3D secure : Secure payment solutions

Progressive roll-out
of 3DS V2

By introducing new security standards for online payments, the PSD2 (Payment Services Directive 2) obliges the use of strong authentication methods with the 3D Secure V2 standard for each payment. These European regulations signal the end of the SMS OTP (One Time Password).

Discover our special DSP2 file

To maintain acceptance rates, it’s imperative to plan for scenarios that apply frictionless authentication, and even benefit from exemptions if possible.

Strong authentication

x3

Estimated trigger rate
3DS

Before strong authentication

11%

Failure rate after triggering
of 3D Secure

The frictionless journey

3D Secure V2 introduces a new frictionless authentication path. This route occurs when the cardholder is not explicitly asked to authenticate while browsing.

Payment authentication initiated

Authentication request sent to server to obtain an agreement or refusal

Response to this authentication communicated to the cardholder

Banking authorisation processed with acceptance or refusal of the transaction

Live from the blog

Have you anticipated the impact of RTS on your turnover?

See the PSD2 file

Special cases
with the frictionless route

Certain specific payment transactions will be considered outside the scope of the RTS and will not require strong authentication.

Merchant Initiated Transaction (MIT)
Mail Order and Telephone Order
Outside the European Economic Area if the PSP acquirer and/or transmitter is outside the EEA

Conditions
to promote
a frictionless course

Merchant requests frictionless mode
The merchant transmits a maximum of data
The merchant maintains a fraud rate below the threshold imposed by the RTS

The merchant has the best assets to maintain its acceptance rate

Merchant requests frictionless mode
Merchant does not transmit enough data
The merchant maintains a fraud rate below the threshold imposed by the RTS

The merchant is forced by the issuer, who can accept the request in frictionless mode or continue to apply refusals

Merchant requests frictionless mode
The merchant transmits a maximum of data
The merchant does not maintain a fraud rate below the threshold imposed by the RTS

The merchant is forced by the issuer, who may increase the trigger rate for two-factor authentication or reject transactions

Merchant does not transmit enough data
The merchant does not maintain a fraud rate below the threshold imposed by the RTS

The merchant is forced by the issuer, who rejects all transactions, all subject to systematic two-factor authentication

Course with friction (challenge stage)

When a strong client authentication (SCA) is required by the acquirer or issuer, the course is completed with a ‘challenge’ stage. This authentication process is similar to that of the 3D Secure V1.

Steps 1, 2 and 3 are identical
to the course with friction, then

The cardholder is subject to strong authentication after request from the acquirer and/or issuer

The result of the authentication is transmitted to the acquirer and issuer

The result of the authentication is sent to the e-merchant

The banking authorisation is then processed with acceptance/rejection of the transaction

Conditions for a valid,
strong authentication

RTS came into effect on September 14, 2019 to finalise the application of PSD2 in Europe, with Strong Client Authentication (SCA) to be expected for all online transactions. Strong authentication is said to be valid when the method used combines at least 2 of the following 3 criteria:

Knowledge

Information that only the user knows (PIN code, password, etc.)

Possession

Information that only the user has (a card, a mobile phone, etc.)

Inherence

User identity recognition information, biometric identification (fingerprint, iris or voice recognition)