method by the EBA (European Banking Authority).
- Inherence authentication factor: data that belongs only to the buyer, such as their biometric data (fingerprint, facial recognition, etc.).
Soft Decline
The soft decline is a mechanism that allows a payment card issuer (the Issuing Bank) to reject a transaction that is not PSD2 compliant (i.e., not strongly authenticated) while still allowing the merchant to resubmit the transaction, but this time with strong authentication.
Challenge & Frictionless
The merchant has the option to request a 3DS exemption. Two scenarios can then occur:
- Challenge: the 3DSv2 protocol is triggered and the transaction must be strongly authenticated to succeed.
- Frictionless: the transaction is fluid for the buyer, in other words it goes through without strong authentication.
In the case of a frictionless transaction following an exemption request, the merchant is responsible for any fraud.
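As an added illustration (not code from the original article or from Lemonway), the following Python model applies the rules above to a batch of transactions and, going one step beyond this entry, also covers the "no preference" case defined next, in which the merchant leaves the decision to the bank and the bank carries the fraud. The preference and outcome names, the "no 3DS" category and the sample transactions are assumptions made for the example.

```python
from dataclasses import dataclass
from enum import Enum

class Preference(Enum):
    """What the merchant asked the issuer for when submitting the transaction (assumed names)."""
    EXEMPTION = "exemption"          # merchant requested a 3DS exemption
    NO_PREFERENCE = "no_preference"  # merchant leaves the decision to the bank
    NO_3DS = "no_3ds"                # submitted without 3DS at all (assumed category)

class Outcome(Enum):
    """What the issuer returned."""
    FRICTIONLESS = "frictionless"
    CHALLENGE = "challenge"
    SOFT_DECLINE = "soft_decline"

@dataclass
class Transaction:
    tx_id: str
    amount_eur: float
    preference: Preference
    outcome: Outcome
    sca_completed: bool = False  # only meaningful after a challenge

def classify(tx: Transaction) -> dict:
    """Apply the glossary's rules to one transaction: status, who carries fraud, next step."""
    if tx.outcome is Outcome.SOFT_DECLINE:
        # Issuer rejected a non-SCA transaction; the merchant may resubmit it with SCA.
        return {"status": "declined", "liability": None,
                "next_action": "resubmit with strong authentication"}
    if tx.outcome is Outcome.CHALLENGE:
        # 3DSv2 challenge: the transaction only succeeds once SCA has been completed.
        if tx.sca_completed:
            return {"status": "authenticated", "liability": None, "next_action": None}
        return {"status": "pending_sca", "liability": None, "next_action": "complete challenge"}
    # Frictionless: merchant carries fraud after an exemption request, bank after "no preference".
    liability = {"exemption": "merchant", "no_preference": "bank"}.get(tx.preference.value)
    return {"status": "frictionless", "liability": liability, "next_action": None}

def merchant_exposure(txs) -> float:
    """Total of frictionless amounts for which the merchant, not the bank, carries fraud."""
    return sum(t.amount_eur for t in txs if classify(t)["liability"] == "merchant")

# Constructed sample transactions, not real data.
SAMPLE = [
    Transaction("t1", 40.0, Preference.EXEMPTION, Outcome.FRICTIONLESS),
    Transaction("t2", 250.0, Preference.EXEMPTION, Outcome.CHALLENGE, sca_completed=True),
    Transaction("t3", 15.0, Preference.NO_PREFERENCE, Outcome.FRICTIONLESS),
    Transaction("t4", 99.0, Preference.NO_3DS, Outcome.SOFT_DECLINE),
]
```

Running `merchant_exposure(SAMPLE)` gives the amount on which the merchant, having asked for an exemption and received a frictionless answer, is exposed to fraud.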
No preference
The merchant can leave it up to the bank to decide whether or not the transaction requires strong authentication. The bank calculates the risk and either approves the payment or requests strong authentication. In this case, the bank is responsible for any fraud.

This new regulation to improve the security of online payments is an opportunity for payment service providers like Lemonway to innovate and support their customers towards smoother and more secure online transactions. Want to know more? Please contact us!