A new 3D Secure 2.0 directive is coming into effect this September 2019 across the European Union. In this quick guide, we’ll explain the implications of 3DS 2.0 for businesses accepting card payments online, what it is, what it means, and how best to prepare.
What is Payment Services Directive 2 (PSD2)
PSD2 is an EU Directive which sets requirements for firms that provide payment services, and will affect banks and building societies, payment institutions, e-money institutions and their customers. As well as promoting innovation, PSD2 aims to improve consumer protection, make payments safer and more secure, and drive down the costs of payment services.
What is 3D Secure 2.0 (3DS 2.0)
3DS 2.0 is a new standard introduced by EMVCo and the major credit card payment providers (e.g. Visa, Mastercard). It brings a new and better approach to authentication ultimately leading to a much improved user experience online. According to Visa:
The new 2.0 version of the technology enables a real-time, secure, information-sharing pipeline that merchants can use to send an unprecedented number of transaction attributes that the issuer can use to authenticate customers more accurately without asking for a static password or slowing down commerce.
How are you affected
From September 14th PSD2’s SCA (strong customer authentication) requirements go live in the European Union. Any business with substantial European volume will need to have 3D Secure 2.0 implemented by this date in order to most effectively meet SCA requirements.
If you are taking card payments online, you will need to have 3D secure enabled. You will also need to make sure that your payment service provider (PSP) will be ready and Live with 3D Secure 2.0.
In order to support the new 3DS 2.0 process, your payment provider(s) will be working on adding in 3D Secure 2.0 to their solutions. From speaking to some of these recently they are already in the final stages of testing. They must ensure that their payment gateway extensions are up to date. Most will be rolling out their updated extensions during the summer months.
What you need to do next
If you take payments online then you will most likely have an individual contract with all your payment service providers. You should have an account manager or support contact. You need to contact them and ask for an update on 3DS 2.0. For example if you are using Magento, you can word something like this:
In preparation for 3DS 2.0 this September, can you please give us an update on how you are progressing with this? Will we actually need to install a newer version of the payment gateway extension on our website? If yes, when can it be downloaded and installed? Are there any major feature or option changes that we need to be aware of? If our current Admin Panel settings are no longer valid or deprecated we need to be aware of this as soon as possible. Can you provide a test plan for internal testing on our UAT/Staging environment please?
Again, from speaking and working with some of the mainstream payment gateways, it is extremely unlikely that any existing settings will change. That’s good news indeed 🙂
What Yemora will need to do next
Almost all payment gateway extensions will need to be updated. Some PSPs write their own platform extensions. Some use external third party extension providers. Yemora will source the correct updated extension, install, test and deploy it for you. This will be done by our client services team.
Note: Testing will be extremely important here. It is essential to test all elements of the payment gateway e.g. refunds. Taking payments smoothly and efficiently is the most important part of the checkout process.
Why we need to act now
Should you be in the unlikely situation where your payment service provider will not be ready for 3DS 2.0, we need to assess what to do next as soon as possible. Moving to another payment gateway can take some time to get up and running.
We hope you find this helpful. Monsoon is currently working with customers and partners to support them with 3DS 2.0 planning in advance of the 14 September 2019 European Banking Authority deadline. For further information, contact us here.
For reference online there are quite a few excellent articles provided by the payment gateways themselves. Here are some examples:
https://www.adyen.com/blog/3d-secure-20-a-new-authentication-solution
https://www.braintreepayments.com/blog/ready-for-3d-secure-2-0/
Other references:
