Implementing 3D Secure 2 (3DS2) – a cornerstone of the strong customer authentication (SCA) rules outlined in Europe’s second payments directive – represents a complex challenge for ecommerce firms and payment service providers, says JP Morgan’s executive director of product solutions, Brian Gaynor.
3DS2 is an online payment authentication mechanism, and version 2.2 includes explicit exemption flags. Exemptions can be applied to low-risk transactions, payments under €30, or fixed-amount subscriptions.
“From the current perspective we now have the products available to do SCA and they’ve launched in market, but the 3D Secure version 2.2, which is the one that fully supports the exemptions from SCA, is not ready yet.”
Visa recently announced its specifications for 3DS2 in April, and Gaynor predicts it will take a while before market participants make relevant changes to support the exemptions.
The European Banking Authority (EBA) published an opinion on October 16 presenting a new deadline for the migration to SCA for all ecommerce card transactions under PSD2. The opinion followed the voiding of the previous deadline, September 14, 2019, due to calls for a longer integration period from several market participants. The new deadline is December 31, 2020.
In a letter to the EBA dated September 13, the European Banking Federation, Visa, Mastercard, and others requested an additional timeframe of 18 months for full SCA implementation. Gaynor suggests market participants will be working to a tighter deadline.
“I can see that potentially products might only fully be available for merchants to start integrating 3DS 2.2 come quarter two or three,” he says. “And with the deadline being at the end of December, that’s peak period for online shopping … generally ecommerce merchants don’t put any changes to their platforms in the fourth quarter – they’re in blackout.”
“What we’re going to be saying to our merchants is that they need to code for the new specs now, get it done, and don’t be waiting for the exemption software to be available, because it may just be too late and there isn’t enough time to do it,” says Gaynor.
For Ralf Gladis, CEO at global payment service provider (PSP) Computop, SCA exemptions are an important factor in providing comfortable customer checkout experiences.
“Computop offered a full 3DS2.0 compliant API for retailers to connect even before September 14. But when the prolongation of PSD2, in the case of online card payments, came up, we recommended our customers not to switch to 3DS2 too early as many acquirers might not be ready, especially with regards to the exemptions which are mostly part of the 3DS 2.2 protocol,” said Gladis, in an email.
Holding off on implementation of certain SCA protocols has been one result of PSD2, which the EBA hopes to counter by enforcing constant communication between PSPs and national competent authorities (NCAs). Under the new EBA opinion, NCAs will be held accountable for collecting data on the types of transactions that are being registered. Previously, PSPs and merchants have feared that implementing SCA, especially without 3DS 2.2, would turn ecommerce customers away from making purchases.
“If we were to turn around to a regulator next March when the first submission is due and say, ‘No look: although we have the product ready and our merchants have it ready, we decided not to turn it on,’ I don’t think that they would look on that favourably,” says Gaynor.
He says there is little incentive to hold off on SCA with the new deadline, and that those who already have their SCA and 3DS 2.1 in place will be at an advantage.
Duncan Barrigan, chief product officer at PSP GoCardless, said in an email:
“The EBA has reapplied the pressure for rapid migration to SCA. The industry was granted a much-needed extension, but the last few weeks were never a time to sit back and relax. Merchants, PSPs and all players in the payments ecosystem will now have to continue working and show demonstrable evidence of their migration plans to meet the deadline.”
“The clock is still ticking and, to stay out of the EBA's firing line, businesses need to shape up for SCA.”