3-D Secure

As 3-D Secure is controlled by Visa and MasterCard the following cards can be used : Visa, Visa Delta, Mastercard, Mastercard Debit, international Maestro, UK Maestro, Laser, and Visa Electron.

• Liability shift – The main benefit to companies using the 3-D Secure scheme is the availability of a liability shift for a successfully verified transaction. This offers protection by the card issuers against chargebacks as the liability is assumed. 

Note: Vendors will need to confirm with their merchant bank for exact terms on liability shifts.

• No extra cost – There are no extra costs to add 3-D Secure onto your Opayo account. Your acquiring bank may charge to add this onto your merchant number however you may also find that your transaction charges lower as a result of using 3-D Secure.
• Easy to set up and control – The set-up of the 3-D Secure scheme is controlled within your MyOpayo administration area along with the option of setting custom rules to automatically validate cards registered with 3-D Secure.

• Chargebacks can still occur – Fully authenticated 3-D Secure transactions do not guarantee a liability shift, this is decided on the discretion of your merchant bank.
• Not all cards are part of the scheme – At the moment there isn’t a similar initiative for Diners Club cards.

Opayo also advise using the 3-D Secure scheme alongside our other fraud prevention tools that are available to our customers.

Activating & adding a 3-D Secure rule

Opayo has minimised the impact that this mandated change will have on you and your customers, keeping your business compliant for ecommerce transactions within the EEA. We recommend you update to Protocol 4.

Below you can find out if you need to make any changes to your integration:

1. Form integration – There will be no mandatory changes to your current integration. Simply activate 3-D Secure within MyOpayo. To do this click on the Settings tab, followed by 3-D secure. You will then be able to activate the 3-D Secure scheme. If you are using Custom Templates you will need to update your templates to take advantage of 3DSv2 - kits can be downloaded here
2. Server integration – There will be no mandatory changes to your current integration. Simply activate 3-D Secure within MyOpayo. To do this click on the Settings tab, followed by 3-D secure. You will then be able to activate the 3D secure scheme. If you are using Custom Templates you will need to update your templates to take advantage of 3DSv2 - kits can be downloaded here
3. Direct integration – Minimal impact, the 3DSv2 flow will be the same as the current 3DSv1 flow, however, an additional 9 fields will be required. Please refer to the parameters in the table you can find here.
4. Pi integration – Minimal impact, the 3DSv2 flow will be the same as the current 3DSv1 flow, however, an additional 8 fields will be required. Please refer to the parameters in the table you can find here.

Since 3DSv2 is mandated, you will no longer be able to bypass the checks by submitting the Apply3DSecure field with a value of ‘2’ for form, server or direct. You will need to change this value to ‘0’ or use one of the other permitted values (1 or 3). This is only likely if you have a bespoke Opayo integration with your website, but your web developer will be able to tell you if this is the case. If you have integrated using Pi, you will need to pass UseMSPSetting or one of the other permitted values (Force or ForceIgnoringRules).

If you don’t know which integration your website uses, you can find this in MyOpayo by clicking on any successful payment, then choose ‘Additional Details’ from the left menu. You will see the integration in the system used field.

1. Enrolment – Opayo will enrol your MID/Merchant Number for 3DSv2 if not already done.
2. Activation – You will need to activate 3-D Secure from within MyOpayo. If you have not already activated 3-D Secure, please find the instructions to do so here. If you are using our PI or Direct integration you will also need to include the 3-D Secure steps of the integration.
3. Enablement – We will check all accounts and enable 3-D Secure shortly before the deadline on March 14th 2022. If 3D Secure is not already enabled, we will email you to let you know and then we will activate 3-D Secure automatically. To avoid disruption to your payment processing we strongly recommend you activate 3-D Secure within My Sage Pay before March, the sooner the better.
4. Technical Update – If you use our Direct integration - then you’ll need to undertake some additional development and upgrade to Protocol 4.00 before activating 3-D Secure. Direct Documentation is available here. If you use our Pi integration – then you’ll need to undertake additional work to your Pi integration. Pi Documentation is available here.
5. Test your Changes – Our 3DSv2 test and live environments are available to developers and merchants to begin testing their integration and optimising 3DSv2 checkout flows

Once you have logged into your MyOpayo account you will then need to activate the checks on your account.

To do this click on the settings tab, followed by 3-D Secure.

You will then be able to activate the 3-D Secure scheme and manage the rules within your account.

Now that you have activated 3-D Secure you are able to add rules to your account. By selecting add rule within your MyOpayo you are able to add conditions to your account based upon the results of the 3-D Secure authentication.

Once you have selected add rule you will then be presented with the add a new 3-D Secure rule screen.

This screen will allow you to add a start value, and end value to the rule and then add the restrictions to the rule.

Within this screen you are presented with 5 options when adding rules to your account. You are free to select as many, or as few of these options as you see fit:

• Perform the 3-D Secure authentication – If you would like 3-D Secure to be checked, you must select this box. If not, 3-D Secure will be unavailable for the price range you have defined.
  
• Accept non-3-D Secure cards to be authorised – As 3-D Secure is a scheme that shoppers have to register for, some customers on your site will not have this enabled. By selecting this option, you will allow all shoppers who do not have 3-D Secure enabled on their cards to processed for authorisation.
• Accept authorisations when MPI errors occur – Because we do not control the 3-D Secure scheme we cannot ensure its availability at all times. By selecting this option you will be able to process transactions without 3-D Secure when the scheme encounters difficulty.
• Accept cards from non-3-D Secure issuers to be authorised – As only Visa and MasterCard, and recently American Express are eligible for 3-D Secure this option allows cards to be accepted when they are not part of 3-D Secure. Japanese Credit Bureau and Diners Club cards are not part of the scheme, and if you accept those cards on your account you will need to select this box.
• Accept 3-D Secure failures to continue for authorisation – This final option allows you to allow transactions to process if the shopper has entered the incorrect details and failed the 3-D Secure checks.

Each option that is selected will allow transactions that meet the criteria to be successfully sent for authorisation.

If the transaction does not meet the requirements of the rules that have been set, the transaction will be rejected and appear on your account as a failed transaction.

Now that you have added one rule to your account you are able to have more if you want.

In order to add multiple rules to your account you simply need to complete the same steps as above.

When adding another rule you cannot have the start, or end values overlapping as this will not be allowed on the system and not add the rule to your account.

Multiple rules are used when you would like additional security over multiple price ranges. This also enables you to vary the levels of security on your account depending on the price ranges you wish to implement.

Activating & adding AVS/CV2 rules
Chargebacks and you

Just like Verified by Visa and MasterCard Secure code, American Express SafeKey is there to offer password protection to shoppers who have an American Express card.

The scheme gives shoppers the chance to assign a password to their card and verify this when processing a transaction.

You will be taken to the SafeKey screen once your card details have been captured and prompted to enter a password in order to complete your order.

When you are taken to the SafeKey page you will be required to enter your password in order to proceed through the checks and get your payment verified.

After you have entered your password, the transaction will then go for authorisation as normal.

• Additional protection – SafeKey grants all American Express card holders extra protection against fraud, this also applies to companies using the scheme on their sites, reducing fraud.
• No extra costs – Using SafeKey will not cost anything extra, this is a free fraud prevention tool and you will not be asked to pay any additional costs from Opayo to have this on your account.
• Easy to manage – Just like verified by Visa and Mastercard Secure Code the fraud prevention tool can be easily controlled within My Opayo.

• Chargebacks can still happen – Full American Express SafeKey does not guarantee a liability shift, cover is always determined at the discretion of your merchant bank.
• Not all cards are registered – Not all American Express card holders are part of the scheme.

American Express automatically enrol all accounts in their SafeKey scheme so they are ready for the new SCA regulations. Opayo register these details as part of the process of adding American Express to your account, all you need to do is activate it in MyOpayo once your American Express merchant number is Live. Full instructions on how to do this can be found here

If you would like to know more about SafeKey use the button below to be taken to the American Express website.

Fraud screening explained
Address, postcode, and security key checks

PSD2 was introduced as a follow up to the original Payment Services Directive (PSD) by the European Commission, it took effect in January 2018. The aim was to bring in new laws to increase customer protection, foster innovation and inspire pan-European competition.

A key element of PSD2 is the introduction of the Regulatory Technical Standard (RTS) on Strong Customer Authentication (SCA) which applies to card-based ecommerce transactions in the European Economic Area (EEA).

Strong Customer Authentication was due to come into force in the UK on 14 September 2021. The Financial Conduct Authority (FCA) announced a 6-month extension to the deadline in recognition of the exceptional circumstances of the Covid crisis. The final implementation date was 14 March 2022. The next milestone in the SCA implementation timeline is the retirement of 3DSv1 by card schemes on 15 October 2022.

From the 1 June 2021, card schemes gradually begin their implementation of Strong Customer Authentication and ecommerce transactions increasingly being checked for 3-D Secure compliance. We recommended that merchants enable 3DSv2 before this date to ensure no disruption to payment processing as the ramp-up begins.

The first step to achieving SCA compliance, is to ensure your ecommerce payments have version one enabled. You can find out how to do this on page 8 of our MyOpayo User Guide.

3DSv2 functionality is now available to Opayo customers in our test and live environments giving merchants an early opportunity to test how best to incorporate SCA compliance together with an improved user experience at checkout.

Strong Customer Authentication makes payments more secure for both your business and the customer by adding an extra layer of protection known as two-factor authentication (2FA). Customers are now required to provide at least two of the following forms of identification when making a payment:

• Something the customer knows e.g. a pin or password
• Something the customer possesses e.g. a smartphone
• Something the customer is e.g. biometric fingerprint

All ecommerce transactions are being processed via secured industry protocol such as 3-D Secure from 14 March 2022 (with some exemptions detailed below).

Payment fraud losses have been steadily increasing for nearly a decade with little sign of easing. Merchants increasingly face a delicate balance between ensuring customer security and convenience, while minimising fraud and friction.

Strong Customer Authentication has been introduced to help combat fraud by improving customer security while reducing the liability held against businesses for unauthorised transactions.

Today, payments are typically authenticated using 3DSv2 (sometimes known as verified by Visa, Mastercard SecureCode, Amex SafeKey, Diners ProtectBuy, and JCB J-Secure) where the customer is asked to provide additional authentication data such as a password or an SMS verification code.

From March 2020, UK card issuers and/or acquirers began to gradually step up payments, requesting for 3-D Secure to be performed with two-factor authentication (2FA). When 3DSv2 is used, around 90% to 95% of authentication requests have resulted in a frictionless authentication, where the customer doesn’t even realise that authentication has taken place.

Contactless card machine transactions are subject to new rules. Card issuers are required to prompt the cardholder to perform a chip and PIN transaction each time their cumulative contactless spend reaches £150 since their last chip and PIN transaction.

During a 3-D Secure authentication, how the authentication is performed is up to the card issuer. Opayo’s upgrade to 3DSv2 introduces a better user experience:

• Added security and protection for your business and your customers
• Increased cardholder confidence when transacting with your business
• Reduced fraud and chargebacks - liability shifts to the card issuer
• Frictionless challenges where the customer doesn’t even realise that authentication has taken place e.g. biometric authentication using fingerprint, facial or voice recognition
• Improved risk-based decisions using rich cardholder data leading to higher approval rates
• Full support for all available exemption types and payment device types

When 3DSv2 is enabled, it is estimated that only 5% to 10% of authentications result in the cardholder having to be re-directed to their bank’s 3-D Secure page to enter 2FA. Most authentication requests result in a frictionless authentication with an authorisation rate of up to 90%. What’s more, liability for unauthorised transactions passes to the card issuer, saving you time and money on potential disputes.

Since 14th March 2022 the card issuing banks have expected full 3-D Secure V2 authentications for in session e-commerce transactions, any non-3D Secure transactions after this point risk declining. 3-D Secure V1 will be decommissioned by the card schemes on 15th October 2022, therefore your integration needs to fully support 3-D Secure V2 verifications by this date.

3DSv2 functionality is now available to Opayo customers in our test and live environments giving merchants an opportunity to test how best to incorporate SCA compliance together with an improved user experience at checkout.

You can find out how to do this on page 10 of our MyOpayo user guide.

Your integration type determines if you need to make any further changes to support 3DSv2: ​

• Form – No change. Fully supports 3DSv2
• Server – No change. Fully supports 3DSv2
• Direct – Extra 9 fields need to be submitted for 3DSv2.
• Pi - Extra 8 fields need to be submitted for 3DSv2

If you don’t know which integration your website uses, you can find this in MyOpayo by clicking on any successful payment, then choose Additional Details from the left menu. You will see the integration in the System Used field.

• If you are using the direct integration method integration documentation can be found here.
• If you are using the Pi integration method integration documentation can be found here.
• For form and server integrations, there is no change with the payment flow or with request and responses that you will submit to and receive from Opayo. You can, if you choose to, try some of the magic values to see the difference between the frictionless and challenge flows.

There are several exemptions to SCA that may be requested to improve the payment experience.

You first need to speak with your acquirer to get their approval of any exemptions you choose to use. Once your acquirer has advised of suitable exemptions for your business model, you can request an exemption on a per transaction basis when submitting your transaction request to Opayo. If you choose to use an exemption, any chargeback liability is passed to you for the transaction.

The card issuer may not always agree with your exemption. In this instance, they may return a ‘soft decline’ and request that 2FA is performed.

Trusted beneficiaries
Card issuers will allow your customer to add you as a trusted beneficiary, either during 2FA, or when they log into their card account. Once they have added you as a trusted beneficiary, you can apply for this exemption so that this applies every time they shop with you.

Recurring transactions or subscriptions
After initial set up, a subscription or membership fee consisting of repeat payments of the same amount to the same payee i.e. direct debit, will be exempt from authentication. Since your customer is off session when a recurring transaction is performed, they cannot be expected to perform an authentication. However, 2FA must be performed for the first transaction of a recurring series, where your customer is in-session.

Trusted Risk Analysis (TRA)

This exemption can be used if you have a low chargeback rate. Typically, between 1 and 13 chargebacks per 10,000 transactions. It varies depending on the transaction amount value up to and including £430 (€500). You cannot use this exemption for transaction values over £430 (€500). Overall fraud rates for card payments must not exceed the following thresholds:
0.13% to exempt transactions below £90 (€100)
0.06% to exempt transactions below £215 (€250)
0.01% to exempt transactions below £430 (€500)

Low-value transactions (LVT
A Low Value Transaction (LVT) is one that is 30 EUR or less. This exemption is permitted for a maximum of five LVT per card account, per day, where the cumulative value does not reach more than €100 a day. If the cardholder uses their card to make 5 consecutive low value payments, or a total that exceeds €100, SCA will be required. This is not a straightforward exemption; your customer could already have consumed their permitted allowance elsewhere before purchasing an item from your website. If this is the case, the card issuer may “soft-decline” the transaction and request that your customer performs 2FA.

Delegated Authentication
You can only use this exemption if you have participated in a delegated authentication program with the card schemes, where the card scheme approves delegation of the authentication process to you.

Secure Corporate payment
If your customer is using a corporate card, that is a lodged corporate card (typically used to book travel for all employees of a company), then this exemption can be used. It cannot be used for personal corporate cards.

No

Strong Customer Authentication applies to card-based ecommerce transactions (including digital wallets backed by cards) where both the card issuer (i.e. financial institution with whom cardholder has relationship) and the acquirer (i.e. financial institution with whom the merchant has a relationship) both reside within the European Economic Area (EEA).

As an example, if your customer is making a purchase with a card issued outside of the EEA, then SCA does not apply. If your customer is making a purchase with a card issued inside the EEA, but your acquirer is registered outside of the EEA, then SCA does not apply.

For more information please visit our support pages. We're here to help 24/7, 365 days a year. Existing customers can contact our dedicated UK-based support team on 0191 313 0299 or email us and we'll aim to get back to you within 24 hours.