The choice of authentication method is left to each Issuer. The previous version, 3D Secure v1.0.2, which is still live, allowed static passwords. In early 2015, the ECB issued guidelines for strong authentication on eCommerce transactions. Since January 2016, when PSD2 became official, these guidelines have been mandatory, with an adjustment period of up to two years. The new specification for 3D Secure 2.1 strongly recommends two-factor strong authentication methods such as One Time Password, biometric authentication (fingerprint, face or voice recognition), etc.
3D Secure allows methods aligned with the PSD2 requirements, i.e., all Strong Customer Authentication methods or two-factor authentication methods.
The most common methods include One Time Passwords generated by HW or SW tokens, fingerprint or face recognition biometric methods, and push notifications.
Yes. When the user goes to checkout, ACS presents a screen with an option to choose the authentication method (radio button).
The SCA requirements officially came into effect on 14 September 2019.
However, on 16 October 2019, the European Banking Authority (EBA) published an Opinion stating that it will allow national regulators to delay enforcement of SCA until 31 December 2020.
Most European regulators are aligned with this roadmap.
Currently: Seven countries stated, before the above Opinion, that they would align with the transition timeline set out by the EBA: Cyprus, Czech Republic, Greece, Ireland, Lithuania, Luxembourg, and Slovakia.
Nineteen countries have subsequently aligned themselves with the EBA's 15-month transition period: Austria, Bulgaria, Croatia, Denmark, Estonia, Finland, France, Germany, Italy, Latvia, Malta, the Netherlands, Norway, Poland, Portugal, Romania, Slovenia, Spain, and Sweden.
France has formally aligned itself with the 15-month transition period but maintains an extra 3-month grace period on a case-by-case basis.
The United Kingdom has confirmed its decision to stick to its own 18-month transition period.
Hungary has yet to announce whether or not it will maintain its previous position of a 12-month transition period.
Regardless of the delay in enforcement, we recommend that you start supporting 3DS 2.0 as soon as possible to avoid any potential issues, particularly where issuers may decline transactions submitted without SCA.
Issuing banks should check national regulations, national bank guidelines, and national PSD2 directives. Some national regulations do not accept this method as a two-factor SCA authentication method. To satisfy such requirements, an additional password or PIN can be added to OTP by SMS. In that case, the method qualifies as an SCA method and can be used in 3D Secure 2. However, card schemes suggest using more reliable methods such as fingerprint.
No. Card scheme 3D Secure programs encourage banks to apply frictionless authentication in as many cases as possible, up to 90%. That means transactions should be analyzed so that SCA exemptions, as defined in the PSD2 requirements, can be applied. Exemptions can be based on a low-risk assessment, on low transaction value subject to counter limits, on recurring transactions with the same amount and payee, etc.
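The exemption analysis described above can be sketched as an issuer-side decision function. This is an added example, not ASEE's or any card scheme's code; the limits, risk bands, and all names (`Txn`, `Counters`, `decide`) are assumptions modeled on the PSD2 RTS, not values from this page.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumed limits in euro cents, modeled on the PSD2 RTS; not stated on this page.
LOW_VALUE_MAX = 30_00          # single low-value payment
CUMULATIVE_MAX = 100_00        # total exempted since the last SCA
MAX_EXEMPT_COUNT = 5           # exempted payments since the last SCA
# (issuer fraud-rate ceiling, highest exemptible amount), assumed risk bands
RISK_BANDS = [(0.0001, 500_00), (0.0006, 250_00), (0.0013, 100_00)]

@dataclass
class Txn:
    amount: int                                # euro cents
    payee: str
    low_risk: bool = False                     # hypothetical risk-engine verdict
    series: Optional[Tuple[str, int]] = None   # (payee, amount) of the SCA-approved first payment

@dataclass
class Counters:                                # per-card state kept by the issuer
    spent: int = 0
    count: int = 0

def decide(txn: Txn, c: Counters, fraud_rate: float) -> Tuple[str, str]:
    """Return (flow, reason): 'frictionless' with the exemption used, or 'challenge'."""
    # Recurring exemption: same amount and same payee as the authenticated first payment.
    if txn.series == (txn.payee, txn.amount):
        return "frictionless", "recurring"
    # Low-risk exemption: risk engine agrees and the amount fits the issuer's fraud-rate band.
    if txn.low_risk and any(fraud_rate <= rate and txn.amount <= cap
                            for rate, cap in RISK_BANDS):
        return "frictionless", "low_risk"
    # Low-value exemption, bounded by counters (conservatively enforcing both limits).
    if (txn.amount <= LOW_VALUE_MAX and c.spent + txn.amount <= CUMULATIVE_MAX
            and c.count < MAX_EXEMPT_COUNT):
        c.spent += txn.amount
        c.count += 1
        return "frictionless", "low_value"
    # No exemption applies: challenge the cardholder; counters reset assuming SCA succeeds.
    c.spent, c.count = 0, 0
    return "challenge", "sca_required"

if __name__ == "__main__":
    card = Counters()
    for _ in range(6):                         # constructed sample: six 20 EUR payments
        print(decide(Txn(20_00, "shop"), card, fraud_rate=0.002))
```

With the constructed sample, the first five payments pass on the low-value exemption and the sixth is challenged because the counter limit is reached.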
When choosing the most suitable authentication method, the issuing bank should consider whether cardholders are familiar with the method. It should also consider the resources available to its cardholders (do they have the appropriate mobile device tokens?), the customer segment (are cardholders willing to download mobile applications for payment authentication?), and applicable regulations, which include PSD2 and local regulations. The best approach is to offer a minimum of two authentication methods and let cardholders select their preferred one. Note that the best authentication rate is achieved when 3D Secure and digital channels use the same authentication methods, simply because cardholders are already used to them.
If you have any additional questions regarding our 3D Secure solutions or hosting services, or need advice or support related to 3D Secure online fraud protection for your customers, don't hesitate to contact your ASEE Key Account Manager or Sales Representative, or send an email to trides@asseco-see.hr.