Strong Customer Authentication and 3D secure?

Lucan Unlordly

A number of our customers are experiencing difficulty making online payments via Worldpay, due, we are told, to the government's rollout of SCA (Strong Customer Authentication) and 3D Secure. I hadn't a clue about this happening, and neither, it seems, does the general public, so I'm trying to establish the facts in idiot-proof form so that we can send out an explanatory email.

Need to cover:
1. When is the actual final deadline for rollout? (EDITED: apparently the deadline is 14th March 2022)

2. Worldpay tell me 3d secure is set up by the cardholder via their card issuing banking app. On a financial advice website it says that retailers should be ready and prepared. Confused?

3. Any other helpful advice?
 

Solve My Problem

This has been in the pipeline for a very long time and 3d secure notices are more and more common with customers requiring approval using apps and txts.

I am pretty sure the majority of people have come across this in the last 24 months and are used to it in the form of 3d secure, but the new enhanced version is 3DSv2. It basically means the customer has to confirm the purchase. It's a pain, but it is what it is.

The Strong Customer Authentication (SCA) is an EU regulation that has been gearing up for a while and already implemented in one guise or another.

Your ecommerce system should be running the latest Worldpay integration, and it should be fairly seamless. Customer orders, a validation pops up, the customer confirms, the validation closes and confirms the checkout.

If you see more declines, call the customer, take a payment over the phone.

Barclays have the following timeline

From 18 January 2022, if you are non-compliant, you could be at risk of losing up to 10% of your card sales. This is because UK card issuers are increasingly required to decline non-compliant payments in the run-up to the deadline. That loss of card sales could rapidly increase to up to 50% by the end of February in the run-up to the SCA regulatory deadline.

From 14 March 2022, all online card payments that are non-compliant (not using 3DS or have valid exemptions) will be declined. In short, if you don’t take action as a merchant, you may experience:

• declined transactions and loss of card sales

• potential scheme fines (we’ll provide notice if fines are to be applied)

• Potential increased fraud risk

• Increased customer calls or complaints


Darren
 

Ozzy

Founder of UKBF
UKBF Staff
    The problem we've come against in our eFiling platform is the merchants not updating their configuration from 3D Secure v1 to v2 which includes SCA, despite having rolled out the update in our platform some 7-8 months ago. So I would check you are using Worldpay's latest integration/plugin.
    At the moment declines are at the discretion of the card issuer, so we are seeing a mix of approve and declines especially around stored card payments. Recurring payments are fine, but from what we see it's intermittent declines for now.
     

    Solve My Problem

    > I don't have any banking apps on my mobile.
    Most people are being pushed this way, they generally still use phone/sms as well, the app being the smoothest way.

    It's not optional for merchants, for low value transactions this isn't an issue although I believe a daily allowance will also take effect.

    Lloyds for example list the following.

    When checking out purchases over a certain amount, you’ll notice the extra security during payment. The payment screen will ask you to verify yourself. You can do this through your:

    • App: Use the app to verify your purchase.
    • Mobile: We’ll text a passcode to your mobile phone, which you then enter on the payment screen.
    • Landline: This will be an automated call to your landline, asking you to say a code which comes up on the payment screen.

    The other option is to put a notice on the website before the checkout, advising of the new security in place.
     

    Lucan Unlordly

    I've just done a test purchase on our system using a Barclays VISA Debit card, ticked Captcha and had no 3d secure request.

    My customer has just tried to pay using a Barclays VISA Debit card and cannot get past Captcha nor see a 3d security request!

    The plot thickens!
     

    Lucan Unlordly

    UPDATE: This is a Worldpay issue. Whether it's just our setup or a broader issue is unknown but as a 24 hour fix the latter seems more probable?

    The declined payments are primarily from customers using VISA cards starting with the same sets of 4 digits. Most of those that have failed to complete start with 4658. This is to do with 3D secure not being applied to our sites.
     

    SecuredPay

    > That's what's happening to us.
    >
    > Worldpay tell us that the customer needs to talk to their card issuer, to download their banking app etc.,?
    >
    > I don't have any banking apps on my mobile.

    Hi,

    They are kind of right, it depends what WorldPay gateway you are using?

    WorldPay online is a discontinued gateway.
    The Business gateway is very old tech.
    Their integration with Shopify via XML can only support 3DS1
    Corporate gateway just costs a lot of money.

    Let me know and I’ll tell you what they aren’t telling you.
     

    SecuredPay

    What does SCA mean for ecommerce?

    Online shoppers will see more challenges for authentication to prove they actually are the card owner. With 3DS1, issuers typically require a password to be entered to verify the transaction.

    3DS2 is far more sophisticated and improves the checkout experience compared to 3DS1. It can use over 100 data elements (such as the customer’s shipping address, device fingerprint, and payment history) sent to the issuer to assess its risk level. This all takes place behind the scenes within the checkout process, meaning a smoother, more secure payment flow. Based on this data, the issuer will either authorise the payment (frictionless-flow) or “step up” to a two-factor authenticated transaction by challenging the cardholder to provide additional information to authenticate the transaction by, for example entering a one-time passcode sent to their mobile device.

    Exemptions

    Not all transactions will require additional authentication. PSD2 provides a number of exemptions to SCA, to minimise friction in customer payment journeys. Those relevant to customers are:

    1. Low value exemption
    2. Specific MCC exemption
    3. Recurring payment exemption
    4. Whitelisting (or trusted beneficiary) exemption
    5. Mail order / Telephone order (MOTO)

    Low-value exemption

    Card transactions below €50 are considered low value and are generally exempt from SCA. However, if the customer initiates more than five consecutive low value payments or if the total payments value exceeds €100, SCA will be required.
     
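The low-value exemption rule described in the post above, worked through as an added example that is not part of the original thread. The class and function names, the `tok_sample` card token and the reset-after-challenge behaviour are assumptions made for illustration; the €50, €100 and five-payment limits are the ones quoted in the post, and the merchant-initiated/MOTO branch follows what a later post in this thread says.

```python
from dataclasses import dataclass
from decimal import Decimal

LOW_VALUE_LIMIT = Decimal("50")    # "below €50" is low value (from the post)
CUMULATIVE_LIMIT = Decimal("100")  # running total of exempted payments
MAX_CONSECUTIVE = 5                # a sixth exempted payment in a row needs SCA


@dataclass
class CardState:
    """Per-card counters since the cardholder last completed SCA."""
    exempt_count: int = 0
    exempt_total: Decimal = Decimal("0")


class LowValueExemptionTracker:
    def __init__(self):
        self._cards = {}  # card token -> CardState

    def decide(self, card_token, amount, customer_initiated=True):
        """Return (decision, reason) for a single payment."""
        amount = Decimal(str(amount))
        if not customer_initiated:
            # Merchant-initiated / MOTO payments are described in the
            # thread as falling outside SCA, so counters are untouched.
            return "no_sca", "merchant-initiated or MOTO"
        state = self._cards.setdefault(card_token, CardState())
        if amount >= LOW_VALUE_LIMIT:
            return self._challenge(state, "amount is not below the low-value limit")
        if state.exempt_count + 1 > MAX_CONSECUTIVE:
            return self._challenge(state, "more than five consecutive low-value payments")
        if state.exempt_total + amount > CUMULATIVE_LIMIT:
            return self._challenge(state, "cumulative low-value total exceeds the limit")
        state.exempt_count += 1
        state.exempt_total += amount
        return "exempt", "low-value exemption"

    @staticmethod
    def _challenge(state, reason):
        # Assumption: the challenge is completed, which resets both counters.
        state.exempt_count = 0
        state.exempt_total = Decimal("0")
        return "sca_required", reason


def run_sample():
    """Constructed sample: one card making a run of small payments."""
    tracker = LowValueExemptionTracker()
    amounts = ["30", "30", "30", "45", "10", "10", "10", "10", "10", "10", "10"]
    return [tracker.decide("tok_sample", a)[0] for a in amounts]
```

In the constructed run, the fourth payment trips the cumulative limit (90 + 45 is over 100) and the tenth trips the consecutive-payment limit, which is why a customer can see a challenge on a small purchase.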

    SecuredPay

    We are seeing an increased decline in B2B payments, the reason for this is admin staff using Directors' cards. In these cases the card holder isn’t present for the transaction, thus the process fails.

    While I don’t encourage this practice my customers are losing money and customers. We do have a workaround using API.

    Happy to chat through situations individually.

    Kev
     

    Lucan Unlordly

    > Hi,
    >
    > They are kind of right, it depends what WorldPay gateway you are using?
    >
    > WorldPay online is a discontinued gateway.
    > The Business gateway is very old tech.
    > Their integration with Shopify via XML can only support 3DS1
    > Corporate gateway just costs a lot of money.
    >
    > Let me know and I’ll tell you what they aren’t telling you.

    As per previous post, it was a Worldpay issue whereby 3D secure on certain cards had not been 'switched on' ...
     

    Lucan Unlordly

    I'm bouncing this thread to see if anyone else is experiencing issues with Mastercards and 3D secure when using Worldpay?

    > The declined payments are primarily from customers using VISA cards starting with the same sets of 4 digits. Most of those that have failed to complete start with 4658. This is to do with 3D secure not being applied to our sites.

    ...as per my post back in February, the problem is now with Mastercards, or rather getting Worldpay to do something about it. It's been well over a week now, 3 phonecalls, 3 emails and zero satisfactory outcome.

    Is anybody else experiencing similar difficulties?
     

    Ozzy

    > Is anybody else experiencing similar difficulties?

    An update from us on this, we removed our integration with Worldpay from our platform as they were so far behind in implementing 3DSv2 (SCA) that their gateway became incompatible with the current VISA and MasterCard standards.
    Our clients needed to migrate onto a different payment gateway and since then have not had any issues.
     

    Lucan Unlordly

    UPDATE: ...as per post of February 1st, this is an easy fix but one that Worldpay Customer Service and Tech Department seem unable to identify without some 'strong guidance'.;)

    The same applied this time with Mastercards starting with the same 4 numbers. Having been told it was our customers trying to avoid 3D secure (it wasn't) and us insisting this was a simple 'tick' in the relevant box as before, we were asked to email Customer Amendments to check that 3D was enabled on all cards. Having received no reply and at the end of our tether a very helpful lady, after some persuasion, went back to Tech and found the problem. All sorted in a matter of minutes after a week and several long-winded phone calls. :mad:

    One would hope that a memo will be going out to everyone who answers the Worldpay telephones now?
     

    Paul Carmen

    We are seeing B2B issues, we think we've resolved our own issues (taking payments) well in advance, this is mainly for our invoice or B2C payments, so the cardholder is expecting the challenge.

    However, we have had problems with regular B2B payments we make to 3rd parties. This is effectively where our credit card/debit cards are charged by 3rd party service providers. These transactions can be regular, but are often large and for variable amounts.

    These seem to either auto decline or challenge, but as these can go through at potentially any time (e.g. to top up funds on some systems). As we don't know when this will happen, it's hard to manage, as it could be in the middle of the night with many US suppliers!

    I spoke to our business bank/card issuer (Santander), as already knowing about this I asked to whitelist several regular merchants (that would be at our risk), as per our understanding of 3DSv2 (SCA). I've escalated it as a complaint to try to get more info, but they basically said they know nothing about this whitelisting option and it can't be done!!!

    I get that whitelisting can be done on an online payment via the 3d secure option. But, if this does not come up, or it's auto declined, or an SMS is sent, how does it work, have I misunderstood or is there some way of doing it that I'm missing/not aware of?

    Alternatively, and more worryingly, has this just been thought of largely for B2C one off sales and the needs/behaviours of B2B transactions is ill thought out?
     
    > We are seeing B2B issues, we think we've resolved our own issues (taking payments) well in advance, this is mainly for our invoice or B2C payments, so the cardholder is expecting the challenge.
    >
    > However, we have had problems with regular B2B payments we make to 3rd parties. This is effectively where our credit card/debit cards are charged by 3rd party service providers. These transactions can be regular, but are often large and for variable amounts.
    >
    > These seem to either auto decline or challenge, but as these can go through at potentially any time (e.g. to top up funds on some systems). As we don't know when this will happen, it's hard to manage, as it could be in the middle of the night with many US suppliers!
    >
    > I spoke to our business bank/card issuer (Santander), as already knowing about this I asked to whitelist several regular merchants (that would be at our risk), as per our understanding of 3DSv2 (SCA). I've escalated it as a complaint to try to get more info, but they basically said they know nothing about this whitelisting option and it can't be done!!!
    >
    > I get that whitelisting can be done on an online payment via the 3d secure option. But, if this does not come up, or it's auto declined, or an SMS is sent, how does it work, have I misunderstood or is there some way of doing it that I'm missing/not aware of?
    >
    > Alternatively, and more worryingly, has this just been thought of largely for B2C one off sales and the needs/behaviours of B2B transactions is ill thought out?

    Sorry, why are payments being challenged in the middle of the night?

    SCA / 3DS2 will only happen when it is a customer initiated transaction. If your card is stored / tokenised for settlement against an invoice this payment is a merchant initiated transaction and will therefore be non-secure i.e. MOTO payment, so no SCA / 3DS2.

    My understanding is, and no one is willing to admit this at present, there are a few PSPs that are wrongfully applying SCA / 3DS2 to what should be MOTO payments.

    Whitelisting will be a step too far for Santander.

    As an ex-employee of 2 large UK merchant acquirers I know merchants are being fobbed off. Service staff don’t know or understand. I am currently challenging 2 merchant banks and a PSP for 2 of my clients, it’s very frustrating.
     

    Paul Carmen

    > Sorry, why are payments being challenged in the middle of the night?
    >
    > SCA / 3DS2 will only happen when it is a customer initiated transaction. If your card is stored / tokenised for settlement against an invoice this payment is a merchant initiated transaction and will therefore be non-secure i.e. MOTO payment, so no SCA / 3DS2.

    I've no idea, Santander business banking are about as much help as a chocolate teapot, they kept referring me to a pre written page that was vague at best!

    My suspicion is these are transactions that either have swapped over to SCA / 3DS2, and one is a USA-based company that has not migrated properly in time.

    We pay for several service/software based systems. These recur every month/quarter and have overages above packages that will charge ad hoc when usage means the balance falls below a threshold, so can be charged at any day/time.

    It's these that are being challenged now. The annoying thing is if I could whitelist them then no problem, but the challenges don't let me.

    One has auto declined repeatedly, Santander's advice was to use a different payment method (non card), but that's not an option. The other sent a challenge via SMS (with no option to whitelist), which I approved via SMS, but I had to then reprocess the payment online, but it went straight through with no 3Ds challenge, so again I couldn't whitelist anything and may be in the same boat next month!

    Are these MOTO payments, as they are automated online, and if so I'm assuming this challenge isn't meant to work that way, as it's not fit for purpose?
     

    Sparetoolparts

    I was told this:

    Your integration needs to pass "challengeRequested: true" on the "verifyCard()" call or when invoking 3D Secure. Because these parameters are a part of your client-side integration, and because your client-side is handled by your Magento integration, you will need to work with Magento to ensure you are requesting a challenge
     

    antropy

    > A beast to keep up-to-date but I'm too far invested to move at present, just in the middle of the upgrade cycle

    Indeed it is, I wrote about why that is here: https://www.antropy.co.uk/blog/the-lure-of-magento/

    "too far invested" you know in accounting they call that the sunk cost fallacy:
    "This is the sunk cost fallacy, and such behavior may be described as "throwing good money after bad",[20][15] while refusing to succumb to what may be described as "cutting one's losses".[15] For example, some people remain in failing relationships because they “have already invested too much to leave.” Still others are swayed by arguments that a war must continue because lives will have been sacrificed in vain unless victory is achieved. Likewise, individuals caught up in psychic scams will continue investing time, money and emotional energy into the project, despite doubts or suspicions that something is not right.[21] These types of behaviour do not seem to accord with rational choice theory and are often classified as behavioural errors.[22]"
    https://en.wikipedia.org/wiki/Sunk_cost#Fallacy_effect

    Presumably your site is very custom?

    Paul.
     

    14Steve14

    We use Stripe SCA for our payments and with 3DSecure setup on the account we are having the odd problem with unaware customers not knowing how the system works. The biggest problem we are having is those who use a mobile to order from the website, then get confused when the message pings and they lose or shut down the website to see the number, then they don't come back to the site to make the payment even though the items are still in their basket. It has occasionally failed when customers use a bank's app for some reason.

    I can honestly say our recover carts mod was worth the money and is now earning its keep on the site.
     