3-D Secure
3-D Secure is an authentication process used by buyers when a credit card is not physically present. It gives buyers additional security through a secured verification process and fraud prevention. We highly recommend enabling 3-D Secure in your shop systems so that buyers can use the most secure payment method, one that complies with the authentication regulation for online payments, Strong Customer Authentication (SCA).
The Strong Customer Authentication (SCA) regulation by PSD2 in Europe requires 3-D Secure 2.0 for card payments from 2021.
What is Strong Customer Authentication?
It is a new requirement of the revised EU Directive on Payment Services (PSD2) that aims to reduce fraud and increase the security of online payments through multi-factor authentication. To comply with SCA requirements, you need to have additional authentication in your checkout flow. Under the SCA regulations, the cardholder must verify their identity through at least two of the following three elements:
Something they know (e.g., a password or PIN)
Something they own (e.g., a phone or smart card)
Something they are, referring to biometrics (e.g., fingerprint or facial recognition)
You can find the SCA requirements here.
Banks will start to decline payments that don’t meet the SCA requirements. We expect these requirements to be enforced by regulators from 1st January 2021.
Strong Customer Authentication is required for Customer Initiated Transactions (CIT) within Europe, and it is not necessary for Merchant Initiated Transactions (MIT) like recurring, variable, or follow-up payments.
How does it work?
In general, the most common way to authenticate an online card payment relies on 3-D Secure, which is supported by most European cards. The typical 3-D Secure process involves an additional step after the checkout, where the cardholder is prompted by their bank to provide additional information to complete a payment (e.g. by entering a static password or a one-time code sent to the registered mobile number or email).
3-D Secure 2
3-D Secure 2 is the new version of the authentication protocol, which will meet the SCA requirements. This version introduces a better user experience (compared to 3-D Secure 1) that minimizes some of the friction that authentication adds to the checkout flow.
Based on the card issuing bank’s requirements, the buyer goes through either a frictionless flow or a challenge flow.
Frictionless flow
The issuing bank, the acquirer, and the card scheme communicate with each other in the background without the buyer's involvement, making an easy and effortless transaction. This passive authentication uses the buyer's biometric details.
Challenge flow
Based on the risk level of a transaction, the buyer is challenged with further verification steps. Additional buyer information is collected to improve risk-based authentication. Factors like transaction value, buyer details (new or existing), transaction history, behavioral history, and device details are considered for risk determination. If any one of the factors indicates a lower risk level, the transaction is completed with no further screening.
Strong Customer Authentication Exemptions
Under this new regulation, some low-risk payments may be exempt from Strong Customer Authentication. The authentication of online payments involves some additional steps during the checkout, which leads to a drop-off in the user experience.
We have designed our new SCA-supported card payments to let you take advantage of exemptions whenever possible, which helps to protect your conversion rate. Once we send the exemption request, the cardholder's issuing bank will assess the transaction's risk level and decide whether to approve the exemption or whether authentication is still needed.
Even though we use the exemption flags, it is up to the bank to decide whether authentication is needed for the transaction or not.
Low value transactions
Transactions under 30 EUR are exempt from Strong Customer Authentication. However, the issuing bank will keep track of the total amount booked by the user within the period. If the total amount attempted on the card without Strong Customer Authentication is higher than 100 EUR, then SCA will be required. Also, SCA will apply for every five transactions.
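The issuer-side bookkeeping described above can be sketched as follows, which shows why a payment under 30 EUR can still be stepped up to authentication. This is an added example, not Novalnet or issuer code; all names are hypothetical, and it assumes that the counters reset after a successful SCA and that "every five transactions" means at most five exempt payments in a row.

```python
from dataclasses import dataclass

LOW_VALUE_LIMIT_CENTS = 3000    # page: transactions under 30 EUR are exempt
CUMULATIVE_LIMIT_CENTS = 10000  # page: SCA once the exempt total is higher than 100 EUR
MAX_EXEMPT_IN_A_ROW = 5         # assumption: reading of "every five transactions"


@dataclass
class CardCounters:
    """Hypothetical per-card state since the last strongly authenticated payment."""
    exempt_total_cents: int = 0
    exempt_count: int = 0

    def reset(self) -> None:
        self.exempt_total_cents = 0
        self.exempt_count = 0


def low_value_decision(counters: CardCounters, amount_cents: int) -> str:
    """Return 'exempt' or 'sca_required' for one payment and update the counters."""
    if amount_cents <= 0:
        raise ValueError("amount must be positive")
    over_single = amount_cents >= LOW_VALUE_LIMIT_CENTS
    over_total = counters.exempt_total_cents + amount_cents > CUMULATIVE_LIMIT_CENTS
    over_count = counters.exempt_count >= MAX_EXEMPT_IN_A_ROW
    if over_single or over_total or over_count:
        # Assumption: the cardholder completes SCA, which restarts the counters.
        counters.reset()
        return "sca_required"
    counters.exempt_total_cents += amount_cents
    counters.exempt_count += 1
    return "exempt"


def replay(amounts_cents):
    """Run a sequence of payments on one card and collect the decisions."""
    counters = CardCounters()
    return [low_value_decision(counters, a) for a in amounts_cents]


# Constructed sample: six 10 EUR payments, then one 35 EUR payment.
SAMPLE_SMALL = [1000] * 6 + [3500]
# Constructed sample: 29.99 EUR payments that cross the 100 EUR total.
SAMPLE_NEAR_LIMIT = [2999] * 5

if __name__ == "__main__":
    print(replay(SAMPLE_SMALL))
    print(replay(SAMPLE_NEAR_LIMIT))
```

The issuing bank holds the real counters, so a merchant-side model like this only anticipates when a challenge is likely.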
Transaction Risk Analysis (TRA)
Transaction Risk Analysis is a process that evaluates the average fraud rate of the card issuer and acquirer processing the transaction. The low-risk exemption applies to transactions with a low fraud rate level.
Merchant Initiated Transactions - MIT (incl. recurring)
We can apply the SCA exemptions to transactions made with stored card data when the customer is not present (CNP) during the checkout flow. To use a merchant-initiated transaction exemption, the cardholder needs to authenticate either when storing the card details or on the first payment. The same exemptions can also apply to recurring transactions.
What do you need as a merchant?
If you are using our Hosted Payment Page, Direct API or Plugins with 3-D Secure 1 integration, you are ready to support 3-D Secure 2.0 through the same redirect page.
How do you wish to integrate?
Choose the integration type that fits your business model, but before that you need to enable Credit Card in the Novalnet Admin Portal.