Mastercard PSD2 - A Simple And Secure Online Payment Solution For Merchants

Wednesday, 08 Jun, 2022

As more nations adopt the EMV chip, organized crime searches for new ways to profit from card theft, with internet commerce as their favorite avenue. Strong customer authentication (SCA), as defined by the Payment Services Directive (PSD2), is a significant step toward a more secure payments ecosystem. Mastercard's SCA mechanism is a tiered system. To protect your merchants from unforeseen frauds, integrate security measures, such as effective risk-scoring, alongside true verification. Let’s keep reading to learn more about the Mastercard PSD2 and SCA to have a better understanding of secure payment for your business.

Mastercard PSD2 - a simple and secure online payment for merchants.

1. Card-not-present transactions landscape and Mastercard's 3D-secure challenge

According to the report of Mastercard-Identity-Check-2019, Card-not-present (CNP) fraud now accounts for up to 73% of all fraud, and more transactions are moving to CNP channels every day. This shift poses a significant challenge for merchants and issuers attempting to avoid fraud while maintaining a positive consumer experience.

False decline rates are more concerning to many in the industry than fraud losses. False declines occur when the Issuer's or Merchant's fraud models incorrectly decline a good customer's transaction. False declines have a disproportionate impact on CNP channels, with the average decline rate for a CNP transaction staying around 15% to 20%, as opposed to 2% to 3% for card-present transactions.

When 3-D Secure (3DS) was established in 1999, the goal was to prevent fraud and improve consumer authentication during CNP transactions. While the protocol helped to reproduce the security of a physical payment and shift culpability for fraud losses away from businesses, it had certain flaws, such as failing to solve the issue of false declines, as seen above.

  • It added customer friction
  • It gave a bad customer experience with an inconsistent user interface
  • It was restricted to browser-based transactions

However, the global rollout of EMV® 3DS this year is projected to close all of the weaknesses in the prior protocol while also boosting the security of digital transactions.

Mastercard's 3D-secure landscape

2. What are Mastercard PSD2 and RTS, and Mastercard Strong customer authentication (SCA)?

What is PSD2?

The European Commission published the Second Payment Services Directive (PSD2) in December 2015, after the First Payment Services Directive (PSD1). The payments sector has changed dramatically since the launch of PSD1 in 2009. Growth in eCommerce, increased usage of mobile devices for payments, and growing security concerns all contributed to the need for more regulation in the form of PSD2. One of PSD2's main goals is to reduce fraud. Strong customer authentication (SCA) is required for electronic payments under PSD2.

What is Strong customer authentication (SCA)?

Strong Customer Authentication is abbreviated as SCA. "Authentication," according to the Oxford Dictionary, is "the process or action of validating the identity of a user or procedure." SCA is a set of authentication requirements developed by the European Banking Authority (EBA) that adds an extra layer of security to payment transactions with the goal of minimizing fraud by making transactions safer.

Strong customer authentication (SCA) Mastercard

What are Regulatory Technical Standards (RTS)?

The European Commission issued the Regulatory Technical Standards (RTS) on SCA and Common and Secure Communication on November 27, 2017. They spell out the SCA requirements. Regardless of device, the RTS applies to browser-based, in-app, and face-to-face payments.

The strong customer authentication mechanism used by Mastercard is tiered. Much higher security can be achieved by layering security measures, such as effective risk-scoring, alongside genuine authentication. This layered method (or defense in depth) protects all parties significantly better than relying on a single-layered technique, no matter how good that approach or authentication is.

2.1. What is Mastercard's European authentication strategy?

Mastercard, its customers, and all other actors in the payment ecosystem should focus on providing secure, simple, and seamless cardholder experiences that balance new standards with authentication friction.

Mastercard's goals are:

  • To increase the rate of e-commerce conversion and approval. This can be accomplished with biometrics and a seamless authentication experience.
  • To improve safety. Effective risk-scoring, which gives a layered approach to security and enables one-click payments, can help achieve this.
  • Assist consumers in claiming exclusions. This can be accomplished by changing our rules to make it easier to apply for exemptions.

2.2. When does Mastercard require SCA?

The European Banking Authority (EBA) has opened a public consultation on amending its Regulatory Technical Standards (RTS) on strong customer authentication and secure communication (SCA&CSC) under the Payment Services Directive (PSD2) in order to allow for a 90-day exemption from SCA for account access.

Insofar as there is a pre-existing agreement between the cardholder and the merchant to provide products or services, Mastercard considers that Merchant Initiated Transactions* (MITs) are exempt from the SCA requirements. The cardholder is technically unable to authenticate the payment and is not participating in the transaction's initialization.

Mastercard is in discussions with the EBA and national competent authorities to clarify why MITs are exempt from the SCA criteria.

On all devices, SCA is required for electronic payments, including card payments made through a browser or in-app payments. SCA should be used when the payer:

  • uses the internet to access their payment account;
  • starts an electronic payment transaction;
  • performs any action over a remote channel that could lead to money fraud or other abuses.

For the following transactions, SCA is always required:

  • Registering a card with a merchant (Card on File).
  • Establishing a recurring payment plan for fixed and variable amounts, including Merchant Initiated Payments.
  • White-Listing (or looking at/changing White-Lists).
  • Associating a device with a Cardholder.

2.3. What are the types of PSD2 SCA?

Strong Customer Authentication (SCA) is a new European standard for online payments that took effect on September 14th, 2019. It necessitates the use of two separate sources of validation, i.e., two of these three features: knowledge, possession, and/or inherence, which is referred to as "two-factor authentication."

In summary, SCA means that internet shoppers in Europe may be required to complete additional layers of verification.

Customers are asked to provide two of the three types of authentication: something they know, something they own, and something they are.

These categories contain the following types of information:

Something you know:

  • Password
  • Passphrase
  • Pin
  • Sequence
  • Secret fact

Something you own:

  • Mobile phone
  • Wearable device
  • Smart card
  • Token
  • Badge

Something you are:

  • Fingerprint
  • Facial features
  • Voice patterns
  • Iris format
  • DNA signature

2.4. The overview of SCA exemption

Even though a transaction is covered by the PSD2 RTS, there are a variety of exemptions that mean certain transactions are excluded from the SCA requirement. Identifying and optimizing the use of these exemptions will aid in providing a frictionless buying experience for consumers.

There are a variety of scenarios where no SCA is required to make life easier for consumers. The majority of these exclusions include low-value payments, recurring transactions (same amount), and transactions to trustworthy beneficiaries (white listing).

In the scope of the RTS for SCA (Acquirer PSPs, Issuer PSPs):

  • Low-value transactions - LVP: ≤30 EUR - with a counter limitation for issuers
  • Transaction risk analysis - TRA: if fraud ≤13 bps up to 100€; if fraud ≤6 bps up to 250€; if fraud ≤1 bps up to 500€
  • Recurring transactions - same amount, same payee
  • Whitelisting of trusted beneficiaries
  • Secure corporate payments

Out of scope:

  • Anonymous prepaid card
  • Mail Order/Telephone Order - MOTO
  • ‘One-leg’ transactions
  • Merchant-initiated transactions - MIT

Low-value transactions - LVP

PSD2 RTS defines low-value payments (LVP) as being less than or equal to €30 or the equivalent in other currencies.

Even low-value payments, however, require authentication every sixth transaction or if the total amount since the last SCA exceeds €100.

Transaction Risk Analysis (TRA)

Available, because of the low fraud rate, for transactions where the quantity and intensity of fraud do not exceed the RTS's pre-defined restrictions. The amount changes depending on the level of fraud (see the table below) and is unaffected by countermeasures.

Transaction size Provided that the acquirer’s fraud rate is no more than
Up to €500 0.01%
Up to €500 0.06%
Up to €500 0.13%

The fraud rate is calculated by dividing the total value of all remote card transactions by the total value of all illegal and fraudulent remote card transactions.

In practical terms, an Acquirer should consider employing a Transaction Risk Analysis (TRA) exemption when the Merchant is sure that the transaction is not fraudulent based on the consumer's transaction history and other known criteria.
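The LVP counter rule and the TRA bands described above can be combined into one decision function. The following is an added example, not PayCEC or Mastercard code: the names (`LvpCounters`, `tra_limit`, `decide`, `run_sequence`) are hypothetical, amounts are assumed to be in EUR, the current payment is assumed to count toward the €100 cumulative total, and the issuer-side counter and acquirer fraud rate are evaluated in one place for illustration. The TRA bands are the ones in the exemption overview (13, 6 and 1 bps).

```python
from dataclasses import dataclass
from decimal import Decimal

LVP_MAX_AMOUNT = Decimal("30")       # EUR, single low-value payment
LVP_MAX_CUMULATIVE = Decimal("100")  # EUR, exempted total since the last SCA
LVP_MAX_CONSECUTIVE = 5              # the sixth payment must be authenticated

# TRA bands: (max fraud rate in basis points, max exempt amount in EUR),
# ordered from the lowest fraud rate (largest allowed amount) upward.
TRA_BANDS = (
    (Decimal("1"), Decimal("500")),
    (Decimal("6"), Decimal("250")),
    (Decimal("13"), Decimal("100")),
)


@dataclass
class LvpCounters:
    """Hypothetical per-card state: LVP-exempted payments since the last SCA."""
    count: int = 0
    total: Decimal = Decimal("0")


def tra_limit(fraud_rate_bps) -> Decimal:
    """Largest amount (EUR) eligible for TRA at this fraud rate, 0 if none."""
    rate = Decimal(str(fraud_rate_bps))
    if rate < 0:
        return Decimal("0")  # invalid input: fail closed, no exemption
    for max_bps, max_amount in TRA_BANDS:
        if rate <= max_bps:
            return max_amount
    return Decimal("0")  # above 13 bps no TRA exemption is available


def lvp_allowed(amount: Decimal, counters: LvpCounters) -> bool:
    """True if this payment fits the amount, count and cumulative limits."""
    return (
        amount <= LVP_MAX_AMOUNT
        and counters.count + 1 <= LVP_MAX_CONSECUTIVE
        and counters.total + amount <= LVP_MAX_CUMULATIVE
    )


def decide(amount, fraud_rate_bps, counters: LvpCounters) -> str:
    """Return 'LVP', 'TRA' or 'SCA' and update the counters accordingly."""
    amount = Decimal(str(amount))
    if amount <= 0:
        raise ValueError("amount must be positive")
    if lvp_allowed(amount, counters):
        counters.count += 1
        counters.total += amount
        return "LVP"
    if amount <= tra_limit(fraud_rate_bps):
        # Assumption: a TRA-exempted payment leaves the LVP counters unchanged.
        return "TRA"
    # No exemption applies: SCA is performed and the LVP counters restart.
    counters.count = 0
    counters.total = Decimal("0")
    return "SCA"


def run_sequence(amounts, fraud_rate_bps):
    """Decide a series of payments on one card, starting right after an SCA."""
    counters = LvpCounters()
    return [decide(a, fraud_rate_bps, counters) for a in amounts]


if __name__ == "__main__":
    # Constructed sample: seven 20 EUR payments, fraud rate too high for TRA.
    print(run_sequence(["20"] * 7, 20))
```

With a fraud rate above 13 bps the sixth €20 payment falls back to SCA; at 10 bps the same payment would instead be covered by TRA.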

Recurring Transactions

The recurring transactions exemption is available if the payee and the amount are both the same.

SCA is required, however, when making the initial recurring payment arrangement, which includes the correct setup of the amount, expiration date, and repetition frequency. When changing a recurring payment, it's also necessary. The initial agreement must be referenced in all subsequent recurring transactions.

White-listing of trusted beneficiaries

A Cardholder can ask their Issuer to white-list a Merchant, removing the need for SCA on subsequent transactions with that Merchant. 'Trusted beneficiaries' are merchants who have been listed by Cardholders. For the construction or updating of the white list, however, SCA is always necessary.

Issuers and Access Control Server (ACS) providers play a crucial role in allowing Cardholders to easily white-list merchants when shopping.

A Cardholder, for example, might be given the option of adding a Merchant to a white list:

  • per Merchant, during payment – white-listing prompt on the authentication page
  • many Merchants – white-listing via mobile bank
  • per Merchant, following payment – white-listing prompt on a separate page

Secure Corporate Payments

Secure Corporate Payments (SCP) or Business to Business (B2B) payments made through dedicated payment processes or protocols that are only available to payers who are not consumers are exempted if competent authorities are satisfied that those processes or protocols provide at least equivalent levels of security to SCA.

2.5. What is EMV® 3-D Secure (EMV 3DS)?

EMV® 3-D Secure (EMV 3DS) is a new global messaging protocol (data flow) that improves security and simplifies the user experience across all digital channels (browser-based, in-app, wallets). It enables consumers to authenticate themselves using their cards and allows for a smooth authentication journey.

Mastercard® Identity Check™ is the brand name for the EMV 3DS technical standard. It uses the EMV 3DS protocol to allow Merchants and Issuers to exchange 10X more data, including new mobile capabilities. Mastercard Identity Check helps improve digital payments security and approvals while providing Cardholders with a frictionless payment experience wherever possible.

3. What are the benefits for merchants from the above Mastercard SCA solutions?

EMV 3DS is a new industry standard and protocol that allows Merchants to send data to Issuers during a CNP transaction to help reduce CNP fraud and rectify erroneous declines while giving a better customer experience. EMV 3DS is applicable to all CNP transactions, including recurring and card-on-file transactions. EMV® 3-D Secure's rich data interchange is used to assess the risk of a transaction and adjust security measures accordingly.

The new EMV 3DS standards address many of the flaws in the previous version. Among the enhancements are:

  • The ability to exchange 10x more data than 3DS 1.0, allowing for better authentication and authorization decisions. Furthermore, they enable state-of-the-art authentication technologies, such as biometrics, for better two-factor authentication.
  • Improving end-to-end transaction processing time by restricting the authentication cycle to one. In addition, they use risk-based authentication or frictionless authentication to passively authenticate Cardholders.
  • Adapting to new payment requirements on any device, such as in-app and mobile payments. Moreover, they add new use cases, such as cards on file, wallets, and tokenization. With the new EMV 3DS standards, registering customers is also no longer required while shopping.

4. EMV® 3-D Secure vs Mastercard® Identity Check™

4.1. Mastercard® Identity Check™ helps improve digital payments security and increase approvals – while providing a frictionless payment experience – as required by PSD2.

Mastercard® Identity Check™ is now available.

  • Mastercard has designed a new solution called Mastercard Identity Check to replace Mastercard SecureCode, which governed the old protocol, with the implementation of EMV® 3-D Secure.
  • Mastercard Identity Check uses the new EMV 3-D Secure protocol to help decrease fraud and incorrect declines of card-not-present transactions while also offering a frictionless checkout experience for Cardholders. This new solution will allow both Merchant and Issuer partners to benefit from the new standards and capabilities, making payments more simple and safe.
  • Mastercard Identity Check is a next-generation authentication system that provides increased security while still providing a user-friendly digital payment experience.
  • It helps to prevent fraud, false declines, and excessive friction while also meeting the PSD2 regulation's Strong Customer Authentication (SCA) criteria.
  • Mastercard Identity Check uses the new EMV® 3-D Secure protocol, which allows merchants and issuers to communicate 10 times more data, including new mobile capabilities, raising the bar on authentication.

4.2. Mastercard® Identity Check™ improves digital payment security and approvals while providing Cardholders with a frictionless payment experience

  • Mastercard Identity Check is a next-generation authentication solution that boosts security while maintaining a simple digital payment experience.
  • While addressing the PSD2 regulation's Strong Customer Authentication (SCA) criteria, it helps to reduce fraud, false declines, and undue friction.
  • The new EMV® 3-D Secure protocol, which allows merchants and issuers to send 10 times more data, including new mobile capabilities, raises the bar on authentication.

Secure Code (based on 3DS1 Standards):

  • Multiple authentication methods
  • Web-only
  • Limited data
  • Payments only

Mastercard Identity Check, "ID Check" (based on NEW EMV 3DS Standards, replaces Secure Code):

  • Biometric-based authentication (with SMS OTP + 1 factor as back-up): fingerprint, face, voice, eye
  • Multiple channels (web and mobile App)
  • Much more data and options (to better manage the risk)
  • Payments and beyond

Merchants and Issuers participate in EMV® 3DS via third party service providers with Mastercard as the connecting link

4.3. Mastercard® Identity Check™ seamlessly integrates into the transaction flow to deliver secure authentication.

With Identity Check & EMV® 3DS:

  • Consumers may now prove their identity quickly and easily using dynamic passwords or biometrics.
  • Merchants now have more opportunities to share data with issuers in order to improve risk models.
  • Issuers/ACS providers now have access to 10X more data to aid in making better decisions.

Frictionless Flow (majority of transactions)

Risk-Based Authentication (RBA)

Risk-Based Authentication utilizes the rich data exchange provided via EMV 3-D Secure to determine risk.

Transactions deemed low risk may be silently authenticated without unnecessary friction - while higher-risk transactions can be prompted for Cardholder authentication resulting in:

  • Vast majority of Cardholder experiences being seamless with no friction
  • “Silent” authentication happens in the background, without the consumer being aware of the process after they initiate payment.

Intelligent Friction (minority of transactions)

Biometrics:

  • The cardholder is prompted to authenticate on mobile devices.
  • Authenticates with pre-selected biometric method: fingerprint, face, voice, other

One-time Password (fallback solution):

  • Cardholder receives a one-time use code through the mobile banking app or via SMS text message from Issuer.
  • Enters code on the authentication page and is verified as correct.

5. Mastercard® Identity Check™ satisfies the demand for simple and secure payments, allowing everyone to get benefits from the EMV® 3DS and PSD2 standards.

Consumers, Merchants, Financial:
  • Reduces disruptions by 50% (totally authenticated vs. 'Merchant only' transactions)
  • Eliminating the burden of keeping and remembering passwords
  • Provides excellent protection for financial data
  • When biometric identification is utilized, it can help generate revenue by minimizing cart abandonment by up to 70%.
  • A hassle-free authentication process can help merchants increase their market share.
  • Transactions that are authenticated have a 10 percent greater approval rate.
  • Reduces fraud by removing the threat of passwords.
  • Increases cardholder loyalty and engagement.
  • Lower customer service costs owing to fewer calls and password resets
  • Increases revenues through greater completed transactions

6. PAYCEC - A payment gateway of MasterCard PSD2

PayCEC is a 3D payment gateway provider with a focus on online card payments. Strong Customer Authentication (SCA), sometimes known as two-factor authentication, is a requirement of the Second Payment Services Directive (PSD2). SCA Mastercard is a payment method that requires cardholders to use at least two of the three ways during the payment process for transactions made online or when a card is not physically put into a Point of Sale machine.

PayCEC is the best Mastercard payment solution for merchants & consumers worldwide with a payment gateway for Mastercard that are built on. To ease online card transactions, merchants can integrate the credit card payment gateway into their website.

PayCEC also provides a Mastercard payment gateway to online client organizations, allowing them to accept all forms of online card payment methods. To learn more, go to PayCEC's site and use the live chat feature to contact the Customer Relationship staff.

We created a payment API to assist businesses and customers in receiving the best possible experience while also protecting them from scammers.

With the PayCEC payment gateway, merchants can quickly set up their online store and begin accepting online card payments from clients. To set up your payment platform, follow the instructions below:

  • Enter Information: Sign up with the PayCEC team by clicking the Sign Up button.
  • Document Submission: Prepare your company profile, including company website, business information, and business activities.
  • Integration Support: Our Relationship Manager will contact you and support you in processing and integrating your merchant account.
  • Use the full features of our payment service on the Dashboard.

PayCEC’s SCA secure payment gateway was established in response to the growing need of global online businesses to accept SCA secure online payments more quickly and easily. In the digital era, our payment flow has evolved to work seamlessly and effectively across all platforms and devices. We pride ourselves on combining superior technology with first-class customer service.

PayCEC’s SCA secure payment gateway for online businesses is a truly global payments platform that not only allows customers to get paid instantly and securely, but also withdraws funds to their business accounts in various currencies.

We have created an open and secure payments ecosystem that entrepreneurs and businesses choose to securely transact with each other online and on any device. We proudly maintain the highest level of client advocacy in the industry.

PayCEC Team

Frequently Asked Questions

The amended Payment Services Directive (PSD2) added a requirement for multi-factor authentication for e-commerce transactions in Europe in 2019. Strong Customer Authentication (SCA) was implemented to strengthen the security of electronic payments by asking users to present two forms of identity when buying online.

The SCA mechanism used by Mastercard is a tiered structure. Integrate security techniques, such as effective risk-scoring, alongside real verification to protect your merchants against unforeseen frauds.

For more information about SCA compliance payment gateways, click here.

All of your card and personal information is encrypted by Mastercard and is never shared with third parties. 3DSecure technology is standard on all Mastercards.

The EMV 3DS technical standard is known as Mastercard® Identity Check™. It employs the EMV 3DS protocol to enable Merchants and Issuers to communicate 10 times more data, including new mobile capabilities. Mastercard Identity Check helps to strengthen the security and authorization of digital payments while also providing Cardholders with a frictionless payment experience.

The bank will send the customer to an authentication page on their bank's website, where they input a card password or a code texted to their phone. This process is easy and simple to carry out. Mastercard Identity Check is one of the card networks' brand names that have this easy authentication for the user.

If you need a 3D secure Mastercard payment gateway, PayCEC is the best choice for you.
