Do your transactions need to be PSD2 SCA compliant? If yes, you need to implement 3D Secure.
After you have implemented 3D Secure with Adyen, choose one of the compliance options on this page to comply with PSD2 SCA.
Requirements
Before you begin, take into account the following requirements:
| Requirement | Description |
|---|---|
| Integration type | An online payments integration with 3D Secure. |
Guidelines for compliance
PSD2 mandates strong customer authentication for online payments and online banking transactions. This means that before issuing banks authenticate a transaction, the shopper is required to provide two out of three factors:
- Something only the shopper knows.
- Something only the shopper possesses.
- Something the shopper is.
For example, before an issuing bank authenticates and authorizes a payment, a shopper is required to supply an account password (something the shopper knows) and a one-time authentication code (something the shopper possesses).
Along with 3D Secure, you can ensure your transactions meet SCA requirements by using local payment methods and international wallets. Depending on your market and use case, using these may result in significantly higher conversion rates. See our payment method overview page for all payment method options.
Regardless of the option you choose, note that the general rule for chargeback liability shift applies:
- If you, Adyen on your behalf, or your acquirer requests an exemption and the request is accepted by the issuer, the liability stays with you.
- If the exemption is applied by the issuer, the liability shifts to the issuer.
SCA requirements for online payments
One-off payments
SCA can be required for one-off payments depending on regulations and scheme rules.
| Payment request parameter | Initial payment | Later payment |
|---|---|---|
| recurringProcessingModel | CardOnFile | CardOnFile |
| shopperInteraction | Ecommerce | ContAuth |
Subscriptions
SCA is required for the initial payment of a subscription.
| Payment request parameter | Initial payment | Later payment |
|---|---|---|
| recurringProcessingModel | Subscription | Subscription |
| shopperInteraction | Ecommerce | ContAuth |
Automatic top-ups and other non-fixed schedule contracts
SCA is required for the initial payment of automatic top-ups and other non-fixed schedule contracts.
| Payment request parameter | Initial payment | Later payment |
|---|---|---|
| recurringProcessingModel | UnscheduledCardOnFile | UnscheduledCardOnFile |
| shopperInteraction | Ecommerce | ContAuth |
SCA is also required for subscriptions and non-fixed schedule contracts when the initial payment takes place at the point of sale. The physical card plus PIN authenticates the cardholder.
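The following pre-flight check is an added example, not Adyen code: it validates an ordered series of payment requests for one contract against the parameter tables above, treating the first request as the initial online payment (the point-of-sale case is not covered). The function names `check_request` and `audit_contract` and the sample requests are constructed for illustration.

```python
# Added example. Field names and values come from the tables on this page;
# the function names and sample data are hypothetical.
MODELS = {"CardOnFile", "Subscription", "UnscheduledCardOnFile"}
EXPECTED_INTERACTION = {True: "Ecommerce", False: "ContAuth"}  # keyed by is_initial


def check_request(request, is_initial):
    """Return a list of problems with one payment request (empty means consistent)."""
    problems = []
    model = request.get("recurringProcessingModel")
    interaction = request.get("shopperInteraction")
    if model not in MODELS:
        problems.append(f"unknown or missing recurringProcessingModel: {model!r}")
    expected = EXPECTED_INTERACTION[is_initial]
    if interaction != expected:
        stage = "initial" if is_initial else "later"
        problems.append(
            f"{stage} payment must use shopperInteraction {expected!r}, got {interaction!r}"
        )
    return problems


def audit_contract(requests):
    """Check an ordered series of requests belonging to one contract.

    The first request is the initial payment; later requests must keep the
    same recurringProcessingModel, as each table shows.
    """
    findings = []
    first_model = None
    for index, request in enumerate(requests):
        for problem in check_request(request, is_initial=(index == 0)):
            findings.append((index, problem))
        model = request.get("recurringProcessingModel")
        if index == 0:
            first_model = model
        elif model != first_model:
            findings.append((index, f"model changed from {first_model!r} to {model!r}"))
    return findings


# Constructed sample data: a consistent subscription, and a series with two mistakes
# (initial payment flagged ContAuth, then a different model on the later payment).
GOOD = [
    {"recurringProcessingModel": "Subscription", "shopperInteraction": "Ecommerce"},
    {"recurringProcessingModel": "Subscription", "shopperInteraction": "ContAuth"},
]
BAD = [
    {"recurringProcessingModel": "UnscheduledCardOnFile", "shopperInteraction": "ContAuth"},
    {"recurringProcessingModel": "CardOnFile", "shopperInteraction": "ContAuth"},
]
```

Running `audit_contract` over outgoing requests in a test suite catches an initial payment that is sent as `ContAuth` before it reaches production.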
Compliance options with Adyen
Adyen offers the following methods for complying with PSD2 SCA:
- Let Adyen handle PSD2 compliance by default.
- Configure rules using Dynamic 3D Secure.
- Submit your preference for each transaction in your API request.
Option 1: Default compliance
With this option, you let Adyen handle PSD2 compliance by default.
Our Authentication Engine will handle PSD2 SCA compliance for you. We will not trigger 3D Secure for out-of-scope transactions or if the issuing bank does not enforce 3D Secure. Our Authentication Engine will also handle requesting an exemption whenever applicable.
Option 2: Dynamic 3DS
With this option, you use Dynamic 3D Secure to define additional conditions for transactions that you want to apply 3D Secure authentication to. For example, you can set conditions to use 3D Secure for transactions that you deem high risk.
| Scenarios | Action from Adyen |
|---|---|
| Transaction meets condition with a Use 3DS: Always rule | We will request the issuer to perform 3D Secure 1 or 2 depending on the version supported by the issuer. |
| Transaction meets condition with a Use 3DS: Prefer no rule | We will not request 3D Secure authentication unless the issuing bank requires it to complete the authorization. |
| Transaction does not meet any of your configured rules | Our Authentication Engine will automatically trigger 3D Secure (1 or 2) if a transaction is in scope of PSD2 and SCA is mandated. We expect issuers to soft decline unauthenticated transactions more as the transition period continues in 2020 and 2021. If an exemption is applicable for a transaction, we will manage the exemption request. For more information on how different countries/regions and issuers plan to handle PSD2 SCA compliance, refer to our Support guide. |
See Dynamic 3D Secure to learn how you can configure rules.
Option 3: Specify your preference in the API request
With this option, you specify your preference in the API request.
This option overrides our default PSD2 compliance handling logic, including checking if the transaction is out of scope, determining the most suitable exemption type, and evaluating whether to send the exemption in the authentication or authorization request. We recommend you use the API fields only if you have an extensive knowledge of PSD2 SCA regulations and the 3D Secure protocol.
We support the following scenarios using the API request: