Blog

PSD2 on Shopify, 3D Secure and Strong Customer Authentication (SCA)

February 22, 2023

UPDATE! The SCA deadline imposed by the EC to has been extended by 18 months, meaning the new compliance date for Strong Customer Authentication (SCA) is March 2021.

What is PSD2?

Payments Services Directive (PSD2) is a directive from the European Commission (EC) that deals with the changing payments landscape that affects anyone doing business in the EC. The goal is to create more competition in the banking sector and to clear up who is responsible for what when it comes to payment.

It applies to payment providers within the European Union (EU) and European Economic Area (EEA). The EU countries are Austria, Belgium, Bulgaria, Croatia, Republic of Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden and the UK.

The EEA also includes Iceland, Liechtenstein and Norway.

Please note that UK businesses will need to adhere to PSD2 as dictated by the Financial Conduct Authority in the UK, even in the event of a no-deal Brexit.

What is SCA?

One of the new regulations is Strong Customer Authentication (SCA) for payments taken from European customers. SCA requires that checkout flows need to authenticate:

  • Something the customer knows (e.g. password or PIN)
  • Something the customer has (e.g. phone, credit card)
  • Something the customer is (e.g. facial and fingerprint recognition)

The most common interpretation is that you need to offer two-factor authentication at checkout. So not only a credit and debit card but also a password or PIN.

SCA applies to both online and offline transactions, except for contactless payments.

Stripe has an excellent summary of SCA here.

What is 3D Secure (3DS)?

The most common implementation of SCA today is ‘3D Secure’ (3DS).

3DS is a form of two-factor authentication and therefore reduces fraud and chargebacks to the merchant. It’s not possible for a fraudster to make transactions even if they have a clone of a credit card - they will need more information than that.

Common implementations of 3DS you might recognise are consumer-facing brands like Visa Secure, Mastercard Identity Check, or American Express SafeKey. The 3DS standard was developed by EMV, a consortium of credit card transaction processors like Europay, Mastercard and Visa (that’s what EMV stands for).

How does 3DS work?

In 3DS, there is an additional step in checkout where you must enter a password that you’ve agreed with your card issuer (i.e. your bank).

This is most commonly done by allowing the customer to set a password the first time they checkout with a given debit or credit card, then this password is used to authenticate the user in future.

e-commerce 3DS checkout

One problem with 3DS is that this extra step page during checkout is often left unconsidered and uses a different URL, linked to either the card issuer or the card company, rather than the merchant websites. This is confusing to many users and it’s also hard to tell if the page is genuine or not.

Monzo, a UK bank, has a notably better way of authenticating customers. During the 3DS step, the page simply asks the customer to open their Monzo app on their phone and from there they can approve the transaction.

e-commerce 3DS checkout with Monzo

Either way - 3DS is a way of authenticating a payment so that even if a card is cloned it can’t be used. Since the 3DS authentication mechanism does not rely on the merchant storing anything, there’s less chance of fraud even in the case that a merchant’s systems are compromised.

Outside of the US, banks have been encouraging the use of 3DS by offering lower processing fees to merchants or even mandating 3DS for merchants that sell high-value items. In most cases, if they are a merchant that forgoes using 3DS they must accept full fraud and chargeback liability.

Why is 3DS not used in the USA?

Our European and British readers will be used to having to complete the extra 3DS step.

The US has a much larger and more fragmented banking system and these changes encountered more resistance from customers in the mid-2000s. Instead, inferior mechanisms like CVC (card verification code) and Address Verification System (AVS, where the customer needs to enter their zip to authenticate a transaction) are still used.

Will that change? Probably. International merchants in the US will have to enable 3DS due to PSD2 anyway. And the 2nd generation of 3DS will eliminate usability problems by using contextual data from the transaction (order size, customer addresses, IP and MAC addresses, order histories and location etc) to approve transactions.

Where there is doubt, the bank will add the usual 3DS password page to challenge the customer. The good news is that even in this case, 3DS 2.0 will support modals within the merchant’s checkout, which are less confusing and easier to brand.

Does every transaction require SCA/3DS?

No - low-risk transactions can skip SCA so long as certain thresholds of fraud are not crossed.

Some implementations of 3DS will automatically approve transactions that are deemed not risky.

Does Shopify support SCA/3DS?

Not yet, but Shopify have said they will by September 14th 2019.

This covers both Shopify Payments and 3rd party gateways.

Do you need to do anything?

If you are using Shopify Payments, happily, no.

If you are using 3rd party payment gateways you should have received notifications on how it will be carried out.

Shopify will automatically enable SCA on 14th September ahead of the PSD2 deadline.

Should I switch to Shopify Payments?

Shopify are encouraging merchants to switch to Shopify Payments, which includes a host of features, but Shopify Payments is not available to all businesses, for example:

  • Those outside the United States (including US territories except Puerto Rico), Canada, United Kingdom, Australia, Ireland, New Zealand, Singapore
  • Those selling certain types of product e.g. some beauty lines
  • Those that already have payment gateways plumbed into internal ERP systems
  • Those with multi-currency requirements beyond the scope of Shopify Payments
  • Enterprise businesses that won’t be able to switch in time.

Stay tuned for developments.

Authors

Subscribe to our newsletter

Be the first to hear about what’s hot in e-commerce and Shopify Plus. Straight to your inbox.