PLEASE NOTE: The information in this article is our understanding of PSD2 and 3D Secure 2, but there is still a lot of confusion over this implementation, so please check directly with your credit card provider with all your questions about whether you (the Merchant) are responsible for fraudulent orders or not.
Our understanding is that the new PSD2 regulation results in the banks taking responsibility for fraudulent transactions from 14th Sept. As part of this, all transactions need to go through 3D Secure 2. 3D Secure has become a lot more usable since the days when the user had to enter a 2nd password to complete their order (many users could not remember the password from the last time they used it, so could not complete their orders).
We see the PSD2 implementation bringing more security to the internet, with people becoming less afraid of their credit card details being used for fraudulent purposes and more confident in using their credit card on websites that they are less familiar with.
Historically, 3D Secure has reduced the percentage of website users that complete their order, but the improvement in consumer confidence that comes with improved internet security may counter this with an increase too.
How it works
On AB Commerce, you need to ensure that your credit card provider (either Authipay or Global Payments/Realex) has your account switched on for 3D Secure 2. Once this is done, AB Commerce will send them all your customer information with a "preference for the customer not to be challenged" if possible. The customer information includes their shipping and billing details, and whether the user has ordered from the website before.
This information is passed on to your Issuing Bank (the 2 main issuing banks in Ireland are AIB and Elavon - Elavon are Bank of Ireland), which then decides whether to let the order through or to "challenge" the customer and ask them to enter a PIN number that the bank sends to their phone.
Once the order goes through, it is claimed that the bank is responsible if this is a fraudulent order - and not the retailer.
Customers who are not enrolled for 3D Secure
Some credit card users may have an older credit card which is not enrolled for 3D Secure, which means they can't be challenged (e.g. the bank does not have their mobile number to text the PIN to), so their orders always go through. Our understanding is that if there are fraudulent orders with these credit cards, the Merchant is still not liable and the issue needs to be resolved between the customer and the bank.
As of July 2019, our understanding is that all American Express credit cards are not enrolled for 3D Secure yet.
- 14th Sept 2019 - This is the date by which all merchants need to be ready to switch over to 3D Secure 2, or else all transactions will be rejected. However, merchants can't switch over until that date (even though all the required fields can be sent through before that date), so there is no full end-to-end testing available before that date (which is one of the reasons why there is confusion around this deadline).
- Central Bank of Ireland Deadline Push - The Central Bank in Ireland made an announcement around the 9th Aug 2019 that they will allow this deadline to be pushed out, and we are awaiting further information as to what this means (in the UK, the Central Bank pushed out the deadline by 18 months).