Last updated October 1, 2019.
Strong Customer Authentication (SCA) requirements -- part of the revised Payment Services Directive (PSD2) regulations in Europe -- mandate that two-factor authentication be performed on many card transactions. Merchants that don’t apply two-factor authentication to their transactions risk an increase in declines from customers’ banks once the requirements are enforced. For the latest information on the ever-evolving regulatory landscape in Europe, please refer to our SCA cheatsheet.
3D Secure 2 (3DS2) is the solution Braintree recommends merchants adopt in order to be SCA-ready. The latest version of the 3DS authentication protocol lets merchants meet the new requirements and, for transactions that are authenticated, shifts liability for fraud disputes to the issuer, which reduces the cost of chargebacks.
While the solution itself is simple, how merchants need to apply SCA using 3DS2 varies with their business model and the way they transact with customers. So let’s take a closer look at how SCA can be added into payment flows for some common payment scenarios. In each one the same three things happen in order: the cardholder authenticates an amount, the issuer authorizes it, and the merchant captures and settles it; the scenarios differ in what happens when the amount eventually captured does not match the amount authenticated.
Ecommerce (direct-to-consumer online retailers)
A standard one-time payment for a product or service.
In this scenario, the customer authenticates for the total amount of the purchase, the issuer authorizes that amount, then the merchant captures and settles for that amount. If the transaction is in scope for SCA, merchants can use 3DS2 to verify the cardholder during the checkout process. Merchants can request an exemption where one applies, but an exempted transaction is not authenticated and so carries no liability shift: the merchant remains responsible for chargebacks categorized as fraud.
Subscription (ex. gym membership); metered billing (ex. utility bill)
A recurring payment, either for the same amount and same frequency or for variable amounts and/or variable frequency.
In this scenario, the merchant can request a cardholder challenge to establish SCA when the card is first authorized for the subscription. This can occur with a verification or with the first transaction; we would generally recommend that SCA be applied to the first transaction whenever possible. As long as the customer has authenticated the first authorization, subsequent recurring transactions qualify as merchant-initiated transactions (MITs), which are out of scope for SCA. Each MIT should reference the original authenticated transaction so the issuer can tie it to the agreement the cardholder authenticated.
Ecommerce (direct-to-consumer online retailers)
An order in which products ship separately at different times due to availability or fulfilment, and payments are captured at the time of shipment.
In this scenario, the customer authenticates for the full amount, the issuer authorizes that amount, but the merchant would later need to perform merchant-initiated transactions (MITs) to capture each portion of the total when products are shipped and delivered.
Food delivery, ride sharing
A transaction in which tips or other additional charges are added by the customer after the initial amount.
In this scenario, the customer authenticates for the original transaction amount, the issuer authorizes that amount, then the merchant captures and settles that amount. If the final amount after the tip is added is higher than the amount authenticated, the customer must authenticate a second time for the difference, after which the issuer authorizes and the merchant captures and settles the difference. (Merchants could instead authenticate for more than the original amount up front, so that the amount eventually captured after tips does not exceed the authenticated amount, but presenting the cardholder with a higher amount than the order total may cause confusion.)
Ride sharing, hotels
A transaction in which additional charges are added by the merchant after the initial amount.
In this scenario, the customer authenticates for the original transaction amount, the issuer authorizes that amount, then the merchant captures and settles that amount. If the final amount after incidentals are added is higher than the amount authenticated, the merchant performs an MIT for the difference, referencing the original authenticated transaction, rather than challenging the cardholder again. (Merchants could instead authenticate for more than the original amount up front, so that the amount eventually captured after incidentals does not exceed the authenticated amount, but presenting the cardholder with a higher amount than the order total may cause confusion.)
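The subscription, split-shipment, tip and incidentals flows above all reduce to one rule: a capture within the amount the cardholder authenticated needs no new authentication, and any amount above it needs either a second cardholder authentication (when the customer added it) or an MIT that references the original authenticated transaction (when the merchant added it). The following Python is an added example that models that rule; it is not Braintree's code or API. The `Order`, `Step` and `Initiator` types, the `txn-*` reference strings and every amount are constructed for illustration.

```python
from dataclasses import dataclass, field
from decimal import Decimal
from enum import Enum
from typing import List, Optional


class Initiator(Enum):
    CUSTOMER = "CIT"  # cardholder is in session and can be challenged
    MERCHANT = "MIT"  # merchant acts later under a prior agreement, outside SCA scope


@dataclass(frozen=True)
class Step:
    kind: str                        # "authenticate" | "authorize" | "capture"
    amount: Decimal
    initiator: Initiator
    linked_to: Optional[str] = None  # reference of the authenticated CIT an MIT cites


@dataclass
class Order:
    reference: str          # assumed: id of the authenticated transaction that later MITs cite
    authenticated: Decimal  # amount the cardholder authenticated under 3DS2
    captured: Decimal = Decimal("0")
    steps: List[Step] = field(default_factory=list)

    def _add(self, new: List[Step]) -> List[Step]:
        self.steps += new
        return new

    def checkout(self) -> List[Step]:
        """Cardholder authenticates and the issuer authorizes the full amount (a CIT)."""
        return self._add([Step("authenticate", self.authenticated, Initiator.CUSTOMER),
                          Step("authorize", self.authenticated, Initiator.CUSTOMER)])

    def capture(self, amount: Decimal, added_by: Optional[Initiator] = None) -> List[Step]:
        """Capture `amount`; `added_by` names who caused any overrun above the authenticated amount."""
        if amount <= 0:
            raise ValueError("capture amount must be positive")
        new: List[Step] = []
        covered = min(amount, self.authenticated - self.captured)
        excess = amount - covered
        if covered > 0:
            # Within the authenticated amount: the first capture belongs to the CIT, later
            # ones (split shipments) are MITs that reference it.
            if self.captured == 0:
                new.append(Step("capture", covered, Initiator.CUSTOMER))
            else:
                new.append(Step("capture", covered, Initiator.MERCHANT, self.reference))
        if excess > 0:
            if added_by is Initiator.CUSTOMER:
                # Tip added by the customer: a second authentication for the difference.
                new += [Step("authenticate", excess, Initiator.CUSTOMER),
                        Step("authorize", excess, Initiator.CUSTOMER),
                        Step("capture", excess, Initiator.CUSTOMER)]
            elif added_by is Initiator.MERCHANT:
                # Incidentals added by the merchant: an MIT tied to the original transaction.
                new += [Step("authorize", excess, Initiator.MERCHANT, self.reference),
                        Step("capture", excess, Initiator.MERCHANT, self.reference)]
            else:
                raise ValueError(f"{excess} above the authenticated amount: say who added it")
            self.authenticated += excess
        self.captured += amount
        return self._add(new)

    def recurring_charge(self, amount: Decimal) -> List[Step]:
        """Subscription or metered charge after the authenticated first transaction: an MIT."""
        if self.captured == 0:
            raise ValueError("authenticate and capture the first transaction before any MIT")
        return self._add([Step("authorize", amount, Initiator.MERCHANT, self.reference),
                          Step("capture", amount, Initiator.MERCHANT, self.reference)])

    def trail(self) -> List[tuple]:
        """(kind, CIT/MIT, amount, linked reference or '-') for every step so far."""
        return [(s.kind, s.initiator.value, str(s.amount), s.linked_to or "-") for s in self.steps]


def demo() -> dict:
    """The scenarios from the text, run on constructed amounts."""
    out = {}
    tip = Order("txn-1", Decimal("20.00")); tip.checkout()
    tip.capture(Decimal("23.00"), added_by=Initiator.CUSTOMER)   # customer adds a 3.00 tip
    out["tip"] = tip.trail()
    hotel = Order("txn-2", Decimal("120.00")); hotel.checkout(); hotel.capture(Decimal("120.00"))
    hotel.capture(Decimal("35.00"), added_by=Initiator.MERCHANT)  # minibar billed after checkout
    out["incidentals"] = hotel.trail()
    split = Order("txn-3", Decimal("100.00")); split.checkout()
    split.capture(Decimal("40.00")); split.capture(Decimal("60.00"))  # two shipments
    out["split_shipment"] = split.trail()
    gym = Order("txn-4", Decimal("9.99")); gym.checkout(); gym.capture(Decimal("9.99"))
    gym.recurring_charge(Decimal("9.99")); gym.recurring_charge(Decimal("14.50"))
    out["subscription"] = gym.trail()
    try:
        Order("txn-5", Decimal("20.00")).capture(Decimal("25.00"))  # overrun with nobody named
        out["unattributed_excess"] = "accepted"
    except ValueError:
        out["unattributed_excess"] = "rejected"
    return out
```

In the trail returned by `demo()`, the tip case consists only of CITs (the cardholder is challenged a second time for the 3.00), while the incidentals, split-shipment and subscription cases end in MITs that carry the original reference. The `ValueError` for an unattributed overrun is deliberate: a capture above what was authenticated, with no decision about whether the customer or the merchant added it, is exactly the case the text says must go through either a second authentication or an MIT.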
Marketplaces (ex. online travel agencies with flight, hotel, and rental-car vendors)
An order in which multiple sellers are paid from a single consumer checkout experience.
For this scenario, each card network has set up its own guidelines for processing in accordance with the PSD2 requirement to “[ensure] that the elements dynamically link the transaction to an amount and a payee specified by the payer when initiating the transaction.” So while the details vary from card network to card network, each network’s approach can be implemented without an inherent risk of declines.
Regardless of business model or payment scenario, merchants who do not perform SCA on transactions that require it are likely to see an increase in declines after the requirement is enforced. 3DS2 via Braintree provides a simple way to authenticate cardholders with a no- to low-friction checkout experience, and allows merchants to shift liability to the issuer on authenticated transactions, which helps reduce the cost of chargebacks categorized as fraud. Braintree’s 3DS2 solution also supports both the 3DS2 and 3DS1 protocols and automatically routes a transaction to 3DS1 when the issuer does not yet support 3DS2, so your business can be SCA-compliant regardless of issuer readiness.