Strong Customer Authentication (PSD2)

New regulation is changing online payments in Europe


What is changing?

On September 14, 2019, a new requirement for all online payments is being introduced in the EU: all online card payments must be verified by the consumer, and only a few types of payments are exempt. This verification requirement is known as Strong Customer Authentication (SCA). The SCA mandate is a legal requirement and part of the EU regulation called PSD2 (Payment Services Directive 2), which aims to harmonize European payments and ensure that consumers are protected.

An online transaction is defined as having gone through SCA if at least two of the following three factors have been provided by the consumer:

  • Knowledge: Something only the user knows, e.g. a password or a PIN code.
  • Possession: Something the user has, e.g. mobile device or a token.
  • Inherence: Something the user is, e.g. biometric markers such as facial recognition or fingerprints.

For Visa and Mastercard transactions, SCA is facilitated through 3D Secure. In the 3D Secure process, the consumer is often requested to perform an action to confirm that they are making the transaction. For American Express transactions the equivalent authentication service is known as SafeKey and for Dankort transactions it is Dankort Secured by Nets.


What do I need to do?

Make sure your integration with Netaxept is PSD2 SCA compliant. Not being compliant can result in transactions being declined and in disruption to your business.

  1. Activate 3D Secure (and equivalent services) for your business, both browser sales channels and mobile applications, if not already done. Contact Netaxept Customer Support for your country for activation.
  2. Ensure your payment flow is correctly set up and that your API integration supports SCA where necessary. See the most common business scenarios below.

Activate 3D Secure

3D Secure is no longer optional, so you need to activate 3D Secure (and equivalent) authentication for your online business: both browser sales channels and mobile applications. Call centre business is out of scope and no action is required there. We generally recommend activating 3D Secure and equivalent well in advance of the PSD2 SCA activation date, so that any issues in your payment flows are discovered while there is still time to fix them before the deadline. Testing of authentication services must be executed in the production environment with production credentials; the 3D Secure flow cannot be tested in the Netaxept test environment.

We are in the process of integrating EMV 3DS (3DS 2) into Netaxept. More information will follow in Q4/2019. Whether EMV 3DS or 3DS 1.0 is used does not matter unless you have a native mobile application or similar: in both cases the consumer is redirected to the Issuer's page, where two-factor authentication is done (if the Issuer decides to step up). Even when the new version is in place, some transactions will be routed to the old version if the new version is not supported by the Issuer. Because of this, native mobile applications may need to check how the app handles switching to 3D Secure authentication, for example to the Mobile Bank-ID application or Tupas authentication.

For merchants using the Nets in-app SDK, the 3D Secure authentication is handled by the SDK, which lets your app load a framed webview of the 3D Secure authentication page as defined by each card-issuing bank. The SDK can also switch to third-party authentication apps such as Mobile Bank-ID in Sweden. This avoids a redirection to an external browser and improves the user experience. However, the authentication page can then look different from one bank to another or from one mobile platform to another (iOS or Android).

Update your API integration to support SCA

How you need to apply SCA to your business will vary based on your current payment flow and the integration you have with Netaxept. Below you can find the instructions for the most common scenarios. Where SCA is required, ensure that 3D Secure and equivalent authentication methods are activated and used for that part of the payment flow.

In order to know whether a transaction is required to go through SCA, you need to identify whether it is initiated by the cardholder (consumer) or by the merchant:

  • A cardholder-initiated transaction (CIT) is a transaction where the consumer plays an active role in initiating the transaction. CIT transactions are required to go through SCA.
  • A merchant-initiated transaction (MIT) is a transaction where the consumer plays no active role. Instead, the MIT transaction is initiated by the merchant based on an agreement between the customer and the merchant, and as such it is exempt from SCA. When evaluating whether your transactions can be marked as MIT, please be advised that if a transaction can be seen as preceded by a specific action of the consumer, it should be considered a CIT and not an MIT transaction.

If you currently process recurring payments (recurringType=R) in your business, ensure these are compliant with the new definition of recurring payments based on the European Banking Authority's (EBA) RTS (Regulatory Technical Standards). Merchant-initiated subsequent payments that do not occur on a scheduled or regularly occurring transaction date should be flagged as "Unscheduled Credential on File" instead of "Recurring". We are working to make sure Netaxept supports the needed capabilities and will shortly inform you about the changes needed.


NOTE! When updating your API integration, please be advised that 3D Secure and equivalent authentication services cannot be tested in Netaxept's test environment, so it is highly recommended to execute proper testing in the production environment before going live.

For each business model below, the scenario, whether SCA is required, and the implications for your integration are listed.

Business model: One-time online payment
Scenario: Customer enters card details in the terminal and pays for the purchase. Card details are not saved.
SCA required? Yes, this is CIT.
Implications: Ensure 3D Secure is activated on every transaction.
  • No API changes needed. Netaxept redirects the customer automatically to authentication after card details are entered.

Business model: Easy payment (card details saved for faster checkout, CVV/CVC entry)
Scenario:
  1. Customer saves card details for faster checkout next time. The transaction can be an account verification or an actual purchase.
  2. Returning customer pays with the saved card and enters CVV/CVC in the terminal.
SCA required? Yes, both 1 and 2 are CIT.
Implications: Ensure 3D Secure is activated on every transaction.
  • 1. Initial: No API changes needed. Netaxept redirects the customer automatically to authentication after card details are entered.
  • 2. Subsequent: To get SCA triggered, send serviceType=B or serviceType=M (depending on your current setup) and recurringUse3DS=true with the Register call on every subsequent transaction, and perform the Terminal call after the Register call.

Business model: Easy payment (card details saved for faster checkout, no CVV/CVC entry; permission from the acquirer required)
Scenario:
  1. Customer saves card details for faster checkout next time. The transaction can be an account verification or an actual purchase.
  2. Returning customer pays with the saved card without being directed to the terminal.
SCA required? Yes, both 1 and 2 are CIT.
Implications: Ensure 3D Secure is activated on every transaction.
  • 1. Initial: No API changes needed. Netaxept redirects the customer automatically to authentication after card details are entered.
  • 2. Subsequent: To get SCA triggered but CVV/CVC bypassed, send serviceType=M and recurringUse3DS=true with the Register call on every subsequent transaction, and perform the Terminal call after the successful Register call.

Business model: Recurring payments (card details saved for subscription payments made by the merchant at the same frequency, for example gym memberships)
Scenario:
  1. Customer saves card details for subsequent charges. The transaction can be an account verification or an actual purchase.
  2. Merchant charges the saved card on a regular basis according to the agreement made with the customer.
SCA required?
  1. Yes, this is CIT.
  2. No, this is MIT.
Implications: Ensure 3D Secure is activated on the initial transaction.
Existing recurring payments (i.e. those set up before 14 September) do not need SCA and can continue as they are today. New recurring payment agreements set up with customers after 14 September need SCA when the agreement/subscription is created.
  • 1. Initial: No API changes needed. Netaxept redirects the customer automatically to authentication after card details are entered.
  • 2. Subsequent: No API changes needed. 3D Secure is bypassed.

Business model: Unscheduled Credential on File (card details saved for future payments made by the merchant at non-fixed time intervals, for example automatic account top-ups)
Scenario:
  1. Customer saves card details for later charges. The transaction can be an account verification or an actual purchase.
  2. Merchant charges the saved card on an irregular basis according to the agreement made with the customer.
SCA required?
  1. Yes, this is CIT.
  2. No, this is MIT.
Implications: Ensure 3D Secure is activated on the initial transaction.
Instructions will be added shortly.

Business model: Call centre payment (MOTO, mail order / telephone order)
Scenario: Customer gives card details over the phone and a merchant representative initiates the transaction.
SCA required? No. Call centre transactions are out of scope of SCA.
Implications: No API changes needed. 3D Secure is bypassed.
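To make the decision logic in the table above concrete, here is an added Python example (not Nets' or Netaxept's own code) that maps each business scenario to whether SCA applies and builds the Register-call parameters this page names (serviceType, recurringType, recurringUse3DS). The endpoint URL and the panHash parameter name for the saved card are assumptions for illustration.

```python
from enum import Enum
from typing import Optional

# Assumption: Netaxept Register endpoint and the panHash parameter for a saved card.
# serviceType, recurringType and recurringUse3DS are the parameters this page names.
REGISTER_URL = "https://epayment.nets.eu/Netaxept/Register.aspx"


class Scenario(Enum):
    ONE_TIME = "one-time online payment"
    EASY_WITH_CVV = "easy payment, CVV/CVC entered"
    EASY_NO_CVV = "easy payment, CVV/CVC bypassed (acquirer permission)"
    RECURRING = "recurring payment, fixed schedule"
    UNSCHEDULED_COF = "unscheduled credential on file"
    MOTO = "call centre (MOTO)"


# Scenarios whose subsequent (saved-card) charges are still cardholder-initiated.
CIT_SUBSEQUENT = (Scenario.ONE_TIME, Scenario.EASY_WITH_CVV, Scenario.EASY_NO_CVV)


def sca_required(scenario: Scenario, initial: bool) -> bool:
    """CIT needs SCA; MIT subsequent charges and call-centre payments do not.
    Saving a card (initial=True) is always done by the cardholder, so it is CIT."""
    if scenario is Scenario.MOTO:
        return False
    return initial or scenario in CIT_SUBSEQUENT


def register_params(scenario: Scenario, initial: bool, order_number: str,
                    amount_minor: int, currency: str,
                    pan_hash: Optional[str] = None) -> dict:
    """Parameters to send with the Register call (merchantId/token added by caller).
    For CIT the consumer must then be sent to the Terminal call; for MIT the
    charge proceeds without a terminal redirect, so 3D Secure is bypassed."""
    params = {"orderNumber": order_number, "amount": str(amount_minor),
              "currencyCode": currency}
    if initial or scenario in (Scenario.ONE_TIME, Scenario.MOTO):
        return params  # card entered in the terminal or by call centre: no SCA parameters
    if pan_hash is None:
        raise ValueError("a subsequent charge on a saved card needs its panHash")
    params["panHash"] = pan_hash
    if scenario is Scenario.EASY_WITH_CVV:
        params.update(serviceType="B", recurringUse3DS="true")  # B or M, per your setup
    elif scenario is Scenario.EASY_NO_CVV:
        params.update(serviceType="M", recurringUse3DS="true")
    elif scenario is Scenario.RECURRING:
        params["recurringType"] = "R"  # MIT: no recurringUse3DS, 3D Secure bypassed
    # UNSCHEDULED_COF: the page says instructions will follow, so no flag is set here
    return params
```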


Read more about Easy and Recurring payments

Read the Nets PSD2 overview

Contact Netaxept Customer Support for your country