On September 14, 2019, Strong Customer Authentication (SCA) requirements -- part of the revised Payment Services Directive (PSD2) regulations -- will take effect in the European Economic Area (EEA). SCA mandates that two-factor authentication be performed on many card transactions. Those merchants who don’t apply two-factor authentication to their transactions risk an increase in declines from customers’ banks.
3D Secure 2 (3DS2) is an industry-standard solution for meeting SCA requirements (and the solution Braintree is recommending that merchants adopt in order to be SCA-ready). The latest 3DS authentication protocol update will allow merchants to meet these new requirements as well as help transfer liability for fraud disputes to issuers and reduce costs associated with chargebacks.
While the solution itself is simple, the ways that merchants will need to apply SCA using 3DS2 will vary based on business models or how they transact with customers. So let’s take a closer look at how SCA can be added into payment flows for some common payment scenarios.
Ecommerce (direct-to-consumer online retailers)
A standard one-time payment for a product or service.
In this scenario, the merchant authorizes for the total amount of the purchase and settles for the same amount. If the transaction qualifies under SCA requirements, merchants can use 3DS2 to verify the cardholder during the checkout process. Merchants can apply for exemptions if they choose to do so, but need to be aware that they will be responsible for chargebacks categorized as fraud.
Subscription (ex. gym membership); metered billing (ex. utility bill)
A recurring payment, either for the same amount and same frequency or for variable amounts and/or variable frequency.
In this scenario, the merchant can request a cardholder challenge to establish SCA when the card is first authorized for the subscription. This can occur with a verification or with the first transaction; however, we would generally recommend that SCA be applied to the first transaction whenever possible. As long as the customer has been challenged for the first authorization, subsequent recurring transactions will qualify as merchant-initiated, which are out of scope for SCA.
Ecommerce (direct-to-consumer online retailers)
An order in which products ship separately at different times due to availability or fulfilment, and payments are captured at the time of shipment.
In this scenario, the merchant can authenticate and authorize the cardholder for the full amount, but would later need to perform merchant-initiated transactions (MITs) to capture each portion of the total when products are shipped and delivered.
Food delivery, ride sharing
A transaction in which tips or other additional charges are added by the customer after the initial amount.
In this scenario, the merchant authenticates, authorizes, and captures the original transaction amount. If the final amount after the tip is added is higher than the original amount, the merchant would need to perform a second authentication for the difference. (Merchants could also authenticate for more than the original amount the first time so that what is eventually captured after tips are added is still less than that authenticated amount, but doing so may lead to customer confusion.)
Ride sharing, hotels
A transaction in which additional charges are added by the merchant after the initial amount.
In this scenario, the merchant authenticates, authorizes, and captures the original transaction amount. If the final amount after any incidentals are added is higher than the original amount, the merchant would need to perform an MIT to capture the difference. (Merchants could also authenticate for more than the original amount the first time so that what is eventually captured after incidentals are added is still less than that authenticated amount, but doing so may lead to customer confusion.)
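The scenarios above (one-time purchase, recurring billing, split shipments, customer-added tips, and merchant-added incidentals) all reduce to a few questions about a single payment step: who initiates it, whether it is in scope, how much has already been authenticated, and how much has already been captured. The following is an added illustration of that decision logic, not Braintree code or any part of the Braintree API; the Transaction and Decision types, the action names, and the amounts in run_scenarios() are all constructed for this example, and exemption eligibility and card-network rules are deliberately not modelled.

```python
from dataclasses import dataclass
from enum import Enum


class Initiator(Enum):
    """Who triggers the payment step: the cardholder (CIT) or the merchant (MIT)."""
    CUSTOMER = "customer"
    MERCHANT = "merchant"


@dataclass
class Transaction:
    """Hypothetical model of an order's running state (not a Braintree type).

    All amounts are in minor units (e.g. cents).
    """
    amount: int                    # running total to be collected after this step
    initiator: Initiator
    in_scope: bool = True          # False when an exemption applies or SCA does not apply
    authenticated_amount: int = 0  # amount already covered by a 3DS2 authentication
    captured_amount: int = 0       # amount already captured for this order


@dataclass(frozen=True)
class Decision:
    action: str   # "authenticate", "capture", "mit", "no_sca" or "sca_required"
    amount: int   # amount the action applies to
    reason: str


def required_action(tx: Transaction) -> Decision:
    """Apply the flow rules from the scenarios above to one payment step."""
    if tx.amount < 0 or tx.captured_amount > tx.amount:
        raise ValueError("captured amount cannot exceed the running total")
    to_capture = tx.amount - tx.captured_amount

    if not tx.in_scope:
        # Exempt or out of scope: no challenge, but fraud chargebacks stay with the merchant.
        return Decision("no_sca", to_capture, "exempt/out of scope; merchant keeps fraud liability")

    if tx.initiator is Initiator.MERCHANT:
        if tx.authenticated_amount == 0:
            # A later MIT only qualifies as out of scope if the cardholder was
            # challenged when the card was first authorized.
            return Decision("sca_required", tx.amount, "initial transaction was not authenticated")
        return Decision("mit", to_capture, "merchant-initiated; out of scope for SCA")

    # Customer-initiated: anything above the authenticated amount needs a new SCA.
    uncovered = tx.amount - tx.authenticated_amount
    if uncovered > 0:
        return Decision("authenticate", uncovered, "amount exceeds what SCA has covered")
    return Decision("capture", to_capture, "within authenticated amount; no further SCA")


def run_scenarios() -> dict:
    """Constructed sample steps, one per scenario in the post."""
    C, M = Initiator.CUSTOMER, Initiator.MERCHANT
    return {
        # One-time ecommerce purchase: authenticate the whole amount at checkout.
        "one_time": required_action(Transaction(5000, C)),
        # Same purchase with an exemption: no challenge, merchant carries fraud liability.
        "exempt": required_action(Transaction(5000, C, in_scope=False)),
        # Subscription: the first charge is challenged, later charges are MITs.
        "sub_first": required_action(Transaction(2999, C)),
        "sub_renewal": required_action(Transaction(2999, M, authenticated_amount=2999)),
        "sub_no_initial_sca": required_action(Transaction(2999, M)),
        # Split shipment: full order authenticated up front, each shipment captured as an MIT.
        "split_ship_1": required_action(Transaction(4000, M, authenticated_amount=10000)),
        "split_ship_2": required_action(
            Transaction(10000, M, authenticated_amount=10000, captured_amount=4000)),
        # Customer-added tip above the authenticated amount: authenticate the difference.
        "tip": required_action(Transaction(2300, C, authenticated_amount=2000, captured_amount=2000)),
        # Over-authenticated up front, so the tip fits without a second challenge.
        "tip_headroom": required_action(
            Transaction(2300, C, authenticated_amount=2500, captured_amount=2000)),
        # Merchant-added incidentals: capture the difference as an MIT.
        "incidentals": required_action(
            Transaction(15000, M, authenticated_amount=12000, captured_amount=12000)),
    }


if __name__ == "__main__":
    for name, d in run_scenarios().items():
        print(f"{name:20} {d.action:14} {d.amount:6}  {d.reason}")
```

The one rule worth noticing in the model is the sca_required branch: a merchant-initiated transaction only inherits its out-of-scope status from a cardholder challenge on the initial authorization, so a subscription or incidental charge whose first transaction was never authenticated cannot simply be processed as an MIT.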
Marketplaces (ex. online travel agencies with flight, hotel, and rental-car vendors)
An order in which multiple sellers are paid from a single consumer checkout experience.
For this scenario, each card network has set up its own guidelines for processing in accordance with the PSD2 requirement to “[ensure] that the elements dynamically link the transaction to an amount and a payee specified by the payer when initiating the transaction.” So while there will be variability from card network to card network, each solution can be implemented without any inherent risk of declines.
Regardless of business model or payment scenario, merchants who do not perform SCA on transactions that require it are likely to see an increase in declines after the September 14, 2019 enforcement date. 3DS2 via Braintree provides a simple way to authenticate cardholders with a no- to low-friction checkout experience for cardholders, and allows merchants to shift liability to the issuers on authenticated transactions to help reduce costs associated with chargebacks categorized as fraud. Our FAQs blog post can help if you still have questions about preparing for SCA, and if you're ready to integrate Braintree's 3DS2 solution, get started with our adoption guide.