
Vendors – Strong Customer Authentication(SCA) and 3D Secure(3DS)

As of September 14th, 2019, payment gateways require additional security steps regarding “SCA” for customer purchases in the European Union.

This will trigger the 3DS payment gateway security features for the customer to authorize their payment.


What is SCA?
Strong Customer Authentication (SCA) is a European regulation set in place on September 14th, 2019 to reduce fraud and make online payments more secure for purchasing customers by adding additional security steps for purchases and subscriptions.

When is SCA applied?
SCA primarily applies to, but is not limited to, EU businesses selling to EU-based customers, where the customer does any of the following:

(a) accesses their payment account online;
(b) initiates an electronic payment transaction;
(c) carries out any action through a remote channel which may imply a risk of payment fraud or other abuses.

Most card payments and all bank transfer payments will require SCA.

When could SCA not be required?
There are scenarios in which SCA may not be required for the customer’s purchase.

  • Low-risk transactions: payment gateways (like Stripe) will be allowed to do a real-time risk analysis to determine whether to apply SCA to a transaction. This may only be possible if the payment provider’s or bank’s overall fraud rates for card payments do not exceed the set threshold of fraud rates.
  • Payments below 30 euro: Transactions below €30 will be considered “low value transactions” and may be exempted from SCA. Banks will need to request authentication if the exemption has been used five times since the cardholder’s last successful authentication or if the sum of previously exempted payments exceeds €100. The cardholder’s bank will need to track the number of times this exemption has been used and decide whether authentication is necessary.
  • Fixed amount subscriptions: This can apply when the customer makes a series of recurring payments for the same amount to the same business (subscriptions). SCA will be required for the customer’s first payment, but rebill charges may be exempt from SCA.
  • Merchant-initiated transactions: Vendor-initiated payments made using the billing method when the customer is not present in the checkout flow (“manual transactions”) may qualify as merchant-initiated transactions.
  • Trusted beneficiaries: When completing authentication for a payment, customers may have the option to whitelist a business they trust to avoid having to authenticate future purchases. These businesses will be included on a list of “trusted beneficiaries” maintained by the customer’s bank or payment service provider.
  • Corporate payments: This exemption may cover payments that are made with “lodged” cards (e.g., where a corporate card used for managing employee travel expenses is held directly with an online travel agent), as well as corporate payments made using virtual card numbers (which are also used in the travel sector).
PLEASE NOTE: None of the above factors which suggest SCA may not be required is a guarantee that SCA will actually not be required for the customer purchase. This ultimately depends on the discretion of the bank or payment method being used to make the purchase.
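To make the counting rule in the low-value bullet concrete, here is an added example (not PayKickstart’s or any bank’s code) of the issuer-side bookkeeping it describes: a per-card use counter and running total of exempted payments that both reset on each successful SCA. The cent-based encoding, the function names and the sample amounts are assumptions.

```python
from dataclasses import dataclass

# Thresholds from the article (amounts kept in euro cents to avoid float rounding)
LOW_VALUE_LIMIT_CENTS = 30_00      # the transaction itself must be below EUR 30
MAX_EXEMPT_USES = 5                # exemption already used five times since last SCA
MAX_EXEMPT_SUM_CENTS = 100_00      # sum of previously exempted payments exceeds EUR 100


@dataclass
class CardholderCounters:
    """Issuer-side state kept per card since the last successful SCA (hypothetical model)."""
    exempt_uses_since_sca: int = 0
    exempt_sum_since_sca: int = 0


def low_value_exemption_applies(counters: CardholderCounters, amount_cents: int) -> bool:
    """True when the issuer may skip SCA for this payment under the low-value exemption."""
    if amount_cents >= LOW_VALUE_LIMIT_CENTS:
        return False                                   # not a low-value transaction
    if counters.exempt_uses_since_sca >= MAX_EXEMPT_USES:
        return False                                   # five uses already consumed
    if counters.exempt_sum_since_sca > MAX_EXEMPT_SUM_CENTS:
        return False                                   # prior exempted sum is over EUR 100
    return True


def authorise_payment(counters: CardholderCounters, amount_cents: int) -> str:
    """Apply the exemption if allowed (and record it), otherwise require SCA."""
    if low_value_exemption_applies(counters, amount_cents):
        counters.exempt_uses_since_sca += 1
        counters.exempt_sum_since_sca += amount_cents
        return "exempt"
    return "sca_required"


def record_successful_sca(counters: CardholderCounters) -> None:
    """A successful authentication resets both counters."""
    counters.exempt_uses_since_sca = 0
    counters.exempt_sum_since_sca = 0


if __name__ == "__main__":
    c = CardholderCounters()
    decisions = [authorise_payment(c, 29_00) for _ in range(4)]  # EUR 29 four times
    decisions.append(authorise_payment(c, 5_00))                 # prior exempted sum is EUR 116
    print(decisions)  # ['exempt', 'exempt', 'exempt', 'exempt', 'sca_required']
```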

What is 3DS?

3D Secure (3DS) is a fraud prevention measure that acts as an additional layer of security when taking card payments. It gives customers a secure 2-step authentication before they can purchase online, ensuring that they’re using the correct card details to help protect against card payment fraud.

3DS serves as the authentication method required by SCA regulations.

What payment gateways support 3DS?

  • Authorize.net: Not Supported
  • Braintree: Supported
  • EasyPayDirect: Not Supported
  • PayPal: Not required
  • Stripe: Supported

How do vendors handle 3DS for their payment gateways?

NOTE: Please consult with your payment gateway to ensure they do not require any additional actions to set up 3DS.

  • Braintree: Vendors using Braintree will need to ensure 3DS is enabled in their account. You can check if your BT account has 3DS enabled by following the guide here: https://articles.braintreepayments.com/guides/fraud-tools/3d-secure#confirm-setup If 3DS is not enabled for your BT account, please contact BT support to get it enabled.
  • Stripe: Stripe enables 3DS on your Stripe account automatically. No additional action on the Stripe account should be required.

NOTE: If using the API to run customer transactions (developer option), you will need to follow the additional SCA/3DS setup instructions located on the New Purchase API call.

After you enable 3DS for the payment gateway (if needed), go to the platform settings and set your SCA subscription billing reminders in the subscription section. These are the SCA authentication emails sent to customers to authenticate their transaction if SCA/3DS is triggered. Set the number of SCA reminders (1 per day) you’d like to send your customers before the transaction is marked as failed.

How will 3DS work for customers?

1. After entering their checkout info and clicking buy for a subscription-based product, European customers or customers required to use 3DS with their payment method will see a modal window popup (from the payment gateway the vendor is using to sell the product). The modal is created and controlled by the payment gateway.

PayKickstart has no control over this modal.

2. Customers will need to follow the instructions provided by their bank in the modal window to authenticate the 3DS purchase themselves.

3. When a subscription rebill charge happens, we set that related transaction to a pending status until the rebill is authenticated by the customer. We then send an email to the customer for authentication of the rebill.
    • NOTE: If the customer does not authenticate the transaction within the allotted grace period (1-3 days; contact the vendor of the product for their grace period), the transaction will be marked as failed.

4. Our system confirms the customer’s rebill transaction and Paykickstart will attempt to process the transaction as normal.

NOTE: The transaction may still decline at this point if, for example, there are insufficient funds in the account.
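The rebill lifecycle in steps 3 and 4, as an added example rather than PayKickstart’s own code: a pending rebill gets one reminder email per day up to the vendor’s SCA reminder setting, is marked failed the day after the last reminder goes unanswered, and, once the customer authenticates, is charged and may still be declined by the issuer. Treating the grace period as equal to the reminder count, and all type and function names, are assumptions.

```python
from dataclasses import dataclass
from enum import Enum


class RebillStatus(Enum):
    PENDING = "pending"          # waiting for the customer to authenticate
    COMPLETED = "completed"      # authenticated and approved by the issuer
    DECLINED = "declined"        # authenticated, but the charge was declined (e.g. no funds)
    FAILED = "failed"            # grace period ran out without authentication


@dataclass
class Rebill:
    subscription_id: str
    max_reminders: int           # the vendor's SCA reminder setting (one email per day)
    status: RebillStatus = RebillStatus.PENDING
    reminders_sent: int = 0


def daily_tick(rebill: Rebill) -> None:
    """Run once per day: send a reminder while any remain, otherwise mark the rebill failed."""
    if rebill.status is not RebillStatus.PENDING:
        return
    if rebill.reminders_sent < rebill.max_reminders:
        rebill.reminders_sent += 1      # stands in for sending the SCA authentication email
    else:
        rebill.status = RebillStatus.FAILED


def customer_authenticates(rebill: Rebill, issuer_approves: bool) -> RebillStatus:
    """The customer completes 3DS; the charge is then attempted and may still decline."""
    if rebill.status is RebillStatus.PENDING:
        rebill.status = RebillStatus.COMPLETED if issuer_approves else RebillStatus.DECLINED
    return rebill.status           # a late click on an already failed rebill changes nothing


def simulate(max_reminders: int, auth_on_day: int = 0, issuer_approves: bool = True) -> tuple:
    """Replay one rebill day by day (auth_on_day=0 means the customer never acts)."""
    rebill = Rebill("sub_constructed_001", max_reminders)   # constructed sample subscription
    day = 1
    while rebill.status is RebillStatus.PENDING:
        if auth_on_day == day:
            customer_authenticates(rebill, issuer_approves)
        else:
            daily_tick(rebill)
        day += 1
    return rebill.status, rebill.reminders_sent
```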
Updated on June 7, 2021
