Only tailored advice turns products into solutions. With Worldline, you can unlock the potential of your online shop - with a secure and easy payment solution.
Here you will find everything you need to know about e-commerce as well as help for getting started with Saferpay.
These great companies trust our reliable and efficient payment service. You can rely on us too.
Offer your customers the maximum possible level of security. Because security establishes trust and your customers should have a good feeling about their online payments. Together with the credit card organizations, we set the highest standards, such as PCI DSS, 3-D Secure 2 and strong customer authentication, which allow you to sell securely online or by mail order. At the same time, we offer you the necessary protection against payment defaults.
PCI DSS (Payment Card Industry Data Security Standard) is the global security standard for international credit card organisations. With our payment solution Saferpay, you can process all e-commerce credit card data securely in compliance with PCI DSS. The card data is captured within the Saferpay Payment Page or the Hosted Forms and is not processed, transmitted or stored in your systems. You thus benefit from maximum security and minimal effort to confirm your compliance with PCI DSS. Saferpay is subject to the PCI DSS guidelines and has been awarded PCI security certification.
Security at Worldline is not just a promise. Whether it’s in retail, e-commerce or m-commerce - all the payment solutions from Worldline are subject to the international rules of the Payment Card Industry Security Standards Council (PCI SSC) and the EMV security standard and are 3-D Secure.
Online merchants, acquirers, card issuers and customers are facing a new challenge in e-commerce: The Regulatory Technical Standards (RTS) within the framework of the Second EU Payment Services Directive (PSD2) came into effect on 14 September 2019. These standards require strong customer authentication (also known as two-factor authentication) for online payments. To give online retail business more time for implementation, the European Banking Authority (EBA) has granted local regulators across Europe a transitional period until December 31, 2020 to implement strong customer authentication.
To comply with the PSD2 requirement concerning strong customer authentication, the card organisations Visa and Mastercard - together with the technical body EMVCo - have further developed the 3-D Secure security process: 3-D Secure 2 is PSD2-compliant and is valid in EU countries as well as Switzerland. All online merchants must support the new standard.
With the 3-D Secure procedure, cardholders identify themselves in an additional step during online transactions. The new 3-D Secure 2 security standard makes card payments in e-commerce much easier for you and your customers through a broad data spectrum, biometric authentication and an improved standardised online experience.
Customers no longer have to remember passwords and can easily confirm payments from a mobile app. Customer authentication is fully integrated into the 3-D Secure 2 sales process. Liability for fraudulent transactions is entirely passed on to the card issuer.
3-D Secure 2 relies on a risk-based authentication process and uses additional transaction data to check with merchants and card issuers whether the payment has been initiated by the cardholder and if the payment process should be allowed or aborted. Other factors of strong customer authentication, such as payment habits or fingerprints, are also included in the verification process. Low-risk transactions are identified in what is known as frictionless flow. If genuine customer authentication is not required, the cardholder’s checkout process is seamless.
Please liaise with your solution providers to ensure that the 3-D Secure 2 security standard is properly implemented:
With strong customer authentication, all payment transactions, apart from specific exceptions, are “strongly” secured. To do so, at least two out of the three factors must be used: knowledge, possession or inherence.
A customer wants to buy a pair of shoes in an online shop. He has already entered his card data in the corresponding fields. A short time later, he gets a push notification on his smartphone: The customer must enter the two-factor authentication code (or one-time password) sent by SMS or confirm the purchase in an extra app with a fingerprint.
A short introduction to Europe's new requirements for Strong Customer Authentication
On 14 September 2019, the face of e-commerce in Europe is set to change forever. Nevertheless, merchants, banks and payment service providers must meet the strict requirements of strong customer authentication by December 31, 2020 at the latest. This position paper gives a brief introduction to the Regulatory Technical Standards on Strong Customer Authentication and their impact on the merchant ecosystem. It also explains what merchants will need to do to take full advantage of this regulation.
Not all transactions have to be “strongly” secured by cardholders:
The following are not affected by strong authentication:
The Revised Payment Services Directive (PSD2) is defined by the European Banking Authority and aims at regulating new stakeholders and improving the security of exchanges. Among these rules is the RTS-SCA (Regulatory Technical Standard - Strong Customer Authentication) rule, which requires strong customer authentication as of 14 September 2019.
As the original deadline of September 14, 2019 approached, an increasing number of European countries realised that a large number of their national e-commerce companies and banks would be unable to meet this deadline, which had already been postponed once.
It was estimated that European online shops would lose an average of roughly 20% in revenue if they were unable to meet the deadline on time, and the European Banking Authority (EBA), which is responsible for technical regulatory standards, finally decided to allow a further postponement.
The new and final deadline announced in an EBA statement is December 31, 2020, and the competent national authorities (NCAs) across Europe have announced the postponement to relevant national stakeholders in their respective countries, i.e. banks, PSPs and Internet shops.
However, in order to avoid a situation where the extension of the deadline might induce some parties to take no action until the new deadline is imminent, the EBA – through the national authorities (NCAs) – has requested specific implementation plans pertaining to the SCA from the parties involved as a condition for postponement. In other words, the EBA has ensured that it will not be faced with the same situation again when the next deadline is upon us.
Finally, it is important to stress that merchants and their PSPs should be technically ready by the end of the first half of 2020 at the latest, in order to have sufficient time to test the entire process chain with their acquirers, schemes and issuers. It is probable that there will be different interpretations of the new rules and fine-tuning may take some time, a process that must be completed at the latest before the start of the Christmas shopping season.
As of January 1, 2021, Worldline will no longer process transactions that are not PSD2-compliant.
No, the following payments are excluded: MOTO (Mail Order Telephone Order) type distance selling transactions, payments initiated by the merchant and unrelated to the customer as well as transactions between cardholders or merchant acquirers outside the European economic area are not subject to this RTS-SCA rule.
The aim of Strong Customer Authentication through 3-D Secure 2 is to reduce remote payment fraud, at the same time strongly improving user-friendliness for the cardholder, in particular by providing the issuer (the bank of the cardholder) with more information on the context of the transaction, in order to allow the latter to decide whether it should or should not proceed with Strong Customer Authentication of the cardholder.
The major additions of 3-D Secure 2 are:
Frictionless Flow means a payment transaction without a request for additional authentication. Depending on the context and the information provided in the payment request, the card issuer performs a risk analysis and may decide not to authenticate the transaction. If the Frictionless initiative comes from the issuer then the merchant will benefit from the liability shift. Conversely, if the merchant has done their own risk analysis and requests Frictionless from the issuer, then they will not benefit from the liability shift.
The RTS stipulates 2 exemption options for over-the-counter payments:
The exemption for a contactless transaction can be invoked
➔ If the amount of the transaction does not exceed EUR 50.
➔ If, since the last transaction with Strong Customer Authentication by the cardholder, the maximum amount of contactless transactions, regardless of the merchant, or the number of contactless transactions has not exceeded a maximum (velocity criteria) defined by the RTS-SCA (max EUR 150 or 5 transactions, at the issuer’s discretion, which can also lower these ceilings).
An exemption from Strong Customer Authentication is applied for a series of remote transactions for the same amount to a single beneficiary. However, Strong Customer Authentication is required for the first transaction (the contract) or for each modification of the series conditions.
An exemption from Strong Customer Authentication for a low value remote payment can be invoked:
➔ If the amount of the transaction does not exceed EUR 30.
➔ If, since the last transaction with Strong Customer Authentication of the holder, the maximum amount of low value remote transactions, regardless of the merchant, or the number of low value remote transactions does not exceed a ceiling (velocity criteria) defined by the RTS-SCA (max EUR 100 or 5 transactions, at the issuer’s discretion, which can also lower these ceilings).
The exemption from Strong Customer Authentication for a remote transaction referred to as ‘risk analysis’ can be invoked by the acquirer (on behalf of the merchant) and by the issuer if the following two conditions are met:
➔ That the transaction is declared safe (for example, no infection of the user’s workstation by malware, no abnormal disbursements by the payer, location of the payer, transaction history, etc.).
➔ That the fraud rate (for remote transactions) for the payment establishment (for the acquirer bank and for the issuer bank, but not for the merchant or his PSP) is below preset ceilings:
➩ 0,13% if the amount of the transaction is less than EUR 100.
➩ 0,06% if the amount of the transaction is less than EUR 250.
➩ 0,01% if the amount of the transaction is less than EUR 500.
➩ Exemption not applicable for transactions of over EUR 500.
The exemptions are not routine and even if the conditions for exemption are met, the final decision rests with the issuer (the cardholder’s bank) which may or may not grant it. The Issuer will send a soft decline for the payment leading to a resubmission of the payment requesting Strong Customer Authentication from the cardholder.
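The remote-payment exemption rules and the soft-decline fallback described above can be expressed as a small decision function. This is an added example, not Worldline or Saferpay code; all names (`Txn`, `SinceLastSca`, `candidate_exemption`, `authorise`, the `issuer_accepts` callback) are hypothetical. It assumes the current payment counts toward the low-value velocity ceiling and follows the page's "less than" wording for the risk-analysis bands, so an amount of exactly EUR 500 is treated as not eligible.

```python
from dataclasses import dataclass
from decimal import Decimal as D

# Ceilings quoted on this page (EUR). Issuers may lower the low-value ones.
LOW_VALUE_MAX, LV_CUM_MAX, LV_COUNT_MAX = D("30"), D("100"), 5
# (amount must be less than, fraud rate in % must be below), per the page.
# The fraud rate is that of the acquirer or issuer bank, not of the merchant.
TRA_BANDS = [(D("100"), D("0.13")), (D("250"), D("0.06")), (D("500"), D("0.01"))]

@dataclass
class Txn:
    amount: D                            # EUR
    moto: bool = False                   # mail order / telephone order
    merchant_initiated: bool = False
    recurring_subsequent: bool = False   # same amount and payee, first one had SCA
    declared_safe: bool = False          # outcome of the transaction risk analysis

@dataclass
class SinceLastSca:                      # counters since the cardholder's last SCA
    cumulative: D = D("0")
    count: int = 0

def candidate_exemption(t, hist, fraud_rate_pct, use_count=False):
    """Return the exclusion or exemption that may be requested, or None (SCA)."""
    if t.moto or t.merchant_initiated:
        return "out_of_scope"
    if t.recurring_subsequent:
        return "recurring"
    if t.amount <= LOW_VALUE_MAX:
        # Assumption: the current payment counts toward the velocity ceiling.
        ok = (hist.count + 1 <= LV_COUNT_MAX) if use_count else \
             (hist.cumulative + t.amount <= LV_CUM_MAX)
        if ok:
            return "low_value"
    if t.declared_safe:
        for limit, max_rate in TRA_BANDS:
            if t.amount < limit:         # first matching band sets the ceiling
                return "risk_analysis" if fraud_rate_pct < max_rate else None
    return None

def authorise(t, hist, fraud_rate_pct, issuer_accepts):
    """issuer_accepts(t, exemption) models the issuer's final decision."""
    ex = candidate_exemption(t, hist, fraud_rate_pct)
    if ex == "out_of_scope":
        return "authorised_without_sca"
    if ex and issuer_accepts(t, ex):
        return "authorised_with_exemption:" + ex
    # No exemption, or soft decline: resubmit requesting SCA from the cardholder.
    return "resubmit_with_sca"
```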
The 3-D Secure 2 implementation, which requires changes throughout the electronic payment chain, will be carried out gradually depending on the various payment stakeholders (payment module, merchant banks, networks, issuer banks). We advise you to contact your PSP gateway provider as soon as possible to know if it is already able to support you in implementing 3-D Secure 2.
The end of 3-D Secure 1.0 is announced for December 2020 for Visa and Mastercard.
Worldline as acquirer will not block subsequent payments of an initial transaction that occurred before/during the grace period and will continue to accept the subsequent transactions. For recurring payments conducted after the end of the grace period, Worldline recommends performing SCA for the first transaction and using it as a reference for subsequent transactions in order to keep the same approval rate.
Worldline will not, as the acquirer, block subsequent transactions of an initial transaction that occurred before December 31, and will continue to accept the subsequent transactions. For recurring payments conducted after December 31, Worldline recommends the use of SCA for the first transaction and for subsequent transactions as a reference, in order to keep the same approval rate.
The national regulators supervise the activities of local acquirers and issuers. What matters most for the merchant, however, is the location of his acquirer, because this will determine whether a transition phase could be applied. Furthermore, merchants with international business should look at the regulations of the countries where they are doing business. Indeed, some issuers in Europe will be obliged to support SCA by 14 September. That means that those issuers will probably decline card transactions processed without 3-D Secure.