PSD2 (the second Payment Services Directive) is a European directive that aims to encourage innovation, improve consumer protection and enhance the security of payment services.
The Regulatory Technical Standards (RTS) on strong customer authentication that accompany PSD2 require an authentication process for e-commerce payments initiated by the cardholder, unless an exemption applies.
The aim is to meet the requirements of Strong Customer Authentication, reducing fraud risk for the merchant while keeping the customer journey as simple and smooth as possible.
3DSV2 Definitions
Strong Customer Authentication (SCA)
Strong Customer Authentication is a regulatory requirement introduced under PSD2.
During an online payment, the cardholder may be asked to complete a strong, two-factor authentication in order to confirm that the person making the payment is the holder of the card being used.
Authentication is considered strong when it combines two of the following three authentication factors, which must be independent (compromising one must not compromise the other):
- something only the cardholder knows (knowledge: a password, a secret code, etc.)
- something only the cardholder possesses (possession: a mobile phone with the bank's application, the bank card itself, etc.)
- something the cardholder is (inherence: a fingerprint, voice recognition, etc.)
Frictionless
The merchant can request an exemption from customer authentication. The final decision belongs to the issuer (the cardholder's bank).
In a frictionless transaction the issuer authenticates the cardholder passively, from the data sent with the request; the cardholder has nothing to do.
In short, this process reduces the number of actions the buyer has to perform during payment.
In the case of frictionless transactions, the liability shift depends on the card brand: see Liability shift and 3DS Matrix.
Merchant choices: no preference / challenge / mandate
The merchant can request a strong authentication or an exemption. There are several choices:
- The merchant takes no action (no preference): the choice of exemption is left to the issuer.
- The merchant requires strong authentication (challenge), in one of two forms:
  - Mandate: the issuer must authenticate the buyer (e.g. for the first transaction of a subscription).
  - Preference (request): the merchant wishes to authenticate the buyer; the final choice remains with the issuer.
- The merchant requests an exemption from strong authentication (no challenge, frictionless): the issuer accepts or refuses the request based on the information the merchant sent.
Soft decline
PSD2 allows an issuing bank to refuse an authorisation when no strong 3-D Secure authentication has been performed on the transaction. This mechanism is called a soft decline.
In this case Axepta performs an automatic retry: the transaction is submitted again through 3-D Secure and the cardholder has to perform a strong authentication.
Transactions not affected by SCA
With PSD2, some payment cases are outside the scope of strong customer authentication, such as:
- Recurring payments (MIT, Merchant Initiated Transactions): the initial payment requires strong authentication, but the subsequent payments initiated by the merchant are exempted. If the subscription amount changes, the cardholder has to perform a new strong authentication.
- MOTO transactions (Mail Order and Telephone Order): this type of transaction is not considered an electronic payment, so SCA does not apply.
Exemptions
The merchant can request an exemption for:
- Low-value transactions (below €30): the bank must nevertheless request authentication if the exemption has already been used five times since the cardholder's last successful strong authentication, or if the sum of the payments exempted since then exceeds €100.
- Low-risk transactions (TRA, Transaction Risk Analysis): an exemption from strong customer authentication may be granted, subject to the acquirer's prior agreement, on the basis of a real-time risk analysis of each transaction.
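The following Python model ties together the merchant choices, the soft decline retry, the out-of-scope cases and the exemption rules described above. It is an added illustration, not Axepta's code or API and not a real issuer ACS: the merchant preference values are those of the EMV 3-D Secure field threeDSRequestorChallengeInd (01 to 04, from the EMVCo specification rather than this page), the names Transaction, CardState, authorise and pay are the example's own, the low-value counters follow the page's wording literally (five uses, or previously exempted payments above €100, since the last SCA), and a challenge is assumed to succeed so that it resets those counters.

```python
"""Toy model of the SCA / 3DS v2 decision flow described on this page.
Added illustration, not Axepta's code or API and not a real ACS. Preference values
are those of the EMV 3-D Secure field threeDSRequestorChallengeInd (01-04); the
issuer rules follow the text above. Amounts are in EUR."""
from dataclasses import dataclass, replace
from decimal import Decimal
from enum import Enum

class MerchantPreference(str, Enum):
    NO_PREFERENCE = "01"         # issuer decides whether to exempt
    NO_CHALLENGE = "02"          # merchant requests an exemption (frictionless)
    CHALLENGE_PREFERENCE = "03"  # merchant would like a challenge, issuer decides
    CHALLENGE_MANDATE = "04"     # challenge required (e.g. first recurring payment)

class Outcome(str, Enum):
    OUT_OF_SCOPE = "out_of_scope"  # MIT / MOTO: SCA does not apply
    FRICTIONLESS = "frictionless"  # passive authentication, nothing for the cardholder to do
    CHALLENGE = "challenge"        # cardholder completes strong authentication
    SOFT_DECLINE = "soft_decline"  # issuer refuses an authorisation sent without SCA

# Low-value exemption limits as stated on the page.
LVP_AMOUNT_LIMIT = Decimal("30")
LVP_CUMULATIVE_LIMIT = Decimal("100")
LVP_MAX_COUNT = 5

@dataclass
class Transaction:
    amount: Decimal
    preference: MerchantPreference = MerchantPreference.NO_PREFERENCE
    mit: bool = False         # subsequent merchant-initiated (recurring) payment
    moto: bool = False        # mail order / telephone order
    tra_agreed: bool = False  # acquirer agreed to the TRA exemption for this transaction
    via_3ds: bool = False     # a 3-D Secure authentication was run before authorisation

@dataclass
class CardState:
    """Counters the issuer keeps per card since the last successful SCA."""
    lvp_count: int = 0
    lvp_total: Decimal = Decimal("0")

def low_value_exemption_allowed(tx: Transaction, state: CardState) -> bool:
    """Below 30 EUR, fewer than five exemptions used and the previously exempted
    payments not above 100 EUR since the last SCA (the page's wording)."""
    return (
        tx.amount < LVP_AMOUNT_LIMIT
        and state.lvp_count < LVP_MAX_COUNT
        and state.lvp_total <= LVP_CUMULATIVE_LIMIT
    )

def issuer_decision(tx: Transaction, state: CardState) -> tuple[Outcome, str]:
    """Issuer (ACS) side: the outcome and the reason for it."""
    if tx.moto:
        return Outcome.OUT_OF_SCOPE, "moto"
    if tx.mit:
        return Outcome.OUT_OF_SCOPE, "mit"
    if tx.preference is MerchantPreference.CHALLENGE_MANDATE:
        return Outcome.CHALLENGE, "mandate"
    if tx.preference is MerchantPreference.CHALLENGE_PREFERENCE:
        # The final choice stays with the issuer; this model honours the request.
        return Outcome.CHALLENGE, "merchant_preference"
    # 01 / 02: the issuer decides whether an exemption can be applied.
    if low_value_exemption_allowed(tx, state):
        return Outcome.FRICTIONLESS, "low_value"
    if tx.tra_agreed:
        return Outcome.FRICTIONLESS, "tra"
    return Outcome.CHALLENGE, "no_exemption"

def authorise(tx: Transaction, state: CardState) -> tuple[Outcome, str]:
    """One authorisation attempt; updates the per-card counters.
    A transaction that needs SCA but reaches the issuer without a 3-D Secure
    authentication is soft-declined instead of challenged."""
    outcome, reason = issuer_decision(tx, state)
    if outcome is Outcome.CHALLENGE and not tx.via_3ds:
        return Outcome.SOFT_DECLINE, reason
    if reason == "low_value":
        state.lvp_count += 1
        state.lvp_total += tx.amount
    elif outcome is Outcome.CHALLENGE:
        # Model assumption: the challenge succeeds, which resets the counters.
        state.lvp_count, state.lvp_total = 0, Decimal("0")
    return outcome, reason

def pay(tx: Transaction, state: CardState) -> list[tuple[Outcome, str]]:
    """Gateway-side flow with the soft-decline retry: replay the transaction
    through 3-D Secure with a mandated challenge so the cardholder performs SCA."""
    steps = [authorise(tx, state)]
    if steps[-1][0] is Outcome.SOFT_DECLINE:
        retry = replace(tx, preference=MerchantPreference.CHALLENGE_MANDATE, via_3ds=True)
        steps.append(authorise(retry, state))
    return steps

if __name__ == "__main__":
    card = CardState()  # constructed walk-through: six 25 EUR payments, then a 250 EUR one
    for _ in range(6):
        print(authorise(Transaction(Decimal("25"), via_3ds=True), card))
    print(pay(Transaction(Decimal("250")), card))
```

Running the walk-through shows the fifth €25 payment still frictionless (the counters are checked before it is counted) and the sixth challenged, after which the counters are back to zero; the €250 payment sent without 3-D Secure is soft-declined and then replayed with a mandated challenge. The reason string returned alongside each outcome is what you would want to log in production, since "frictionless because of TRA" and "frictionless because of low value" carry different liability and counter implications.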
Increase 'Frictionless' payments
Several parameters can be added to the payment request to increase the share of frictionless payments.
For further details: Exemptions & 'Frictionless' payments