SCA (Strong Customer Authentication)

With the introduction of PSD2 (an EU directive that stands for "Payment Service Directive 2", which is a revised version of PSD1), new standards are set for how payments are handled in the European payment industry. Without going into detail, this means that a number of measures have been introduced to make online payments more secure, while making validation with 3D-Secure more automated, making it easier to shop online. The procedure is called SCA, which stands for "Strong Customer Authentication", and includes a new version of 3D-Secure, which we abbreviate as 3DSv2 (3D-secure version 2).

HINT: See our glossary below if you want to know more about what the abbreviations in this article mean.

Setup

You can find the settings under Settings > Acquirers:

SCA Settings

1. SCA mode

  • On EU payments: All cards issued in EU and EEA countries are forced through 3DSv2 (the remaining are assessed individually)
  • All payments: All cards regardless of country are forced through 3DSv2

Notice: Transactions forced through 3DSv2 are attempted to be validated via a frictionless flow (an invisible validation based on a number of factors in 3DSv2) and must be approved by the card holder if necessary. The remaining transactions are risk assessed and run through 3DSv2 where necessary. "EU payments" are payments covered by the PSD2 requirement. Outside the EU, other rules apply, although the most common card types support 3DSv2.

2. SCA Exemptions

  • Low value: Amounts below 30 EUR are not sent through 3DSv2
  • Low risk (only NETS): For amounts below 100 EUR, a risk assessment is made to determine if 3DSv2 can be omitted (if the "Low value" function is used simultaneously, amounts between 30 and 100 EUR will be subject to risk assessment, and the rest will be processed without 3DSv2).

Notice: Make sure to review your card rules and possible limitation of card types set on the payment window, as this also has an impact on which payments you can receive.

Glossary

  • Card holder: The customer (the person holding the payment card)
  • SCA: Strong Customer Authentication
  • 3DSv2: 3D Secure version 2
  • SBN: Secured by Nets (changed from "DSBN" in connection with with future support of Forbrugsforeningen cards. Has built-in low risk exception of 30 EUR as of Jan 2021)
  • EEA: European Economic Area
  • Challange flow: 3D Secure validation process using an SMS kode, a password, mobile app, etc.
  • Frictionless flow: 3D Secure validation process is attempted automatically (only with 3DSv2)

3DSv2 symbol explanation for actions and results in OnPay

The authorization process is divided into three stages in OnPay, which can be seen under the "Action" column in the transaction log:

  • 3dsv2-pre-auth: Before authorization
  • 3dsv2-auth: During authorization
  • 3dsv2-post-auth: After authorization

The three stages are linked to underlying procedures in the authentication process involving different parties in the payments industry. This can result in several of the following status codes, which can be seen under the "Result" column in OnPay:

  • Y: Authentication/Account Verification Successful
  • N: Not Authenticated/Account Not Verified; Transaction denied
  • U: Authentication/Account Verification Could Not Be Performed; Technical or other problem
  • A: Attempts Processing Performed; Not Authenticated/Verified, but a proof of attempted authentication/verification is provided
  • C: Challenge Required; Additional authentication is required
  • R: Authentication/Account Verification Rejected; Issuer is rejecting authentication/verification and request that authorization not be attempted

Eksempel: if you have a transaction in OnPay that looks like this:

  • 3dsv2-pre-auth
  • 3dsv2-auth: C
  • 3dsv2-post-auth: N

- This means that the cardholder has been asked to authorize using the challenge flow (C), i.e. with App/SMS code/MitID etc. and that the authorization has been rejected (N).