PSD2 and Strong Customer Authentication

SCA overview

Strong Customer Authentication (SCA) is a payment security regulation introduced by the European Banking Authority (EBA) to ensure multi-factor authentication for card payments. The EBA has made it mandatory to implement SCA as part of the Revised Payment Services Directive (PSD2) initiative. This applies to all online transactions where the payment processor and the card issuing bank are from the European Economic Area (EEA) or the United Kingdom (UK). The amendment was supposed to be effective from September 14, 2019, but the European Banking Authorities (in October 2019) extended full enforcement to December 31, 2020.

If your business is based in Europe or has a significant customer base in the EEA or UK, it is recommended to be SCA compliant. 3DS 2.0 is the recommended option to comply with SCA regulations.

3-D Secure
3-D Secure (3DS) is an additional authentication protocol implemented by the card networks to secure online card transactions. 3DS 2.0 authorizes card payments by collecting user-verifiable information using an authentication window. Its predecessor, 3DS 1.0, was not widely adopted due to a lack of mobile-friendliness and poor user experience, resulting in low approval rates for transactions.

3DS 2.0 improves upon 3DS 1.0 by making authentication more flexible and secure, being mobile-friendly, and providing an improved user experience. Issuing banks that do not support 3DS 2.0 will still facilitate authentication via 3DS 1.0, which redirects the user to a new window to collect a password or OTP.

List of gateways supported in Chargebee for 3DS:

1. Stripe
2. Braintree
3. Adyen
4. Checkout.com
5. BlueSnap Direct Integration
6. Worldline Online Payments (formerly Ingenico) Direct Integration
7. Mollie (Beta Release)
8. Network Merchants Incorporated (NMI) (Beta Release)
9. Cybersource Direct Integration
   

List of gateways not supported in Chargebee for 3DS:

1. Authorize.net
2. Pin
3. eWay Rapid
4. Sage Pay
5. Worldline Online Payments (formerly Ingenico) ePayments
6. Paymill
7. NMI
8. Moneris
9. Orbital (Chase Paymentech)
10. Bluepay
11. Bambora
12. Vantiv
13. Worldpay
14. PayPal Pro
15. BlueSnap via Spreedly
16. Worldline Online Payments (formerly Ingenico) via Spreedly
17. Cybersource via Spreedly

3DS workflows

Frictionless flow

Your customer's background data, such as device fingerprint and IP address, is seamlessly collected during checkout and sent to the issuing bank to check if verification is required. If the issuing bank can authenticate the customer based on the background data provided, additional verification will be exempted, and the transaction goes through a normal flow.

Challenge flow

If the issuing bank denies frictionless flow and mandates authentication, the customer is prompted to verify via challenge flow. The issuing bank will request authentication using 3DS 2.0.

If challenge flow is necessary and the issuing bank does not support 3DS 2.0, the user is redirected to a new verification window (3DS 1.0).

Fallback flow

Most off-session (customer is away) payments, such as renewals, one-time charges, subscription trial to active upgrades, etc., are merchant-initiated transactions (MITs) and ideally go through without additional verification using the customer's previously saved data.

However, there is still a minor possibility that the issuing bank may demand customer authentication in certain scenarios. Since the user would not be available to authenticate, it would lead to a payment failure. The customer then needs to be notified about the payment failure and brought online to complete the authentication.

Checklist for SCA

The steps below explain what needs to be done in Chargebee to stay SCA compliant and avoid revenue loss due to 3DS payment downturns. Completing this checklist incorporates 3DS support for Chargebee Hosted Pages (in-app checkout, single page checkout, portal) and Chargebee API users.

It is important to complete all steps in the checklist to cover all 3DS flows, allowing Chargebee to notify your customer about payment failure and follow up for payment recovery.

1. Enable 3D Secure at your gateway.
2. Enable 3D Secure in Chargebee.
3. Enable Dunning for Online Payments.
4. Configure Dunning Emails.
5. Include Failure reason and Pay Now in Dunning Emails.

Configuration: Detailed

Complete the configuration steps below to start testing payments via 3DS flow in your Chargebee test site.

1. Enable 3DS at your gateway

Stripe has 3DS enabled by default for all merchants.

Braintree also has 3DS enabled by default, but only for EU merchants. If you're operating outside the EU and using Braintree, contact Braintree support to get it enabled.

Adyen has 3DS enabled by default for one-time payments. Contact Adyen support to enable 3DS for recurring payments.

To enable 3DS for other Chargebee supported gateways, contact your gateway.

Make sure 3DS is enabled in your gateway account before enabling it in Chargebee.

2. Enable 3DS in Chargebee

You can toggle Enable 3D Secure under Settings > Configure Chargebee > Payment gateways > {gateway you use} > Cards > Manage. 3DS can only be enabled for the supported gateways in Chargebee.

You can enable 3DS in your Chargebee test site to extensively test 3DS flows. When done testing, you can then enable it in your live site and start charging customers using 3DS.

3. Enable Dunning

Dunning ensures invoices of failed payments get into a retry (charge retry) and follow-up (email notifications) cycle. Dunning is the primary payment recovery mechanism in Chargebee for 3DS payment failures due to authentication requirements. This way, the customer can be prompted to come online and complete the authentication.

Enable dunning to ensure that customers are notified when a 3DS payment failure occurs on their card.

Since 3DS authentication failure is a hard decline and needs customer intervention, Chargebee will not retry 3DS failures. The only exception is when you have set custom retry in Chargebee. For Smart retry, Chargebee will not retry if it is a 3DS payment failure. However, if you have set up custom retries, we will retry only on the last day of the dunning period before the final action is taken.

4. Configure Dunning Emails

Configure the dunning reminder email "On first payment failure" so that it can be sent as soon as a transaction fails because of 3DS authentication requirement. You can configure more reminder emails and set the frequency at which they need to be sent to remind customers about the payment failure. Dunning emails for 3DS have no separate template and will use the regular dunning emails.

Note that dunning reminder emails will be sent to your customers until the invoice is paid or until the dunning period expires.

5. Include Failure reason and Pay Now

This is an important step to notify your customers about a 3DS failure, so they can come back online and authenticate using Pay Now.

Clicking on the Pay Now option will redirect your customers to Chargebee's Pay Now page, which lists all their unpaid invoices. They can select the invoices and click Pay to authenticate and complete the transaction.

Email notifications will show a Failure reason checkbox while you click on the template (shown in the screenshot below). Make sure it is checked so that the email, when sent, will have the failure reason embedded in it.

Handling fallback flow in Chargebee

Off-session (customer is away) payments are merchant-initiated transactions, and corresponding exemptions will be applied as per the regulation. However, as mentioned in the Fallback flow, a small percentage of such off-session payments might still require 3DS authentication if the issuing bank mandates it.

In such cases, the payment will fail. However, in Chargebee, the intended action will still be performed and the invoice will get into dunning. The customer will then be followed up via dunning emails as per the frequency configured in your dunning settings, with the payment failure reason and the Pay Now option.

When the customer clicks on Pay Now, they are taken to Chargebee's Pay Now page to select the invoices they intend to pay. After selecting the invoices, when the customer clicks on Pay, they will see the 3DS verification window or pop-up to verify their identity and complete the payment.

Integrations and impacts

Chargebee Hosted Pages

Chargebee Hosted Pages can handle all the flows involved in a 3DS transaction. If you are using Chargebee's In-app Checkout, Single-page Checkout, or Portal, then enabling 3DS for your transaction can be done in just a few simple steps as explained in our PSD2 checklist and configuration.

You can test 3DS for Checkout using Chargebee Test gateway's 3DS test cards. If you need to test 3DS for Stripe, Braintree, and Adyen gateways, you can test using their respective 3DS test cards.

Also, make sure you're using one of our 3DS supported gateways. If not, contact support and we can help you with the migration.

Gateway JS and Chargebee APIs

If you have a Gateway JS + API integration with Chargebee, this flow diagram explains how your new flow will be:

Chargebee supports 3DS for JS integrations of Stripe, Braintree, and Adyen. Take a look at our sections on Stripe.js, Braintree.js, and Adyen.js to understand the changes needed for your JS integration. You can test the gateways for 3DS flows in your Chargebee test site using their respective 3DS test cards.

API-based integration

Sending raw card details to Chargebee via API is not a recommended approach for 3DS. Implementing 3DS for API-based integration is a complex process that involves multiple steps on your side, which might affect your payment approval rates.

Gateways collect background information of a customer from the browser using their JavaScript and send it to the issuing bank. In addition to communicating the customer's background data to the issuing bank, gateways also seamlessly handle 3DS flows and thus have better approval rates. We recommend switching to Chargebee.js or Gateway JS + Chargebee API integration options that we support and configure 3DS in Chargebee using those options.

For more information, please contact support.

3DS implementation in Chargebee using Gateway JS

Stripe.js

If you have an existing Chargebee - Stripe.js integration, you need to update the integration with the help of our upgraded APIs to ensure compliance with 3DS/SCA and avoid payment failures.

To understand more about integrating Stripe Elements on your checkout and testing out the 3DS flow, refer to our tutorial on 3DS supported Stripe.js integration.

Braintree.js

Braintree.js' 3DS-verified nonce for new and existing stored cards can be passed to Chargebee's APIs for performing the necessary operations. Learn more about the API upgrade for Braintree.js in our API docs.

To understand more about integrating Braintree.js on your checkout page and testing out the 3DS flow, refer to our tutorial on 3DS supported Braintree.js integration.

Adyen.js

We have implemented 3DS support for the latest version of Adyen.js using Chargebee.js 3DS helper module. If you are using Adyen's CSE (Client-Side Encryption), you need to adopt the latest version of Adyen.js to use Chargebee's 3DS helper JS.

Take a look at our 3DS helper JS implementation guide to rewire your Adyen.js integration and accommodate 3DS.

Checkout.com js

3DS support for the latest version of Checkout.com js using Chargebee.js is available. To learn more about this integration, take a look at our 3DS helper JS implementation guide.

FAQs

1. Does Chargebee support Stripe's SetupIntent?

Yes, SetupIntent can be used to authorize a 3DS transaction for a new card. There will be no amount involved, and the customer needs to undergo verification.

2. What happens to existing cards in the vault after September 14, 2019?

Cards already in the gateway's vault will not go through 3DS verification in most cases. Gateways such as Stripe, Braintree, and Adyen affirm that they will apply appropriate SCA exemptions to such cards.

3. What should I do if I face the error "Operation failed as the EU country entered in billing address by customer cannot be verified against IP address or card BIN number"?

Turn off location validation in your test site while testing 3DS, as there might be a mismatch between IP address and the card BIN.

You can find location validation under Settings* > Configure Chargebee > *Taxes. Click on the corresponding country and clear the Enable location validation checkbox.

4. How do I filter out 3DS payment failures and notify my customers to authenticate?

There are two ways to instruct customers to authenticate 3DS failed payments:

1. By sending dunning reminder emails with failure reason and Pay Now option, which is essentially steps 3, 4, and 5 in the checklist.
2. By filtering the invoices using the "With 3DS Authentication Pending" filter, and sending bulk authentication emails.
3. By navigating to any invoice facing 3DS failure and using the Send authentication reminder present at the top of the page.

5. Can I perform minimum amount 3DS authorization to ensure that future payments go through without requiring customer intervention?

Yes, you can perform minimum amount 3DS authorization, but only while collecting a new card for future payment (no immediate charge).

Using Stripe.js:

Stripe users can use the SetupIntent API to perform 3DS verification for a card without any charge. You can pass the SetupIntent id to Chargebee's payment_intent[gw_token]. SetupIntent API can only be used for cases that do not involve immediate payment.

Braintree.js:

Braintree users can use a minimum amount (for example, $1) and perform 3DS verification for that amount. Following successful verification, the minimum amount authorized will then be released to the customer automatically.