Pay securely online
Everything you need to know about
PCI DSS, 3-D Secure 2.0 and strong authentication
Offer your customers the highest possible level of security, because security establishes trust and your customers should feel confident about paying online. Together with the card schemes we apply the relevant standards, such as PCI DSS, 3-D Secure 2.0 and strong customer authentication, so that you can sell securely online or by mail order. At the same time, we offer you the necessary protection against payment defaults.
PCI DSS (Payment Card Industry Data Security Standard) is the global security standard, defined by the international card schemes, for every organisation that stores, processes or transmits cardholder data. With our payment solution Saferpay, you can process all e-commerce credit card payments in compliance with PCI DSS: the card data is captured within the Saferpay Payment Page or the Hosted Forms and is never processed, transmitted or stored in your own systems. This keeps your systems out of the scope that handles card data, so you get maximum security with minimal effort to confirm your own PCI DSS compliance. Saferpay itself is assessed against PCI DSS and holds PCI security certification.
Security for cashless payments
Security at SIX Payment Services is not just a promise. Whether in retail, e-commerce or m-commerce, all payment solutions from SIX Payment Services are subject to the international rules of the Payment Card Industry Security Standards Council (PCI SSC) and the EMV security standard, and they support 3-D Secure.
Online merchants, acquirers, card issuers and customers are facing a new challenge in e-commerce: the Regulatory Technical Standards (RTS) under the Second EU Payment Services Directive (PSD2) came into effect on 14 September 2019. They require strong customer authentication (a form of two-factor authentication) for online payments.
In order to give online retail businesses more time for the implementation process, the European Banking Authority (EBA) has now granted local regulators the option of setting a transition period for implementing strong customer authentication. This transition period has already come into effect in countries such as Belgium, Germany, Great Britain, Italy, Luxembourg, the Netherlands and Austria. The duration of the transition period will be announced by the local supervisory authorities in the course of the fourth quarter of 2019.
3-D Secure 2.0
To meet the PSD2 requirement for strong customer authentication, the card schemes Visa and Mastercard, together with the technical body EMVCo, have further developed the 3-D Secure protocol: 3-D Secure 2.0 supports the PSD2 authentication requirements and applies in EU countries as well as in Switzerland. All online merchants must support the new standard.
With the 3-D Secure procedure, cardholders authenticate themselves to their card issuer in an additional step during an online transaction. The 3-D Secure 2.0 standard makes card payments in e-commerce much easier for you and your customers: it passes a much richer set of transaction data to the issuer, allows biometric authentication and provides a standardised online experience.
Customers no longer have to remember static passwords and can confirm payments from their issuer's mobile app. Customer authentication is fully integrated into the 3-D Secure 2.0 checkout flow. For transactions authenticated with 3-D Secure, liability for fraud-related chargebacks shifts from the merchant to the card issuer.
3-D Secure 2.0 relies on risk-based authentication: the merchant sends additional transaction data (device, shipping, account history and similar fields) to the card issuer, whose risk engine assesses whether the payment was really initiated by the cardholder and whether it should be approved, challenged or declined. Behavioural signals such as the cardholder's payment habits feed into this assessment, and where a challenge is needed it can use a strong factor such as a fingerprint. Low-risk transactions are handled in what is known as the frictionless flow: no challenge is shown and the cardholder's checkout is seamless; only higher-risk transactions are challenged.
Your 3-D Secure 2.0 benefits
- Smooth payment process (frictionless flow)
- Increase your conversion rate
- Fewer payment disruptions thanks to risk-based authentication
- Full integration into web shops and apps
- Intelligent fraud detection mechanisms to reduce credit card fraud
Strong customer authentication
With strong customer authentication, all payment transactions, apart from specific exemptions, are "strongly" secured. This requires at least two of the three factor categories: knowledge (something only the customer knows), possession (something only the customer has) or inherence (something the customer is). The two factors must be independent, so that compromising one does not compromise the other; two factors from the same category do not count.
Example: a customer wants to buy a pair of shoes in an online shop and has already entered their card data in the corresponding fields. Shortly afterwards they are asked to authenticate: either by entering a one-time password sent by SMS to their registered phone (possession), or by confirming the purchase in their issuer's app with a fingerprint (inherence) on that device (possession).
Safer online payments made simple
A short introduction to Europe's new requirements for Strong Customer Authentication
On 14 September 2019, e-commerce in Europe changed for good. Even though most European regulators have granted a transition period, that period is temporary, and merchants, banks and payment service providers must become compliant with the strong customer authentication requirements quickly.
This position paper gives a brief introduction to the Regulatory Technical Standards on Strong Customer Authentication and their impact on the merchant ecosystem. It also explains what merchants need to do to take full advantage of the regulation.
Not all transactions have to be “strongly” secured by cardholders:
| Low-value payments | Recurring payments | Whitelisting | Low risk |
|---|---|---|---|
| Payments up to EUR 30, as long as the total since the last strong authentication stays within EUR 100 or five consecutive payments. | From the second payment of a series to the same payee for the same amount; the first payment is strongly authenticated. | The cardholder adds trusted merchants to a whitelist held by the card issuer. | Transaction risk analysis, for amounts within defined thresholds. |
The following are out of scope of the strong customer authentication requirement:
- Anonymous prepaid cards
- Mail order and telephone orders (MOTO transactions)
- Interregional / "one leg" transactions, where the issuer or the acquirer is outside the EEA
- Transactions initiated by the payee (merchant-initiated transactions)
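As an added worked example (not Saferpay code and not part of the original page), the following toy decision routine puts the two-factor rule and the exemption table above into one place: it checks that a set of presented factors spans two distinct categories, then walks through the out-of-scope cases and the exemptions for a sequence of payments on one card, keeping the per-card counters that the low-value exemption depends on. Thresholds are those listed on the page; the assumptions are that amounts are in EUR, that every exempted payment counts towards the low-value counters and that any strong authentication resets them, that the low-value exemption requires both the cumulative and the count condition, and that the `risk_score` and `tra_threshold` inputs stand in for a risk engine and the acquirer's transaction-risk-analysis threshold, which the page does not specify.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Iterable, List, Set, Tuple


class Factor(Enum):
    KNOWLEDGE = "knowledge"    # something only the customer knows (password, PIN)
    POSSESSION = "possession"  # something only the customer has (registered phone, card)
    INHERENCE = "inherence"    # something the customer is (fingerprint, face)


def is_strong(factors: Iterable[Factor]) -> bool:
    """SCA needs at least two *distinct* categories; password + PIN is not SCA."""
    return len(set(factors)) >= 2


# Limits as listed on the page (EUR).
LOW_VALUE_LIMIT = 30.0
LOW_VALUE_CUMULATIVE_LIMIT = 100.0
LOW_VALUE_MAX_COUNT = 5


@dataclass
class Transaction:
    amount: float
    merchant_id: str
    channel: str = "ecommerce"     # "ecommerce" or "moto"
    recurring: bool = False        # part of a fixed-amount series to the same payee
    payee_initiated: bool = False  # merchant-initiated transaction
    anonymous_prepaid: bool = False
    one_leg: bool = False          # issuer or acquirer outside the EEA
    risk_score: float = 1.0        # 0.0 = lowest risk; hypothetical risk-engine output


@dataclass
class CardholderState:
    """Counters the issuer keeps per card between two applications of SCA."""
    cumulative_since_sca: float = 0.0
    count_since_sca: int = 0
    whitelisted_merchants: Set[str] = field(default_factory=set)
    recurring_series: Dict[str, float] = field(default_factory=dict)  # merchant -> amount


def sca_decision(tx: Transaction, state: CardholderState,
                 tra_threshold: float = 0.0, tra_max_risk: float = 0.2) -> Tuple[bool, str]:
    """Return (needs_sca, reason) and update the card's counters.

    Out-of-scope cases are checked first and leave the counters untouched;
    exemptions add to the counters; an SCA resets them (modelling assumption).
    """
    def exempt(reason: str) -> Tuple[bool, str]:
        state.cumulative_since_sca += tx.amount
        state.count_since_sca += 1
        return False, reason

    def authenticate(reason: str) -> Tuple[bool, str]:
        state.cumulative_since_sca = 0.0
        state.count_since_sca = 0
        if tx.recurring:  # first payment of a series is SCA'd and fixes the amount
            state.recurring_series[tx.merchant_id] = tx.amount
        return True, reason

    if tx.anonymous_prepaid:
        return False, "out of scope: anonymous prepaid card"
    if tx.channel == "moto":
        return False, "out of scope: mail order / telephone order"
    if tx.one_leg:
        return False, "out of scope: one-leg transaction"
    if tx.payee_initiated:
        return False, "out of scope: initiated by the payee"

    if tx.recurring and state.recurring_series.get(tx.merchant_id) == tx.amount:
        return exempt("exemption: recurring payment, same payee and amount")
    if tx.merchant_id in state.whitelisted_merchants:
        return exempt("exemption: payee on the cardholder's whitelist")
    if (tx.amount <= LOW_VALUE_LIMIT
            and state.cumulative_since_sca + tx.amount <= LOW_VALUE_CUMULATIVE_LIMIT
            and state.count_since_sca < LOW_VALUE_MAX_COUNT):
        return exempt("exemption: low value")
    if tx.amount <= tra_threshold and tx.risk_score <= tra_max_risk:
        return exempt("exemption: low risk (transaction risk analysis)")
    return authenticate("SCA required")


def demo() -> List[Tuple[float, bool, str]]:
    """Constructed payment sequence for one card (sample data, not real traffic)."""
    state = CardholderState(whitelisted_merchants={"books-shop"})
    sequence = [Transaction(25.0, "shoe-shop") for _ in range(6)]   # 5th one breaks EUR 100
    sequence += [
        Transaction(80.0, "gym", recurring=True),                    # first of a series: SCA
        Transaction(80.0, "gym", recurring=True),                    # second: exempt
        Transaction(500.0, "books-shop"),                            # whitelisted payee
        Transaction(1000.0, "call-centre", channel="moto"),          # out of scope
        Transaction(60.0, "shoe-shop", risk_score=0.05),             # TRA exemption
    ]
    return [(tx.amount, *sca_decision(tx, state, tra_threshold=100.0)) for tx in sequence]


if __name__ == "__main__":
    for amount, needs_sca, reason in demo():
        print(f"{amount:8.2f}  {'SCA' if needs_sca else '   '}  {reason}")
```

Note the ordering: the fifth EUR 25 payment is refused the low-value exemption not because of its own amount but because the cumulative counter would exceed EUR 100, and the strong authentication that follows resets the counter so the sixth payment is exempt again. The recurring exemption likewise only applies once the first payment of the series has been strongly authenticated and its amount recorded.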