
Merchant Whitelisting within PSD2: An Overview

The PSD2 requirement introduced Strong Customer Authentication (SCA) as a means of safer online payment authentication. With SCA also came SCA exemptions: scenarios that do not require an additional authentication step, allowing the cardholder to enjoy an entirely frictionless experience. One of the exemptions is Merchant Whitelisting, a convenient feature included in the 3D Secure 2.2 upgrade.


A brief overview of SCA

The latest PSD2 directive enforced Strong Customer Authentication (SCA) as an additional layer of security for online payment processing. To fight fraud, cardholders need to confirm their identity using two-factor authentication (2FA), i.e., by authenticating with two out of the following three security elements:

  1. Knowledge – something the user knows (PINs and passwords)
  2. Possession – something the user owns (smartphone, mToken)
  3. Inherence – something the user is (biometrics)

This approach was not welcomed by issuers and merchants, raising concerns regarding the overall traffic impacted by the added authentication step. In the cardholder's eyes, SCA means more friction, and more friction is an inconvenience for the end-user. In order to address this issue, PSD2 also includes SCA exemptions.

SCA exemptions

SCA-exempted scenarios are transactions that do not require an additional authentication step in order to process the payment. It is a clever concept for mitigating friction where applicable. To qualify as an exemption, a given transaction must meet specific criteria regarding its risk level, or fall into one of several predefined transaction types. The SCA exemptions are the following:

  1. Low-risk transactions - Transactions that are classified as low risk based on risk assessment do not require an additional authentication step.
  2. Low-value payments (LVP) – Transactions of up to and including 30 EUR are low-value transactions and are not a part of the SCA requirement.
  3. Corporate payments – Payments made by a card belonging to an entity rather than an individual are also considered to be SCA exemptions.
  4. Recurring payments - Subscriptions, loans, and similar payments with a fixed amount require SCA only for the first payment. In cases where the amount changes, SCA is necessary for each individual change.
  5. Merchant Whitelisting – If the merchant is eligible for whitelisting (approved by the issuing bank), the cardholder is able to whitelist a trusted merchant in order to skip the additional authentication step.

Introduction to Merchant Whitelisting (MWL)

Merchant Whitelisting, also known as Trusted Beneficiaries, enables cardholders to choose known merchants whom they trust in order to skip the additional authentication step and enjoy a genuinely frictionless online payment experience. Regardless of the transaction amount or merchant/issuer fraud rate, SCA is not necessary. Of course, not all merchants are eligible for whitelisting. The selection of merchants that a cardholder is able to whitelist is under the issuing bank's control. Based on preselected criteria regarding the industry type of the merchant, level of risk, and cardholder's transaction history, the issuer proposes a list of merchants eligible for whitelisting based on the cardholder's request.

How to whitelist a merchant?

The process of whitelisting a merchant is tied to transaction authentication. A cardholder who is about to make an online purchase can enroll the merchant on their whitelist. This is done through the authentication interface, which contains a checkbox offering to whitelist that particular merchant. By checking the box and completing SCA for the given transaction, the cardholder verifies both the transaction and the whitelisting in one PSD2- and RTS-compliant step.

This means that no future purchase made by the cardholder at that merchant will require SCA, unless the cardholder decides to remove the merchant from the whitelist at some point.

The cardholder is the one in control of the whitelisting. Merchants are not informed whether the cardholder has added them to, or removed them from, the whitelist. Merchants also cannot apply for whitelisting evaluation on the issuer side themselves. Based on the cardholder's proposal for a particular merchant to be whitelisted, the issuer conducts further risk evaluation and either approves or denies the merchant's inclusion on the eligible merchant list.

MWL Authentication Flow

Even when the cardholder has previously whitelisted the merchant, each transaction is still sent for authentication, because the merchant does not know whether it is on the cardholder's whitelist. If the merchant was previously enrolled on the cardholder's whitelist, and that enrollment was verified with the initial SCA required for MWL enrollment, the ACS skips risk analysis and processes the transaction as frictionless.
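To make the SCA exemption list above and the MWL authentication flow concrete, here is an added illustration in Python of an issuer-side (ACS) decision routine. It is not Asseco or TriDES2 code, and it does not reproduce the EMV 3DS message fields; the whitelist states, the hypothetical `risk_assessment` stand-in, the 250 EUR cut-off inside it, and the ordering of the exemption checks are assumptions made for the example. The 30 EUR low-value threshold and the rules for recurring, corporate and trusted-beneficiary transactions follow the article.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum


class WhitelistState(Enum):
    """Issuer-side view of one merchant for one cardholder (simplified model)."""
    NOT_ELIGIBLE = "not_eligible"  # issuer rejected the merchant for whitelisting
    ELIGIBLE = "eligible"          # issuer allows it; cardholder has not enrolled yet
    ENROLLED = "enrolled"          # cardholder enrolled during an SCA-verified payment


LVP_LIMIT_EUR = 30.00  # low-value payment threshold stated in the article


@dataclass
class Transaction:
    merchant_id: str
    amount_eur: float
    corporate_card: bool = False
    recurring: bool = False
    first_in_series: bool = False      # first payment of a subscription needs SCA
    amount_changed: bool = False       # a changed recurring amount needs SCA again
    whitelist_requested: bool = False  # cardholder ticked the MWL checkbox


@dataclass
class CardholderProfile:
    whitelist: dict = field(default_factory=dict)  # merchant_id -> WhitelistState


def risk_assessment(txn: Transaction) -> str:
    """Hypothetical stand-in for the issuer's risk engine (not specified in the article)."""
    return "low" if txn.amount_eur < 250 else "high"


def evaluate(profile: CardholderProfile, txn: Transaction) -> tuple[str, str]:
    """ACS decision: ('frictionless', reason) or ('challenge', reason).

    Every transaction arrives here because the merchant cannot know whether it
    is whitelisted. The trusted-beneficiary check runs first and bypasses risk
    analysis entirely, regardless of the amount.
    """
    if profile.whitelist.get(txn.merchant_id) is WhitelistState.ENROLLED:
        return "frictionless", "trusted_beneficiary"
    if txn.recurring:
        # Only the first payment, or a changed amount, needs SCA.
        if txn.first_in_series or txn.amount_changed:
            return "challenge", "recurring_setup_or_amount_change"
        return "frictionless", "recurring_fixed_amount"
    if txn.amount_eur <= LVP_LIMIT_EUR:
        return "frictionless", "low_value_payment"
    if txn.corporate_card:
        return "frictionless", "corporate_payment"
    if risk_assessment(txn) == "low":
        return "frictionless", "low_risk"
    return "challenge", "sca_required"


def complete_challenge(profile: CardholderProfile, txn: Transaction,
                       sca_passed: bool) -> WhitelistState | None:
    """Finish a challenged transaction. The merchant is enrolled only if the
    cardholder asked for it, the issuer deems the merchant eligible, and the
    SCA step actually succeeded; the merchant itself is never told."""
    state = profile.whitelist.get(txn.merchant_id)
    if sca_passed and txn.whitelist_requested and state is WhitelistState.ELIGIBLE:
        profile.whitelist[txn.merchant_id] = WhitelistState.ENROLLED
    return profile.whitelist.get(txn.merchant_id)


def remove_from_whitelist(profile: CardholderProfile, merchant_id: str) -> None:
    """Cardholder-initiated removal: the merchant is eligible but no longer enrolled."""
    if profile.whitelist.get(merchant_id) is WhitelistState.ENROLLED:
        profile.whitelist[merchant_id] = WhitelistState.ELIGIBLE


def walkthrough() -> list[tuple[str, str]]:
    """Constructed scenario: enrol a merchant during a challenged 900 EUR purchase,
    then show that the next purchase at the same merchant is frictionless."""
    profile = CardholderProfile(whitelist={"shop-B": WhitelistState.ELIGIBLE})
    first = Transaction("shop-B", 900.0, whitelist_requested=True)
    steps = [evaluate(profile, first)]                 # ('challenge', 'sca_required')
    complete_challenge(profile, first, sca_passed=True)
    steps.append(evaluate(profile, Transaction("shop-B", 900.0)))  # trusted_beneficiary
    remove_from_whitelist(profile, "shop-B")
    steps.append(evaluate(profile, Transaction("shop-B", 900.0)))  # challenge again
    return steps


if __name__ == "__main__":
    for decision, reason in walkthrough():
        print(f"{decision:12s} {reason}")
```

The point the walkthrough makes is the one the article stresses: the whitelist lives entirely on the issuer side, enrolment succeeds only on a transaction that itself passed SCA, and removal by the cardholder immediately puts the merchant back on the normal risk-analysis path.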


Change of liability rules?

According to Mastercard, the liability rules are the following:

"The liability shift applies to 3DS independently of the program protocol version (3DS 1.0 or EMV 3DS). If the Merchant does not support 3DS or uses Data Only (refer to section Acquirer SCA Exemptions), liability in case of fraud is with the Acquirer/Merchant. In all other cases, the Issuer is liable if no Acquirer PSD2 SCA exemption applies or if the Issuer has delegated SCA to the Merchant. If the Merchant applies an Acquirer exemption through 3DS and the Issuer accepts it, then the Merchant is liable. If the Issuer goes through SCA without accepting an Acquirer exemption, the Issuer is liable."

The original 3D Secure liability shift rule states that for transactions authenticated using 3D Secure, liability shifts to the issuer. The same goes for MWL transactions: since the issuer deemed the merchant eligible for merchant whitelisting, liability for any transaction that proves to be fraudulent stays on the issuer side.

3D Secure 2 and Merchant Whitelisting

3D Secure v2.2 brings a number of new features aiming to make the solution even more flexible. By introducing SCA exemptions (Merchant Whitelisting being one of them), issuers and merchants get some relief from the SCA requirement for two-factor authentication. Enhanced risk analysis enables the application of SCA exemptions such as low-value payments (LVP) and merchant whitelisting (MWL). This results in a more user-friendly experience and makes the authentication process straightforward. A more detailed summary of EMV 3DS2 features is available in our recent blog post.


If you want to find out more, contact our Asseco 3D Secure Team or download the datasheet.
