Strong Customer Authentication (SCA) is a payment security regulation introduced by the European Banking Authority (EBA) to ensure that multi-factor authentication is performed for card payments. The EBA has made it mandatory to implement SCA as part of the Revised Payment Services Directive (PSD2) initiative. The amendment is effective from September 14, 2019 and applies to all online transactions where the payment processor and the card Issuing Bank are from the European Economic Area (EEA).
However, if your business is based out of Europe or has a significant customer base in the EEA, it is recommended to be SCA compliant. 3DS 2.0 would be your go-to option to comply with SCA regulations.
To learn more about the aspects, implications and exemptions of PSD2, take a look at our PSD2 Guide.
3-D Secure (3DS) is an additional authentication protocol implemented by the card networks to secure online card transactions. 3DS 2.0 authorizes card payments by collecting user-verifiable information using an authentication window. Its predecessor (3DS 1.0) was not widely adopted due to its lack of mobile-friendliness and poor user experience, which resulted in low approval rates for transactions.
3DS 2.0 improves on 3DS 1.0 by making authentication more flexible and secure, being mobile-friendly, and providing an improved user experience. Issuing Banks that do not support 3DS 2.0 still let the user complete authentication via 3DS 1.0, which redirects the user to a new window to collect a password or OTP.
List of gateways supported in Chargebee for 3DS:
List of gateways not supported in Chargebee for 3DS:
Your customer's background data, such as device fingerprint and IP address, is collected seamlessly during checkout and sent to the Issuing Bank to check whether verification is required. If the Issuing Bank can authenticate the customer based on the background data provided, the customer is exempted from additional verification and the transaction goes through a normal flow with 3DS-verified status.
If the Issuing Bank denies the Frictionless flow and mandates authentication, the customer is prompted to verify via the Challenge flow. The Issuing Bank will then request authentication using 3DS 2.0.
If Challenge flow is necessary and the Issuing Bank does not support 3DS 2.0, the user would then be redirected to a new verification window (3DS 1.0).
Most off-session (customer is away) payments, such as renewals, one-time charges and subscription trial-to-active upgrades, are Merchant Initiated Transactions (MITs) and ideally go through without additional verification, using the customer's previously saved data.
However, there is still a minor possibility that the Issuing Bank may require the customer to authenticate in certain scenarios. Since the user would not be available to authenticate, this would lead to a payment failure. The customer has to be notified about the payment failure and brought online to complete the authentication.
Chargebee only facilitates 3DS with the help of Gateways. Ultimately, it is up to the Issuing Bank to decide whether 3DS verification is necessary for the customer.
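The flows described above (Frictionless, Challenge, 3DS 1.0 fallback, and the off-session failure case) can be modeled as a small routing function. This is an added example, not Chargebee or gateway code; every field name, flow label and sample attempt in it is hypothetical and constructed for illustration.

```javascript
// Added illustration: all field and function names are hypothetical and are
// not part of Chargebee's or any gateway's API.

// Decide how one card payment attempt proceeds. `issuer` models the Issuing
// Bank's answer for this attempt; `offSession` means the customer is away.
function resolve3dsFlow({ offSession, issuer }) {
  if (!issuer.demandsAuthentication) {
    // Issuer accepts the background data (on-session) or the saved data of a
    // Merchant Initiated Transaction (off-session): no extra verification.
    return offSession
      ? { flow: 'mit_exempt', status: 'charged', notify: false }
      : { flow: 'frictionless', status: 'charged_3ds_verified', notify: false };
  }
  if (offSession) {
    // Nobody is present to authenticate: the payment fails and the customer
    // must be notified and brought online.
    return { flow: 'none', status: 'failed_auth_required', notify: true };
  }
  // Customer is present: challenge via 3DS 2.0 when the issuer supports it,
  // otherwise fall back to the 3DS 1.0 redirect window.
  return issuer.supports3ds2
    ? { flow: 'challenge_3ds2', status: 'awaiting_customer', notify: false }
    : { flow: 'redirect_3ds1', status: 'awaiting_customer', notify: false };
}

// Run a batch and collect the attempts that need a "come online" email.
function processAttempts(attempts) {
  const results = attempts.map((a) => ({ id: a.id, ...resolve3dsFlow(a) }));
  return {
    results,
    toNotify: results.filter((r) => r.notify).map((r) => r.id),
  };
}

// Constructed sample data, one attempt per branch.
const sampleAttempts = [
  { id: 'checkout-1', offSession: false, issuer: { demandsAuthentication: false, supports3ds2: true } },
  { id: 'checkout-2', offSession: false, issuer: { demandsAuthentication: true, supports3ds2: true } },
  { id: 'checkout-3', offSession: false, issuer: { demandsAuthentication: true, supports3ds2: false } },
  { id: 'renewal-1', offSession: true, issuer: { demandsAuthentication: false, supports3ds2: true } },
  { id: 'renewal-2', offSession: true, issuer: { demandsAuthentication: true, supports3ds2: true } },
];

const batch = processAttempts(sampleAttempts);
console.log(batch.results.map((r) => `${r.id}: ${r.flow} (${r.status})`).join('\n'));
console.log('notify:', batch.toNotify);
```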
We are working on upgrading our In-app Checkout and Single-page Checkout to handle 3DS flows. When complete, we would handle the 3DS flows (Frictionless or Challenge) and redirections for authentication based on the Issuing Bank's obligation. This way, Chargebee Checkout will ensure that 3DS verification is done if the Issuing Bank demands it.
If you have a Gateway JS + API integration with Chargebee, this flow diagram explains how your new flow will be:
Be prepared to make changes to your Gateway JS and API Integration with Chargebee. We would be releasing our upgraded 3DS-handling APIs and associated docs in the near future.
Sending raw card details to Chargebee via API is not a recommended approach for 3DS. Implementing 3DS for an API-based integration is a cumbersome process that involves multiple steps on your side, and it might affect your payment approval rates as well.
Gateways collect the customer's background information from the browser using their JS and send it to the Issuing Bank. Apart from communicating the customer's background data to the Issuing Bank, Gateways also seamlessly handle 3DS flows and hence have better approval rates. We recommend that you switch to the Gateway JS + Chargebee API integration options that we offer.
For more information in this regard, please contact firstname.lastname@example.org.
Most off-session (customer is away) payments that are Merchant Initiated Transactions are treated as 3DS exemptions as per the regulation. However, as mentioned in the fallback flow, a small percentage of such off-session payments might still require 3DS authentication, if the Issuing Bank mandates it. Such cases can be handled by configuring email notifications for 3DS in Chargebee. This way, the respective customers are notified via email to come online and complete the authentication.
More details on the feature and configuration will be updated soon.
If you have an existing Chargebee - Stripe.js integration, you need to update the integration with the help of our upgraded APIs to ensure that you comply with 3DS/SCA and avoid payment failures.
To understand more about integrating Stripe Elements on your checkout and testing out the 3DS flow, refer to our tutorial on 3DS supported Stripe.js integration.
Braintree.js' 3DS-verified nonce for new and existing stored cards can be passed to Chargebee's APIs for performing the necessary operations. Learn more about the API upgrade for Braintree.js in our API docs.
To understand more about integrating Braintree.js on your checkout page and testing out the 3DS flow, refer to our tutorial on 3DS supported Braintree.js integration.
We have implemented 3DS support for the latest version of Adyen.js using Chargebee.js' 3DS helper module. If you are using Adyen's CSE (Client-Side Encryption), you need to adopt the latest version of Adyen.js to use Chargebee's 3DS helper JS.
Take a look at our 3DS helper JS implementation guide to rewire your Adyen.js integration and accommodate 3DS.
Here's our tentative release plan to roll out 3DS updates in Chargebee:
Week 4, July:
Week 1, August:
Week 2, August:
Week 3, August:
Week 5, August: