Following the transposition of the Second European Directive on Payment Services (PSD2) into Spanish law on November 23rd, many doubts have been raised about its impact, the steps to be taken to comply with it and, in short, what the situation will be after September 14th.
During this time, it has become evident that PSD2 focuses on increasing the security of transactions, an area in which the 3-D Secure protocol will play an important role.
But what is 3-D Secure, and why is it relevant to the implementation of the new regulation?
EMV 3-D Secure is a global technology standard designed to help merchants and card issuers authenticate users in online operations. It is developed by EMVCo, a body overseen by major card brands that facilitates the interoperability and acceptance of online payments. Through its updates, the 3DS protocol seeks to better adapt to the changing online payment environment as well as to the new Payment Services Directive (PSD2). Compared with version 1.0, version 2.0 achieved a greater transmission of information, as well as use on a variety of devices and the standardization of the protocol.
Version 2.1 has already been developed. Although this version complies with the legal requirements of PSD2 (as do versions 1.0 and 2.0), we will have to wait for version 2.2 to improve the user experience.
How will the 3DS 2.2 protocol benefit the user experience?
The new regulation makes strong customer authentication mandatory in transactions, using a minimum of two factors: something the user has (card, device), something the user knows (password, PIN) or something the user is (biometrics). These security requirements will have a lower impact on the offline environment, as in these cases it would be enough to present the card or mobile phone and validate the operation with a PIN. In the online environment, on the other hand, it will be necessary to introduce new ways of authentication beyond the card data. This could affect the user experience, as it may initially involve a longer or more complex checkout process. For this reason, a series of exemptions have been designed within the regulation that allow certain transactions not to be authenticated. It is at this point that the 3DS protocol takes on particular importance, as its version 2.2 will facilitate the application of these exemptions.
What implications will it have, therefore, for businesses?
Merchants that do not yet have the 3DS protocol must at least migrate to version 1.0 to comply with the regulations. Although this is sufficient from a regulatory standpoint, it is advisable to have version 2.0 or 2.1, which allow a greater transmission of information and facilitate the application of double authentication, as well as some exemptions. Once it has been developed, they will be able to move on to version 2.2 because, although it is not mandatory, it will allow greater application of exemptions, which is essential to improve the user experience and thus minimise the impact on the consumer conversion rate.
In short, all businesses will have to prepare to operate under secure commerce, with the 3DS protocol, before September 14th. Sipay Plus, the Spanish payment gateway specialized in innovative solutions, sees these changes in a positive light because “while these changes may seem a great challenge, the application of exemptions and the use of authentication factors that provide a good user experience will reduce their impact. In addition, this increased security will bring benefits such as reduced fraud and increased confidence in online commerce, so the positive aspects for businesses will be numerous”.