Conceal or skip 3-D Secure
The SCA guidelines come with a set of features that allow you to:
- Implement the authentication step as a background process (the so-called frictionless flow), making it imperceptible for your customers. If need be, you can also request the full authentication process (the so-called challenge flow).
- Skip 3-D Secure altogether if certain conditions are met. We offer various features that allow this.
Learn here how to implement these features in a safe and compliant way.
Implement Challenge/Frictionless flow
Whenever you send a card transaction request to our platform, two 3-D Secure authentication scenarios are possible:
- Frictionless flow: You have provided enough information about the cardholder in the mandatory/recommended/optional properties of the transaction request itself. Hence, the cardholder's issuer considers the risk of fraudulent use of the credit card in question to be low. Consequently, your cardholder does not have to authenticate her/himself at the issuer's site: There is no redirection to the issuer from our secure payment page (for Hosted Checkout Page transactions) or your check-out page (for Hosted Tokenization Page/Server-to-Server/Mobile integration method). By skipping this step in the transaction flow, the overall payment experience becomes a lot smoother.
To enhance the chances of a frictionless flow, send as many recommended/optional properties as possible in your request. Add the optional parameter cardPaymentMethodSpecificInput.threeDSecure.challengeIndicator="no-challenge-requested" to your request.
However, some issuers will still insist that the cardholder authenticate her/himself. This will result in a challenge flow.
- Challenge flow: Regardless of what you have provided in the mandatory/recommended/optional properties about the cardholder, the issuer insists that the cardholder authenticate her/himself. Consequently, there is a redirection to the issuer from our secure payment page (for Hosted Checkout Page transactions) or your check-out page (for Hosted Tokenization Page/Server-to-Server/Mobile integration method).
In some cases (especially when creating a token for recurring payments), you might want to enforce the challenge flow yourself. Add the optional parameter cardPaymentMethodSpecificInput.threeDSecure.challengeIndicator="challenge-requested" or "challenge-required" to your request.
Implement SCA exemptions
Unlike SCA exclusions, you need to actively request SCA exemptions in your transaction requests. Transactions eligible for exemptions are:
- White-listed merchants: Your customers can ask their issuer to white-list you as a "trusted beneficiary".
- Corporate transactions: Transactions between two corporations.
- Acquirer TRA (Transaction Risk Analysis): You can request an exemption for transactions you consider low risk. As the acquirer is liable, it decides to grant/reject an exemption based on the overall portfolio of the transaction (transaction value, fraud rate).
- Issuer TRA: The customer's issuer can request an exemption if you or the acquirer did not. As the issuer is liable, it decides to grant/reject an exemption based on the overall portfolio of the transaction (transaction value, fraud rate).
- Low amount transactions: For purchases lower than €30. However, SCA will be necessary if a customer makes five transactions in a row or reaches a value of more than €100.
- Delegated authentication (certified wallet): An issuer can give authority to a third-party such as a certified wallet provider or a merchant to perform SCA on their behalf.
Depending on the card scheme, an exemption is requested in one of two ways:
- On authentication level: Add cardPaymentMethodSpecificInput.threeDSecure.challengeIndicator and cardPaymentMethodSpecificInput.threeDSecure.exemptionRequest with the appropriate values (depending on the use case) to your request.
- On authorisation level: Add cardPaymentMethodSpecificInput.threeDSecure.skipAuthentication and cardPaymentMethodSpecificInput.threeDSecure.exemptionRequest with the appropriate values (depending on the use case) to your request.
Contact your card scheme to find out which is the appropriate one and adapt your CreatePayment/CreateHostedCheckout request accordingly.
Find detailed information about these properties in our CreatePaymentAPI/CreateHostedCheckoutAPI.
Check payment.paymentOutput.CardPaymentSpecificOutput.threeDSecureResults.appliedExemption in our response to see whether the issuer has granted the exemption. If the issuer declines the transaction (statusOutput=2), our platform returns errors.errorCode=40001139.
Mind that
- You are liable for fraudulent transactions if the issuer accepts the transaction without 3-D Secure. Check property paymentOutput.cardPaymentMethodSpecificOutput.threeDSecureResults.liability for GetPayment/GetPaymentDetails requests. Be aware that this is only an indication, as the definite accountability depends on various factors.
We recommend sticking to the frictionless flow feature if you prefer to keep your liability protection.
- We offer the Exemption Engine feature that automatically requests exemptions when applicable. Read our dedicated chapter to learn more.
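The request and response handling described in this section, as an added example that is not the platform's own code: it builds the threeDSecure fragment for either request style and classifies a response by applied exemption and liability, treating unknown liability as merchant liability. Assumptions: the exemption value "low-value", the appliedExemption value "none", the liability values "issuer"/"merchant", errors being a list of objects, and the cardPaymentMethodSpecificOutput spelling used in the liability note; check each against the API reference.

```python
# Added example; field names follow this page, sample values are constructed.
EXEMPTION_DECLINED = "40001139"  # errors.errorCode quoted on this page


def three_d_secure_input(level, exemption):
    """Build the threeDSecure fragment for one of the two request styles."""
    tds = {"exemptionRequest": exemption}
    if level == "authentication":
        tds["challengeIndicator"] = "no-challenge-requested"
    elif level == "authorisation":
        tds["skipAuthentication"] = True
    else:
        raise ValueError("level must be 'authentication' or 'authorisation'")
    return {"cardPaymentMethodSpecificInput": {"threeDSecure": tds}}


def assess(response):
    """Return (status, applied_exemption) for a payment response."""
    codes = {str(e.get("errorCode")) for e in response.get("errors", [])}
    if EXEMPTION_DECLINED in codes:
        return ("declined", None)
    # CreatePayment nests paymentOutput under "payment"; GetPayment does not.
    out = response.get("payment", response).get("paymentOutput", {})
    results = out.get("cardPaymentMethodSpecificOutput", {}).get(
        "threeDSecureResults", {})
    applied = results.get("appliedExemption")
    if not applied or applied == "none":  # "none" is an assumed value
        return ("no-exemption-applied", None)
    # Assumption: liability is "issuer" when protection is kept.
    if results.get("liability") == "issuer":
        return ("exempted-issuer-liable", applied)
    return ("exempted-merchant-liable", applied)


# Constructed sample responses (not captured from the platform).
GRANTED = {"payment": {"paymentOutput": {"cardPaymentMethodSpecificOutput": {
    "threeDSecureResults": {"appliedExemption": "low-value",
                            "liability": "merchant"}}}}}
DECLINED = {"errors": [{"errorCode": "40001139"}]}

if __name__ == "__main__":
    print(three_d_secure_input("authorisation", "low-value"))
    print(assess(GRANTED), assess(DECLINED))
```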
Implement Soft Decline feature
SCA guidelines allow you to process transactions via the frictionless flow. However, there is always a chance that your customer's bank insists on the challenge flow, resulting in a declined transaction. Our Soft Decline mechanism allows you to recover these transactions. Read our dedicated guide to learn more.
Implement Exemption Engine
If a transaction meets specific requirements, it is exempt from 3-D Secure. However, checking these requirements and sending appropriate payment requests adds complexity to your integration efforts. Our Exemption Engine feature offers welcome relief. Read our dedicated guide to learn more.
Implement Decoupled amount feature
It is possible to process different amounts during the authentication (the 3-D Secure check) and the authorisation (blocking the funds on your customers’ credit card). This feature is very helpful for processing delayed/partially split payments or incrementing an authorised amount. Read our dedicated guide to learn more.
To learn more about 3-D Secure statuses, read our dedicated article Understand 3-D Secure Statuses.