The purpose of Strong Customer Authentication (SCA) is to ensure that only the legitimate cardholder can make payments. The approach to achieving this follows two principles:
- Collecting good quality information to establish that the cardholder is the person making the payment.
- Using strong authentication (e.g. two-factor authentication) where necessary to verify the cardholder.
As such, best practice for you means using 3DS2 to give the Issuer of the card good quality information, and facilitating the challenge for two-factor authentication when it is requested.
In the case of ECOM payments, our advice is to use 3DS2, a fully SCA compliant authentication protocol, for every transaction. By doing so, you give the Issuer the maximum amount of information possible. The Issuer then can decide to approve the transaction (frictionless) or to challenge the cardholder with SCA, for example a One Time Password sent by SMS to their phone.
Where authentication via 3DS2 is not available, we recommend using 3DS1.
In order to give the Issuer as much insight into the circumstances of the payment as possible, a payment processed on a stored card should be flagged as “Credential on File” to indicate to the Issuer that the card has been stored.
For the Initial payment, our recommendation for the flow of the payment is:
- Authenticate the cardholder using 3DS2. This gives the Issuer enough information to verify that the cardholder really is the person initiating the payment.
- Authorise the card. This transaction should be processed with the appropriate “Credential on File” flags. It can be for a zero value amount if your acquirer supports this.
- Store the card. Store the card only once it has been successfully authorised.
For any Future payments on the stored card, our recommendation for the flow of the payment is:
- Authenticate with 3DS2
- Authorise with the appropriate “Credential on File” flags.
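The two flows above, modelled as an added example (not code from this page or from any payment provider): the hypothetical `authorise` callback stands in for the acquirer call, `ThreeDSResult` is a constructed summary of the 3DS2 outcome, and the card is only ever stored after a successful authorisation carrying the "initial" Credential on File flag.

```python
from dataclasses import dataclass, field
from enum import Enum


class ThreeDSResult(Enum):
    """Constructed summary of a 3DS2 authentication outcome (hypothetical)."""
    FRICTIONLESS = "frictionless"          # Issuer approved without a challenge
    CHALLENGE_PASSED = "challenge_passed"  # cardholder completed the SCA challenge
    CHALLENGE_FAILED = "challenge_failed"  # e.g. wrong one time password
    UNAVAILABLE = "unavailable"            # 3DS2 not available; 3DS1 fallback needed


@dataclass
class AuthRequest:
    amount: int      # minor units; 0 is a zero-value authorisation
    cof_flag: str    # "initial" or "subsequent" Credential on File indicator
    authenticated: bool


@dataclass
class Vault:
    stored: dict = field(default_factory=dict)   # card_token -> metadata


def authenticated(result: ThreeDSResult) -> bool:
    """Only a frictionless approval or a passed challenge counts as verified."""
    return result in (ThreeDSResult.FRICTIONLESS, ThreeDSResult.CHALLENGE_PASSED)


def initial_payment(vault, card_token, amount, threeds, authorise, zero_value_supported):
    """Authenticate -> authorise with the initial CoF flag -> store only on success."""
    if not authenticated(threeds):
        return "not_authenticated"
    if amount == 0 and not zero_value_supported:
        return "zero_value_unsupported"       # acquirer cannot do zero-value auths
    if not authorise(AuthRequest(amount, "initial", authenticated=True)):
        return "declined"                     # nothing is stored on a decline
    vault.stored[card_token] = {"cof": "initial", "authenticated": True}
    return "stored"


def subsequent_payment(vault, card_token, amount, threeds, authorise):
    """Future payment on a stored card: authenticate again, then authorise as CoF."""
    if card_token not in vault.stored:
        return "not_stored"
    if not authenticated(threeds):
        return "not_authenticated"
    ok = authorise(AuthRequest(amount, "subsequent", authenticated=True))
    return "approved" if ok else "declined"
```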