Why do we need EMV 3D Secure?

Why do we need a new 3D Secure?

Strong Customer Authentication and PSD2

To better understand the importance of a new version of 3D Secure, we first need to understand what Strong Customer Authentication (SCA) and the PSD2 regulation are.

SCA is introduced as part of PSD2 and will become effective in Europe from 14 September 2019. This new European regulatory requirement aims to reduce fraud and make online payments more secure. To achieve this, an additional authentication step is introduced in the checkout flow, which requires the use of at least two of the following three elements.

SCA Elements

When is SCA applicable?

The main criteria for applying SCA depend on the transaction type and on the location of the merchant and cardholder.

Depending on the transaction type

SCA is applicable to customer-initiated transactions, when the customer is present. For obvious reasons, SCA cannot be applied to merchant-initiated transactions, and this includes recurring subscriptions and unscheduled transactions.

Depending on the location

When both the merchant and the shopper are located in the European Economic Area (EEA), SCA must be applied. Regardless of Brexit, it will probably be applicable in the UK as well.

For merchants that are not located in Europe but have a large customer base there, the industry expects an impact on traffic. Indeed, most issuers will adopt SCA even where it is not legally required, to protect themselves from fraudulent transactions.

PSD2 Exemptions

Apart from the categories mentioned in the previous sections, the PSD2 regulation clearly defines a set of possible transaction exemptions that the merchant can leverage to reduce the impact on traffic and the acceptance rate. These exemptions are:
  • Merchant whitelist
  • Low-risk transactions
  • Low-value transactions
  • MOTO transactions
  • Corporate cards
  • Merchant initiated
PSD2 exemptions are a wide topic; to know more, please refer to our article about it.

How to strongly authenticate a payment today...

Nowadays it is already possible to have SCA for payment transactions.

For credit card transactions, issuers can already implement SCA on their 3D Secure version 1 page, and this will meet the PSD2 requirements. Many issuers already did this in preparation, and it is already possible to complete a 3D Secure session via OTP or other means. The expectation from the industry is that there will not be a clear cut-off between 3D Secure and EMV 3D Secure in September 2019. The two versions will coexist for months until all the systems and parties involved are migrated. In the meantime, PSD2 will be fulfilled via 3D Secure version 1.

PSD2 applies to all online payments, not only credit cards. Alternative payment methods will take care of this directly by introducing, for example, two-factor authentication or another authentication method.

Mobile wallets like Apple Pay and Google Pay are already PSD2 compliant because SCA is executed before the payment is submitted. Normally this is achieved via biometric authentication (something the shopper is) on the mobile device (something the shopper has).

...and in the future?

But if we can already have SCA, why do we really need EMV 3D Secure?

Because the standard was defined as the best way to fulfill the requirements for PSD2. For example, the protocol itself provides a mechanism to implement the exemptions for the merchant.


In short, EMV 3D Secure:
  • offers a better user experience minimizing the impact on conversion rates
  • offers a built-in mechanism for the PSD2 exemptions
  • ensures the liability shift for the merchant even for the frictionless workflow
  • embeds native mobile integrations into the standard
If you want to know more about how EMV 3D Secure is implemented via the Open Payment Platform, check our article.