PSD2 and Strong Customer Authentication

SCA Overview

Strong Customer Authentication (SCA) is a payment security regulation brought forth by the European Banking Authority (EBA) to ensure that multi-factor authentication is performed for card payments. The EBA has made it mandatory to implement SCA as part of the Revised Payment Services Directive (PSD2) initiative. This applies to all online transactions where the payment processor and the card Issuing Bank are from the European Economic Area (EEA) or the United Kingdom (UK). The amendment was supposed to be effective from September 14, 2019, but the European Banking Authorities (in October 2019) extended the full enforcement to December 31, 2020.

However, if your business is based out of Europe or has a significant customer base in the EEA or UK, it is recommended to be SCA compliant. 3DS 2.0 would be your go-to option to comply with SCA regulations.

3-D Secure: 3-D Secure (3DS) is an additional authentication protocol implemented by the card networks to secure online card transactions. 3DS 2.0 authorizes card payments by collecting user-verifiable information using an authentication window. Its predecessor, 3DS 1.0, was not widely adopted due to a lack of mobile-friendliness and poor user experience, resulting in low approval rates for transactions.

3DS 2.0 has improved upon its predecessor (3DS 1.0) by making authentication more flexible and secure by being mobile-friendly and providing an improved user-experience. Issuing Banks which do not support 3DS 2.0 would still facilitate the user to complete authentication via 3DS 1.0, which redirects the user to a new window to collect password or OTP.

List of gateways supported in Chargebee for 3DS:

1. Stripe
2. Braintree
3. Adyen
4. Checkout.com
5. BlueSnap Direct Integration
6. Worldline Online Payments (formerly Ingenico) Direct Integration
7. Mollie (Beta Release)
8. Network Merchants Incorporated(NMI) (Beta Release)
9. Cybersource Direct Integration
   

List of gateways not supported in Chargebee for 3DS:

1. Authorize.net
2. Pin
3. eWay Rapid
4. Sage Pay
5. Worldline Online Payments (formerly Ingenico) ePayments
6. Paymill
7. NMI
8. Moneris
9. Orbital (Chase Paymentech)
10. Bluepay
11. Bambora
12. Vantiv
13. Worldpay
14. PayPal Pro
15. BlueSnap via Spreedly
16. Worldline Online Payments (formerly Ingenico) via Spreedly
17. Cybersource via Spreedly

3DS Workflows

Frictionless flow

Your customer's background data, such as device fingerprint, IP address, etc., are seamlessly collected during checkout and sent to the Issuing Bank to check if verification is required. If the Issuing Bank can authenticate the customer based on the background data provided, additional verification will be exempted for the customer, and the transaction goes through a normal flow.

Challenge flow

In case the Issuing Bank denies Frictionless flow and mandates authentication, the customer would be prompted to verify via Challenge flow. The Issuing Bank will now request authentication using 3DS 2.0.

If Challenge flow is necessary and the Issuing Bank does not support 3DS 2.0, the user would then be redirected to a new verification window (3DS 1.0).

Fallback flow

Most of the off-session (customer is away) payments, such as renewals, one-time charges, subscription trial to active upgrades, etc., are Merchant Initiated Transactions (MITs) and ideally go through without additional verification using the customer's previously saved data.

However, there is still a minor possibility that the Issuing Bank may demand a customer to authenticate in certain scenarios. Since the user would not be available to authenticate, it would lead to a payment failure. Then, the customer needs to be notified about the payment failure and brought online to complete the authentication.

Checklist for SCA

The series of steps below explain what needs to be done in Chargebee to stay SCA compliant and not lose revenue due to 3DS payment downturns. Completing this checklist incorporates 3DS support for Chargebee Hosted pages(In-app checkout, Single page checkout, Portal) and Chargebee API users.

It is important that you complete the entirety of steps mentioned in the checklist to cover all 3DS flows and thereby, letting Chargebee take care of notifying your customer about the payment failure and following up with them for payment recovery.

1. Enable 3D Secure at your gateway

2. Enable 3D Secure in Chargebee

3. Enable Dunning for Online Payments

4. Configure Dunning Emails

5. Include Failure reason and Pay Now in Dunning Emails

Configuration: Detailed

Complete the configuration steps below to start testing payments via 3DS flow in your Chargebee Test site,

1. Enable 3DS at your gateway

Stripe has 3DS enabled by default for all merchants.

Braintree also has 3DS enabled by default, but only for EU merchants. If you're operating outside EU and using Braintree, contact Braintree's support to get it enabled.

Adyen has 3DS enabled by default for one-time payments. Contact Adyen's support to enable 3DS for recurring payments.

To enable 3DS for other Chargebee supported gateways, contact your gateway.

Make sure 3DS is enabled in your gateway account before enabling it in Chargebee.

2. Enable 3DS in Chargebee

You can toggle Enable 3D Secure under Settings> Configure Chargebee> Payment gateways> {gateway you use}> Cards> Manage. 3DS can only be enabled for the supported gateways in Chargebee.

You can enable 3DS in your Chargebee Test site to extensively test out 3DS flows. When done testing, you can then enable it in your Live site and start charging customers the 3DS way.

3. Enable Dunning

Dunning ensures the invoices of failed payments get into a retry(charge retry) and follow up(email notifications) cycle. Dunning is the prime payment recovery mechanism in Chargebee for 3DS payment failures due to authentication requirement. This way, the customer could be prompted to come online and complete the authentication.

Enable dunning to ensure that the respective customers are acknowledged when a 3DS payment failure occurs to their card.

Since 3DS authentication failure is a hard decline and needs customer intervention, Chargebee will not retry 3DS failures. Only exception is when you have set custom retry in Chargebee. Therefore for Smart retry, Chargebee will not retry if it is a 3DS payment failure. However, if you have set up custom retries, we will retry only on the last day of dunning period before the final action is taken.

4. Configure Dunning Emails

Configure the dunning reminder email "On first payment failure", so that it can be sent as soon as a transaction fails because of 3DS authentication requirement. Further, you can configure more reminder emails and set the frequency at which they need to be sent to remind customers about the payment failure. Dunning emails for 3DS have no separate template and will hitchhike on the regular dunning emails.

Note that dunning reminder emails will be sent to your customers until the invoice is paid or until the dunning period expires.

5. Include Failure reason & Pay Now

This is an important step to acknowledge your customers about a 3DS failure, so that, they can come back online and authenticate using Pay Now.

Clicking on the Pay Now option will redirect your customers to Chargebee's Pay Now page which lists all their unpaid invoices. They can now select the invoices and click Pay to authenticate and complete the transaction.

Email notifications will show a Failure reason checkbox while you click on the template (shown in screenshot below). Make sure it is checked so that the email when sent will have the failure reason embedded in it.

Handling Fallback flow in Chargebee

Off-session (customer is away) payments are Merchant Initiated Transactions and corresponding exemptions will be applied as per the regulation. However, as mentioned in the Fallback flow, a small percentage of such off-session payments might still require 3DS authentication, if the Issuing Bank mandates it.

In such cases, the payment would fail. However in Chargebee, the intended action would still be performed and the invoice would get into dunning. The customer would then be followed up via dunning emails as per the frequency configured in your dunning settings with the payment failure reason and the Pay Now option.

When the customer clicks on Pay Now, they would be taken to Chargebee's Pay Now page to select the invoices which they intend to pay. After selecting the invoices, when the customer clicks on Pay, they will be shown the 3DS verification window/pop-up to verify their identity and complete the payment.

Integrations and Impacts

Chargebee Hosted Pages

Chargebee Hosted Pages can handle all the flows involved in a 3DS transaction. If you are using Chargebee's In-app Checkout, Single-page Checkout or Portal then enabling 3DS for your transaction can be done in just a few simple steps as explained in our PSD2 checklist and configuration.

You can test out 3DS for Checkout using Chargebee Test gateway's 3DS test cards. If you need to test 3DS for Stripe, Braintree and Adyen gateways, you can test using their respective 3DS test cards.

Also make sure you're using one of our 3DS supported gateways. If not, drop us a note at support and we can help you with the migration.

Gateway JS and Chargebee APIs

If you have a Gateway JS + API integration with Chargebee, this flow diagram explains how your new flow will be:

Chargebee supports 3DS for JS integrations of Stripe, Braintree and Adyen. Take a look at our sections on Stripe.js, Braintree.js and Adyen.js to understand the changes that needs to go into your JS integration. You can the test the gateways for 3DS flows in your Chargebee Test site using their respective 3DS test cards.

API-based Integration

Sending raw card details to Chargebee via API is not a recommended approach for 3DS. Implementing 3DS for API-based integration is a cumbersome process that involves multiple steps on your side, which might affect your payment approval rates.

Gateways play the role of collecting background information of a customer from the browser using their JavaScript and sending it to the Issuing Bank. In addition to communicating the customer's background data to the Issuing Bank, gateways also seamlessly handle 3DS flows and thus have better approval rates. We recommend switching to Chargebee.js or Gateway JS + Chargebee API integration options that we support and configure 3DS in Chargebee using those options.

For more information on this regard, please contact support.

3DS Implementation in Chargebee Using Gateway JS

Stripe.js

If you have an existing Chargebee - Stripe.js integration, you need to update the integration with the help of our upgraded APIs to ensure that you comply with 3DS/SCA and avoid payment failures.

If you have an existing Chargebee - Stripe.js integration, you need to update the integration with the help of our upgraded APIs to ensure compliance with 3DS/SCA and avoid payment failures.

To understand more about integrating Stripe Elements on your checkout and testing out the 3DS flow, refer to our tutorial on 3DS supported Stripe.js integration.

Braintree.js

Braintree.js' 3DS-verified nonce for new and existing stored cards can be passed to Chargebee's APIs for performing the necessary operations. Learn more about the API upgrade for Braintree.js in our API docs.

To understand more about integrating Braintree.js on your checkout page and testing out the 3DS flow, refer to our tutorial on 3DS supported Braintree.js integration.

Adyen.js

We have implemented 3DS support for the latest version of Adyen.js using Chargebee.js 3DS helper module. If you are using Adyen's CSE (Client-Side Encryption), you need to adopt the latest version of Adyen.js to avail Chargebee's 3DS helper JS.

Take a look at our 3DS helper JS implementation guide to rewire your Adyen.js integration and accommodate 3DS.

Checkout.com js

3DS support for the latest version of Checkout.com js using Chargebee.js is available. To learn more about this integration, take a look at our 3DS helper JS implementation guide

FAQs

1. Does Chargebee support Stripe's SetupIntent?

Yes, SetupIntent can be used to authorize a 3DS transaction for a new card. There will be no amount involved, and only important thing is that a customer needs to undergo verification.

**2. What happens to existing cards in vault after September 14, 2019? **

Cards which are already in gateway's vault will not go through 3DS verification in most cases. Gateways such as Stripe, Braintree and Adyen affirm that they would apply appropriate SCA exemptions to such cards.

3. What should I do if I face the error "Operation failed as the EU country entered in billing address by customer cannot be verified against IP address or card BIN number"?

Turn off location validation in your test site while testing 3DS, as there might be a mismatch between IP address and the card BIN.

You can find location validation under Settings> Configure Chargebee> Taxes. Click on the corresponding country and clear the Enable location validation checkbox.

4. How do I filter out 3DS payment failures and notify my customers to authenticate?

There are two ways to instruct customers to authenticate 3DS failed payments,

1. By sending Dunning reminder emails with failure reason and Pay Now option, which is essentially the steps 3, 4 and 5 in the checklist.
2. By filtering the invoices using "With 3DS Authentication Pending" filter, and sending bulk authentication email.
3. By navigating to any invoice facing 3DS failure and using the Send authentication reminder present at the top of the page.

5. Can I perform minimum amount 3DS authorization to ensure that future payments go through without requiring customer intervention?

Yes, you can perform minimum amount 3DS authorization, but only while collecting new card for future payment(no immediate charge).

Using Stripe.js:

Stripe users can make use of SetupIntent API to perform 3DS verification for a card without any charge. You can pass the SetupIntent id to Chargebee's payment_intent[gw_token]. Setup Intent API can only be used for cases that do not involve immediate payment.

Braintree.js:

Braintree users can make use of a minimum amount(say 1$) and perform 3DS verification for that amount. Following successful verification, the minimum amount authorized will then be released to the customer automatically.