Let’s talk about 3-D Secure Fallback!

First of all… What’s an SCA?

Strong Customer Authentication (SCA) is defined in PSD2 as an "authentication based on the use of two or more elements categorized as knowledge (something only the user knows), possession (something only the user possesses) and inherence (something the user is) that are independent, in that the breach of one does not compromise the reliability of the others, and is designed in such a way as to protect the confidentiality of the authentication data."

Most European issuers choose to rely on the EMV 3-D Secure 2.x protocol to meet the PSD2 requirements for card payment authentication.

What’s EMV 3-D Secure?

EMV 3-D Secure 2.x is an evolution of the Visa 3-D Secure v1.x protocol, designed to improve UX and acceptance rates while reducing Card-Not-Present fraud.

The main evolution is the quantity and quality of the data shared between the Merchant and the Issuer (through the Acquirer and the Card Scheme).

What’s new with EMV 3-D Secure v2.2?

3-D Secure v2.1 vs v2.1+ vs v2.2:

[Image: comparison of 3-D Secure v2.1, v2.1+ and v2.2 (no alternative text available)]

Delegated Authentication:

The merchant can send data to the issuer through the 3-D Secure protocol to prove that the customer has already been authenticated by the merchant. This enables a frictionless, PSD2-compliant one-click payment.

Decoupled Authentication:

The authentication is separated from the payment transaction and can take place up to seven days after the actual payment. Such an authentication can occur, for example, after a 3-D Secure outage.

Requestor initiated Payments (3RI):

It allows merchants to initiate transactions on their own, for recurring payments, even with varying amounts and even when the cardholder is offline.

All is for the best in the best of all possible worlds…

3-D Secure Server:

Located in the Acquirer Domain, the 3DS Server initiates the authentication, using the Scheme Directory Server to locate the issuer ACS to contact.

Scheme Directory Server:

Located in the Interoperability Domain, the scheme Directory Server identifies the card issuer's Access Control Server and contacts it to assess whether the card is enrolled in 3-D Secure.

Issuer Access Control Server:

Located in the Issuer Domain, it allows cardholders to confirm their identity using multi-factor authentication.

Out-of-band authentication:

Located in the Issuer Domain, Out-of-Band authentication means using two different channels, or two factors, to verify the cardholder's identity. Both of them should be applicable to 3-D Secure 2.x.

For example, the primary authentication may be passed by biometrics, while the second may be granted with a cryptographic token issued by the e-banking app.

Authorization:

Authorization straddles the three domains. The authorization request is sent through the Merchant's Acquirer to the Issuer bank. The issuer then decides whether the transaction will be approved or declined, based on the cardholder's account status and the 3-D Secure authentication results.

[Image: 3-D Secure flow diagram with numbered stages (no alternative text available)]

In theory, there is no difference between theory and practice – in practice, there is…

As with any complex system, issues can occur in many of its components.

All the comments below apply if your provider is fully compliant with 3-D Secure v2.1 (or higher) for both Authentication AND Authorization.

3-D Secure Server:

If your third-party 3-DS Server or your PSP's 3-DS Server is down, skipping the authentication could lead to a soft decline.

Being able to route the transaction through another partner is the only solution.

Actively monitoring 3-DS Server availability and dynamically switching to a different partner is a critical feature.

Scheme Directory Server:

In case of a time-out between the 3-DS Server and the Directory Server (Authentication Request 2.1 on the diagram), EMVCo has specified an authorization message to inform the issuer. Based on this message, the issuer can accept or decline (soft decline) the transaction following its Transaction Risk Analysis.

For co-branded cards, the Directory Server locks the path of your transaction:

Since 2015, EU Regulation 2015/751 has regulated scheme usage rules.

A transaction authenticated on a specific scheme shouldn’t be authorized using a different one.

Switching from one scheme to another, even in case of an outage, could breach this regulation. But as the proverb says, “necessity is the mother of invention.”

Actively monitoring DS availability and dynamically switching to a different scheme on eligible cards, or choosing the most efficient PSP, is a critical feature.
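The two monitoring-and-switching features above (3-DS Server availability per partner, and Directory Server availability per scheme for co-branded cards) can be expressed as a single routing decision. The Python below is an added example written for this article, not code from the article or from any PSP or scheme: the partner names, scheme names, the 10-probe window and the 90 % availability threshold are all assumptions, and a real deployment would feed the health windows from actual probe results or AReq time-outs rather than from the constructed situations in `demo()`.

```python
"""Added example: availability-driven routing of a 3-D Secure authentication.

Not from the article or any PSP. Partner/scheme names, window size and
the availability threshold are assumptions for illustration.
"""
from collections import deque
from dataclasses import dataclass, field

MIN_AVAILABILITY = 0.9   # assumption: below this, the component is treated as down
WINDOW = 10              # assumption: number of recent probes kept per component


class HealthWindow:
    """Sliding window of the last WINDOW probe results (True = reachable, no time-out)."""

    def __init__(self) -> None:
        self.probes: deque = deque(maxlen=WINDOW)

    def record(self, ok: bool) -> None:
        self.probes.append(ok)

    def availability(self) -> float:
        # A component that has never been probed is assumed healthy until proven otherwise.
        if not self.probes:
            return 1.0
        return sum(self.probes) / len(self.probes)


@dataclass
class Partner:
    """A 3-DS Server we can route through (third party or PSP) and the schemes it supports."""
    name: str
    schemes: frozenset
    health: HealthWindow = field(default_factory=HealthWindow)


def choose_route(card_schemes, partners, ds_health, preferred=None):
    """Pick (partner name, scheme) for one authentication, or None if no 3-DS path is up.

    card_schemes: schemes the card carries, e.g. ("CB", "VISA") for a co-branded card.
    Only the card's own schemes are considered, so authentication and authorization
    stay on the same scheme; a card badged with a single scheme is never re-routed.
    ds_health: {scheme: HealthWindow} for each scheme Directory Server.
    """
    # Try the preferred scheme first, then the card's other scheme(s) in order.
    order = sorted(card_schemes, key=lambda s: s != preferred)
    for scheme in order:
        if ds_health[scheme].availability() < MIN_AVAILABILITY:
            continue  # this scheme's DS is timing out (stage 2.1): try the other scheme
        candidates = [p for p in partners
                      if scheme in p.schemes
                      and p.health.availability() >= MIN_AVAILABILITY]
        if candidates:
            # Several partners up: take the one with the best recent availability.
            best = max(candidates, key=lambda p: p.health.availability())
            return best.name, scheme
    return None


def demo():
    """Walk through four constructed situations and return the routing decisions."""
    psp_a = Partner("psp-a", frozenset({"CB", "VISA"}))
    psp_b = Partner("psp-b", frozenset({"VISA", "MASTERCARD"}))
    partners = [psp_a, psp_b]
    ds = {s: HealthWindow() for s in ("CB", "VISA", "MASTERCARD")}
    cobranded = ("CB", "VISA")
    decisions = []

    # 1. Everything healthy: the co-branded card goes to the preferred scheme via psp-a.
    decisions.append(choose_route(cobranded, partners, ds, preferred="CB"))

    # 2. psp-a's 3-DS Server fails its last probes: no other partner supports CB,
    #    so the card falls back to its second scheme via psp-b.
    for _ in range(5):
        psp_a.health.record(False)
    decisions.append(choose_route(cobranded, partners, ds, preferred="CB"))

    # 3. psp-a recovers, but the CB Directory Server starts timing out:
    #    CB is skipped and VISA is routed through the first healthy partner.
    for _ in range(WINDOW):
        psp_a.health.record(True)
    for ok in [True] * 7 + [False] * 3:
        ds["CB"].record(ok)
    decisions.append(choose_route(cobranded, partners, ds, preferred="CB"))

    # 4. Single-scheme card whose only supporting partner is down: no 3-DS route,
    #    so the orchestration layer must decide whether to attempt a non-3-DS flow.
    for _ in range(5):
        psp_b.health.record(False)
    decisions.append(choose_route(("MASTERCARD",), partners, ds, preferred="MASTERCARD"))
    return decisions


if __name__ == "__main__":
    for step, decision in enumerate(demo(), 1):
        print(step, decision)
```

The `None` result in the last situation is deliberate: the router only ever picks a scheme the card is badged with, so when no 3-DS path exists it reports that fact instead of silently sending the transaction without authentication, and the soft-decline risk of a non-3-DS flow becomes an explicit decision rather than an accident.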

Issuer Access Control Server and beyond:

If a time-out occurs between the DS and the ACS during the Authentication Request (2.2 on the diagram), the schemes and the issuers have agreed to use a specific Authorization message. Based on this message, the issuer can accept or decline (soft decline) the transaction following its Transaction Risk Analysis.

But if the issue occurs after stage 2.2 in the diagram, including during Out-of-band Authentication, no automated fallback is available.

In this case, the issuer(s) and the scheme(s) must “manually” agree to activate the same fallback process as if the issue had occurred at stage 2.2.

The issuer can then accept or decline (soft decline) the transaction following its Transaction Risk Analysis.

Actively monitoring the 3-D Secure authentication success rate and raising alerts to the Merchant, PSP and Schemes when a deviation occurs is a critical feature.
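Because a failure after stage 2.2 produces no automated fallback, the only early signal is the authentication result mix itself. The Python below is an added example, not code from the article or from any PSP: it groups EMV 3DS `transStatus` results per issuer, compares a current window against a baseline, and raises an alert on a success-rate drop or on a burst of technical failures. The issuer names, traffic mix, minimum sample size and thresholds are constructed assumptions, as is the choice of which status values to count as success (`Y`, `A`) and as technical failure (`U`).

```python
"""Added example: detecting a deviation in the 3-D Secure authentication success rate.

Not from the article. Issuer names, the traffic mix, the windows and the
thresholds are constructed for illustration.
"""
from collections import Counter, defaultdict

# EMV 3DS transStatus values as grouped by this example (an assumption about what
# the alerting should count): Y = authenticated, A = attempts processing performed,
# U = authentication could not be performed (technical or other problem).
SUCCESS_STATUSES = {"Y", "A"}
TECHNICAL_STATUSES = {"U"}

MIN_SAMPLES = 50        # assumption: ignore keys with too little traffic in the window
MAX_DROP = 0.15         # assumption: alert if success rate falls >15 points under baseline
MAX_TECHNICAL = 0.10    # assumption: alert if >10 % of results are technical failures


def rates(results):
    """results: iterable of (key, transStatus); key is e.g. an issuer/ACS identifier.

    Returns {key: (count, success_rate, technical_rate)}.
    """
    counts = defaultdict(Counter)
    for key, status in results:
        counts[key][status] += 1
    out = {}
    for key, c in counts.items():
        n = sum(c.values())
        success = sum(c[s] for s in SUCCESS_STATUSES) / n
        technical = sum(c[s] for s in TECHNICAL_STATUSES) / n
        out[key] = (n, success, technical)
    return out


def detect_deviation(baseline, current):
    """Compare the current window to the baseline per key and return alert tuples."""
    alerts = []
    for key, (n, success, technical) in current.items():
        if n < MIN_SAMPLES or key not in baseline:
            continue  # not enough data, or no baseline to compare against
        _, base_success, _ = baseline[key]
        if base_success - success > MAX_DROP:
            alerts.append((key, "success_rate_drop", round(base_success, 3), round(success, 3)))
        if technical > MAX_TECHNICAL:
            alerts.append((key, "technical_failures", round(technical, 3)))
    return alerts


def demo():
    """Constructed traffic: one issuer's ACS degrades after stage 2.2, the others are normal."""
    baseline = rates(
        [("acs-bank-1", "Y")] * 95 + [("acs-bank-1", "N")] * 5
        + [("acs-bank-2", "Y")] * 90 + [("acs-bank-2", "N")] * 10
    )
    current = rates(
        # bank-1: many "U" results, the signature of an ACS or OOB problem with no automated fallback
        [("acs-bank-1", "Y")] * 60 + [("acs-bank-1", "N")] * 5 + [("acs-bank-1", "U")] * 35
        # bank-2: normal fluctuation, no alert
        + [("acs-bank-2", "Y")] * 88 + [("acs-bank-2", "N")] * 12
        # bank-3: too few transactions in this window to judge
        + [("acs-bank-3", "U")] * 20
    )
    return detect_deviation(baseline, current)


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

Keying the rates by issuer rather than by scheme or PSP matters here: an ACS or out-of-band outage at one bank is invisible in a global success rate until it is large, but shows up immediately as that issuer's `U` share climbing, which is the moment to warn the PSP and the scheme so the manual fallback agreement can be triggered.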

“Finally, in conclusion, let me say just this.”

If your PSP hasn’t upgraded to at least 3-D Secure v2.1+ (and CB2A 1.5, or better 1.6, for France), your only fallback option will be a non-3-DS flow, with a potentially high number of transactions declined by the issuer...

If you want to clarify a point, improve your PSD2 compliance without compromising your turnover, or share some thoughts, just drop us an email at [email protected]
