Authentication: Updates to 3-D Secure 2 and PSD2
What you need to know right now about the latest 3-D Secure 2 security standard and PSD2, and what action you need to take.
3-D Secure 2
As already mentioned in newsletters 3 and 4 last year, acquirers, issuers and credit card schemes will start the official ramp-up phase for 3-D Secure 2 this April. The technical prerequisites for this are implemented in our latest standardised interfaces Redirect, Lightbox, Secure Fields and SDK.
In the case of existing 3-D Secure contracts, the new 3-D Secure 2 process will be activated automatically by Datatrans and the acquirer. Merchants who have integrated 3-D Secure through our current standardised interfaces do not need to make any technical changes for the time being. Merchants who do not use these interfaces must ensure that their integration operates in accordance with the latest standard (see “What needs to be done?”).
Datatrans recommends that merchants use the latest standardised interfaces and run through the 3-D Secure 2 implementation checklist outlined below.
More detailed information can be found on our website:
With regard to the technical implementation, we remain in constant contact with acquirers and credit card schemes, and will keep you updated at all times.
PSD2 and Strong Customer Authentication (SCA)
The Regulatory Technical Standards (RTS) on strong customer authentication and secure communications pursuant to PSD2 come into effect on 14 September 2019.
Merchants that offer goods and services in the EU/EEA and whose acquirers are also located in these areas are subject to the PSD2 rules. In general, we recommend that all merchants that sell to individuals in the EU/EEA comply with the requirements of PSD2, irrespective of where their acquirer is based. Any merchant engaged in remote payments must ensure that 3-D Secure is used for customer-initiated payments. Orders or transactions placed by telephone, fax or post (MOTO, i.e. mail order/telephone order) are excluded from the rules.
The data protection requirements pursuant to GDPR do not contradict the PSD2 obligations for strong customer authentication.
Much of the data involved is personal data as defined in the GDPR. The guidelines on protecting such data must therefore be strictly observed. Responsibility for the processing of biometric data, on the other hand, lies solely with the issuer.
What needs to be done?
- Merchants that have no 3-D Secure agreement are advised to contact their acquirers now to verify their agreements and make any required additions.
- Merchants that offer customer-initiated card payment processes via the Datatrans Payment Page are required to use 3-D Secure.
- Merchants that use a customer-initiated credit card process based on a purely server-to-server API (e.g. one-click checkout flows via a Datatrans alias solution) are also required to switch to the web-based API of the Datatrans Payment Page and use 3-D Secure.
- For merchant-initiated transactions, 3-D Secure is only required for the initial card registration process, in which the cardholder must give explicit consent. Subsequent merchant-initiated transactions do not require SCA.
Further information about PSD2 and 3-DS 2 can be found at:
Datatrans will continue to inform you about developments in relation to PSD2 and in particular 3-DS 2.
Do you have other questions about this topic? Please write to us at the following email address: [email protected]