
3D Secure 2.0 changes

isentiabov
Adobe Team

Cut down on fraud and increase payment security with 3D Secure. Learn more about PSD2 and Strong Customer Authentication (SCA), which apply from September 14, 2019. We provide background, history, and recommendations.

 

The European Union revised its Payment Services Directive (PSD) into an updated version, PSD2. Its Strong Customer Authentication requirements apply from September 14, 2019, and have a significant impact on most payment processing involving credit cards or bank transfers.

 

Given the PSD2 timeline, understanding 3D Secure (3DS) and the changes from v1.0 to 2.0 is vital for all Magento merchants. This DevBlog post provides detailed information on both versions and how they affect Magento 2 merchants and payment gateways. We give recommendations and updates for the payment provider extensions at the end.

 

What is 3D Secure?

3D Secure is a protocol designed to reduce fraud and add a layer of security to online credit and debit card transactions. It is built on a three-domain model (hence the name), which adds an authentication step to a customer purchase:

 

  • Acquirer Domain — The merchant and its acquirer, where the credit/debit card details are entered
  • Issuer Domain — The bank that issued the credit/debit card
  • Interoperability Domain — The card scheme infrastructure (the directory server) that connects the other two domains and carries the 3D Secure messages. From the merchant's side, the payment gateway or 3DS server is normally the component that talks to it.

 

According to the specification, 3D Secure 1.0 exchanges XML messages carrying the cardholder authentication information over an SSL/TLS connection; 3D Secure 2.0 replaces these with JSON messages over HTTPS.

 

Each card scheme brands its own implementation of 3D Secure: "Verified by Visa" from Visa, "Mastercard SecureCode" from Mastercard, "American Express SafeKey" from American Express, and "J/Secure" from JCB.

 

In general, an implementation of the 3D Secure protocol adds an extra authentication step to the customer's purchase flow. In most cases it appears as a popup that links to the issuing bank's page, or as an iframe served by the issuer bank. The popup, iframe or bank page contains a field for the SMS code, password or one-time token.

[Screenshot: 3D Secure verification prompt]

 

Because the popup or iframe is served by the cardholder's issuer bank, the flow lets the issuer verify the cardholder's identity. 3D Secure verification is not an obligatory step for all online merchants and can be skipped even if the cardholder enabled 3D Secure verification for their account; a merchant that skips it also gives up the chargeback liability shift that a completed authentication provides.

 

Version 1.0 vs. version 2.0

3D Secure 1.0 was introduced in 2001 by Visa. In 2019, payment providers started the migration process to 3D Secure 2.0.

 

Before comparing v1.0 and v2.0, let's consider what 3D Secure v1.0 verification looks like:

 

[Figure: 3D Secure 1.0 verification flow, sequence diagram]

 

  1. A customer enters credit card details during the purchase flow. The merchant's website requests 3DS verification context from the payment gateway.

  2. The payment gateway sends a request to the issuer bank, which returns a verification context (link to an iframe, a popup, or a link to the bank’s 3DS verification page).

  3. The payment gateway then proxies a response from the issuer bank to the merchant website, which shows the popup, iframe, or redirects the customer to the issuer bank website.

  4. The customer verifies their identity by SMS, email, password, or one-time token. The issuer bank sends an acknowledgment to the payment gateway, which proxies it to the merchant's website.

  5. Based on the issuer bank's acknowledgment, the merchant's website creates the order and makes the payment transaction, or rejects it.
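The acknowledgment in step 4 travels back to the merchant through the shopper's browser (the popup or iframe), so the merchant must verify it before acting on it in step 5. The following is an added example, not code from the original post or from Magento, of that check. In 3D Secure 1.0 the result message (the PaRes) is signed by the issuer's ACS and verified by the merchant's MPI; here an HMAC under a constructed shared key stands in for that signature, and the field names, transaction ids and CAVV value are constructed for the example:

```python
import hashlib
import hmac
import json
from typing import Optional, Tuple

# Constructed key standing in for the issuer ACS's signing credential. In real
# 3DS 1.0 the PaRes is an XML message signed by the ACS and checked by the
# merchant's MPI; an HMAC over a canonical encoding plays that role here.
ACS_SIGNING_KEY = b"example-acs-signing-key-not-for-production"

RESULT_FIELDS = ("xid", "status", "eci", "cavv")


def _canonical(fields: dict) -> bytes:
    """Deterministic encoding so issuer and merchant MAC the same bytes."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def issuer_sign_result(key: bytes, xid: str, status: str, eci: str,
                       cavv: Optional[str]) -> dict:
    """Issuer side: produce the authentication result for transaction `xid`.

    status: Y = authenticated, N = failed, A = attempted, U = unavailable.
    """
    fields = {"xid": xid, "status": status, "eci": eci, "cavv": cavv}
    sig = hmac.new(key, _canonical(fields), hashlib.sha256).hexdigest()
    return {**fields, "signature": sig}


def merchant_verify(key: bytes, result: dict, expected_xid: str) -> Tuple[bool, str]:
    """Merchant side: decide whether to authorise on the basis of `result`.

    The result arrives via the shopper's browser, so it is untrusted input
    until the MAC checks out and it is bound to the transaction (xid) that
    this merchant actually started.
    """
    fields = {k: result.get(k) for k in RESULT_FIELDS}
    expected = hmac.new(key, _canonical(fields), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, str(result.get("signature", ""))):
        return False, "signature mismatch: result altered in transit or forged"
    if fields["xid"] != expected_xid:
        return False, "xid mismatch: result belongs to another transaction"
    if fields["status"] == "Y":
        return True, "authenticated: authorise with the ECI/CAVV from the result"
    if fields["status"] == "A":
        return True, "attempted only: authorise per acquirer policy, not full SCA"
    return False, f"status {fields['status']}: do not authorise"


def demo() -> dict:
    """Three cases: honest result, shopper-tampered result, replayed result."""
    honest = issuer_sign_result(ACS_SIGNING_KEY, "tx-1001", "Y", "05",
                                "constructed-cavv-value")
    declined = issuer_sign_result(ACS_SIGNING_KEY, "tx-1002", "N", "07", None)
    # A shopper who controls the browser flips the declined result to Y.
    tampered = dict(declined, status="Y", eci="05", cavv="constructed-cavv-value")
    return {
        "honest": merchant_verify(ACS_SIGNING_KEY, honest, "tx-1001"),
        "tampered": merchant_verify(ACS_SIGNING_KEY, tampered, "tx-1002"),
        # The honest Y result presented for a different transaction.
        "replayed": merchant_verify(ACS_SIGNING_KEY, honest, "tx-1002"),
    }


if __name__ == "__main__":
    for case, (ok, why) in demo().items():
        print(f"{case:9s} -> {'AUTHORISE' if ok else 'REJECT'}: {why}")
```

The two rejected cases are the ones a browser-mediated flow invites: a result edited on the way back, and a valid result replayed against a different order. Binding the result to the xid is what stops the second one; the signature alone does not.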

 

Pros and Cons of 3D Secure

3D Secure provides advantages to securing online payment transactions, but has drawbacks:

 

  • In most cases, 3DS verification is presented as a popup or iframe, and customers have no reliable way to tell the issuing bank's popup or iframe from a phishing page imitating it.

  • Additional customer authentication steps have a negative impact on the customer experience and reduce the merchant's conversion.

  • Mobile devices do not always display 3DS popups correctly.

 

To address these issues and improve the 3D Secure verification mechanism, EMVCo (a company owned by Visa, Mastercard, American Express, Discover, JCB, and UnionPay) developed the specification for 3D Secure 2.0 with the following benefits:

 

  • Frictionless Checkout Flow
  • Non-Payment authentication
  • Native Mobile Integration (support of in-app, mobile, digital wallet)
  • Better performance for end-to-end message processing
  • Prevention of unauthenticated payments, even if a cardholder's card number is stolen or cloned

 

Contextual data

The main feature of 3DS 2.0 is risk-based authentication: the issuer analyzes the contextual data sent with the transaction and prompts the customer to verify their identity only for high-risk transactions, which constitute under 5% of all payments. Contextual data may include the customer's first and last name, billing address, email, device information, and other related data, which is passed through the payment providers to the issuer to improve its risk analysis. The list of authentication mechanisms was also extended and now includes face and voice recognition and fingerprints.

 

Version 2.0

Let’s consider how 3DS 2.0 verification flow will look:

[Figure: 3D Secure 2.0 verification flow, sequence diagram]

 

In general, the verification flow is similar to the 3DS 1.0 flow, but in most cases it does not require the customer to verify their identity: the issuer bank makes the decision from the contextual data the merchant's website sends with the 3DS verification request, and roughly 95% of payment transactions are low-risk.

 

All 3D Secure 2.0 services should remain compatible with the 1.0 protocol, so that when the issuer or card does not yet support 3DS 2.0 the verification flow falls back to v1.0.

 

3D Secure and PSD2

As part of the PSD2 directive, new authentication requirements known as Strong Customer Authentication (SCA) were introduced. SCA was created to reduce fraud and make payments more secure. It requires payments to be authenticated with at least two independent factors from the following categories:

 

  • Something the customer knows: a password or PIN they set
  • Something the customer has: a phone or hardware token used for authentication
  • Something the customer is: a fingerprint or face recognition

 

Starting September 14, 2019, European banks will decline payments that require SCA but do not meet the above criteria. The SCA rules allow exemptions: low-value transactions (under EUR 30, subject to cumulative limits), transactions that the issuer or acquirer classifies as low risk under transaction risk analysis, and subsequent payments in a recurring series of the same amount, for which SCA is applied only on the first payment. Merchant-initiated transactions, where the cardholder is not present, are outside the scope of SCA.
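As an added example (not from the original post, and not any issuer's actual product), the following Python models the issuer-side decision described in this section and in the 3DS 2.0 contextual-data section above: the contextual data in the authentication request is scored, and the SCA exemptions (low value, transaction risk analysis, recurring series, merchant-initiated) are applied before falling back to a challenge. The amount thresholds are the ones in the SCA regulatory technical standards; the field names, the risk score and its threshold, the TRA tier, and the purchase sequence are assumptions:

```python
from dataclasses import dataclass, field
from typing import List, Tuple

# Thresholds from the SCA Regulatory Technical Standards (amounts in EUR):
# Art. 16 low-value exemption (30 per transaction, and either 100 cumulative
# or 5 consecutive exempted transactions since the last SCA) and Art. 18
# transaction risk analysis (TRA), whose ceiling (100/250/500) depends on the
# PSP's fraud rate; 500 is assumed here. Risk score and threshold are assumed.
LOW_VALUE_LIMIT = 30.0
LOW_VALUE_CUMULATIVE_LIMIT = 100.0
LOW_VALUE_MAX_CONSECUTIVE = 5
TRA_LIMIT = 500.0
RISK_THRESHOLD = 50


@dataclass
class CardholderHistory:
    """Issuer-side state kept per card since the last completed SCA."""
    low_value_total: float = 0.0
    low_value_count: int = 0
    known_devices: set = field(default_factory=set)


@dataclass
class AuthRequest:
    """Subset of the contextual data a 3DS 2.0 AReq carries (names assumed)."""
    amount: float
    device_id: str
    billing_country: str
    shipping_country: str
    account_age_days: int
    recurring_follow_up: bool = False  # fixed-amount series, SCA done on the first
    merchant_initiated: bool = False   # cardholder not present: outside SCA scope
    tra_exemption_requested: bool = False


def risk_score(req: AuthRequest, hist: CardholderHistory) -> int:
    """Toy risk model over the contextual data; higher means riskier."""
    score = 0
    if req.device_id not in hist.known_devices:
        score += 30
    if req.billing_country != req.shipping_country:
        score += 25
    if req.account_age_days < 7:
        score += 20
    if req.amount > 250:
        score += 15
    return score


def decide(req: AuthRequest, hist: CardholderHistory) -> Tuple[str, str]:
    """Return ('FRICTIONLESS' | 'CHALLENGE', reason) and update `hist`.

    Exemptions are optional for the issuer: even when one applies on paper
    the issuer may still challenge, so each one is also gated on the score.
    """
    if req.merchant_initiated:
        return "FRICTIONLESS", "merchant-initiated transaction: outside SCA scope"
    if req.recurring_follow_up:
        return "FRICTIONLESS", "Art. 14 recurring series: SCA applied on first payment"
    score = risk_score(req, hist)
    if (req.amount <= LOW_VALUE_LIMIT
            and hist.low_value_total + req.amount <= LOW_VALUE_CUMULATIVE_LIMIT
            and hist.low_value_count < LOW_VALUE_MAX_CONSECUTIVE
            and score < RISK_THRESHOLD):
        hist.low_value_total += req.amount
        hist.low_value_count += 1
        return "FRICTIONLESS", f"Art. 16 low value (score {score})"
    if req.tra_exemption_requested and req.amount <= TRA_LIMIT and score < RISK_THRESHOLD:
        return "FRICTIONLESS", f"Art. 18 TRA exemption (score {score})"
    # Challenge: the cardholder completes SCA (assumed to succeed here), which
    # resets the low-value counters and enrols the device as known.
    hist.low_value_total = 0.0
    hist.low_value_count = 0
    hist.known_devices.add(req.device_id)
    return "CHALLENGE", f"SCA required (score {score})"


def run_sequence() -> List[str]:
    """Constructed series of purchases on one card, in order."""
    hist = CardholderHistory(known_devices={"dev-A"})
    home = dict(device_id="dev-A", billing_country="DE", shipping_country="DE",
                account_age_days=400)
    requests = [
        AuthRequest(amount=12.00, **home),
        AuthRequest(amount=25.00, **home),
        AuthRequest(amount=29.00, **home),
        AuthRequest(amount=29.00, **home),
        AuthRequest(amount=10.00, **home),          # cumulative 105 > 100
        AuthRequest(amount=450.00, device_id="dev-B", billing_country="DE",
                    shipping_country="US", account_age_days=400,
                    tra_exemption_requested=True),  # new device + mismatch
        AuthRequest(amount=450.00, device_id="dev-B", billing_country="DE",
                    shipping_country="DE", account_age_days=400,
                    tra_exemption_requested=True),  # device now known
        AuthRequest(amount=9.99, **home, merchant_initiated=True),
    ]
    return [decide(r, hist)[0] for r in requests]


if __name__ == "__main__":
    for i, outcome in enumerate(run_sequence(), 1):
        print(f"payment {i}: {outcome}")
```

The fifth purchase is the one worth noticing: it is under EUR 30 on its own, but the cumulative limit since the last SCA has been spent, so the low-value exemption no longer applies and the cardholder is challenged. A merchant that assumes "under 30 means frictionless" will see such declines in production.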

 

There is some uncertainty about how the regulation applies to non-EU customers and to EU customers purchasing from merchants outside the EU (so-called one-leg-out transactions). For this reason, we recommend that all merchants update their payment integrations to support SCA regardless of their location.

 

You can find more information on these topics from CardinalCommerce:

 

Effects on Magento

What does this all mean for Magento merchants?

 

According to PSD2 (Payment Services Directive 2), all payment service providers should apply Strong Customer Authentication (SCA) in the EU (including the UK):

 

  • April 2019 — Issuing banks are encouraged by schemes to get 3DS 2.0 ready.
  • September 14, 2019 — SCA goes into effect for all European e-commerce transactions under PSD2.
  • October 11, 2019 — The 3DS 2.0 Scheme mandate for Europe goes into effect.
  • 2020 and onward — 3DS 2.0 launches worldwide.

 

Magento Payment Provider Recommendations

Due to this significant change, and to make sure customers' payments will not be declined, we are introducing the following changes and recommendations for the Magento native payment integrations.

 

Payment Provider / Magento Commerce 2.X Recommendation / Magento Commerce 1.X Recommendation

PayPal
  Magento Commerce 2.X: Continue using the current Magento built-in integration, as the 3D Secure 2.0 payment flow changes are all handled by PayPal.
  Magento Commerce 1.X: 3DS 1.0 is supported. When and/or where use of 3DS 2.0 is required, merchants will either need to replace PayPal with Braintree or upgrade to Magento 2.3.x.

Braintree
  Magento Commerce 2.X: Use the official extension (recommended), which will offer 3D Secure 2.0 prior to the deadline, or use the Magento integration in the upcoming versions 2.3.3+ or 2.2.10+. The Braintree integration supports 3D Secure verification out of the box; starting from the Magento 2.3.3 release it will support 3D Secure 2.0.
  Magento Commerce 1.X: Use the official extension.

Authorize.net
  Magento Commerce 2.X: Use the official extension (recommended) or the Magento integration in the upcoming versions 2.3.3+ or 2.2.10+ with a 3D Secure provider like CardinalCommerce. Authorize.net provides the ability, via the cardholderAuthentication request field, to pass the result of 3D Secure verification performed by third-party services like CardinalCommerce. Starting from the Magento 2.3.3 release, the Authorize.net AcceptJs integration will support 3DS 2.0 via CardinalCommerce.
  Magento Commerce 1.X: Please check back here for updates on Authorize.net extensions for M1 as they become available.

CyberSource
  Magento Commerce 2.X: Use the official extension. CyberSource introduced a Payer Authentication API with 3D Secure 2.0 support for Secure Acceptance Hosted Checkout and the Simple Order API. The integration with CardinalCommerce can also be used for 3DS verification.
  Magento Commerce 1.X: Use the official extension.

eWay
  Magento Commerce 2.X: Use the official extension.
  Magento Commerce 1.X: Use the official extension.
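As an added example (a Python sketch, not Magento's PHP integration and not Authorize.net's or CardinalCommerce's own code), this shows what the Authorize.net cardholderAuthentication field from the table above carries and the gate a merchant should put in front of it: the 3DS result maps to a scheme-specific ECI in authenticationIndicator and the CAVV in cardholderAuthenticationValue, and a failed or unauthenticated result is never submitted as an authorisation. The shape of the threeds dict and the credentials are assumed; the card number is Authorize.net's public sandbox test PAN:

```python
import json

# ECI values carried in authenticationIndicator, per scheme:
# fully authenticated (Y) / attempted (A) / not authenticated (U).
# Visa, Amex, Discover and JCB use 05/06/07; Mastercard uses 02/01/00.
ECI = {
    "visa": {"Y": "05", "A": "06", "U": "07"},
    "mastercard": {"Y": "02", "A": "01", "U": "00"},
}
for _brand in ("amex", "discover", "jcb"):
    ECI[_brand] = ECI["visa"]

# Authorize.net sandbox test card number; expiry and CVV are constructed.
TEST_CARD = {"number": "4111111111111111", "exp": "2030-12", "cvv": "123"}


def build_authnet_request(api_login: str, txn_key: str, amount: float,
                          card: dict, threeds: dict,
                          sca_required: bool = True) -> dict:
    """Build a createTransactionRequest that carries the 3DS result.

    `threeds` is the outcome returned by the 3DS provider: {"brand", "status",
    "cavv"}; that shape is an assumption of this example. The checks refuse
    to submit an authorisation the 3DS result does not support.
    """
    brand, status, cavv = threeds["brand"], threeds["status"], threeds.get("cavv")
    if status == "N":
        raise ValueError("3DS authentication failed: do not authorise")
    if status == "Y" and not cavv:
        raise ValueError("authenticated result without a CAVV: treat as invalid")
    if status in ("A", "U") and sca_required:
        raise ValueError(f"3DS status {status} does not satisfy SCA")
    txn = {
        "transactionType": "authCaptureTransaction",
        "amount": f"{amount:.2f}",
        "payment": {"creditCard": {"cardNumber": card["number"],
                                   "expirationDate": card["exp"],
                                   "cardCode": card["cvv"]}},
    }
    if cavv:  # Y, or A where the attempts server issued a CAVV
        txn["cardholderAuthentication"] = {
            "authenticationIndicator": ECI[brand][status],
            "cardholderAuthenticationValue": cavv,
        }
    return {"createTransactionRequest": {
        "merchantAuthentication": {"name": api_login, "transactionKey": txn_key},
        "transactionRequest": txn,
    }}


if __name__ == "__main__":
    result = {"brand": "visa", "status": "Y", "cavv": "constructed-cavv-value"}
    print(json.dumps(build_authnet_request("api-login", "txn-key", 19.99,
                                           TEST_CARD, result), indent=2))
```

The sca_required flag is the knob for the one-leg-out uncertainty discussed earlier: a merchant serving EU cardholders sets it so that an attempted-only or unavailable result is not silently authorised as if SCA had happened.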

 

 

For all other payment integrations, check Magento Marketplace Payment Integration extensions and check with your payment provider for what their recommendations are for supporting the PSD2 SCA requirements.

 

In addition, to avoid duplicating efforts, future Magento versions will deprecate and remove the following core integrations in favor of the official payment integrations available on the Marketplace: CyberSource, Authorize.net, eWay, and Worldpay. The official integrators work closely with vendors around the world to provide the most up-to-date features in free official payment extensions.

12 Comments
nbennett25
Senior Member

We have several clients using v2.2.x and Auth.net - CardinalCommerce does not provide a Magento 2 module, so any integration with their platform will need to be custom built.

 

Is there a timeline for the release of v2.3.3 that will provide the functionality? If 2.3.3 is not available before 9/14/19, will there be a patch available for the v2.2.x version of the Auth.net module?

LPiccini
Senior Member

About PayPal for Magento 1, I need to get more information about the SCA regulation:

1. in the document here above it seems that there is no intervention needed

2. in the email that the enterprise customer received, it seems necessary to use the Braintree official plugin or to upgrade Magento to the 2.3.X version.

 

Which one is the right choice for Magento 1?

 

isentiabov
Adobe Team

@nbennett25, It depends on the type of Authorize.net integration which you use. The CardinalCommerce support will be provided for the Authorize.net AcceptJs integration in the next upcoming releases 2.3.3 and 2.2.10; Authorize.net Direct Post won't have any additional 3-D Secure integration as it is deprecated.

 

Unfortunately, I can't provide any ETA about the releases date. But 2.3-develop branch already contains the integration with CardinalCommerce.

isentiabov
Adobe Team

@LPiccini 3DS 1.0 is supported by PayPal: https://www.paypal.com/uk/webapps/mpp/3dsecure-faqs. When and/or where the use of 3DS 2.0 is required, merchants will either need to replace PayPal with Braintree or upgrade to Magento 2.3.x.

Juli4ka
Occasional Visitor

What about the PayPal Plus module? It is installed separately in the Magento 2 shop. And what should we do with the Amazon Payments module?

jwittorf
Occasional Contributor

@isentiabov so in Magento 1 the default PayPal integrations for standard and express checkout will work without updating or changing anything within the Magento software/files or backend/configuration?

 

"Yes", "no" or "yes but maybe in the future when (...)" ?

 

Edit: I've gotten this response from PayPal so I would answer my own question with a plain "Yes":

 

For PayPal transactions – standard and express, no changes are needed. For both these products, the user is already redirected to a PayPal property which is where PayPal is able to perform strong customer authentication (SCA) of the user. Some of your questions may be due to Debit/Credit Card Payments, which also require SCA but when these payments are hosted by the merchant 3DS needs to invoked so the Cardholder can be redirected to the Card Issuer’s property where SCA can be performed. It is true that many merchants or their partners are having to build/support 3DS for card payments and this due to 3DS being the mechanism for a Card Issuer to complete SCA of their cardholder but this is not the case for PayPal.

 

PayPal Plus does give you the ability to accept cards as well. For this product, the user is also redirected to PayPal where we can redirect the Cardholder to their Issuer’s 3DS experience when required.

 

As PayPal manage/host these payment experiences we are able to complete any SCA requirements.

james_lazos
Occasional Visitor

Here's an idea, make that chart understandable to all? The arrow that turns back onto the same property, what does that even mean? Who makes these charts? And explanations?

isentiabov
Adobe Team

@Juli4ka PayPal Plus and Amazon Payments are 3rd party extensions and you need to contact their support to clarify any possible effects of the upcoming 3-D Secure changes.

isentiabov
Adobe Team

@james_lazos these charts are UML sequence diagrams and the turn-back arrow shows that an action is performed by the same entity (actor). Could you clarify what exactly is not clear for you on these diagrams?

dc_brian
Occasional Contributor

I still don't see any update for magento 1 users who use authorize.net....

 

What do we do?

revisionmil
Senior Member

What should we do if we are on Magento 2.1.12 and use Authorize.net? It looks like the Auth.net solution is for customers on 2.3. Thanks!

Flipmedia
Occasional Contributor

The new rules from the EU will not be implemented by September 14th, no one is ready : https://www.fca.org.uk/news/press-releases/fca-agrees-plan-phased-implementation-strong-customer-aut...

"The FCA has today agreed an 18-month plan to implement SCA with the e-commerce industry of card issuers, payments firm and online retailers. The plan reflects the recent opinion of the European Banking Authority (EBA) which set out that more time was needed to implement SCA given the complexity of the requirements, a lack of preparedness and the potential for a significant impact on consumers.”

Having checked, Braintree is ready and supports 3DS V2 and 3DS V1, with the latter used if the former is not supported by the card provider. This is in place now and is ready for the 14th.