Payments, Authentication and Security: Understanding 3DS

The digitalisation of banking has inevitably resulted in stronger online security to protect consumers. Sadly, payment fraud is not uncommon, and the Financial Conduct Authority (FCA) has taken matters into its own hands to keep online consumers safe while reducing the liability of businesses when an authorised transaction is processed.

As a result of ongoing security concerns, the Payment Services Directive (PSD) and Strong Customer Authentication (SCA) have been introduced, resulting in 3D secure payments. These regulatory measures will affect all businesses operating online, including those working in the self-catering industry. We understand that SuperControl users have come across difficulties with SCA concerning guest bookings. We have compiled the guide below to help you understand the regulation and what this means for your business.

I’ve come across a lot of acronyms. What do these mean?

A lot of jargon and acronyms are used when describing regulatory measures surrounding the payment industry. We understand this can be frustrating and have created a short glossary to make sense of the language used and what this means.

  • PSD2: This stands for the Payment Services Directive (two). The Payment Services Directive is legislation that requires payment service providers to enhance their security by improving customer authentication. It is a security requirement that protects consumers and reduces the risk of fraud.
  • 2FA: This stands for two-factor authentication. Two-factor authentication is a process where somebody accessing an account or paying online needs to provide two authentication factors to prove their identity. For example, if you’re checking out online, you might be redirected to your online banking app to provide a PIN to verify yourself.
  • 3DS: This stands for 3D secure. 3D secure is an online payment service available for Visa and MasterCard cards. This measure was first put in place to prevent fraud back in 2001 and has become a key security factor when you take payments online through a payment gateway. 3D secure will ask the buyer to verify their identity by entering a password or a one-time authentication code sent to their mobile.
  • SCA: This stands for Strong Customer Authentication. This is a requirement of the PSD2 legislation we mentioned earlier, and it asks businesses to require two different authentication factors to prove a consumer’s identity (2FA). This affects both online and offline businesses and protects consumers against fraud. It will become a legal requirement for all e-commerce transactions by March 2022.

Why are my payments failing?

On the 1st of June 2021, card providers such as MasterCard, American Express and Visa started to implement Strong Customer Authentication in line with the regulation coming into full force in March 2022. Digital transactions are now being checked more frequently for 3DS compliance, with two-factor authentication serving as an indicator of Strong Customer Authentication.

This requirement might be the reason your payments are failing: your guests are not using 3D secure cards to make a payment. If your guest isn’t correctly following their identification prompt (e.g., a text message from their bank to verify their identity), the payment will fail. Unfortunately, this is out of your control and is up to the card provider, the consumer and their individual education on 3D secure payments. This hurdle isn’t specific to SuperControl or payment providers such as Opayo and HolidayRentPayment; it affects every industry and business taking online payments.

Why do some payments work and others don’t?

You might notice that some transactions are successful and others aren’t. This is because all transactions made directly by a guest must now pass the 3D secure test, even if the consumer doesn’t have a 3D secure card. If such a consumer is selected to provide two-factor authentication on a payment, it will ultimately fail. Much like contactless payments, transactions are randomly chosen to complete the 3D secure process. Alternatively, a consumer might have a 3D secure card but be unaware of how to complete the authentication process, resulting in payment failure. If the guest is using a 3D secure card, but the payment is still failing, this could be for several reasons:

  • The one-time PIN (OTP) sent from the bank was entered incorrectly.
  • They did not receive the OTP or authorisation message from their bank to approve the transaction, or they are entering an old/expired PIN.
  • The OTP or authorisation message sent from their bank was not entered or approved within the required time frame.

Why does strong customer authentication matter?

Strong Customer Authentication doesn’t only increase security for the consumer, but for your business too. It adds an extra layer of protection, increases consumer confidence, reduces chargebacks and allows for better risk management when taking payments online.

How can SuperControl help?

In line with the upcoming SCA requirements, the 3D secure payment requirement has been implemented across the guest booking process and payment page links throughout SuperControl, regardless of your chosen payment processor. While we can’t prevent payment failures due to consumer error or the SCA process, we’re still here to support you and your business. If you require further information about payment security and what the upcoming legislation means, don’t hesitate to get in touch.