3DS (3-D Secure) is a card-payment authentication protocol that adds an extra layer of security to online transactions by requiring the shopper to authenticate with their card issuer, as an additional safeguard against fraud. In Europe it is the main way merchants satisfy the Strong Customer Authentication (SCA) requirement of the second Payment Services Directive (PSD2). PSD2 itself has been in force since 2018, but enforcement of its SCA requirement for online transactions made by shoppers in European countries only began at the start of 2021.
The directive provides that, unless an online transaction is exempt from the regulation, the shopper has to go through a challenge flow in which they complete an additional authentication step. An overview of the transaction types that are exempt from SCA is outlined in a separate article. From a shopper experience point of view, the new flows run the risk of negatively impacting uninformed users. To mitigate deliberate or involuntary cart abandonment, merchants need to understand what the new online shopper experience in Europe looks like and adapt their communication to prepare site and app visitors for the new checkout process.
Let’s go over the customer side of the transaction and see what’s changed.
Challenge flows after PSD2
When undergoing SCA flows, shoppers go through the following steps:
1. Checkout initiation
The way the checkout is initiated has not changed: the shopper sees their “basket” with no indication at this step of whether the SCA challenge flow will be triggered. The checkout page is owned by the merchant’s eCommerce provider, whereas the decision to challenge is made later, by the issuing bank (or by the payment provider acting on its behalf), once the payment details have been submitted.
Challenge flows initiate the same as frictionless flows, with the user seeing the regular checkout.
2. Authentication triggered
After the user inputs their personal and payment information in the checkout and clicks “Place Order,” if the challenge flow is triggered by the payment provider or the issuing bank then the user is redirected to the 3D Secure page where they are informed what action they have to take to authenticate themselves. A challenge flow can be triggered regardless of where the shopper is browsing, whether it’s the merchant’s website, their app, or a marketplace platform.
In general, users are instructed to switch to their banking online account/app, where they have several options to confirm their identity.
Regardless of the medium or the device the shopper is using, if the transaction details do not qualify for a SCA exemption, then they are shown this type of message.
On the off chance that the shopper’s card is not yet enrolled in the 3DS2 scheme and the transaction does not qualify for an exemption, the 2Checkout platform is set up to fall back on the older 3DS1 protocol. The shopper is still redirected to a 3DS page from their cart, and this older authentication process typically asks for a one-time code sent by text message to the shopper’s mobile phone. One of the big advantages of 3DS2 over its predecessor is that the new experience is optimized for mobile. Note that the major card schemes have since withdrawn support for 3DS1 (October 2022), so a 3DS1 fallback should be treated as a stopgap rather than a permanent path.
3. Authentication with issuing bank
The authentication process checks at least two of the three independent factors defined by PSD2, to ensure the user is who they say they are, namely the rightful owner of the payment method used during the checkout:
- Knowledge – something only the customer knows, such as a password or PIN
- Possession – something the user has, such as their mobile phone or banking token
- Inherence – something that is a part of the user themselves, such as their fingerprint or face
The majority of 3DS2 flows implemented nowadays rely on a combination of possession plus another attribute, requiring the shopper to use their mobile phone in the process. The shopper’s phone is usually enrolled in 3DS2 beforehand. Let’s see how issuing banks check the other two aspects.
In step 2 the user had been instructed to use their banking app on their phone to proceed with the authentication. Should their bank use a password as a knowledge attribute then the user gets a message on their phone to log in to their bank app and confirm the transaction.
Here the user first has to input their password to enter the app, and afterwards they are shown the pending transaction details (the merchant that receives the payment, the card that is used for the transaction, and the amount due). To authenticate the payment, the user needs to input their password again. Keep in mind that this authentication process is only available for a set amount of time, usually 10 minutes. Afterwards, if the user has failed to take action in the banking app, then the checkout will be reverted.
The user enters the bank app and approves the payment by inputting their password twice.
A comparable flow is shown when the authentication process involves an inherence attribute. The difference this time is that the user uses their fingerprint (or even a face scan using the mobile’s camera) to go through the steps in the banking app. Much like in the previous scenario, this flow is time-sensitive, as the user only has a limited amount of time when they can confirm the transaction.
The user enters the bank app with their fingerprint and then uses the fingerprint again to confirm the payment.
4. Payment completion
Completing the 3DS2 steps in the banking app, however, is not sufficient for the payment to be completed. In order to finalize their order, the shopper needs to return to the merchant checkout – in the initial web page, app, or marketplace where the transaction was initiated – and wait for the cart to refresh. Only once the merchant’s system has received the authentication result from the bank does the cart refresh, the payment get authorized and the funds get debited from the shopper’s account, at which point the shopper sees the completion message.
Shoppers need to return to the checkout and receive confirmation for the transaction to be completed successfully.
Although this behavior is communicated in the banking app, we’ve seen high dropout points occur predominantly in this step, as the user forgets to return to their initial cart, assuming the process has been handled entirely in the banking platform. To combat these scenarios, it’s important to emphasize the need to return to the cart after confirming the payment with the bank in all SCA shopper communications.
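The following is an added example, not code from the original article or from the 2Checkout platform, that models the merchant-side bookkeeping implied by steps 1 to 4 above: a challenge is opened with a deadline (the “usually 10 minutes” window mentioned in step 3), the bank’s result is recorded when it arrives, and the order is authorized only when the shopper’s cart refreshes after an authentication result has been received. It also covers the two failure modes the article describes: the window expiring with no bank result (the checkout is reverted) and an authenticated shopper who never returns to the cart (a candidate for a recovery message). All names, the `State` values, the 10-minute window and the 1-hour abandonment grace period are assumptions made for the example.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional

# Assumed from the article: the bank's approval window is "usually 10 minutes".
CHALLENGE_WINDOW_SECONDS = 10 * 60
# Assumed grace period after which an authenticated-but-not-returned shopper
# is flagged for cart recovery (an assumption for this example, not a rule).
ABANDON_GRACE_SECONDS = 60 * 60


class State(Enum):
    CART = "cart"                            # step 1: shopper sees their basket
    CHALLENGE_PENDING = "challenge_pending"  # steps 2-3: redirected to 3DS page, bank result awaited
    AUTHENTICATED = "authenticated"          # bank reported a successful authentication
    AUTH_FAILED = "auth_failed"              # bank reported a failed/declined authentication
    EXPIRED = "expired"                      # window elapsed with no bank result: checkout reverted
    COMPLETED = "completed"                  # step 4: shopper returned, cart refreshed, payment authorized
    ABANDONED = "abandoned"                  # authenticated, but shopper never returned to the cart


@dataclass
class Checkout:
    order_id: str
    amount: float
    state: State = State.CART
    challenge_deadline: Optional[float] = None
    authenticated_at: Optional[float] = None
    events: List[str] = field(default_factory=list)

    def _transition(self, new_state: State, note: str) -> State:
        self.events.append(f"{self.state.value} -> {new_state.value}: {note}")
        self.state = new_state
        return self.state

    def place_order(self, now: float, challenge_required: bool) -> State:
        """Shopper clicked 'Place Order'. The issuer (or the payment provider on its
        behalf) decides whether a challenge is needed; an exempt or frictionless
        transaction counts as authenticated immediately."""
        if self.state is not State.CART:
            raise ValueError(f"order {self.order_id} already placed")
        if not challenge_required:
            self.authenticated_at = now
            return self._transition(State.AUTHENTICATED, "frictionless/exempt")
        self.challenge_deadline = now + CHALLENGE_WINDOW_SECONDS
        return self._transition(State.CHALLENGE_PENDING, "redirected to 3DS challenge")

    def bank_result(self, now: float, approved: bool) -> State:
        """Authentication result received server-side from the bank/3DS flow.
        This is the only input that can move the order to AUTHENTICATED; the
        shopper's browser or app saying 'approved' is never trusted on its own."""
        if self.state is not State.CHALLENGE_PENDING:
            return self.state  # late or duplicate result: ignore, do not re-open
        if now > self.challenge_deadline:
            return self._transition(State.EXPIRED, "bank result arrived after the window")
        if not approved:
            return self._transition(State.AUTH_FAILED, "bank declined authentication")
        self.authenticated_at = now
        return self._transition(State.AUTHENTICATED, "bank approved authentication")

    def cart_refresh(self, now: float) -> State:
        """Shopper returned to the merchant checkout and the cart polled for status.
        Authorization (and the completion message) happens here, and only once an
        authentication result has already been recorded."""
        if self.state is State.CHALLENGE_PENDING and now > self.challenge_deadline:
            return self._transition(State.EXPIRED, "window elapsed, checkout reverted")
        if self.state is State.AUTHENTICATED:
            return self._transition(State.COMPLETED, "payment authorized, funds debited")
        return self.state  # still pending, or already in a terminal state

    def sweep(self, now: float) -> State:
        """Periodic background job: expire stale challenges and flag authenticated
        orders whose shopper never came back, so a recovery flow can be triggered."""
        if self.state is State.CHALLENGE_PENDING and now > self.challenge_deadline:
            return self._transition(State.EXPIRED, "swept: no bank result in the window")
        if (self.state is State.AUTHENTICATED
                and now > self.authenticated_at + ABANDON_GRACE_SECONDS):
            return self._transition(State.ABANDONED, "swept: shopper never returned to cart")
        return self.state


if __name__ == "__main__":
    # Constructed walk-through of the happy path described in the article.
    order = Checkout("order-1", 49.99)
    order.place_order(now=0.0, challenge_required=True)
    order.bank_result(now=180.0, approved=True)   # approved in the bank app after 3 minutes
    order.cart_refresh(now=200.0)                  # shopper returns, cart refreshes
    print("\n".join(order.events))
```

The design point worth keeping from this model is the separation between `bank_result` and `cart_refresh`: the bank’s result is what proves authentication, the shopper’s return is what triggers authorization, and neither alone completes the order. That is also why the `ABANDONED` state exists: it is the population the dunning flow in the checklist below should target.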
SCA readiness checklist
If you’re planning to sell to EEA countries, check the following to ensure you are PSD2 compliant:
- Inquire with your payment provider how they are managing SCA flows and how they’ve set up exemption management.
- Review your authorization rates since the start of 2021.
- Enable alternative payment methods for shoppers who prefer them (these wallets and bank-transfer methods handle SCA within their own flow and are familiar to users).
- Prepare communication campaigns to inform shoppers of new compliance regulations and their new checkout experience.
- Set up dunning flows to recover abandoned carts.
As with any change, new 3DS2 flows will involve a learning curve, as users get accustomed to going through authentication flows to finalize their online payments. The enforcement of SCA flows in EEA territories will, nonetheless, be of great use to merchants and shoppers alike, who now benefit from extra security layers against online fraud and identity theft.
Discover how you are covered for full SCA compliance as a 2Checkout merchant and how we’ve adapted our platform’s capabilities to ensure correct deployment of the PSD2 regulation.