Upgrading Your Payer Authentication Implementation

This section describes how the benefits from upgrading to EMV 3-D Secure 2.x for merchants currently using Payer Authentication services.

Benefits

EMV 3-D Secure 2.x provides these benefits:
  • Transactions that are more secure by providing additional data about the customer.
  • Backward compatibility. Additional data is automatically sent to issuers as they upgrade to EMV 3-D Secure 2.x.
  • Improved user-friendly shopping experience for customers, including frictionless authentication and shorter transaction times.
  • Can result in higher authorization rates.
  • Easier to upgrade to EMV 3-D Secure 2.2. Version 2.2 includes support for exemptions for PSD2. These exemptions that might allow frictionless authentication, include acquirer/issuer transactional risk assessment; white listing; low value, one leg out, and merchant-initiated transactions. These exemptions will be defined as they become available.
Upgrading Your Payer Authentication Implementation

PSD2 Impact

If PSD2 affects you, you must upgrade to EMV 3-D Secure 2.x.
PSD2 requires additional security measures outlined in the Regulatory Technical Standards (RTS) that will apply in the future. PSD2 requires stronger identity checks for online payments, particularly for high-value transactions.
PSD2 means changes for all companies in Europe that deal with payments. Some of the implications for merchants include:
  • Requiring two-factor authentication for all electronic payments although there are exemptions to allow a frictionless flow.
  • Requiring EMV 3-D Secure e-commerce merchants to integrate dynamic authentication tools (such as EMV 3-D Secure 2.x).
Upgrading Your Payer Authentication Implementation

Recommended Integration

Two types of integration are available for EMV 3-D Secure 2.x:
  • Direct API
  • SDK integration for your mobile application
If you are currently using Payer Authentication services in your business processes and need to upgrade to EMV 3-D Secure 2.x, we recommend using the Direct API integration. The Direct API integration most closely resembles the current process in which you request the Enrollment Check service to verify that the customer is enrolled in one of the card authentication programs and receive a response. With EMV 3-D Secure 2.x, that response includes a new value, the processor transaction ID.
For enrolled cards, include the Access Control Server (ACS) URL, payload, and processor transaction ID to proceed with the authentication session. Then, request the validation service, sending the processor transaction ID with your request, and receive a response with the e-commerce indicator and Cardholder Authentication Verification Value (CAVV) or Account Authentication Value (AAV).
For more information about the Direct API, see Implementing Direct API for Payer Authentication.
For details about the other integrations, see Implementing SDK Payer Authentication.
IMPORTANT
If you are using tokenization, use the Direct API integration method for Payer Authentication.
Upgrading Your Payer Authentication Implementation

Migrating from EMV 3-D Secure 1.x to 2.x FAQ

Q: Is a new JWT required for each transaction?
A: Yes, even though the JWT does not expire for two hours, you should send a new JWT with each new transaction.
Q: How do you link the device data to the transaction-level data?
A: There are two ways:
  • You can create a reference ID in the original JWT and then pass that same value for the request field for the Check Enrollment service.
  • You can use the session ID returned from
    Payments.setupComplete
    for the request field for the Check Enrollment service.
Q: When will the Payer Authentication reports include the new fields for EMV 3-D Secure 2.x?
A: They will be added in a future release.
Q: Will my current implementation continue to work while I am implementing and testing the newer version in parallel?
A: Yes, current implementation will continue to work.
Q: What testing should I conduct to ensure that my code is working correctly?
A: Use the test cases (Test Cases for 3-D Secure 2.x) to test your preliminary code and make the appropriate changes.
Q: How does EMV 3-D Secure 2.x authentication improve the experience for a customer who uses a mobile or tablet device?
A: EMV 3-D Secure 2.x works the same for each device, and you have control over the formatting of the authentication form. EMV 3-D Secure 2.x also supports newer, more secure authentication delivery tools, such as a one-time password (OTP) sent to a customer’s mobile device or email.
Upgrading Your Payer Authentication Implementation