If you are using 3D Secure 1 this is still a fully compliant SCA solution.
If you are not currently using 3D Secure 1 you will need to begin doing so.
The schemes have confirmed that best practice going forward will be to support both 3DS1 and 3DS2.

The Strong Customer Authentication regulations are complex and are not a comfortable fit for the card-payments industry. The industry at large, including the card schemes, have struggled to adapt in time for the 14 September 2021 deadline date. The requirements of the Regulators was not made clear until Q1 2019 which had knock on effects throughout the eco-system. The inevitable impact of this is that despite best efforts, some of the required work will slip beyond the September time period.

If this is the case for you, as a customer of GP, we will be in contact regarding the proposed release date for your acquirer, and the good news here is that we have coverage of 3DS1 across almost all of our acquirer connections to date which will ensure merchant impact is kept to a minimum.

This work will deliver value and allow you to make use of 3D Secure 2 as soon as your Acquirer has certified your gateway connection. 3D Secure 1 has been in-life for over a decade delivering cardholder authentication and reducing fraud. 3D Secure 2 will likewise have a long shelf life and will continue to deliver value worldwide for many many years to come.

As PSD2 and SCA has been adopted into UK/Irish/EU Member State law, there is no mechanism to secure a waiver from this requirement. This is a legal requirement not a scheme mandate.

While guidance from the card schemes indicate there shouldn’t be, it is still predicted that 3DS V.1 would lead to an increase in the declined rate since the card issuer may wish to authenticate the cardholder with more information which is available in 3DS V.2 transactions.
Not using either 3DS V.1 or 3DS V.2 will mean an increase in declined rates by the card issuer.

3Dsecure 1 fully complies with the requirements set out in the regulation, so the transaction can be authenticated using SCA and Issuers should continue to authorise your transactions without issue.

3DS2 Integration and Sandbox is available currently. Please refer to the Developer Portal for more details.

The full date, and outcome of an UK exit from the EEA should not have an impact on the requirements defined in the PSD2 Regulation. The FCA have commited to proceding with these regulatory changes regardless of the outcome of Brexit.

The payment card industry as a whole expects these new European regulations to have a knock-on effect that may, at least initially, negatively effect transaction success. With that in mind, when everything is implemented correctly this impact should be minimised. Please note if you do not make these changes you will start to experience ‘soft declines’ from early 2021.

If you experience an increase in Declines the first thing to do is to contact your account manager. They will be able to work with you to ensure that there are no issues with your connection to Global Payments and that your transactions are being flagged correctly. If necessary your account manager can follow up with your acquirer if there is something that needs investigating further downstream. Additionally they will help identify if the issues are isolated to a particular Issuer, BIN or Card Scheme for example and will work with you to identify the best course of action to resolve any issues.

The Payments Service Directive 2 is a set of Europe wide regulations impacting various aspects of banking and how payments are made.

The original Payment Services Directive (PSD) looked to regulate payments, and create a consistent payments experience across Europe. PSD2 looks to build on this by increasing security, consumer protection and payment options.

One of the ways in which PSD2 affect card processing is that it mandates Strong Customer Authentication for all electronic payments, whether face to face or remote. This entered into UK law in all EEA countries (including the UK) from 31 December 2020 to be able to accept cards issued in the EEA and September 2021 for cards issued in the UK.

SCA requires a customer to authenticate themselves for a transaction using at least two independent factors. These factors can be:
• Something the customer knows (for example, a PIN number or password)
• Something the customer is (biometrics, such as a finger print or voice recognition)
• Something the customer is in possession of (for example, a card or a mobile phone)

For ecommerce transactions, 3D Secure (3DS) version 1 meets the basic criteria to support SCA but 3DS version 2 has more functionality allowing it to provide a better SCA experience.

The expectation is that for Ecommerce, the cardholder will receive a one-time password, either by text or email, which they’ll input into the 3DS window instead of the static password used today.

For most face to face transactions, chip and PIN will continue to operate the same as it does today, although Contactless transactions may step up to chip and PIN validation more often, at the request of the card issuer.

Under PSD2, card issuers are obliged to challenge and potentially decline non SCA transactions to protect their cardholders. All merchants will be effected.
After 14 September 2021, a card issuer has the choice to approve, decline or request SCA (if it hasn’t been done already) for a transaction. Please note if you do not make these changes you will start to experience ‘soft declines’ from early 2021.

No. Some transactions, where SCA isn’t possible, are out of scope and some transactions can be exempt.

• In a face to face environment, unattended parking and transport terminals don’t need to support chip and PIN.
• Mail Order and Telephone Order (MOTO) transactions and subsequent recurring and MerchantInitiated Transactions (Credential on File Transactions – see Q11) are out of scope.
• For ‘one leg out’ transactions, UK based customers may not be able to apply SCA to transactions when the card issuer isn’t located in the EEA. However, they should still attempt SCA for all transactions.
• Anonymous transactions on pre-paid cards aren’t subject to the SCA mandate.

This is defined as a transaction that’s initiated without any involvement from the cardholder. They’re also known as Stored Credential Transactions or Credential on File Transactions, for example, Recurring Transactions or Instalment Payments. See Q18 to find out where to find more information.

Generally, if there’s any action or involvement with the cardholder, SCA needs to be undertaken.

For chip and PIN and mobile phone payments, nothing is changing. We’ll make the necessary changes to the terminal for the SCA requirements for Contactless transactions (see Q14).

If you own or rent your terminals from someone else then you need to contact the supplier and ensure that it’ll meet the new regulations from 14 September 2021.

Contactless transaction have been made exempt from the regulation, but will have increased security. Card issuers may request cardholders to do a chip and PIN transaction instead of approving the Contactless transaction, more often.

Today some card issuers have counters on the card chip that request ‘step up’ to chip and PIN. The request happens the moment the card is tapped and it doesn’t happen very often.

From September 2021, it’ll be required for all card issuers to do this and they’ll do it from their issuing systems (so there may be a short delay before you get the message). The rules about when they are obliged to request SCA are quite stringent and it’s likely to happen more often than before.

Ensure that you and your staff understand what is happening and be ready to reassure customers there is no problem with their card or their account, just that it is an extra security check requested by their card issuer.

While MOTO and Merchant Initiated Transactions (Stored Credential Transactions, also known as Credential on File Transactions, where card details are stored for future use – see Q18), are out of scope for SCA, if the card issuer doesn’t know they’re one of these kinds of transactions, they may request SCA. If the cardholder is unable to provide the necessary authentication, the transaction will be declined. So, it’s important that these transactions are properly flagged.

If you use our terminals or our E-Commerce Platform, then your transactions will be flagged correctly providing you follow the instructions we provide on the screens. If you own or rent your terminal from another source or use a third party provider for your ecommerce service, contact them to ensure your transactions are flagged correctly. Ensure they’ve made the necessary updates for the Credential on File changes and have the SCA changes in hand.

Visit our website at https://www.globalpaymentsinc.com/en-gb for more information and the guides to implementing those changes. You’ll find these within our Customer Centre, under the Stored Credential Transactions tile.

SCA will be required for all ecommerce transactions. Merchants that haven’t adequately authenticated their customers will run the substantial risk that card issuers will decline their transactions.

At a minimum you need to support 3DS1. You may wish to adopt 3DS2 to take advantage of extra functionality available to improve the customer experience and possible SCA exemptions.

Contact your Payment Service Provider (PSP) urgently and ensure that you can submit 3DS authentication requests before September 2021.

You don’t need to do anything before September 2021 to meet the minimum requirements but you should contact your PSP to discuss supporting 3DS V.2 as support of 3DS V.1 will cease 14 October 2022.

The Card Schemes haven’t yet mandated 3DS2 nor issued a specific end date for 3DS1, but they have clearly stated that in the future they intend to issue a sunset date for 3DS1.

3DS2 has more functionality. It allows merchants to pass much more data to the card issuer to give them greater confidence in the authentication of their cardholder. It also gives card issuers and merchants more ways of authenticating customers. The extra information gives a card issuer the confidence to exempt a transaction from SCA. This could be because the merchant has requested it or the issuer doesn’t feel it is necessary.

The technical specifications for SCA are in our PSD2 and Strong Customer Authentication Technical Implementation Guide, which is on our website in the Customer Centre, under the Strong Customer Authentication tile.

If they also need to implement the changes for Credential on File, these technical specifications are in our Stored Credential - Technical Implementation Guide, which is also in the Customer Centre, under the Stored Credential Transactions tile.

If you are using 3DSV.1 this remains fully compliant. However, this will not support the ability to utilise exceptions and this may mean an issuer can’t apply all checks on the cardholder.
If you are not currently using 3D Secure 1 you will need to begin doing so.
The schemes have confirmed that best practice going forward will be to support both 3DS1 and 3DS2.

There are no fee changes as a result of SCA, however, if you process 3DS transactions, Visa are introducing a new fee for Verified by Visa authentications, their 3DS solution.

This fee will only apply if you process Visa ecommerce transaction via 3DS.

Mastercard already charge for using their SecureCode authentication service.

Now that Mastercard, Visa and Amex are charging for authentications, we’re changing the current Mastercard SecureCode fee to include Verified by Visa authentications. The fee itself will remain the same amount but you’ll see the new description (VISA & MCARD AUTHENTICATION FEE) on your invoice from September 2021, which you’ll receive at the start of October 2021.

The SCA requirement means you must support 3DS. 3DS can also help reduce fraud and transaction abandonments, making transactions more secure. Transactions where 3DS isn’t used may be declined by the card issuer as SCA hasn’t been provided. Ecommerce transaction that are taken without using 3DS also attract Non-Secure Fees.