14 January 2021
As part of PSD2 and standardising European payment operations, the 3D Secure 2.0 system will become mandatory for all by April 2021. This will make authentication — which was previously optional or controlled by sellers, PSPs, or banks — obligatory and controlled at an EU level. While 3DS has improved online payment security, its roll-out and impact have worried sellers. What will change with 3D Secure 2.0? How should banks and payment institutions prepare? What changes will marketplace operators face? Find all the answers here.
3D Secure 2.0 is a secure online payment protocol that aims to limit fraud risk and protect banking information by forcing online buyers to go through Strong Customer Authentication (SCA) to complete a transaction.
In September 2019, the European Banking Authority’s Regulatory Technical Standards (RTS) specified that Strong Customer Authentication must have at least two authentication factors. These factors can be:
All new validation and authentication tools are developed by banks rather than by payment service providers. By October 2021, text messages will be replaced as an authentication factor by Digital Key.
The RTS affect all online card payments initiated by the purchaser. However, they do not apply to:
Strong Customer Authentication becomes mandatory under the RTS for:
3D Secure 2.0 is designed to make Strong Customer Authentication mandatory for all online payments (except the transactions mentioned above that are not affected by the RTS), but it is “smarter” than the first version because it has rules for authentication exemptions. Exemption requests are possible if:
Where a transaction happens on a marketplace, the exemption request, and therefore a 3DS-free purchase, comes from Lemonway.
Following an exemption request, the Issuing Bank has the final say and decides whether the transaction can go ahead without SCA, using an algorithm it has developed to identify a transaction’s risk level. Transactions that go ahead without SCA are known as frictionless payments.
The Issuing Bank will decide a transaction’s risk level based on a score generated by the schemes (CB, Mastercard, Visa, etc.) and shared with it, plus a score it calculates itself.
To improve the score generated by schemes, the seller, and therefore Lemonway too, must provide as much information as possible when the transaction happens: payer name, ID, delivery address, info about the equipment used, etc.
N.B. The full list of information required by schemes and PSPs has not been released. When Lemonway can access these details, our APIs will be updated to ensure better scoring and maximum exemptions.
Many people have concerns about 3DS2’s gradual roll-out with regard to the user buying journey. Stricter authentication would seem to go hand in hand with an increased risk of users abandoning purchases before validation, and therefore with lower conversion rates on seller sites.
That said, this move to 3D Secure 2.0 is inevitable as it comes from a European directive. It’s important to remember that strong authentication’s main purpose is to make payments more secure. The “smarter” 3DS2 will also provide more exemption options for avoiding SCA.
Lemonway already uses Strong Customer Authentication on all transactions to prevent refusals from Issuing Banks. As soon as PSPs and banks are ready for 3DS-v2 implementation, Lemonway will automatically improve transaction success rates with its intelligent exemption management system.
To increase your rate of frictionless, non-authenticated transactions, we recommend that you provide the optional information we will ask for when updating the API for 3DS-v2 implementation.
As a payment service provider, Lemonway takes a positive view of these new rules as they are helping to improve payment security and the payment experience. Lemonway is aware of the challenges around the 3DS2 roll-out and is already working to support its partners through this transition.