Strong Customer Authentication
Learn how to comply with PSD2 SCA in your unified integration. Please note that the information here should not be taken as legal advice.
Overview
The Payment Services Directive 2 (PSD2) is an EU directive whose key objectives are to reduce fraud and make payments more secure across Europe.
There are different aspects of PSD2, but the key requirement for merchants is Strong Customer Authentication (SCA), an extra level of security for transactions initiated by consumers. It means consumers are asked to complete two-factor authentication to confirm their identity before they can check out online. The two factors must be independent of each other and must come from two of the following three categories:
- Knowledge: Something only the consumer knows, e.g. a password or a PIN code.
- Possession: Something only the consumer has, e.g. a secure token or a mobile device.
- Inherence: Something only the consumer is, e.g. a fingerprint or facial recognition.
To make sure that your transactions comply with PSD2 SCA regulations, you need to implement 3D Secure authentication. For card payments this means using 3D Secure for Visa and Mastercard payments, and the equivalent authentication method for other cards, such as SafeKey for American Express and Dankort Secured by Nets for Dankort payments.
SCA introduction
Unified Commerce supports SCA through 3D Secure authentication, a protocol that protects consumers with an additional security check requiring action from the customer to confirm their identity (usually a confirmation in the customer's mobile banking app). Please note that Unified Commerce supports SCA via 3D Secure authentication but is not the owner of the process: the whole authentication flow is managed by Netaxept and Steps (the payment processors). Unified Commerce acts as a proxy and forwards what the merchant sends, mapping the specific parameters described below to Netaxept.
- Merchants integrated via the Unified API can choose whether SCA should be forced for each transaction type they can perform via the API.
- Merchants can request an exemption based on low value (the low-value exemption is supported) via the Unified API.
- An exemption for recurring transactions can be requested via the Unified API.
SCA compliance
For Merchant Initiated Transactions (MIT), you need to send all the relevant parameters to Unified Commerce.
You should identify which transactions are in scope and which are out of scope (those covered by the SCA performed on the initial payment and those that are not).
SCA exemptions refer to specific transactions that, according to the EU regulation, do not require SCA, so the authentication step can be skipped. Please note that an exemption is never guaranteed: the last word always belongs to the issuer, which can refuse the transaction.
3DS authentication on each transaction
For each payment initiated by the customer, you need to request SCA. The table below describes the parameter used for this.
Parameter name | Parameter value | Description |
---|---|---|
SCAExempions | force3DS | Used to force 3DS authentication |
Recurring payments - No subscription
When a customer saves the card details for subsequent payments without any payment frequency set, there are two different phases for this kind of recurring payment:
- SCA in the form of 3DS has to be performed for the initial payment.
- SCA in the form of 3DS is requested for each subsequent customer-initiated payment with the token.
The table below describes the parameters:
Parameter name | Parameter value | Description |
---|---|---|
paymentMethodDetails | InitialPaymentMethodTokenizationDetails | Used for the first payment that tokenizes the card |
SCAExempions | force3DS | Used to force 3DS authentication |
paymentMethodDetails | PaymentWithToken | Used for subsequent customer-initiated payments with the token |
MIT transactions - Subscription/Recurring payments
In this scenario, a subscription is set up as a series of recurring payments: the customer authenticates the initial payment with 3DS, and you initiate each subsequent payment yourself after a certain period of time, without the customer being present.
The table below describes the parameters.
Parameter name | Parameter value | Description |
---|---|---|
SCAExempions | force3DS | Used to force 3DS authentication |
paymentMethodDetails | InitialPaymentMethodTokenizationDetails | Used for the first payment of a subscription |
paymentMethodDetails | MerchantInitiatePaymentWithToken | Used for subsequent merchant-initiated payments of a subscription |
SCA Exemption
SCA can be exempted in the following specific cases:
- Low monetary value;
- Delegated authentication (performed on the issuer's behalf);
In these cases the exemption is requested with the SCAExempions parameter, using one of the two values below, which Unified Commerce maps and forwards to the processor as-is:
Parameter name | Parameter value | Description | Additional information |
---|---|---|---|
SCAExempions | LowValue | Used to bypass 3DS authentication for low monetary value | Transactions not exceeding 30 EUR. Note: the card issuer keeps counters per card; SCA must be applied again once the cumulative amount since the last SCA would exceed 100 EUR, or after 5 consecutive low-value transactions without SCA |
SCAExempions | Delegated | Authentication performed on the issuer's behalf (delegated authentication) | The exemption is only valid when the issuer has delegated authentication; the issuer can still refuse the transaction |
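The following is an added example, not Unified Commerce or Netaxept code, showing how a merchant can decide which SCA parameters to send for each of the flows above (forced 3DS, initial tokenization, subsequent payment with a token, merchant-initiated payment) and how to apply the low-value exemption rules so that `LowValue` is only requested when the issuer's counters are likely to accept it. It assumes the request body is a flat dictionary keyed by the parameter names from the tables; the flow names (`cit`, `cit_initial`, `cit_token`, `mit_token`), the `CardScaState` class and the merchant-side shadow counters are this example's own constructions. The issuer keeps the authoritative counters, so the state here is a best-effort mirror used to avoid declines; a declined exemption is retried with `force3DS`.

```python
"""Merchant-side SCA decision helper (added example; not Unified Commerce code).

Assumptions not taken from the page: flat dict request body, the flow names,
and the local counter tracking. Parameter names and values come from the tables.
"""
from dataclasses import dataclass
from decimal import Decimal
from typing import Dict, List

# Low-value exemption thresholds (PSD2 RTS Art. 16): single amount <= 30 EUR,
# cumulative amount since last SCA <= 100 EUR, at most 5 consecutive exempted payments.
LOW_VALUE_MAX = Decimal("30.00")
LOW_VALUE_CUMULATIVE_MAX = Decimal("100.00")
LOW_VALUE_MAX_COUNT = 5


@dataclass
class CardScaState:
    """Merchant-side shadow of the issuer's low-value counters for one card/token."""
    cumulative_since_sca: Decimal = Decimal("0")
    count_since_sca: int = 0

    def low_value_allowed(self, amount: Decimal) -> bool:
        """True if requesting LowValue for this amount is within all three limits."""
        if amount > LOW_VALUE_MAX:
            return False
        if self.cumulative_since_sca + amount > LOW_VALUE_CUMULATIVE_MAX:
            return False
        if self.count_since_sca >= LOW_VALUE_MAX_COUNT:
            return False
        return True

    def record(self, amount: Decimal, sca_performed: bool) -> None:
        """Update counters after a payment: SCA resets them, an exempted payment adds to them."""
        if sca_performed:
            self.cumulative_since_sca = Decimal("0")
            self.count_since_sca = 0
        else:
            self.cumulative_since_sca += amount
            self.count_since_sca += 1


def build_sca_params(flow: str, amount: Decimal, state: CardScaState,
                     request_low_value: bool = False) -> Dict[str, str]:
    """Return the SCA-related request parameters for one flow.

    cit          customer-initiated payment with card details: 3DS is forced
    cit_initial  first payment that also tokenizes the card: 3DS is forced
    cit_token    customer-present payment with a stored token: LowValue if allowed, else force3DS
    mit_token    merchant-initiated payment with a stored token: customer absent, no 3DS challenge
    """
    if flow == "cit":
        return {"SCAExempions": "force3DS"}
    if flow == "cit_initial":
        return {"paymentMethodDetails": "InitialPaymentMethodTokenizationDetails",
                "SCAExempions": "force3DS"}
    if flow == "cit_token":
        params = {"paymentMethodDetails": "PaymentWithToken"}
        if request_low_value and state.low_value_allowed(amount):
            params["SCAExempions"] = "LowValue"
        else:
            params["SCAExempions"] = "force3DS"
        return params
    if flow == "mit_token":
        # The initial payment carried the SCA; the customer cannot be challenged now.
        return {"paymentMethodDetails": "MerchantInitiatePaymentWithToken"}
    raise ValueError(f"unknown flow {flow!r}")


def retry_with_sca(params: Dict[str, str]) -> Dict[str, str]:
    """Issuer refused the exemption: resubmit the same payment with 3DS forced."""
    retry = dict(params)
    retry["SCAExempions"] = "force3DS"
    return retry


def plan_token_sequence(amounts: List[Decimal]) -> List[str]:
    """Simulate a run of customer-present token payments on one card and return the
    SCAExempions value chosen for each, assuming the issuer honours every exemption."""
    state = CardScaState()
    chosen = []
    for amount in amounts:
        params = build_sca_params("cit_token", amount, state, request_low_value=True)
        chosen.append(params["SCAExempions"])
        state.record(amount, sca_performed=(params["SCAExempions"] == "force3DS"))
    return chosen


if __name__ == "__main__":
    # Constructed sample: six 10 EUR payments, then one more after the counter reset.
    print(plan_token_sequence([Decimal("10")] * 7))
```

Running the module prints five `LowValue` requests, then `force3DS` for the sixth payment (the fifth consecutive exempted payment exhausts the counter), then `LowValue` again once the forced authentication has reset the counters.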