Vendors – Strong Customer Authentication(SCA) and 3D Secure(3DS)

As of September 14th, 2019 payment gateways now require additional security steps regarding “SCA” for customer purchases in the European Union.

This will trigger the 3DS payment gateway security features for the customer to authorize their payment.


What is SCA?
Strong Customer Authentication (SCA) is a European regulation set in place on September 14th, 2019 to reduce fraud and make online payments more secure for purchasing customers by adding additional security steps for purchases and subscriptions.

When is SCA applied?
SCA currently only applies to EU businesses that are selling to EU based customers and match any of the following criteria

(a) accesses their payment account online;
(b) initiates an electronic payment transaction;
(c) carries out any action through a remote channel which may imply a risk of payment fraud or other abuses.

Most card payments and all bank transfer payments will require SCA.

When is SCA not required?
There are scenarios in which SCA may not be required for the customer’s purchase.

  • Low-risk transactions: payment gateways (like Stripe) will be allowed to do a real-time risk analysis to determine whether to apply SCA to a transaction. This may only be possible if the payment provider’s or bank’s overall fraud rates for card payments do not exceed the set threshold of fraud rates.
  • Payments below 30 euro: Transactions below €30 will be considered “low value transactions” and may be exempted from SCA. Banks will need to request authentication if the exemption has been used five times since the cardholder’s last successful authentication or if the sum of previously exempted payments exceeds €100. The cardholder’s bank will need to track the number of times this exemption has been used and decide whether authentication is necessary.
  • Fixed amount subscriptions:  This can apply when the customer makes a series of recurring payments for the same amount, to the same business(Subscriptions). SCA will be required for the customer’s first payment but rebill charges may be exempt from SCA.
  • Merchant-initiated transactions: Vendor initiated payments made using the billing method when the customer is not present in the checkout flow (“manual transactions”) may qualify as merchant-initiated transactions.
  • Trusted beneficiaries: When completing authentication for a payment, customers may have the option to whitelist a business they trust to avoid having to authenticate future purchases. These businesses will be included on a list of “trusted beneficiaries” maintained by the customer’s bank or payment service provider.
  • Corporate Payments: This exemption may cover payments that are made with “lodged” cards (e.g., where a corporate card used for managing employee travel expenses is held directly with an online travel agent), as well as corporate payments made using virtual card numbers (which are also used in the travel sector).
PLEASE NOTE: None of the above factors which suggest SCA may not be required are any guarantee that SCA will actually not be required for the customer purchase. This ultimately depends on the discretion of the bank or payment method being used to make the purchase.

What is 3DS?

3D Secure (3DS) is a fraud prevention measure that acts as an additional layer of security when taking card payments. It gives customers a secure 2 step authentication before they can purchase online; ensuring that they’re using the correct card details to help protect against card payment fraud.

3DS serves as the authentication method required by SCA regulations.

What payment gateways support 3ds? 

  • Authorize.net: Not Supported
  • Braintree: Supported
  • EasyPayDirect: Not Supported
  • PayPal: Not required
  • Stripe: Supported

How do vendors enable 3ds for their payment gateways in PayKickstart?

NOTE: Please also consult with your payment processor to ensure they do not require any additional actions to set up 3ds.

Go to the Integrations section, locate your payment gateway and enter the settings, then click enable 3ds.

After you enable 3DS for the payment gateway go to the platform settings to set your SCA subscription billing reminders in the subscription section for the SCA authentication emails that will be sent to customers to authenticate their transaction. Set the number of SCA reminders (1 per day) you’d like to send your customers before marking the transaction as failed

 

IMPORTANT: SCA & 3DS is only supported on non-legacy templates. If you are an EEA-based vendor and have previously created products before 9/10/19, then you must disable the “Use legacy templates” option in your products’ settings(section 2) in order to be able to use SCA.

Please note that after switching to the new templates you may need to check your template’s design settings and/or reset the checkout template (resetting the template will reset any customizations in the legacy and non-legacy version of the templates)

NOTE FOR VENDORS WHO DO NOT SEE THIS LEGACY OPTION IN THEIR PRODUCTS: 
Legacy templates only apply to products created before 9/10/19.
All newly created or cloned products will NOT offer a legacy option.  If you do not see this option, your product is using the current non-legacy templates by default.


How will 3DS work for customers?

1. After entering their checkout info and clicking buy for a subscription-based product, European customers or customers required to use 3ds with their payment method will see a modal window popup (from the payment gateway the vendor is using to sell the product) The modal is created and controlled by the payment gateway. PayKickstart has no control over this modal.
2. Customers will need to follow the instructions provided by their bank in the modal window to authenticate the 3ds purchase themselves.

 

3. When a subscription rebill charge happens, we set that related transaction to a pending status until the rebill is authenticated by the customer. We then send an email to the customer for authentication of the rebill.
    • NOTE: If the customer does not authenticate the transaction within the allotted grace period(1-3 days: contact vendor of product for their grace period), the transaction will be marked as failed.

4. Our system confirms the customer’s rebill transaction and Paykickstart will attempt to process the transaction as normal.

NOTE: The transaction may still decline at this point if, for example, there are insufficient funds in the account.

Related Articles