All card brands – sunset of 3-DS 2.1
All card schemes have confirmed the sunsetting of support for EMV 3-DS 2.1 from September 2024.
Key Dates
| 24 September 2024 | Support for EMV 3-DS 2.1 in transaction processing ends |
|---|---|
After 24 September 2024, no transactions authenticated using EMV 3-DS 2.1 can be processed.
In addition, Mastercard has announced a requirement to support additional EMV 3-DS features:
- All ecommerce businesses must support and perform authentication app re-direction through the merchant app, the 3-DS SDK and EMV 3-DS v2.2 transactions if the cardholder authentication method is OOB (out of band).
- 3RI payments are optional. However, they offer you the option to system-generate a payment transaction when the cardholder is not in session. These transactions are used for cases where there is an initial purchase transaction while the cardholder is in session, called a consumer-initiated transaction (CIT), followed by subsequent transactions that are 3RI MITs (merchant-initiated transactions). With 3RI payments, you can provide evidence, using the DS Transaction ID field, that SCA has been performed where the customer was involved and maintain your fraud liability protection for the full amount that has been authenticated.
What you need to do:
To avoid potential non-compliance penalties, you should contact your gateway support team to make sure they are correctly supporting EMV 3-DS 2.2 in line with the above requirements, and that they are aware of the recently announced sunset dates for EMV 3-DS 2.1.
Mastercard – new check for latest version of 3-DS
Mastercard has introduced a new check to monitor adoption of the latest version of EMV 3-DS.
This check monitors 3-DS authentications to ensure that the transactions are being authenticated with the minimum required version of EMV 3-DS (currently EMV 3-DS 2.2) or higher.
For example: where the version used is lower than EMV 3-DS 2.2, but the issuer supports 2.2 or higher, a transaction will be considered non-performing. Where the issuer does not support EMV 3-DS 2.2, you may use a lower version to complete the transaction and this is still considered compliant.
What you need to do:
You should contact your gateway support team to make sure that transactions are being processed using the highest version of EMV 3-DS.
Mastercard – PSD2 optimisation programme for soft declines
Under PSD2, most ecommerce transactions require Strong Customer Authentication (SCA) unless an exemption or exclusion (like merchant-initiated transactions, or MITs) is applied.
To satisfy these PSD2 SCA requirements, customers are required to use EMV 3-DS, an appropriate exemption or any other SCA-compliant method to avoid issuer SCA soft declines. An SCA soft decline is a declined authorisation where the issuer requests SCA to make it successful. In the event you receive a soft decline, you should re-submit the authorisation after successfully authenticating your customer with 3-DS.
Mastercard launched the PSD2 optimisation programme to monitor transactions to check if EMV 3-DS was used after an SCA soft decline. Where a customer is identified as failing this check, under this programme, non-compliance penalties could apply.
What you need to do:
You should contact your gateway support team to make sure that when transactions are soft declined, the transaction is retried with EMV 3-DS.
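An added example (not part of the original notice, and not Mastercard's or any gateway's code): a sketch of how you could audit your own authorisation log against the version check and the soft-decline check described above. The record fields (order_id, threeds_version, issuer_max_version, soft_declined), the finding labels and the sample records are all assumptions constructed for illustration.

```python
from datetime import date

MIN_VERSION = (2, 2)            # minimum required EMV 3-DS version per the notice
SUNSET_2_1 = date(2024, 9, 24)  # 2.1-authenticated transactions not processed after this

def major_minor(version):
    """'2.2.0' or '2.2' -> (2, 2), so versions compare numerically, not as strings."""
    return tuple(int(p) for p in version.split(".")[:2])

def audit(records):
    """Return (order_id, finding) pairs; records must be in chronological order."""
    findings, awaiting_retry = [], set()
    for r in records:
        oid = r["order_id"]
        used = major_minor(r["threeds_version"]) if r["threeds_version"] else None
        if oid in awaiting_retry:          # this attempt follows a soft decline
            awaiting_retry.discard(oid)
            if used is None:
                findings.append((oid, "retry-without-3ds"))
        if used == (2, 1) and r["date"] > SUNSET_2_1:
            findings.append((oid, "2.1-after-sunset"))
        elif (used is not None and used < MIN_VERSION
              and major_minor(r["issuer_max_version"]) >= MIN_VERSION):
            # A lower version is acceptable only when the issuer cannot do 2.2.
            findings.append((oid, "below-issuer-supported-version"))
        if r["soft_declined"]:
            awaiting_retry.add(oid)
    findings += [(oid, "soft-decline-not-retried") for oid in sorted(awaiting_retry)]
    return findings

def rec(order_id, day, version, issuer_max, soft_declined=False):
    """Build one constructed log record (hypothetical schema)."""
    return {"order_id": order_id, "date": day, "threeds_version": version,
            "issuer_max_version": issuer_max, "soft_declined": soft_declined}

SAMPLE = [  # constructed records, not real transaction data
    rec("A1", date(2024, 6, 1), "2.1.0", "2.2.0"),    # issuer could have done 2.2
    rec("A2", date(2024, 6, 1), "2.1.0", "2.1.0"),    # issuer limited to 2.1: fine
    rec("A3", date(2024, 10, 1), "2.1.0", "2.1.0"),   # 2.1 used after the sunset
    rec("A4", date(2024, 10, 2), None, None, soft_declined=True),
    rec("A4", date(2024, 10, 2), "2.2.0", "2.2.0"),   # retried with 3-DS: fine
    rec("A5", date(2024, 10, 3), None, None, soft_declined=True),
    rec("A5", date(2024, 10, 3), None, None),         # retried without 3-DS
    rec("A6", date(2024, 10, 4), None, None, soft_declined=True),  # never retried
]

if __name__ == "__main__":
    for order_id, finding in audit(SAMPLE):
        print(order_id, finding)
```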