• What is PSD2?
    The EU’s Second Payment Services Directive (2015/2366 PSD2) entered into force in January 2018, aiming to ensure consumer protection across all payment types, promoting an even more open, competitive payments landscape. Acting as a payment service provider, Ingenico ePayments prides itself on being confirmed PSD2 compliant since 29 May 2018.

    One of the key requirements of PSD2 relates to Strong Customer Authentication (SCA) that will be required on all electronic transactions in the EU from September 2019. SCA will require cardholders to authenticate themselves with at least TWO out of the following three methods:

    • Something they know (PIN, password, …)
    • Something they possess (card reader, mobile. …)
    • Something they are (voice recognition, fingerprint, …

    This means your customers, in practice, will no longer be able to make a card payment online by using only the information on their cards. Instead they will have to, for example, verify their identity on a bank app that is connected to their phone and requires a password or fingerprint to approve the purchase.

    More information about PSD2 can be found here: https://www.europeanpaymentscouncil.eu/sites/default/files/infographic/2018-04/EPC_Infographic_PSD2_April%202018.pdf

  • How does PSD2 impact me as a merchant?

    On September 14th, Strong Customer Authentication (SCA) rules will come into effect for all digital payments in Europe. Right now, banks, payment service providers and card networks are all working on technical solutions that will comply with the requirements for PSD2. To accept payments after September 14th you will have to make sure that these technical solutions will work with your online store.

    Accepting payments from the world’s largest card networks, Visa, Mastercard and Amex, will require that you have implemented the security solution 3D Secure for your online store. 3D Secure has been used since 2001 to improve the security for online card transaction but now a new version has been developed that will facilitate the PSD2 Strong Customer Authentication requirements.

    Ingenico ePayments is recommending to use 3-D Secure, since it helps prevent fraud and also protects you from liability in case of any fraud. From September 14th it will also be a requirement for accepting the payments from major cards.

  • What is the new 3-D Secure v2.1?

    Secure version 2 is an evolution of the existing 3-D Secure version 1 programs: Verified by Visa, Mastercard SecureCode, AmericanExpress SafeKey, Diners/Discover ProtectBuy and JCB J/Secure. It is based on a specification that has been drafted by EMVco. EMVCo exists to facilitate worldwide interoperability and acceptance of secure payment transactions. It is overseen by EMVCo’s six member organizations—American Express, Discover, JCB, Mastercard, UnionPay, and Visa—and supported by dozens of banks, merchants, processors, vendors and other industry stakeholders who participate as EMVCo Associates.

    One of the core differences in version 2 is that the issuer can use a lot of data-points from the transaction to determine the risk of the transaction (risk-based analysis). For low-risk transactions, issuers will not challenge the transaction (e.g. not sending an SMS to the cardholder) although authenticating the transaction (frictionless). Inversely, for high risk transaction, issuers will require the cardholder to authenticate with an SMS or biometric means (challenge).

    Separately the Strong Customer Authentication (SCA) required in Europe by September 14th, 2019 as specified in PSD2 will result in a substantial increase in the number of transactions requiring the use of 3-D Secure authentication. The use of 3-D Secure version 2 should limit the potential negative impact on conversion as much as possible. In short 3-D Secure version 2 means:

    • You will need to implement 3-D Secure before September 14th, 2019 if your transactions fall within the EU PSD2 SCA guidelines (in case you don't already support 3-D Secure).
    • You are advised (and for some are required) to submit additional data points to support the risk assessment performed by the issuer in case of 3-D Secure version 2
    • You might need to update your privacy policy with regards to GDPR as you might be sharing additional data-points with 3rd parties
    • A much better user experience for your consumers

    The expectation in the market is that a substantial percentage of transactions using 3-D Secure version 2 will follow the frictionless flow, which doesn't require anything additional from the cardholder compared to current non-3-D Secure checkout flows. This means that you benefit from the increased security and liability shift that is provided by the 3-D Secure programs, while the conversion in your checkout process shouldn't be negatively impacted.

  • What is the difference between exemption and exclusion?

    Exclusions are transactions that are OUT of scope for PSD2 SCA regulations:

    • Mail order/telephone order
    • One leg journey - Payee's PSP (aka Merchant's acquirer) or Payer's PSP (aka Buyer's payment method issuer) is outside of EEA zone
    • Anonymous prepaid cards up to 150€ (article 63)
    • MIT - merchant initiated transactions

    Exemptions are transactions that are IN the scope of PSD2 SCA regulations:

    • Low value transactions
    • Subscriptions
    • Risk analysis
    • Whitelisting
  • What are the exemptions for SCA?

    To make things easier for both merchants and consumers, PSD2 allows for some exemptions from strong customer authentication. What’s important to note is that all transactions that qualify for an exemption won’t be automatically exempted. In the case of card transactions, for example, it’s the card issuing bank that decides if an exemption is approved or not. So, even if a transaction qualifies for an exemption the customer might still have to make a strong customer authentication, if the card issuing bank chooses to demand it.

    • Low value transactions: This exemption will, most likely, be the most frequently used. The exemption says that if a customer makes a purchase for under 30 euros they can be exempted from making a strong customer authentication. This exemption is limited and if a customer makes five such transactions in a row or reaches a value of more than 100 euros, a strong customer authentication will always be required.
    • Subscriptions: Another type of transaction that can be exempted is recurring and subscription payments where the sum for each transaction is the same. For these transactions a strong customer authentication will only be required when the customer first signs up for the subscription and not for every individual transaction.
    • Risk analysis: Exemptions can also be made based on what is called “transaction risk analysis”. This means that a payment service provider, like Ingenico ePayments, can be allowed to make exemptions for transactions that are deemed as “low risk” based on the requirements in PSD2’s technical standards. This exemption has a limit when it comes to transaction value and can only be applied if the payment service provider has a sufficiently low fraud rate for that specific type of transaction.
    • Whitelisting: A final type of exemption is called whitelisted recipients. Whitelisting means that a customer can register certain payment recipients as “trusted” with their card issuing bank. By doing that they won’t have to carry out a strong customer authentication when paying to that specific recipient, subject to the issuing bank agreement.
  • When will Ingenico ePayments be ready?

    The EBA (European Banking Authority) and national banks in each affected country agreed on a grace period (until at least March 2020). This will give every player in the eCommerce business the opportunity to clarify all details related to this new regulation. However, we still strongly recommend to activate 3DS in your account(s) as soon as possible.

    Since our TEST environment is ready, we advise you to start testing your integration as soon as possible.

    Click here if you’re using Ingenico eCommerce page. If you’re using your own page, click here.

  • Is Credentials/Card on file (COF) part of the exclusion/exemptions list?
    COF in a nutshell: Customer initiates a first transaction with a merchant with a 3D-S (CIT). From this first transaction experience, the merchant has the possibility to do recurring transactions (subscription or with customer approval -> tokenization), flagged as MIT transactions.

    MIT are one of the exemptions foreseen within the 3DSv2., if they fulfill the following cumulative conditions:
    • subsequent transactions of an initial CIT 
    • CIT was done with a mandatory authentication
    • A dynamic ID linking is made between initial CIT and the subsequent MITs
    After initial authentication, exemptions/exclusions can apply:
    • Either because of legal recurring exemptions which apply to subscriptions with a fixed amount and periodicity (merchants are indeed advised to authenticate for full amount + provide details about number of agreed payments with card holders)
    • Either because other type of transactions are excluded from SCA scope... at merchant sole risk in case of chargeback (protection limited to authenticated amount) AND need for issuer to accept that risk to be taken:
      • Unscheduled COF: principle of subsequent transactions is agreed with card holder, but amount and/or periodicity is not fixed
      • Industry practices: incremental, no show, etc...

    For the transitional period, schemes have defined default ID to be used for subsequent MITs created before introduction of 3DS v2.

  • What do I need to do to comply to PSD2 and SCA?
    First, you need to make sure that 3-DS is enabled on your online store for all your payment methods (Visa, MasterCard, American Express, Carte Bancaire, JCB). Make sure it's done. If not, please ask our support to activate it.

    As 3-D Secure version 2 (3DSv2) aims to grant the Strong Customer Authentication (SCA) trigger to the issuing bank, the issuing bank needs to better assess the risk involved within transaction. As a consequence the 3DSv2 specification contains a lot of data elements. Good news if you are using our fraud tool, since some of them are already commonly used in our fraud screening!  Of course, some are new and specific to 3-D Secure v2. In summary the data elements can be categorized as follows:
    • Mandatory information - browser data:
        • Integration with Shopping Carts?
          You are kindly invited to go onto the shopping cart market place to install the latest version of the Ingenico ePayments plugin or take contact with your supplier directly. 
        • If you are using our eCommerce page, mandatory information are collected by Ingenico ePayments. You can directly go to the recommended information below.
        • If you are using your own payment page, you will need to collect mandatory information yourself as per below. We advise you to consult our support page to find out how and take a look at the example of java script.
      • Read more in the Directlink 3D guide
    • Recommended information - these could possibly be used as part of fraud prevention screening:
        • Card holder name (CN)
        • Email (EMAIL)
        • IP address (REMOTE_ADDR)
        • Phone number (Mpi.WorkPhone.subscriber, Mpi.HomePhone.subscriber ...)
        • Billing address (ECOM_BILLTO_POSTAL_CITY, ECOM_BILLTO_POSTAL_COUNTRYCODE, ECOM_BILLTO_POSTAL_STREET_LINE1 ...)
        • Shipping address (ECOM_SHIPTO_POSTAL_CITY, ECOM_SHIPTO_POSTAL_COUNTRYCODE, ECOM_SHIPTO_POSTAL_STREET_LINE1 ...)
      • Note that the recommended/optional parameters should be provided to benefit from the friction less flow which can increase your conversion.
    • Optional information – extended cardholder/account data as introduced by EMVCo:
        • Mpi.cardholderAccountAgeIndicator
        • Mpi.cardholderAccountChange
        • Mpi.cardholderAccountPasswordChange
        • Mpi.suspiciousAccountActivityDetected
        • Mpi.threeDSRequestorChallengeIndicator
      • Read more in the full list

    Our existing APIs already capture a lot of the data elements, but we are adding a lot of new data elements. The reason is that we believe that everybody in the payments ecosystem benefits from increased security, with the least amount of negative impact to the experience of the consumer. Payments are based on trust and by providing more data it becomes easier for parties to trust one-another, without requiring additional challenges to authenticate the consumer. Almost all of the newly added data elements are optional, but we advise you to supply as much of them as possible. This increases the likelihood of your transactions following the frictionless flow, while you benefit from liability shift. In case you use the Ingenico ePayments hosted payment page, we will capture the browser related data automatically.

    The level of required changes will differ based on the type of integration you have with Ingenico ePayments.

  • Can I start with implementing and testing?

    Yes, our test platform is ready for you to start testing. A simulator will support all different scenarios.

    Testing cards have been provided and can be found on the support site, as well as in the TEST environment (Configuration > Technical Information > Test info).

  • How can I capture additional data for SCA?

    If you use our eCommerce page, Ingenico ePayments will take care of all mandatory fields.

    If you are integrated in DirectLink, meaning that you have your own payment page, we have a Javascript example available on the support page to collect the mandatory data.

    For the optional information collection, refer to our support page on how to integrate with Ingenico ePayments.

  • Could we provide Secure authentication performed on another MPI than the Ingenico ePayments one?
    No and it is also not planned to do so.
  • What happens if merchant is not sending V2 mandatory fields?

    This situation is only possible if you are integrated via DirectLink only (Merchant own page / FlexCheckOut), as in Ingenico ePayments hosted payment page page, Ingenico ePayments is collecting the mandatory data.

    First of all, Ingenico ePayments will identifiy the flow to be directed to v1 or v2 based on the card numbers.

    If the card is enrolled V2, there are the following possible scenarios:

    Mandatory data:

    • If the wrong data is passed, transaction is blocked
    • If some data is missing, Ingenico ePayments will direct your transaction to v1 flow
    • If no data is passed, transaction is NOT blocked but diverted to flow v1

    Recommended or optional data:

    • if no data is passed, transaction is NOT blocked, but cannot benefit from exemption. 
  • What do I need to know on PSD2 and personal data sharing (GDPR)?

    3DSv2 is inviting merchants to send additional information (mandatory / recommended ... ). All you need to know as a merchant can be found here:

    https://ingenico.be/privacy-policy section 3.



  • My PCI certification is less than 1 year old. Do I need to pass it again if I change my acquirer?

    Your PCI certificate is valid for a year and is compliant for any acquirer.

  • What happens if the issuer is not ready?

    In a case like this, Ingenico ePayments will automatically manage a fallback to 3-D Secure v1.

  • What happens if 3-D Secure is not activated on the merchant's account?
    If the issuer is applying new PSD2 ruleset and 3DS is not active in the merchant's account, the transaction will be rejected. Therefore, please make sure to have 3DS active for each brand in your account(s).
  • What happens if the merchant requests 3-D Secure and the issuing bank does not trigger it?
    Unless the authentication is an obligatory step (i.e. in case of a card registration or an initial transaction of a series of recurring transactions), issuers can decide to pass on the authentication. In such a scenario the issuer will be liable in case of a charge back.
  • How many cards will be compatible with 3DSv2 by 14th September 2019?
    As issuers have not provided us with reliable data yet, we don't have information on that. MasterCard is currently running surveys in Europe, but results may vary drastically depending on the country.  The status will continue to evolve until September. In January 2019, only 2/3 of issuers completed the EMVCo v2.1 certification and within this list of issuers, support of exemptions fluctuated from 80% (Recurring) to 50% (White Listing).
  • How can I find out if a transaction was performed with Secure v1 or v2?
    Along with the platform release in July we have enhanced our transaction overview details. Individual transactions accessible now contain detailed information on which flow (legacy 3DS v1  or 3Dsv2) was applied. More information can be found in our notes for Release 04.133 in the Backoffice via Support > Platform Releases > Release 04.133

    In addition to that we have added the new parameter VERSION_3DS to our electronic reporting tool.

    The possible values for VERSION_3DS are

    V1  (for 3DS v1)
    V2C (for 3DS v2 challenge flow)
    V2F (for 3DS v2 frictionless flow) 

    To add this parameter to your transaction file downloads, follow the instructions as shown in this video:


  • When will Ingenico ePayments be ready for 3DS v2.2?
    We cannot provide you with a timeline for the introduction of this 3DS version yet. Depending on further developments and the maturity of v2.1 on the market, we hope to establish v2.2 around Q3 2020.
  • Will a 3DS V2 card have the same delay in terms of response or is there a longer delay?
    As 3DSv2 introduces frictionless authentication, the time for processing a transaction may be reduced. Conversely, if Strong Customer Authentication is requested, the processing time may be longer.
  • What is the time line for introducing 3DSv2 in France?

    As this is defined by the acquirers' readiness, the availability of 3DSv2 depends on the individual acquirer. 

    Most of the French acquirers will support Strong Customer Authentication by September 14th 2019, but not exemptions. The introduction of exemptions will be made available by the individual acquirers between October 2019 and March 2020.
  • What does "add card value" mean?
    Add Card value refers to the case when a wallet provider uses 3DS protocol to add a card to their wallet. This will be implemented by the respective wallet provider.
  • What is the difference between 3DS v2.1 and v2.2?
    The latest version of the specification includes:
    • Further promotion of frictionless flow
    1. Improved communication between merchants and issuers to maximize available exemptions for SCA.
    2. Expansion of existing data elements to promote communication of pre-checkout authentication events and support of the FIDO Alliance standards
    • Two new features that provide offline authentication capability for various transaction scenarios, including MOTO transactions (mail order and telephone order):
      1. The addition of 3DS Requestor Initiated (3RI) payments. This provides the ability for a merchant to initiate a transaction even if the cardholder is not present. This channel supported previously only non-payment transactions for v2.1.0
      2. The inclusion of the new authentication method ‘decoupled authentication’. This allows cardholder authentication to occur if the cardholder is offline. However, this authentication method can also be used if the cardholder is online via browser and app channels
    • Improvements to the user experiences and checkout flows
    • Improvements to the EMV 3DS caching process via additional data elements in the PReq/PRes cycles
As a leading global digital payment service provider, Ingenico Payment Services provides a seamless response to the complexity of payments, whatever the channel: online, mobile and point-of-sale. Offering innovative e-commerce, multi-channel, financial, and marketing solutions, it helps merchants to manage, collect and secure their payments, prevent fraud and increase their revenues through higher conversions. Ingenico Payment Services is part of the Ingenico Group, the global leader in seamless payment.

This website uses cookies to be able to give you the best user experience. If you don't want to accept these cookies, we allow you to change the cookie settings. Click 'Accept' to allow all cookies from this website.

Cookie settings

Introduction

Functional

Functional cookies are required for the website to operate correctly. These cookies cannot be disabled.

Optimized

Optimization cookies allow us to analyze site usage so we can measure and improve our website.
This is the default level.

Personalized

Personalization cookies are used for social media and advanced personalization. They allow us to show you information related to your company.


Example functionality allowed

  • Store country preference
  • Store language preference

Example functionality not allowed

  • Saving personal data
  • Anonymous tracking via Google Analytics
  • Tracking for remarketing purposes

Example functionality allowed

  • Store country preference
  • Store language preference
  • Anonymous tracking via Google Analytics

Example functionality not allowed

  • Saving personal data
  • Tracking for remarketing purposes

Example functionality allowed

  • Store country preference
  • Store language preference
  • Anonymous tracking via Google Analytics
  • Serve content relevant to your interests
  • Serve ads relevant to your interests
  • Tracking for remarketing purposes

Example functionality not allowed

  • Saving personal data