3D Secure 2 — the most common questions

Yes, if you accept online credit and debit card payments and your acquiring bank is located within the European Economic Area.

Please note that strong customer authentication (SCA) is part of the PSD2 — the regulation that comes into effect on 14 September 2019. The 3D Secure 2 will make you stay compliant with the directive as it is considered the main method of authenticating online card payments.

This is why we strongly recommend enabling our non-invasive 3D Secure in order to stay compliant with new regulations. If you still don’t have 3DS enabled, please contact our support team.

The main differences are:

• stronger authentication — static passwords will be replaced with tokens and biometric
• enhanced customer experience
• better conversion thanks to reducing friction in the transaction process
• support for mobile clients.

For more details on the differences read one of our past blog posts: 3D Secure 2.0 specifications in a nutshell.

Please stay aware that not using 3D Secure may cause severe consequences after September 14 when PSD2 comes into force. Here’s what you may face when the 3DS is not built into the checkout flow:

• transaction declines
• a massive drop in conversion
• checkout friction and poor customer experience
• increased risk of cart abandonment.

If you have the non-invasive 3D Secure enabled, you can stay assured that your business is ready for new requirements. As our customized 3DS was designed with the highest security level and the customer experience in mind (which is similar to 3DS2), you will smoothly transit to 3D Secure 2 without any extra action on your part. We’ve got your back, so you may focus on your core business.

If any action is required, you will be notified immediately.

If you have the non-invasive 3D Secure in place, you are ready for the 3DS2 version. No extra action is required.

If you don’t have our non-invasive 3D Secure implemented, follow the instructions.

If you’re using SecurionPay Checkout, you need to implement the 3D Secure method into your Checkout Request object. Find out more details in the documentation (threeDSecure object).

To find the Custom form follow the documentation. When creating a charge, please set the threeDSecure object requireAttempt to true and requireSuccessfulLiabilityShiftForEnrolledCard to false.

If you accept card payments from customers outside Europe (there are no European cards) and the issuer or acquirer is not based in Europe, you don’t need to enable 3DS2.

Both the non-invasive 3D Secure and 3DS2 are designed to add a security layer and minimize the chargeback ratio without hindering conversion. Though keep in mind that the main goal of introducing SCA is increased fraud prevention.

When it comes to recurring transactions with a fixed amount, only the initial one requires strong customer authentication. However, 3DS will be required for every new amount when the amount changes.

As most subscription-based payments are perceived as merchant initiated, they are out of the SCA scope, but it’s still up to the bank whether the transaction needs to be authenticated or not.

There are exemptions from SCA defined for different use cases. It can be based on the amount (transactions lower than €30), transaction type, level of risk, etc. Overall, it is the cardholder bank’s decision whether to accept an exemption.