All card brands – sunset of 3-DS 2.1

All card schemes have confirmed the sunsetting of support for EMV 3-DS 2.1 from September 2024.

After 24 September 2024, no transactions authenticated using EMV 3DS 2.1 can be processed.

In addition Mastercard has also announced a requirement to support additional EMV 3DS features:

• All ecommerce businesses must support and perform authentication app re-direction through the merchant app, the 3DS SDK and EMV 3DS v2.2 transactions if the cardholder authentication method is out of band (OOB).
• 3RI payments are optional, however they offer you the ability to system-generate a payment transaction when the cardholder is not in session. These transactions are used where there is an initial purchase transaction while the cardholder is in session, called consumer-initiated transaction (CIT), followed by subsequent transactions that are 3RI merchant-initiated transaction (MIT). With 3RI payments, you can provide evidence, using the DS Transaction ID field, that strong customer authentication (SCA) has been performed where the customer was involved and maintain your fraud liability protection for the full amount that has been authenticated. 

What you need to do:

To avoid non-compliance penalties, you should contact your gateway support team to make sure they are correctly supporting EMV 3DS 2.2 in line with the above requirements, and that they are aware of the recently announced sunset dates for EMV 3DS 2.1.

Mastercard – PSD2 optimisation programme for soft declines

Under PSD2, most ecommerce transactions require strong customer authentication (SCA) unless an exemption or exclusion (like merchant-initiated transactions (MITs)) is applied. 

To satisfy these PSD2 SCA requirements, customers are required to use EMV 3DS, an appropriate exemption, or any other SCA-compliant method to avoid issuer SCA soft declines. A SCA soft decline is a declined authorisation where the issuer requests SCA to make it successful. In the event you receive a soft decline you should re-submit the authorisation after successfully authenticating your customer with 3DS.

 
Mastercard launched the PSD2 optimisation program to monitor transactions to check if EMV 3DS was used after a SCA soft decline. Where a customer is identified as failing this check, under this programme, non-compliance penalties could apply.

What you need to do: 

You should contact your gateway support team to make sure that when transactions are soft declined, the transaction is retried with EMV 3DS. For more information relating to PSD2 please visit our website at https://www.elavon.co.uk/insights/news/psd2.html

Mastercard uses Merchant Advice Codes (MAC) in authorisation request responses to tell merchants about a cardholder’s account. MAC clarifies the reasons why a transaction was declined and offers advice on how merchants can retry a declined authorisation request in an informed manner to reduce the chance of further declines.

Merchants should therefore familiarise themselves with these MACs. The benefits of using Merchant Advice Codes for Elavon customers include:

• Clear reasons for declined authorisations
• Allows fast resolution of any issues to prevent customer loss and optimises your customer’s experience
• Prevents loss of revenue
• Reduces false declines

Below is a table showing the Issuer Response Code, the MAC that could be received back as part of the authorisation request and the action that should be taken:

NB: The above table shows a selection of possible combinations of response and merchant advice codes, however other combinations are possible.

What you need to do: 

If you are using an Elavon point-of-sale (POS) terminal or ecommerce gateway you have no action to take as we look after this for you. 

If you are using a third-party POS or gateway provider, you should contact your provider to understand if you need to take any action.