A Basic Understanding About 3DS2, PSD2, and SCA
If you’re not in the European finance and financial technology world, you may only know 3DS2, PSD2, and SCA as terms that kept appearing in everyone’s email inbox last year. But if you have any kinds of dealings with European businesses or customers, you need to know what these three new regulations mean and how they affect you.
Here are some basic questions we’ve seen online, heard from customers, and researched extensively.
What are 3DS2, PSD2, and SCA?
3DS2 is the second 3D Secure authentication protocol for online card payments. It improved on 3DS1 by creating a much smoother user experience. It’s used primarily in Europe, although it is also widely used in India and South Africa. 3DS2 requires merchants send additional data with each transaction, so each bank can ensure that the person making the purchase is the actual cardholder.
PSD2 is the European Union’s second Payment Services Directive which regulates payments and payment service providers. Its purpose is to create safer payment services and to create new payment services. It also requires European banks and financial institutions to give third-party payment service providers, like personal finance apps, bill payment apps, and wealth management apps. Its other major requirement was the adoption of multi-factor authentication, called Strong Customer Authentication.
SCA is the Strong Customer Authentication born out of the PSD2 requirements. Each credit card or debit card transaction require two of these three items:
- Something the customer has (smartphone, smart card, wearable device).
- Something the customer knows (password or PIN).
- Something the customer is (fingerprint, facial recognition, voice recognition).
What’s the difference between 3DS1 and 3DS2?
Well, if I remember my high school algebra correctly, it’s 3DS1.
The original 3D Secure protocol, 3DS1, was originally established by Visa in 1999 as a way to create two-way authentication, originally used for desktop browsers. 3DS2 was then developed by EMVCo, the six-member organization made up of American Express, Discover, JCB, Mastercard, UnionPay, and Visa.
3DS2 is also available on all sorts of devices and platforms, including retail terminals, online/ecommerce payments, and mobile payments. That means that not only is the user’s payment experience much smoother, but now it also works on mobile payment apps, money transfer apps, and in-person payments as well, thus greatly reducing the risk of fraudulent activity.
How does 3DS2 make transactions safer?
It starts by following an AI-driven risk-based authentication algorithm that looks at whether a transaction should be allowed or challenged through a Transaction Risk Analysis (TRA). It looks at the data collected during the transaction, such as the device information, transaction location, merchant location, time zone, cardholder spending and behavioral patterns, and several other factors.
If the transaction falls within normal patterns (e.g. buying lunch during lunchtime hours a few miles from the customer’s home), then the transaction is processed. But if something unusual happens (e.g. buying a television online from a big box store in another country at 3:00 AM), then the TRA will kick in and ask for additional information as part of the “challenge flow.”
Is 3DS2 required for all merchants?
It’s only mandatory for transactions conducted in the European Economic Area. That means it’s not required in North America or Asia, unless you have European customers who are buying directly from your website. In that case, you are required to follow all 3SD2, PSD2, and SCA requirements for your European customers.
While cash may not be possible for ecommerce merchants, there are ways to offer certain kinds of discounts and surcharges for credit card payments. Corepay can show you how. For more information, please visit our website or call us at (800) 408-0095.
Photo credit: HLundgaard (Wikimedia Commons, Creative Commons 3.0)
We appreciate you following Corepay’s blog. Let’s collaborate, send us your article suggestions, questions, and/or feedback to: [email protected]