All card brands – sunset of 3DS 2.1
All card schemes have confirmed the end of support for EMV 3DS 2.1 from September 2024.
Key Dates
|
24 September 2024 |
Support for EMV 3DS 2.1 in transaction processing ends |
|---|
24 September 2024
Support for EMV 3DS 2.1 in transaction processing ends
After 24 September 2024, no transactions authenticated using EMV 3DS 2.1 can be processed.
In addition, Mastercard has also announced a requirement to support extra EMV 3DS features:
- All ecommerce businesses must support and perform authentication app re-direction through the merchant app, the 3DS SDK and EMV 3DS v2.2 transactions if the cardholder authentication method is out of band (OOB).
- 3RI payments are optional, however they offer you the ability to system-generate a payment transaction when the cardholder is not in session. These transactions are used when there is an initial purchase while the cardholder is in session, called consumer-initiated transaction (CIT), followed by subsequent transactions that are 3RI merchant-initiated transaction (MIT). With 3RI payments, you can keep your fraud liability protection for the full amount authenticated by using the DS Transaction ID field. This proves that strong customer authentication (SCA) was used when the customer was involved
What you need to do:
To avoid a fine, contact your gateway support team to make sure they are correctly supporting EMV 3DS 2.2 in line with the card scheme rules, and that they are aware of the recently announced sunset dates for EMV 3DS 2.1.
Visa – Updates to Visa Secure for new required data fields
Visa announced a number of changes to the Visa Secure Program including 12 extra required data fields, to be effective earlier this year. Following feedback from the industry, Visa has changed the requirements, reducing the number of data fields required from 12 to five for browser transactions or three for in-app purchases.
From 12 August 2024, Visa will need the following data fields to be included in authentication:
|
Data Required – Browser |
Data Required – In-App Transactions |
|---|---|
|
Browser IP Address |
Device IP Address |
|
Browser Screen Height |
- |
|
Browser Screen Width |
- |
|
Cardholder Phone Number or Cardholder Email Address |
Cardholder Phone Number or Cardholder Email Address |
|
Cardholder Name |
Cardholder Name |
Data Required – Browser
Data Required – In-App Transactions
Browser IP Address
Device IP Address
Browser Screen Height
-
Browser Screen Width
-
Cardholder Phone Number or Cardholder Email Address
Cardholder Phone Number or Cardholder Email Address
Cardholder Name
Cardholder Name
These new data fields apply only to standard 3DS payment transactions. Non-payment transactions and 3DS requestor-initiated (3RI) transactions are exempt from these requirements.
What you need to do:
Make sure your 3DS provider is aware of this rule and is making any changes needed to meet the demand by 12 August.
Mastercard – PSD2 optimisation programme for soft declines
Under PSD2, most ecommerce transactions need strong customer authentication (SCA) unless an exemption or exclusion (like merchant-initiated transactions (MITs)) is applied.
To meet these PSD2 SCA requirements, customers need to use EMV 3DS, an appropriate exemption, or any other SCA-compliant method to avoid issuer SCA soft declines.
An SCA soft decline is a declined authorisation where the issuer requests SCA to make it successful. If you receive a soft decline you should re-submit the authorisation after successfully authenticating your customer with 3DS.
Mastercard launched the PSD2 optimisation program to monitor transactions to check if EMV 3DS was used after a SCA soft decline. If a customer fails this check non-compliance penalties could apply.
What you need to do:
You should contact your gateway support team to make sure that when transactions are soft declined, the transaction is retried with EMV 3DS. For more information relating to PSD2 please visit our website at https://www.elavon.co.uk/insights/news/psd2.html
