The UK's Financial Conduct Authority is working towards the full implementation of Strong Customer Authentication (SCA) guidelines by March 14, 2022.
Strong Customer Authentication (SCA) is a payment security regulation introduced by the European Banking Authority (EBA) to ensure that multi-factor authentication is performed for card payments. The EBA has made SCA mandatory as part of the Revised Payment Services Directive (PSD2) initiative. It applies to all online transactions where the payment processor and the card Issuing Bank are in the European Economic Area (EEA) or the United Kingdom (UK). The amendment was originally due to take effect on September 14, 2019, but in October 2019 the European Banking Authority extended the deadline for full enforcement to December 31, 2020.
However, if your business is based in Europe or has a significant customer base in the EEA or UK, it is recommended that you become SCA compliant. 3DS 2.0 is your go-to option for complying with SCA regulations.
3-D Secure:
3-D Secure (3DS) is an additional authentication protocol implemented by the card networks to secure online card transactions. 3DS 2.0 authorizes a card payment by collecting user-verifiable information through an authentication window. Its predecessor, 3DS 1.0, was not widely adopted because it was not mobile-friendly and offered a poor user experience, resulting in low approval rates for transactions.
3DS 2.0 improves on its predecessor (3DS 1.0) by making authentication more flexible and secure: it is mobile-friendly and provides a better user experience. Issuing Banks that do not support 3DS 2.0 still let the user complete authentication via 3DS 1.0, which redirects the user to a new window to collect a password or OTP.
List of gateways supported in Chargebee for 3DS:
List of gateways not supported in Chargebee for 3DS:
If you are impacted by PSD2 and have been using any of the unsupported gateways, contact support and we will help you migrate to one of the 3DS supported gateways.
Your customer's background data, such as device fingerprint and IP address, is collected seamlessly during checkout and sent to the Issuing Bank to check whether verification is required. If the Issuing Bank can authenticate the customer based on the background data provided, the customer is exempted from additional verification and the transaction goes through the normal flow.
If the Issuing Bank denies the Frictionless flow and mandates authentication, the customer is prompted to verify via the Challenge flow. The Issuing Bank then requests authentication using 3DS 2.0.
If the Challenge flow is necessary and the Issuing Bank does not support 3DS 2.0, the user is redirected to a new verification window (3DS 1.0).
Most off-session (customer is away) payments, such as renewals, one-time charges and subscription trial-to-active upgrades, are Merchant Initiated Transactions (MITs) and ideally go through without additional verification, using the customer's previously saved data.
However, there is still a small possibility that the Issuing Bank demands customer authentication in certain scenarios. Since the user is not available to authenticate, this leads to a payment failure. The customer then needs to be notified of the payment failure and brought online to complete the authentication.
Chargebee only facilitates 3DS through the gateways. Ultimately, it is up to the Issuing Bank to decide whether 3DS verification is necessary for the customer.
The steps below explain what needs to be done in Chargebee to stay SCA compliant and not lose revenue to 3DS payment failures. Completing this checklist adds 3DS support for Chargebee Hosted Pages (In-app Checkout, Single Page Checkout, Portal) and for Chargebee API users.
It is important that you complete all the steps in the checklist to cover every 3DS flow, so that Chargebee can notify your customers about a payment failure and follow up with them for payment recovery.
Enable 3D Secure at your gateway
Enable 3D Secure in Chargebee
Enable Dunning for Online Payments
Configure Dunning Emails
Include Failure reason and Pay Now in Dunning Emails
Complete the configuration steps below to start testing payments via the 3DS flow in your Chargebee Test site:
Stripe has 3DS enabled by default for all merchants.
Braintree also has 3DS enabled by default, but only for EU merchants. If you operate outside the EU and use Braintree, contact Braintree support to get it enabled.
Adyen has 3DS enabled by default for one-time payments. Contact Adyen's support to enable 3DS for recurring payments.
To enable 3DS for other Chargebee supported gateways, contact your gateway.
Make sure 3DS is enabled in your gateway account before enabling it in Chargebee.
You can toggle Enable 3D Secure under Settings > Configure Chargebee > Payment gateways > {gateway you use} > Cards > Manage. 3DS can only be enabled for the gateways supported in Chargebee.
You can enable 3DS in your Chargebee Test site to extensively test out 3DS flows. When done testing, you can then enable it in your Live site and start charging customers the 3DS way.
Dunning ensures that invoices with failed payments enter a retry (charge retry) and follow-up (email notifications) cycle. Dunning is the primary payment recovery mechanism in Chargebee for 3DS payment failures caused by an authentication requirement: it prompts the customer to come online and complete the authentication.
Enable dunning to ensure that the affected customers are notified when a 3DS payment failure occurs on their card.
Since a 3DS authentication failure is a hard decline that needs customer intervention, Chargebee does not retry 3DS failures. The only exception is when you have configured custom retries in Chargebee. With Smart Retry, therefore, Chargebee will not retry a 3DS payment failure. If you have set up custom retries, Chargebee retries only on the last day of the dunning period, before the final action is taken.
Configure the dunning reminder email "On first payment failure" so that it is sent as soon as a transaction fails because of a 3DS authentication requirement. You can configure further reminder emails and set the frequency at which they are sent to remind customers about the payment failure. There is no separate template for 3DS dunning emails; they use the regular dunning email templates.
Note that dunning reminder emails will be sent to your customers until the invoice is paid or until the dunning period expires.
This step is important for notifying your customers of a 3DS failure so that they can come back online and authenticate using Pay Now.
Clicking Pay Now redirects your customers to Chargebee's Pay Now page, which lists all their unpaid invoices. They can select the invoices and click Pay to authenticate and complete the transaction.
When you click on the template, the email notification shows a Failure reason checkbox (shown in the screenshot below). Make sure it is checked so that the sent email includes the failure reason.
Off-session (customer is away) payments are Merchant Initiated Transactions, and the corresponding exemptions are applied as per the regulation. However, as mentioned in the Fallback flow, a small percentage of such off-session payments might still require 3DS authentication if the Issuing Bank mandates it.
In such cases, the payment fails. In Chargebee, however, the intended action is still performed and the invoice enters dunning. The customer is then followed up via dunning emails, at the frequency configured in your dunning settings, with the payment failure reason and the Pay Now option.
When the customer clicks Pay Now, they are taken to Chargebee's Pay Now page to select the invoices they intend to pay. After selecting the invoices and clicking Pay, they are shown the 3DS verification window/pop-up to verify their identity and complete the payment.
Chargebee Hosted Pages handle all the flows involved in a 3DS transaction. If you use Chargebee's In-app Checkout, Single-page Checkout or Portal, enabling 3DS for your transactions takes just a few simple steps, as explained in our PSD2 checklist and configuration.
You can test 3DS for Checkout using the Chargebee Test gateway's 3DS test cards. To test 3DS for the Stripe, Braintree and Adyen gateways, use their respective 3DS test cards.
Also make sure you are using one of our 3DS supported gateways. If not, drop us a note at support and we can help you with the migration.
If you have a Gateway JS + API integration with Chargebee, this flow diagram explains your new flow:
Chargebee supports 3DS for the JS integrations of Stripe, Braintree and Adyen. See our sections on Stripe.js, Braintree.js and Adyen.js to understand the changes that need to go into your JS integration. You can then test the gateways for 3DS flows in your Chargebee Test site using their respective 3DS test cards.
Sending raw card details to Chargebee via the API is not a recommended approach for 3DS. Implementing 3DS for an API-based integration is a cumbersome process that involves multiple steps on your side, and it might affect your payment approval rates as well.
Gateways collect the customer's background information from the browser using their JS and send it to the Issuing Bank. Besides communicating the customer's background data to the Issuing Bank, gateways also handle 3DS flows seamlessly and hence achieve better approval rates. We recommend switching to the Chargebee.js or Gateway JS + Chargebee API integration options that we support, and configuring 3DS in Chargebee using those options.
For more information in this regard, please contact support.
If you have an existing Chargebee - Stripe.js integration, you need to update it using our upgraded APIs to ensure that you comply with 3DS/SCA and avoid payment failures.
To understand more about integrating Stripe Elements on your checkout and testing out the 3DS flow, refer to our tutorial on 3DS supported Stripe.js integration.
The 3DS-verified nonce from Braintree.js, for both new and existing stored cards, can be passed to Chargebee's APIs to perform the necessary operations. Learn more about the API upgrade for Braintree.js in our API docs.
To understand more about integrating Braintree.js on your checkout page and testing out the 3DS flow, refer to our tutorial on 3DS supported Braintree.js integration.
We have implemented 3DS support for the latest version of Adyen.js using Chargebee.js' 3DS helper module. If you are using Adyen's CSE (Client-Side Encryption), you need to adopt the latest version of Adyen.js to use Chargebee's 3DS helper JS.
Take a look at our 3DS helper JS implementation guide to rewire your Adyen.js integration and accommodate 3DS.
3DS support for the latest version of Checkout.com's JS using Chargebee.js is available. To learn more about this integration, take a look at our 3DS helper JS implementation guide.
1. Does Chargebee support Stripe's SetupIntent?
Yes, SetupIntent can be used to authorize a 3DS transaction for a new card. No amount is involved; the only requirement is that the customer undergoes verification.
2. What happens to existing cards in the vault after September 14, 2019?
Cards that are already in the gateway's vault will not go through 3DS verification in most cases. Gateways such as Stripe, Braintree and Adyen confirm that they apply the appropriate SCA exemptions to such cards.
3. What should I do if I face the error "Operation failed as the EU country entered in billing address by customer cannot be verified against IP address or card BIN number"?
Turn off location validation in your Test site while testing 3DS, as there might be a mismatch between the IP address and the card BIN.
You can find location validation under Settings > Configure Chargebee > Taxes. Click on the corresponding country and clear the Enable location validation checkbox.
4. How do I filter out 3DS payment failures and notify my customers to authenticate?
There are two ways to instruct customers to authenticate 3DS failed payments:
5. Can I perform minimum amount 3DS authorization to ensure that future payments go through without requiring customer intervention?
Yes, you can perform a minimum amount 3DS authorization, but only while collecting a new card for future payments (no immediate charge).
Using Stripe.js:
Stripe users can make use of the SetupIntent API to perform 3DS verification for a card without any charge. You can pass the SetupIntent id to Chargebee's payment_intent[gw_token]. The SetupIntent API can only be used for cases that do not involve an immediate payment.
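As an added example (not code from Chargebee or Stripe), the JavaScript below shows the browser-side sequence behind Q1 and Q5: confirm a Stripe SetupIntent with Stripe.js, accept it only when its status is "succeeded", and take the SetupIntent id as the value for payment_intent[gw_token]. It assumes `stripe` is a Stripe.js instance, `cardElement` a mounted Card Element, and that the SetupIntent's client_secret was created on your server. The `chargebeeParams` helper and its `customer_id` parameter are assumptions about how you call the Chargebee API (only the payment_intent[gw_token] name comes from this page), and the `fakeStripe` object at the end is a constructed stand-in so the flow runs offline.

```javascript
// Decide whether a confirmed SetupIntent can be handed to Chargebee.
// Kept as a pure function so the decision is testable without a browser.
function evaluateSetupIntent(result) {
  if (result.error) {
    // Stripe.js returns an error when the issuer declined the card or the
    // cardholder abandoned or failed the 3DS challenge.
    return { ok: false, reason: result.error.code || result.error.message };
  }
  const si = result.setupIntent;
  if (!si || si.status !== 'succeeded') {
    // 'requires_action' means the challenge was never completed;
    // 'requires_payment_method' means the bank rejected the card.
    return { ok: false, reason: `setup_intent_status:${si ? si.status : 'missing'}` };
  }
  // The SetupIntent id (seti_...) is what Chargebee expects in payment_intent[gw_token].
  return { ok: true, gwToken: si.id };
}

// Build the form-encoded body for the Chargebee API call that stores the
// verified card. Assumption: the endpoint you call takes customer_id plus
// the payment_intent[gw_token] parameter named on this page.
function chargebeeParams(gwToken, customerId) {
  const p = new URLSearchParams();
  p.set('customer_id', customerId);
  p.set('payment_intent[gw_token]', gwToken);
  return p.toString();
}

// Browser-side flow: Stripe.js opens the 3DS challenge window itself when
// the issuer demands one, then resolves with { setupIntent } or { error }.
async function confirmCardForChargebee(stripe, clientSecret, cardElement, customerId) {
  const result = await stripe.confirmCardSetup(clientSecret, {
    payment_method: { card: cardElement },
  });
  const verdict = evaluateSetupIntent(result);
  if (!verdict.ok) return verdict; // surface the reason to the customer; do not call Chargebee
  return { ok: true, body: chargebeeParams(verdict.gwToken, customerId) };
}

// Constructed stand-in for Stripe.js so the flow can be exercised offline;
// a real page passes the object returned by Stripe(publishableKey).
const fakeStripe = {
  confirmCardSetup: async () => ({
    setupIntent: { id: 'seti_example_123', status: 'succeeded' },
  }),
};
confirmCardForChargebee(fakeStripe, 'seti_example_secret', {}, 'cust_example')
  .then((r) => console.log(r));
```

The point of the status check is that a SetupIntent left in requires_action still has an id; forwarding that id without the check would store a card that never completed authentication, and the first off-session charge on it would be the failure the dunning section describes.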
Braintree.js:
Braintree users can use a minimum amount (say $1) and perform 3DS verification for that amount. Following successful verification, the minimum amount authorized is released to the customer automatically.
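As an added example (not code from Chargebee or Braintree), the JavaScript below covers both the Braintree.js section above and this answer: it runs braintree-web's 3DS verification on a freshly tokenized card for the minimum amount and only hands the resulting nonce on to Chargebee when liability actually shifted. It assumes `threeDSecure` is the instance created with `braintree.threeDSecure.create({ client, version: 2 })` and `hostedFieldsPayload` is the payload from `hostedFields.tokenize()` (a nonce plus `details.bin`). The `$1.00` amount follows the answer above; the reason strings in the returned object and the `fakeThreeDSecure` stand-in at the end are constructed so the flow runs offline.

```javascript
// Minimum verification amount, as a string in the format braintree-web expects.
const MIN_VERIFICATION_AMOUNT = '1.00';

// Decide whether a verifyCard payload is safe to pass to Chargebee.
// Pure function so the check can be tested without a browser.
function evaluateVerifyCardPayload(payload) {
  if (!payload || !payload.nonce) return { ok: false, reason: 'no_nonce' };
  // braintree-web can return a nonce even when no liability shift happened,
  // for example when the card is not eligible for 3DS or the cardholder did
  // not complete the challenge. Such a nonce may still charge, but the
  // merchant keeps fraud liability and an SCA-mandated bank will decline it.
  if (!payload.liabilityShifted) {
    return {
      ok: false,
      reason: payload.liabilityShiftPossible ? 'challenge_not_completed' : 'card_not_eligible_for_3ds',
    };
  }
  // This is the 3DS-verified nonce to send to Chargebee's API.
  return { ok: true, nonce: payload.nonce };
}

// Browser-side flow for a new card collected via Hosted Fields.
async function verifyCardForChargebee(threeDSecure, hostedFieldsPayload) {
  let payload;
  try {
    payload = await threeDSecure.verifyCard({
      amount: MIN_VERIFICATION_AMOUNT,
      nonce: hostedFieldsPayload.nonce,
      bin: hostedFieldsPayload.details.bin,
      // Required for 3DS 2: called after the issuer lookup; next() proceeds
      // to the challenge window when the issuer asks for one.
      onLookupComplete: (data, next) => next(),
    });
  } catch (err) {
    // braintree-web rejects, for instance, when the cardholder cancels the challenge.
    return { ok: false, reason: err && err.code ? err.code : 'verify_card_error' };
  }
  return evaluateVerifyCardPayload(payload);
}

// Constructed stand-in for the braintree-web 3DS component so the flow
// can be exercised offline; a real page passes the created instance.
const fakeThreeDSecure = {
  verifyCard: async (opts) => ({
    nonce: 'tokencc_example_' + opts.bin,
    liabilityShifted: true,
    liabilityShiftPossible: true,
  }),
};
verifyCardForChargebee(fakeThreeDSecure, { nonce: 'tokencc_raw', details: { bin: '400000' } })
  .then((r) => console.log(r));
```

Checking liabilityShifted rather than merely "a nonce came back" is the part that matters for SCA: the raw Hosted Fields nonce and the 3DS-verified nonce look alike, and only the latter carries the authentication the Issuing Bank will honour.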