Upgrading Your Payer Authentication Implementation
This section describes how the benefits from upgrading to EMV 3-D Secure 2.x for
merchants currently using Payer Authentication services.
Benefits
EMV 3-D Secure 2.x provides these benefits:
- Transactions that are more secure by providing additional data about the customer.
- Backward compatibility. Additional data is automatically sent to issuers as they upgrade to EMV 3-D Secure 2.x.
- Improved user-friendly shopping experience for customers, including frictionless authentication and shorter transaction times.
- Can result in higher authorization rates.
- Easier to upgrade to EMV 3-D Secure 2.2. Version 2.2 includes support for exemptions for PSD2. These exemptions that might allow frictionless authentication, include acquirer/issuer transactional risk assessment; white listing; low value, one leg out, and merchant-initiated transactions. These exemptions will be defined as they become available.
PSD2 Impact
If PSD2 affects you, you must upgrade to EMV 3-D Secure 2.x.
PSD2 requires additional security measures outlined in the Regulatory Technical
Standards (RTS) that will apply in the future. PSD2 requires stronger identity checks
for online payments, particularly for high-value transactions.
PSD2 means changes for all companies in Europe that deal with payments. Some of
the implications for merchants include:
- Requiring two-factor authentication for all electronic payments although there are exemptions to allow a frictionless flow.
- Requiring EMV 3-D Secure e-commerce merchants to integrate dynamic authentication tools (such as EMV 3-D Secure 2.x).
Recommended Integration
Two types of integration are available for EMV 3-D Secure 2.x:
- Direct API
- SDK integration for your mobile application
If you are currently using Payer Authentication services in your business
processes and need to upgrade to EMV 3-D Secure 2.x, we recommend using the Direct API
integration. The Direct API integration most closely resembles the current process in
which you request the Enrollment Check service to verify that the customer is enrolled
in one of the card authentication programs and receive a response. With EMV 3-D Secure
2.x, that response includes a new value, the processor transaction ID.
For enrolled cards, include the Access Control Server (ACS) URL, payload, and
processor transaction ID to proceed with the authentication session. Then, request the
validation service, sending the processor transaction ID with your request, and receive
a response with the e-commerce indicator and Cardholder Authentication Verification
Value (CAVV) or Account Authentication Value (AAV).
For more information about the Direct API, see Implementing Direct API for Payer Authentication.
For details about the other integrations, see Implementing SDK Payer Authentication.
IMPORTANT
If you are using tokenization, use the Direct API integration method
for Payer Authentication.
Migrating from EMV 3-D Secure 1.x to 2.x FAQ
Q: Is a new JWT required for each transaction?
A: Yes, even though the JWT does not expire for two hours, you should send a
new JWT with each new transaction.
Q: How do you link the device data to the transaction-level data?
A: There are two ways:
- You can create a reference ID in the original JWT and then pass that same value for the request field for the Check Enrollment service.
- You can use the session ID returned fromPayments.setupCompletefor the request field for the Check Enrollment service.
Q: When will the Payer Authentication reports include the new fields for EMV
3-D Secure 2.x?
A: They will be added in a future release.
Q: Will my current implementation continue to work while I am implementing and
testing the newer version in parallel?
A: Yes, current implementation will continue to work.
Q: What testing should I conduct to ensure that my code is working
correctly?
A: Use the test cases (Test Cases for 3-D Secure 2.x) to test
your preliminary code and make the appropriate changes.
Q: How does EMV 3-D Secure 2.x authentication improve the experience for a
customer who uses a mobile or tablet device?
A: EMV 3-D Secure 2.x works the same for each device, and you have control over
the formatting of the authentication form. EMV 3-D Secure 2.x also supports newer, more
secure authentication delivery tools, such as a one-time password (OTP) sent to a
customer’s mobile device or email.