[Add-on] Global Payments HPP 3D Secure SCA

This is an add-on for a Global Payments extension for Magento 2. The extension provides 3D Secure 2 Strong Customer Authentication support for Hosted Payments Page integration.

Strong Customer Authentication is quickly becoming the standard for online businesses. Now 3D Secure 2 brings Strong Customer Authentication to the payment card industry.

It's designed to secure all the new ways in which we pay online as well as meeting the new regulatory requirements such as PSD2 (Revised Payment Service Directive) that have been brought in to help protect consumers.

What is Strong Customer Authentication (SCA)?

SCA is the method of authenticating an individual based on at least two discrete elements of the following three categories:

POSSESSION - Something only you have.For example, your mobile device registered with your issuing bank or a hardware token that has been issued to you.

INHERENCE - Something only you are.For example, your fingerprint, iris scan or other form of biometric that can uniquely identify you.

KNOWLEDGE - Something only you know.For example, a unique passphrase or identification number that is known only by you.

When deployed correctly, SCA offers an opportunity to keep user accounts safe, reducing the incidence of online identity theft or account takeover.

What is 3D Secure?

It's an authentication protocol that was designed to reduce fraud, increase customer security and reduce merchant liability to chargebacks. However, the original version of 3D Secure was designed for a ‘browser only’ ecommerce checkout experience and failed to consider the experience delivered via mobile browser and in-app payments that make up a significant proportion of ecommerce traffic today.

What is 3D Secure 2?

The 3D Secure 2 protocol was developed to meet the requirements of the modern remote payments environment, including the mobile checkout experience.

It introduces new authentication methods, such as biometrics, that better suit today’s customers. It also provides the possibility of a fully frictionless flow by using a more comprehensive data set to authenticate the customer without the need for their intervention. The standardised design of 3D Secure 2 across the major card schemes allows for a unified authentication solution for your ecommerce sales.

Frictionless

3D Secure 2 allows for a huge number of data points to be shared between your business and your customer’s card Issuer. Granting Issuers this vastly improved visibility of the customer and transaction details is often enough to allow them to passively authenticate and authorise payments without any impact to the customer experience.

Challenge

If the card Issuer decides that passive authentication is not sufficient, the authentication flow transitions seamlessly to a challenge flow and the cardholder must actively authenticate themselves. A common example would be a European transaction that is eligible for SCA under the PSD2 regulations and is not subject to a valid SCA exemption.

The details of the challenge required of the cardholder will be determined by their Issuer bank and could take the form of a One-Time Passcode (possession), Security Question (knowledge) or Fingerprint (inherence) scan.

The range of authentication options that an Issuer can make available, and the move away from static passwords will help combat drop-off while increasing security and user confidence.

Biometric Authentication

Out-of-Band authentication through an Issuer’s banking application to facilitate biometrics such as fingerprint scanning, facial recognition or voice identification.

OTP Authentication

A one-time passcode is sent by the Issuer to the customer's registered mobile number and is entered by the customer to demonstrate possession.

Knowledge-Based Authentication

Customers verify transactions by answering knowledge-based questions provided by the Issuer.

SCA in Europe (PSD2)

From 14th September 2019, a new regulatory requirement comes into effect that will impact the way payments take place within the European Economic Area (EEA).

After this date most ecommerce payments will have to undergo Strong Customer Authentication (SCA) to validate that the payer is who they say they are. This will make 3D Secure 2 adoption a necessity for almost all European ecommerce merchants as it supports all the requirements of the regulation including:

• The generation of a unique and secure authentication code for each transaction
• Dynamically linking of the amount and payee
• SCA comprising of two independent factors across the categories of Knowledge, Possession and Inherence
• Support for all SCA exemption categories including whitelisting, low risk and low value transactions

SCA in the Rest of the World

Without the regulatory restrictions that the European market will see, the ability to passively authenticate transactions via the frictionless flow will be much more widely available to your customers.

3D Secure 2 resolves all of the issues that had previously held it back from global success and offers you a way to increase your security, your authorisation success and your customers’ trust without impacting your existing payment experience.