Introduction :-
The Payment Services Directive 2 (PSD2) was introduced by the European Commission as a follow-up to the original Payment Services Directive and took effect in January 2018. The aim is to bring in new laws to increase customer protection, foster innovation, and inspire pan-European competition.
Strong Customer Authentication :- Payment fraud losses have been steadily increasing for nearly a decade with little sign of easing. From 2017 to the end of 2018, losses through card fraud in the UK increased by 19% – costing businesses around 760 million euros.
Strong Customer Authentication has been introduced to help combat fraud by improving customer security whilst reducing the liability held against businesses for unauthorised transactions. It makes payments more secure for both your business and your customer by adding an extra layer of protection known as two-factor authentication (2FA).
SCA applies to card-based ecommerce transactions (including digital wallets supported by cards) where both the card issuer (i.e. the financial institution with whom the cardholder has a relationship) and the acquirer (i.e. the financial institution with which the merchant has a relationship) are located in the European Economic Area (EEA).
How will the shopper be authenticated :- When SCA comes into effect, customers will be required to provide at least two of the following forms of identification when making a payment.
1. Something you know :- Password, Passphrase, PIN, Sequence, Secret fact.
2. Something you own :- Mobile Phone, Wearable Device, Smart Card, Token.
3. Something you are :- Retina Scan, Fingerprint, Voice Pattern, Facial Recognition.
Strong Customer Authentication was due to come into force on 14 September 2019. The Financial Conduct Authority (FCA) has recognised the complexity and challenges of implementing this directive within the payments environment and has extended its original deadline, giving UK businesses, banks, and online account providers more time to implement the tools and processes for compliance.
The existing 3D Secure solution will be supported until the end of 2020, at which point 3DSv2 will become obligatory globally. In the UK, the next ecommerce compliance date is September 14, 2021. The new date for ecommerce compliance in Europe is December 31, 2020.
3DSv2 functionality is now available to Sage Pay customers in our test environment, giving merchants an early opportunity to test how best to incorporate SCA compliance together with an improved user experience at checkout.
EMV 3D Secure :- EMV 3D Secure is the standard protocol for SCA when accepting payments over the internet. It helps to reduce fraud and cart abandonment, whilst seamlessly supplementing existing data with additional information.
EMV 3D Secure | 2.1 | 2.2 |
SCA for connected devices and web purchases | Yes | Yes |
Non-payment authentication scenarios, such as payment card on-boarding to merchant apps | Yes | Yes |
Provides for all available SCA exemption types | Yes | |
Europe-specific scenarios in support of PSD2, such as trusted beneficiary and delegated authentication | Yes | |
Biometric consumer user experience | Yes |
Upgrading to the latest version will allow you more flexibility as the merchant. This will also provide you with the traditional shift in liability expected when EMV 3D Secure is activated.
Benefits of upgrading to the latest version of 3D Secure :- During a 3D Secure authentication, how the authentication is performed is up to the card issuer. It’s possible to achieve SCA with 3DSv1; however, 3DSv2 makes this much easier.
Sage Pay’s upgrade to 3DSv2 introduces a better user experience :-
Increased security and safety for your organisation and its customers.
Increased cardholder trust when doing business with you.
Reduced fraud and chargebacks – liability is transferred.
Frictionless challenges, e.g. biometric authentication using fingerprint, facial or voice recognition.
Improved risk-based decisions using comprehensive cardholder data, resulting in increased acceptance rates.
Complete support for all available exemption types and payment devices.
When 3DSv2 is enabled, it is estimated that only 5% to 10% of authentications will result in the cardholder having to be redirected to their bank’s 3D Secure page to enter 2FA. Most authentication requests will result in a frictionless authentication with an authorisation rate of up to 90%. Furthermore, liability for unauthorised transactions shifts to the card issuer, saving you time and money on any disputes.
Activating 3D Secure :- The first step to achieving SCA compliance is to activate 3D Secure within your MySagePay account.
Your integration type decides whether you need to make any additional changes to enable 3DSv2 :-
Form – No change. Fully supports 3DSv1 and 3DSv2
Server – No change. Fully supports 3DSv1 and 3DSv2
Direct – Fully supports 3DSv1. An extra 9 fields need to be submitted for 3DSv2
Pi – Fully supports 3DSv1. An extra 8 fields need to be submitted for 3DSv2
Testing :- For Form and Server integrations, there is no change to the payment flow or to the requests and responses that you submit to and receive from Sage Pay.