Cut down on fraud and increase payments security with 3D Secure. Learn more about PSD2 and SCA going into effect on September 14, 2019. We provide information, history, and recommendations.
The European Union revised a regulation called Payment Services Directive (PSD) with an updated version PSD2. This regulation goes into effect on September 14, 2019, and has a significant impact on most payment processing involving credit cards or bank transfers.
With the timelines for PSD2, understanding 3D Secure (3DS) and the changes from v1.0 to 2.0 is vital for all Magento merchants. This DevBlog provides detailed information on both versions and how it affects Magento 2 merchants and payment gateways. We provide recommendations and updates at the end for payment provider extensions.
What is 3D Secure?
3D Secure is a protocol designed to reduce fraud and provide additional security for online credit and debit cards transactions. The 3D Secure protocol utilizes the three-domain model to provide an additional security layer for a customer purchase:
- Acquirer Domain — Merchant or acquirer in which credit/debit cards details are entered
- Issuer Domain — Bank that issued credit/debit card
- Interoperability domain — Infrastructure that supports the 3D Secure protocol, payment transaction. In most cases, the payment gateway represents interoperability domain.
According to the specification, 3D Secure uses XML messages sent over an SSL connection with cardholder authentication info.
Different financial services provide their own implementation of 3D Secure: "Verified by Visa" from Visa, "Mastercard SecureCode" from Mastercard, "American Express SafeKey" from American Express, and "J/Secure" from JCB.
In general, an implementation of 3D Secure protocol adds an additional authentication step during the customer purchase flow and, in most cases, it appears as a popup with a link redirecting to a bank’s page or an iframe provided by the issuer bank. The popup/iframe/bank’s page contains a field to enter the SMS code, password or one-time token.
As a popup/iframe provided by cardholder's issuer bank, this flow can guarantee that the cardholder’s identity is verified. 3D Secure verification is not an obligatory step for all online merchants and can be skipped even if the cardholder enabled 3D Secure verification for their account.
Version 1.0 vs. version 2.0
3D Secure 1.0 was introduced in 2001 by Visa. In 2019, payment providers started the migration process to 3D Secure 2.0.
Before comparing v1.0 and v2.0, let's consider what 3D Secure v1.0 verification looks like:
- A customer enters credit card details during the purchase flow. The merchant's website requests 3DS verification context from the payment gateway.
- The payment gateway sends a request to the issuer bank, which returns a verification context (link to an iframe, a popup, or a link to the bank’s 3DS verification page).
- The payment gateway then proxies a response from the issuer bank to the merchant website, which shows the popup, iframe, or redirects the customer to the issuer bank website.
- The customer verifies their identity by SMS, email, password, or one-time token. The issuer bank sends an acknowledgment to the payment gateway, which proxies it to the merchant's website.
- Based on the issuer bank’s acknowledgment, the merchant's website creates order and makes a payment transaction or rejects it.
Pros and Cons of 3D Secure
3D Secure provides advantages to securing online payment transactions, but has drawbacks:
- In most cases, 3DS verification is represented as a popup or iframe. It can be difficult for customers to differentiate between the issuer's bank popup/iframe and a fraudulent website.
- Additional steps for customer authentication have a negative impact on customer experience and reduces the merchant's conversion.
- Mobile devices do not always correctly display 3DS popups.
To address these issues and improve 3D Secure verification mechanism, EMVCo (a company owned by Visa, Mastercard, American Express, Discover, JCB, and Union Pay) developed a specification for 3D Secure 2.0 with the following benefits:
- Frictionless Checkout Flow
- Non-Payment authentication
- Native Mobile Integration (support of in-app, mobile, digital wallet)
- Better performance for end-to-end message processing
- Prevention of unauthenticated payments, even if a cardholder's card number is stolen or cloned
Contextual data
The main feature of 3DS 2.0 is analyzing the merchant's contextual data and prompting customers to verify their identity for high-risk transactions, which only constitute <5% of all payment transactions. Contextual data may contain customer first and last names, billing addresses, emails, and other related data, which can be shared across payment providers to improve the analysis mechanism and transaction risks. The list of authentication mechanisms was extended, and now it includes face and voice recognition and fingerprints.
Version 2.0
Let’s consider how 3DS 2.0 verification flow will look:
In general, the verification flow is similar to the 3DS 1.0 flow, but in most cases it does not require customer identity verification as the issuer bank can make a verification decision based on contextual data (which the merchant's website sends during the request for 3DS verification—95% of payment transactions are low-risk).
All 3D Secure 2.0 services should be compatible with the 1.0 protocol, and when 3DS 2.0 is not supported, the verification flow should work via v1.0 as well.
3D Secure and PSD2
As part of the PSD2 directive, new authentication requirements known as Strong Customer Authentication (SCA) were introduced. SCA was created to reduce fraud and make payments more secure. It requires payments to use at least two of the following factors to authenticate the payer:
- Something the customer knows: password or PIN they set
- Something the customers has: phone or hardware token for authentication
- Something the customer is: fingerprint, face recognition
Starting September 14, 2019, European banks will decline payments that require SCA but do not meet the above criteria. Low risk and low-value transactions may still be accepted, as well as subsequent payments in a recurring subscription.
There are some uncertainties regarding this regulation, especially the application to non-EU customers or EU customers purchasing outside the US. For this reason, we recommend all merchants should update their payment integrations to support SCA regardless of their location.
You can find more information on these topics from CardinalCommerce:
Affects for Magento
What does this all mean for Magento merchants?
According to PSD2 (Payment Service Directive 2), all payment providers should apply Strong Customer Authentication (SCA) in the EU (including the UK):
- April 2019 — Issuing banks are encouraged by schemes to get 3DS 2.0 ready.
- September 14, 2019 — SCA goes into effect for all European e-commerce transactions under PDS2.
- October 11, 2019 — The 3DS 2.0 Scheme mandate for Europe goes into effect.
- 2020 and onward — 3DS 2.0 launches worldwide.
Magento Payment Provider Recommendations
Due to this significant change, and to make sure customers payments will not be declined, we are introducing the following changes and recommendations for the Magento native payment integrations.
|
Payment Provider |
Magento Commerce 2.X Recommendation |
Magento Commerce 1.X Recommendation |
|
PayPal |
Continue using the current Magento built-in integration, as the 3D Secure 2.0 payment flow changes are all handled by PayPal. |
3DS 1.0 is supported. When and/or where use of 3DS 2.0 is required, Merchants will either need to replace PayPal with Braintree or upgrade to Magento 2.3.x. |
|
Braintree |
Use the official extension (recommended) that will offer 3D Secure 2.0 prior to the deadline or use the Magento integration in upcoming version 2.3.3+ or 2.2.10+
Braintree integration supports 3D Secure verification out-of-the-box. Starting from Magento 2.3.3 release, Braintree integration will support 3D Secure 2.0. |
Use the official extension. |
|
Authorize.net |
Use the official extension (recommended) or the Magento integration in upcoming version 2.3.3+ or 2.2.10+ with a 3D Secure provider like CardinalCommerce.
Authorize.net provides the ability, via the chardholderAuthentication request field, to make 3D Secure verification via 3rd party services like CardinalCommerce. Starting from Magento 2.3.3 release, Authorize.net AcceptJs integration will support 3DS 2.0 via CardinalCommerce.
|
Please check back here for updates on Authorize.net extensions for M1 as they become available. |
|
CyberSource |
Use the official extension.
Cybersource introduced Payer Authentication API with 3D Secure 2.0 support for Secure Acceptance Hosted Checkout and Simple Order API. Also, the integration with CardinalCommerce can be used for 3DS verification. |
Use the official extension. |
|
eWay |
Use the official extension. |
Use the official extension. |
For all other payment integrations, check Magento Marketplace Payment Integration extensions and check with your payment provider for what their recommendations are for supporting the PSD2 SCA requirements.
In addition, and to avoid duplicating efforts, Magento future versions will deprecate and remove the following core integrations in favor of official payment integrations available on the marketplace: CyberSource, Authorize.net, eWay, Worldpay. The official integrators work closely with vendors around the world to provide the most up-to-date features with free official payment extensions to download and use.
17 Comments