Meeting SCA Requirements With 3DS2
3D Secure 2.0 (3DS2), the next generation of 3D Secure (3DS), is a multi-factor authentication protocol used to confirm digital identity at checkout. It meets the Strong Customer Authentication (SCA) requirements of the European Union’s Payment Services Directive (PSD2). SCA requires that consumers authenticate with factors from two of three categories: something you know (knowledge), something you possess (possession), or something you are (inherence). These requirements must be implemented by December 31, 2020.
Both Fonteva and Spreedly, Fonteva’s payment service, have enabled 3DS2 so you can configure payment gateways for your Business Group with 3DS2 to meet SCA requirements. This guide will show you all the steps for successful configuration of 3DS2 on your Business Group’s payment gateway.
Make sure you follow each step completely and in order. Do not skip ahead, or you might miss valuable information.
Does My Payment Gateway Need To Meet SCA Requirements?
SCA requirements must be met for customer-initiated payments where both the business and the cardholder’s bank are located in the European Economic Area (EEA). The EEA includes the 26 EU member states, Iceland, Norway, Liechtenstein, the United Kingdom (UK), and Croatia. Other participating countries include Switzerland, Andorra, Monaco, and San Marino.
Let’s look at an example.
A customer buys a t-shirt from your association’s Community Portal store. Your association’s bank is located in London, UK, and the customer is paying with their credit card issued from their bank in Paris, France. This is a customer-initiated payment, and both your association and the customer are using banks located in the EEA, so this transaction falls under the conditions of SCA, and would require a payment gateway with 3DS2 enabled.
Essentially, if your business’s bank is located in an EEA country and you have customers located in the EEA who make purchases from your Community Portal, you will need to make your payment gateway compliant with SCA by enabling 3DS2.
Transactions That Don’t Need To Meet SCA Requirements:
Certain transactions do not meet the conditions for SCA and do not fall under its requirements. These out-of-scope transactions will not be challenged by 3DS2 at purchase.
Mail or telephone order transactions do not need to meet SCA requirements. For Fonteva, this covers backend staff purchases made in Rapid Order Entry or on the Apply Payment page. These purchases will not be challenged.
If the merchant, not the customer, is initiating payment, SCA requirements do not apply, since otherwise the customer’s payment method would have to be authenticated over and over. This covers Recurring Payments and subscriptions with an Installment Schedule. These purchases will not be challenged.
Interregional transactions are transactions where either the paying customer or the business is located outside of the EEA. To call back to our earlier example, if the customer buying a t-shirt from your association paid with a credit card issued from a bank in Washington, D.C. instead of Paris, France, that transaction would no longer meet the conditions for SCA requirements. These purchases will not be challenged.
There are additional exemptions identified under PSD2/SCA, and issuers will handle them based on the rules. You can read them on Spreedly’s PSD2 SCA Compliance page.
Now that you have an understanding of SCA requirements, it’s time to move forward with 3DS2 configuration. Get started with Prerequisites For 3DS2 to make sure your org is up to date for 3DS2.