Pay securely online

Customers no longer have to remember passwords and can easily confirm payments from a mobile app. Customer authentication is fully integrated into the 3-D Secure 2 sales process. Liability for fraudulent transactions is entirely passed on to the card issuer.

3-D Secure 2 relies on a risk-based authentication process and uses additional transaction data to check with merchants and card issuers whether the payment has been initiated by the cardholder and if the payment process should be allowed or aborted. Other factors of strong customer authentication, such as payment habits or fingerprints, are also included in the verification process. Low-risk transactions are identified in what is known as frictionless flow. If genuine customer authentication is not required, the cardholder’s checkout process is seamless.

• Smooth payment process (frictionless flow)
• Increase your conversion rate
• Fewer payment disruptions thanks to risk-based authentication
• Full integration into web shops and apps
• Intelligent fraud detection mechanisms to reduce credit card fraud

Please liaise with your solution providers to ensure that the 3-D Secure 2 security standard is properly implemented:

• Please contact your payment service provider with respect to the technical integration of the new security standard.
• Please ensure that your web shop provider supports integration through the payment service provider (the interface between your payment service provider and your web shop may have to be updated or otherwise adjusted).
• For customer-friendly, risk-based authentication, 3-D Secure 2 uses 10 times more cardholder or web shop data - thus enabling more checkpoints and lower fraud rates. This data also includes personal data such as the name of the cardholder, phone number, e-mail address, IP address, invoice address and delivery address. We therefore recommend that you expand your data protection declaration in accordance with the General Data Protection Regulation (GDPR).
• Please also replace Mastercard SecureCode logos and names stored in your web shop with Mastercard Identity Check and those referring to Verified by Visa with Visa Secure.
• Are you a Worldline customer and do you use Saferpay in your web shop? Find out from our FAQs page whether you have to do anything.

• Aren’t you using 3-D Secure? Then you are not PSD2-compliant. Please contact our specialists and let them advise you on the necessary steps for implementing 3-D Secure 2.

The Revised Payment Services Directive (PSD2) is defined by the European Banking Authority and aims at regulating new stakeholders and improve the security of exchanges. Among these rules is the RTS-SCA (Regulatory Technical Standard - Strong Customer Authentication) rule which requires strong customer authentication as of 14 September 2019.

As the original deadline of September 14, 2019 approached, an increasing number of European countries realised that a large number of their national e-commerce companies and banks would be unable to meet this deadline, which had already been postponed once.

It was estimated that European online shops would lose an average of roughly 20% in revenue if they were unable to meet the deadline on time, and the European Banking Authority (EBA), which is responsible for technical regulatory standards, finally decided to allow a further postponement.

The new and final deadline announced in an EBA statement is December 31, 2020, and the competent national authorities (NCAs) across Europe have announced the postponement to relevant national stakeholders in their respective countries, i.e. banks, PSPs and Internet shops.

However, in order to avoid a situation where the extension of the deadline might induce some parties to take no action until the new deadline is imminent, the EBA – through the national authorities (NCAs) – has requested specific implementation plans pertaining to the SCA from the parties involved as a condition for postponement. In other words, the EBA has ensured that it will not be faced with the same situation again when the next deadline is upon us.

Finally, it is important to stress that merchants and their PSPs should be technically ready by the end of the first half of 2020 at the latest, in order to have sufficient time to test the entire process chain with their acquirers, schemes and issuers. It is probable that there will be different interpretations of the new rules and fine-tuning may take some time, a process that must be completed at the latest before the start of the Christmas shopping season.

As of January 1, 2021, Worldline will no longer process PSD2-incompliant transactions.

No, the following payments are excluded: MOTO (Mail Order Telephone Order) type distance selling transactions, payments initiated by the merchant and unrelated to the customer as well as transactions between cardholders or merchant acquirers outside the European economic area are not subject to this RTS-SCA rule.

The aim of Strong Customer Authentication through 3-D Secure 2 is to reduce remote payment fraud, at the same time strongly improving user-friendliness for the cardholder, in particular by providing the issuer (the bank of the cardholder) with more information on the context of the transaction, in order to allow the latter to decide whether it should or should not proceed with Strong Customer Authentication of the cardholder.

The major additions of 3-D Secure 2 are:

• Smoother and more integrated customer experience, especially for mobile applications.
• New authentication methods of the cardholder bank side.
• Management of exemptions and Frictionless.

1. If you are already using 3-D Secure 1.0 for all your transactions, moving to 3-D Secure 2 will allow some of your transactions to go frictionless. This will increase your conversion rate while keeping you safe about fraud.
2. If you are not using 3-D Secure 1.0 at all (“SSL” transactions only) or you are using it partially (dynamic 3-D Secure), implementing 3-D Secure 1.0 or 3-D Secure 2 is anyway mandatory to comply with the principle of SCA. Else, you can expect a lot of non-3-D Secure transactions declined by the issuers. 3-D Secure 2 will provide you with a better conversion rate than 3-D Secure 1.0.

Frictionless Flow means a payment transaction without a request for additional authentication. Depending on the context and the information provided in the payment request, the card issuer performs a risk analysis and may decide not to authenticate the transaction. If the Frictionless initiative comes from the issuer then the merchant will benefit from the liability shift. Conversely, if the merchant has done their own risk analysis and requests Frictionless from the issuer, then they will not benefit from the liability shift.

The RTS stipulates 2 exemption options for over-the-counter payments:

• Low value contactless transactions

The exemption for a contactless transaction can be invoked

➔ If the amount of the transaction does not exceed EUR 50.
➔ If, since the last transaction with Strong Customer Authentication by the cardholder, the maximum amount of contactless transactions, regardless of the merchant, or the number of contactless transactions has not exceeded a maximum (velocity criteria) defined by the RTS-SCA (max EUR 150 or 5 transactions, at the issuer’s discretion, which can also lower these ceilings).

• Transactions on unattended terminal for parking or transport

• Recurring transactions

An exemption from Strong Customer Authentication is applied for a series of remote transactions for the same amount to a single beneficiary. However, Strong Customer Authentication is required for the first transaction (the contract) or for each modification of the series conditions.

• Low value transactions

An exemption from Strong Customer Authentication for a low value remote payment can be invoked:

➔ If the amount of the transaction does not exceed EUR 30.
➔ If, since the last transaction with Strong Customer Authentication of the holder, the maximum amount of low value remote transactions, regardless of the merchant, or the number of low value remote transactions does not exceed a ceiling (velocity criteria) defined by the RTS-SCA (max EUR 100 or 5 transactions, at the issuer’s discretion, which can also lower these ceilings).

• Transactional Risk Analysis

The exemption from Strong Customer Authentication for a remote transaction referred to as ‘risk analysis’ can be invoked by the acquirer (on behalf of the merchant) and by the issuer if the following two conditions are met:

➔ That the transaction is declared safe (for example, no infection of the user’s workstation by a malware, no abnormal disbursements by the payer, location of the payer, transactions history, etc.).
➔ That the fraud rate (for remote transactions) for the payment establishment (for Bank acquirer and for Bank issuer but and not for the merchant or his PSP) is below preset ceilings:

➩ 0,13% if the amount of the transaction is less than EUR 100.
➩ 0,06% if the amount of the transaction is less than EUR 250.
➩ 0,01% if the amount of the transaction is less than EUR 500.
➩ Exemption not applicable for transactions of over EUR 500.

The exemptions are not routine and even if the conditions for exemption are met, the final decision rests with the issuer (the cardholder’s bank) which may or may not grant it. The Issuer will send a soft decline for the payment leading to a resubmission of the payment requesting Strong Customer Authentication from the cardholder.

The 3-D Secure 2 implementation, which requires changes throughout the electronic payment chain, will be carried out gradually depending on the various payment stakeholders (payment module, merchant banks, networks, issuer banks). We advise you to contact your PSP gateway provider as soon as possible to know if it is already able to support you in implementing 3-D Secure 2.

The end of 3-D Secure 1.0 is announced for December 2020 for Visa and Mastercard.

Worldline as acquirer will not block subsequent payments of an initial transaction that occurred before/during the grace period and will continue to accept the subsequent transactions. For recurring payments conducted after the end of the grace period, Worldline recommend to perform SCA for the first transaction and use it as a reference for subsequent transaction in order to keep the same approval rate.

Worldline will not, as the acquirer, block subsequent transactions of an initial transaction that occurred before December 31, and will continue to accept the subsequent transactions. For recurring payments conducted after December 31, Worldline recommends the use of SCA for the first transaction and for subsequent transactions as a reference, in order to keep the same approval rate.

The national regulators supervise the local acquirers and issuers activities. The most important for the merchant is however the location of his acquirer because this will determine whether a transition phase could be applied. Furthermore merchants with international business should have a look to the regulations of countries where there are doing business. Indeed some issuers in Europe will be obliged to support SCA by 14 September. That means that those issuers will probably decline card transactions processed without 3-D Secure.