1. Introduction

Fraud Export Scoring is your answer to reduce any fraud risk. Our advanced technology provides you with a complete set of tools to overcome fraudulent activities.

Fraud Export Scoring uses technology from Fraud Expert Checklist and takes it a step further by allowing you to create extensive rule combinations that are uniquely adapted to fulfil your business needs. We do this by using a scoring system to assess the risk associated with a transaction. Based on the score, you can automatically decide to block or accept a transaction. You can even add another round of detailed review for the same transaction through another automated procedure that determines whether you will ultimately block or accept it! If you are not sure how to handle particular transactions, our fraud experts can even assess and process them for you. Thanks to our years of expertise, we will always be able to predict malicious behavior patterns and beat fraudsters before they strike.

This guide covers the functionalities that we offer in our Fraud Export Scoring (FDMAs) solution.

2. Before we begin

Fraud Export Scoring is also sometimes referred to as Fraud Detection Module Advanced Scoring (FDMAs). 

To get started, make sure Fraud Detection Module Advanced Scoring (ID: CAP 2) has been activated. You can do this by going to Configuration > Account > Your options in your account.

3. Manage 3DS settings

3-D Secure (3DS) is an anti-fraud protocol designed to enhance security for both you and your customers. Learn more about 3DS in our FAQ.

Define 3DS settings

Once your fraud subscription is active, you can now configure your 3DS settings. Go to Advanced > Fraud Detection. 3DS has to be configured individually for each payment method. Under 3-D Secure, select a payment method by clicking on EDIT.

You will see a list of actions that you can choose from.

The table below provides an overview on actions listed on the page and what they mean.

Action Explanation

You can either continue or interrupt the transaction if a technical problem prevents connection to the respective acquirer during the 3D-Secure registration check.

You may want to configure this option in case Paypage cannot connect to the 3DS directory of the related scheme/card brand.

You can either continue or interrupt the transaction if the cardholder identification service is temporarily unavailable.

You may want to configure this option in case the 3DS verification URL is not working.

You can either activate or deactivate 3D-Secure for all cards.

 

If you decide to deactivate 3DS, it will not be rolled out at all.

You can process 3D-Secure depending on the Global Fraud Score.

3DS will be processed based on your fraud settings and Paypage's Fraud Expert assessment if it has been activated.

4. Set conditions for Merchant Fraud lists

Merchant Fraud lists are lists that allow you to set conditions for your payments. For example, you may want to block illegitimate transactions based on their IP addresses or even the card’s country of issue. In this chapter, you will learn how to manage these lists.

There are three types of lists.

  • Whitelists allow you to set conditions for when a transaction should be accepted.
  • Blacklists allow you to set conditions for when a transaction should be blocked.
  • Greylists allow you to set conditions for when a transaction should be reviewed or undergo another process.
The individual effect of a match in any of these lists is defined by Merchant Fraud Rules. This means that you will have to manage both

Only then will your settings take effect

View lists 

View these lists by going to Advanced > Fraud Detection in your account. Under Blacklist / Greylist / Whitelist, select an item that you would like to configure and click EDIT.

Manage whitelists 

You can use whitelists to set conditions for when transactions should be accepted. Whitelists override blocking (blacklist) and review (greylist) settings if a match has been detected.

Depending on the action that you choose to take, you might need to send some parameters with the transaction to our platform. Below is an overview of the list types (i.e. the conditions you can set), what they mean and the parameters that would need to be sent.

| List type | Explanation | Parameter to be sent |
|---|---|---|
| IP address whitelist | Our system will accept both specific IPs or IP ranges according to the formatting a.b.c-d.0-255 or a.b.c-d.* or a.b.c.d-e. | REMOTE_ADDR |
| Unique customer identifier whitelist | Customer Unique Identifier is an identifier allocated to your customer such as their name, client number, email address. | CUID |
| Email whitelist | Add a range of email addresses. If you need to add all email addresses from the same domain (example: john@abc.com), add an asterisk ‘*’ symbol in front of the @ sign (example: *@abc.com). | EMAIL |

Manage blacklists 

Blacklists apply blocking or review if a match is detected.

Depending on the action that you choose to take, you might need to send some parameters with the transaction to our platform. Below is an overview of the list types (i.e. the conditions you can set), what they mean and the parameters that would need to be sent.

| List type | Explanation | Parameter to be sent |
|---|---|---|
| Card blacklist | To add items, you will need the full credit card / bank account (for direct debits) number. | CARDNO |
| BIN blacklist | A Bank Identification Number (BIN) consists of the first six digits of a credit card linked to an issuer in a specific country. This allows you to block all credit cards that share the same BIN. | CARDNO |
| IP blacklist | Our system will accept both specific IPs or IP ranges according to the formatting a.b.c-d.0-255 or a.b.c-d.* or a.b.c.d-e. | REMOTE_ADDR |
| E-mail blacklist | Add a range of email addresses. If you need to add all email addresses from the same domain (example: john@abc.com), add an asterisk ‘*’ symbol in front of the @ sign (example: *@abc.com). | EMAIL |
| Name blacklist | Generates two versions of the name: the “Cleaned name” and the “Partial match”. | CN |
| Phone blacklist | Generates two versions of the number: the “Cleaned number” and the “Partial match”. | OWNERTELNO |
| Generic blacklist | Personalise this list with any data that is desirable. | GENERIC_BL |

Manage greylists

Greylists allow you to set conditions for when a transaction should be reviewed if a match is detected.

Depending on the action that you choose to take, you might need to send some parameters with the transaction to our platform. Below is an overview of the list types (i.e. the conditions you can set), what they mean and the parameters that would need to be sent.

| List type | Explanation | Parameter to be sent |
|---|---|---|
| Card greylist | To add items, you will need the full credit card / bank account (for direct debits) number. | CARDNO |
| BIN greylist | A Bank Identification Number (BIN) consists of the first six digits of a credit card linked to an issuer in a specific country. This allows you to block all credit cards that share the same BIN. | CARDNO |
| IP greylist | Our system will accept both specific IPs or IP ranges according to the formatting a.b.c-d.0-255 or a.b.c-d.* or a.b.c.d-e. | REMOTE_ADDR |
| E-mail greylist | Add a range of email addresses. If you need to add all email addresses from the same domain (example: john@abc.com), add an asterisk ‘*’ symbol in front of the @ sign (example: *@abc.com). | EMAIL |
| Name greylist | Generates two versions of the name: the “Cleaned name” and the “Partial match”. | CN |
| Phone greylist | Generates two versions of the number: the “Cleaned number” and the “Partial match”. | OWNERTELNO |
| Generic greylist | Personalise this list with any data that is desirable. | GENERIC_BL |
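The list entry formats and the whitelist override described above, as an added example that is not part of the original guide or the platform's own code. It can be used to check list entries and their expected effect before entering them in the Back Office. Assumptions: each octet of an IP entry is read as a number, a range or `*` (a generalisation of the three documented formats), e-mail comparison is case-insensitive, the precedence is a simplified model (the real effect of a match is set by your Merchant Fraud Rules), and all function names and sample entries are constructed for illustration.

```python
import re

# One octet of a list entry: a number, a range "x-y", or "*" (assumed reading
# of the documented formats a.b.c-d.0-255, a.b.c-d.* and a.b.c.d-e).
_OCTET = re.compile(r"\*|\d{1,3}(?:-\d{1,3})?")


def parse_ip_pattern(pattern):
    """Convert an entry such as '198.51.100-101.*' into four (low, high) bounds."""
    parts = pattern.strip().split(".")
    if len(parts) != 4:
        raise ValueError(f"expected four octets: {pattern!r}")
    bounds = []
    for part in parts:
        if not _OCTET.fullmatch(part):
            raise ValueError(f"bad octet {part!r} in {pattern!r}")
        if part == "*":
            low, high = 0, 255
        elif "-" in part:
            low, high = (int(x) for x in part.split("-"))
        else:
            low = high = int(part)
        if not 0 <= low <= high <= 255:
            raise ValueError(f"octet out of range in {pattern!r}")
        bounds.append((low, high))
    return bounds


def ip_matches(pattern, remote_addr):
    """True if the dotted-quad REMOTE_ADDR value falls inside the list entry."""
    pieces = remote_addr.strip().split(".")
    if len(pieces) != 4 or not all(p.isascii() and p.isdigit() for p in pieces):
        return False
    return all(lo <= int(p) <= hi
               for p, (lo, hi) in zip(pieces, parse_ip_pattern(pattern)))


def email_matches(pattern, email):
    """Exact address, or a whole domain when the entry starts with '*@'."""
    pattern, email = pattern.strip().lower(), email.strip().lower()
    if pattern.startswith("*@"):
        # Compare including the '@' so 'x@evilabc.com' does not match '*@abc.com'.
        return email.count("@") == 1 and email.endswith(pattern[1:])
    return email == pattern


def evaluate(txn, lists):
    """Return 'block', 'accept', 'review' or 'no_match' for one transaction."""
    def hit(kind):
        entries = lists.get(kind, {})
        ip, mail = txn.get("REMOTE_ADDR", ""), txn.get("EMAIL", "")
        return (any(ip_matches(p, ip) for p in entries.get("ip", []))
                or any(email_matches(p, mail) for p in entries.get("email", [])))

    cardno = txn.get("CARDNO", "")
    black = lists.get("blacklist", {})
    # A whitelist match overrides blocking and review, except for the card
    # blacklist rule, so the card blacklist is checked first.
    if cardno and cardno in black.get("card", []):
        return "block"
    if hit("whitelist"):
        return "accept"
    if hit("blacklist") or (cardno and cardno[:6] in black.get("bin", [])):
        return "block"
    if hit("greylist"):
        return "review"
    return "no_match"


# Constructed sample lists (documentation IP ranges, a well-known test card number).
LISTS = {
    "whitelist": {"ip": ["192.0.2.10-20"], "email": ["*@partner.example"]},
    "blacklist": {"ip": ["198.51.100-101.*"], "email": ["mallory@shop.example"],
                  "card": ["4111111111111111"], "bin": ["400000"]},
    "greylist": {"ip": ["203.0.113.0-255"], "email": []},
}

if __name__ == "__main__":
    txn = {"REMOTE_ADDR": "198.51.100.5", "EMAIL": "buyer@partner.example"}
    print(evaluate(txn, LISTS))  # whitelisted e-mail domain wins over the IP blacklist
```
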

Add new items to a list

If you would like to add items to one of the list types above, select the respective list type and click EDIT.

To add items to a list,

  1. Enter data in the Enter the item
  2. Select either Actual Fraud / Commercial Dispute / Suspicion of Fraud.
  3. Optional: Add some information in the Comment field if you have any.

Manage existing list items 

If you would like to manage items in a list, you can either:

  • Delete: Remove one or more items by flagging All
  • Fraud type: Modify the original entry to FRA (Actual Fraud) / COM (Commercial Dispute) / SOF (Suspicion of Fraud). 
  • Comment: Delete or change the original comment of your item by clicking on "..."

Our platform also allows you to put already processed transactions to this list. To do so, follow these steps:

  1. Log in to the Back Office. Go to Operations > View transactions and look up the transaction
  2. In the table displaying all maintenance operations for this transaction, click on any Pay ID button
  3. On the maintenance operation overview page, click on the “DISPUTE” button
  4. In the table, select either “Add to the blacklist” / “Add to the greylist” for any of the selectable transaction parameters. Then flag the transaction as either “Actual fraud” / “Commercial dispute” / “Suspicion of fraud”. Confirm your selection by clicking on the “Save” button

4.1 Whitelist

Whitelists apply lowering score / override blocking if a match is detected.

| List type | Remarks | Parameter(s) to be sent with the transaction |
|---|---|---|
| IP address whitelist | Our system will accept both specific IPs or IP ranges according to the formatting a.b.c-d.0-255 or a.b.c-d.* or a.b.c.d-e. | REMOTE_ADDR |
| Unique customer identifier whitelist | Customer Unique Identifier is an identifier allocated to your customer, i.e. name, client number, email address | CUID |
| Email whitelist | Can be a fixed address or a whole range of addresses (domain) using an asterisk (‘*’) before the "@" sign | EMAIL |

4.2 Blacklist

Blacklists apply raising scores / blocking if a match is detected.

| List type | Remarks | Parameter(s) to be sent with the transaction |
|---|---|---|
| Card blacklist | To add items, you will need the full credit card / bank account (for direct debits) number. | CARDNO |
| BIN blacklist | A Bank Identification Number consists of the first six digits of a credit card linked to an issuer in a specific country. This allows you to block all credit cards that share the same BIN. | CARDNO |
| IP blacklist | Our system will accept both specific IPs or IP ranges according to the formatting a.b.c-d.0-255 or a.b.c-d.* or a.b.c.d-e. | REMOTE_ADDR |
| E-mail blacklist | Can be a fixed address or a whole range of addresses (domain) using an asterisk (‘*’) before the "@" sign | EMAIL |
| Name blacklist | Generates two versions of the name: the “Cleaned name” and the “Partial match” | CN |
| Phone blacklist | Generates two versions of the number: the “Cleaned number” and the “Partial match” | OWNERTELNO |
| Generic blacklist | Fully personalized list with any data desirable | GENERIC_BL |

5. Manage fraud scoring

This chapter will teach you how you can set and manage fraud scoring.

The principle of fraud scoring is to allocate a score to each transaction based on various parameters and the respective weighting that you have set for them. The final score will be categorised:

  • Green: Transactions with a green score are considered to have low fraud risk. They are considered to be safe and will be accepted, provided that the acquirer/issuer will not reject it for any other reason.
  • Orange: Transactions with an orange score are considered to have medium fraud risk. This means that some rules have been triggered and it might be suspicious. We recommend that you verify transactions that fall under this status before dispatching your goods/services. 
  • Red: Transactions with a red score are considered to have high fraud risk and will be blocked.

Configure your fraud scoring by going to Advanced > Fraud Detection in your account. Under Fraud detection activation and configuration, select a payment method that you would like to configure and click EDIT.

You can define a transaction as low, medium or high risk by setting a score for medium transactions at the bottom of the table.

Scoring categories

Define the scoring 

On the same page, you will see criteria that you can define freely. Each criterion requires you to define one or more of the following settings:

  • None (the criterion is ignored and no assessment will be made)
  • Review (a 3-D Secure check will be performed if Selective 3DS is active)
  • Override blocking / review
  • Block
  • Whitelist / greylist / blacklist management
  • Edit usage limit

Depending on the criteria that you wish to define, you might need to send some parameters with the transaction to us. Below is an overview of the most important criteria, their respective parameters and our possible settings to define to effectively optimise your fraud protection.

| Category | Criteria | Possible settings | Parameter(s) to be sent |
|---|---|---|---|
| Trusted data / whitelists | 3-DS Secure identification OK | Block / Review / Override blocking & review except card blacklist rule; Edit whitelist: CUI; Edit whitelist: E-mail | - |
| | CUI whitelist identification | | CUID |
| | E-mail on whitelist | | EMAIL |
| Card data | Card country high / medium risk | Review; Configure Card country groups | CARDNO |
| | Max amount / card high / medium threshold | Block / Review; Edit usage limits: Maximum utilization per card, per period x day(s) / Total amount of transactions per card / Number of transactions per card | CARDNO |
| IP data | IP country high / medium risk | Configure IP country groups; Block / Review | REMOTE_ADDR |
| | Anonymous proxy | Block / Review | REMOTE_ADDR |
| | IP cty differs from CC cty | Block / Review | REMOTE_ADDR / CARDNO |
| | Unauthorised card country / IP country combination high / medium risk | Edit IP/CC country pairs; Block / Review | REMOTE_ADDR |
| | Max utilisation / IP | Block / Review; Edit usage limits: Maximum utilisation per IP address, per period x day(s) / Number of successful transactions per IP address / Number of transactions (accepted or refused) per IP address | REMOTE_ADDR |
| Contact data | Max e-mail utilisation | Block / Review; Edit usage limits: Maximum utilisation per e-mail address, per period of x day(s) / Number of utilisations for the e-mail address | REMOTE_ADDR |
| Address data | Invoicing address different to delivery address | Review | ADDMATCH |
| Miscellaneous data | Number of different countries | Block / Review | - |
| | Amount lower / higher than range | Edit min max amount; Block / Review | AMOUNT |
| | Time of order high / medium risk period | Review; Edit risky periods | - |
| | Data in generic blacklist / greylist | Block / Review; Edit blacklist / greylist: generic data | GENERIC_BL |
| | Shipping Method high / medium / low risk | Block / Review; Edit risky Shipping Methods | ECOMSHIPMETHODTYPE |
| | Shipping Method Details high / medium / low risk | Block / Review; Edit risky Shipping Method Details | ECOMSHIPMETHODDETAILS |
| | Product Category high / medium / low risk | Block / Review; Edit risky Product Categories | ITEMFDMPRODUCTCATEGx, ITEMIDx, ITEMNAMEx, ITEMPRICEx, ITEMQUANTx |
| | Time to Delivery | Strictly less than X hours; Block / Review | ECOM_SHIPMETHODSPEED |
| | Automatic address verification by the acquirer: result OK / KO; ZIP KO, Address OK; ZIP OK, Address KO; Result not received or unknown | Block (Review if in Direct Sale) / Review | OWNERZIP, OWNERADDRESS |
| | Card verification code check: result OK / KO | Block (Review if in Direct Sale) / Review | CVC |

Configure travel data (for airline industry only)

If your business model involves handling airline data, you will also need to send the following parameters to us along with the transaction for them to be taken into consideration.

Parameters to be sent

AIPASNAME

AIEXTRAPASNAME*XX*

AIORCITY*XX*

AIORCITYL*XX*

AIDESTCITY*XX*

AIDESTCITYL*XX*

AISTOPOV*XX*

AIFLDATE*XX*

For more information on these parameters, you can refer to our Parameter Cookbook in your account. Go to Support > Integration and User Manuals > Technical Guides to access it!

Apply list items as Merchant Fraud Rules

Once you have managed items in your white/grey/black lists, you need to instruct our platform what to do once a match occurs.

To do so, follow these steps:

  1. Log in to the Back Office. Go to Advanced > Fraud Detection. Select the payment method for which you want to configure Merchant Fraud Rules via "Fraud detection activation and configuration"
  2. Select any of the settings in column "Action" to define how a match should impact the scoring of the transaction in question
  3. You may edit the list corresponding to the setting by selecting the option "Edit list xxx" on the right-hand side of the setting

Identify fraud with Device Fingerprinting 

Device Fingerprinting is a technology that enables us to uniquely identify a device used during a transaction. This means that if fraudsters use the same device for different transactions, our system will be able to detect this and block the transaction immediately. We use the parameter tag DEVICEID to identify the device used for each transaction.

Depending on your integration with us, there are some actions that you can take to activate Device Fingerprinting.

  • If you are using our eCommerce integration, this data will be captured on our payment page. Thus, this is done automatically for you.
  • If you are using our DirectLink or FlexCheckout integration, you will need to add a tracking code to your integration. The code will need to be added into the header of one of your webpages which will be loaded when the cardholder’s device visits the site. We recommend adding it to your payment page. The code is in HTML and consists of CSS, Javascript and Flash:

    <script type="text/javascript" async="true" src="https://elistva.com/api/script.js?aid=10376&sid=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"></script>
    <noscript><p style="background:url(//elistva.com/api/assets/clear.png?aid=10376&sid=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX)"></p></noscript>
    <object type="application/x-shockwave-flash" data="//elistva.com/api/udid.swf?aid=10376&sid=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" width="1" height="1">
      <param name="movie" value="//elistva.com/api/udid.swf?aid=10376&sid=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" />
    </object>

You will need to update the XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX in the code snippet with a unique user session identifier in MD5 format. 

This HTML code is associated with a unique temporary and random session identifier (SID), which is generated by you as described in the table below.

| Parameter(s) to be sent | Explanation | Format |
|---|---|---|
| sid | SID is the unique identifier of a user session. The concatenation of the values of the PSPID and ORDERID, respectively, is calculated in the MD5 format, resulting in a 32-digit hexadecimal hash string. | 32-digit hexadecimal hash string. Example: ec4dfe7e880e374071e2728c3711c3a8 |
| aid | The ID of Tracker Application Account | Fixed value: 10376 |
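One way to generate the `sid` value on the server and fill it into the tracking script tag, as an added example that is not part of the original guide or the platform's own code. Assumptions: the two values are concatenated with no separator and encoded as UTF-8 before hashing (the guide does not specify either), and the function names are hypothetical.

```python
import hashlib
import html
import re

AID = "10376"  # fixed Tracker Application Account ID from the table above
SCRIPT_URL = "https://elistva.com/api/script.js"  # host as shown in the guide's snippet


def device_fingerprint_sid(pspid, orderid):
    """MD5 over PSPID followed by ORDERID, returned as 32 lowercase hex digits."""
    if not pspid or not orderid:
        raise ValueError("PSPID and ORDERID are both required")
    # Assumption: plain concatenation, UTF-8 encoded; the guide does not say.
    return hashlib.md5((pspid + orderid).encode("utf-8")).hexdigest()


def is_valid_sid(sid):
    """Check the documented format: a 32-digit hexadecimal string."""
    return re.fullmatch(r"[0-9a-f]{32}", sid) is not None


def tracking_script_tag(pspid, orderid):
    """Render the <script> element of the tracking code for one order."""
    sid = device_fingerprint_sid(pspid, orderid)
    src = f"{SCRIPT_URL}?aid={AID}&sid={sid}"
    # html.escape turns '&' into '&amp;', the valid form inside an HTML attribute.
    return ('<script type="text/javascript" async="true" '
            f'src="{html.escape(src, quote=True)}"></script>')


if __name__ == "__main__":
    # Constructed sample values, not a real PSPID or order reference.
    print(tracking_script_tag("DemoPSPID", "ORDER-0001"))
```
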

Note: This feature will only work when a Fraud Expert Scoring category (Green, Orange, or Red) is successfully returned by Fraud Expert. Learn more about Fraud Expert below.

6. Manage Fraud Expert settings

Fraud Expert is a machine learning system that provides you with a second expert opinion through an additional layer of security. It uses the pooled data of historical transactions from all of our customers across various industries and sectors. The data is then used to create accurate fraud predictions and evaluate the legitimacy of every transaction that passes through your webshop with these predictions. This means that transactions will not only be verified with the rules that you have manually set, but will also go through an additional barrier of protection. Fraud Expert is responsive. As new customer transactions are made, Fraud Expert continuously adapts its predictions and responds to new threats in the payment ecosystem.

It can:

  • Detect fraud at an earlier stage and ensure that your business is protected from complex fraud attacks from the get go!
  • Remove human error and prevent the rejection of valid orders.
  • Outsource the manual review of dubious transactions as well as freeze dubious transactions that you want to review yourself.

This chapter will teach you how you can activate and configure Fraud Expert settings.

Define activity sector and review modes 

Firstly, you will need to define your activity sector. Based on your activity sector, our Fraud Expert tool will formulate predefined scoring rules and criteria for your industry. Go to Advanced > Fraud Detection > Your Activity Sector. Click EDIT.

On the same page, you can also decide if you want to automate or manually review your transactions. You can do so for all your payment methods. This means that if you select

  • Automatic: Transactions that go through your webshop will either be released or blocked automatically.
  • Manual Review: Transactions that go through your webshop will be manually reviewed by experts at Paypage.

Define Fraud Expert behavior 

Once you have defined your activity sector, we can now define what actions can be taken with Fraud Expert. Transactions that go through your webshop will be defined by a Global Fraud Score.

A Global Fraud Score is a score (either green, orange or red) made up of the combination of your own configuration (also known as FDMA checklist) that you have set in Chapter 4 and the Fraud Expert. By taking these two factors into consideration, a Global Fraud Score is created for each transaction that passes through your webshop.

  • Green: Transactions with a green score are considered to have low fraud risk. They are considered to be safe and will be accepted, provided that the acquirer/issuer will not reject it for any other reason.
  • Orange: Transactions with an orange score are considered to have medium fraud risk. This means that some rules were triggered and the transaction might be suspicious. We recommend that you verify them once more before dispatching your services/goods to the customer.
  • Red: Transactions with a red score are considered to have high fraud risk and will be blocked.

To start, go to Advanced > Fraud Detection. Select a payment method that you want to configure, and click EDIT.

Once a payment method has been selected, you will see two tabs on the top of the screen. Select the Fraud Expert tab.

On the page, you will see your Global Fraud Score matrix. You can define what action or behavior you would like to apply, based on the Global Fraud Score of your transactions.

For instance, a transaction may receive a green score (low fraud risk) based on your FDMA settings (as you had defined in Chapter 4). However, our Fraud Expert system may score the same transaction as red (high fraud risk). You can then decide what action you want to take if such a scoring is denoted on a transaction.

Manage orange transactions

As we had stated earlier, transactions that have an orange score are considered to have medium fraud risk. With the Global Fraud Score matrix, you can “freeze” orange transactions for manual review. This means that you have the opportunity to review the transactions yourself before making a final decision.

Recommendation: We recommend that you do not wait to take a decision. If no action is taken after the freeze period is over, the payment will automatically be processed!

Transaction Freeze

You can decide the length of your freeze period by going to the Fraud Expert tab of each payment method.

Once you have decided on a freeze period, you can view all impacted orange transactions by going to Operations > View Transactions. Select ADVANCED SEARCH CRITERIA. Look up the transactions with the filter Risk Category and Fraud Expert Manual Review.

In the list of transactions displayed, you will see symbols under the Global Fraud Score column.

  • Hand symbol: Click on this symbol to either release or block transactions.

  • Hourglass symbol: Transactions with this symbol are waiting to be released or blocked based on the results of our Fraud Expert review.

FAQs

From 1st January 2020 for Europe and from 14th September 2021 for UK, Strong Customer Authentication (SCA) rules will come into effect for all digital payments in Europe. Right now, banks, payment service providers and card networks are all working on technical solutions that will comply with the requirements for PSD2. To accept payments after January 1st you will have to make sure that these technical solutions will work with your online store.

Accepting payments from the world’s largest card networks, Visa, Mastercard and Amex, will require that you have implemented the security solution 3D Secure for your online store. 3D Secure has been used since 2001 to improve the security for online card transaction but now a new version has been developed that will facilitate the PSD2 Strong Customer Authentication requirements.

We recommend that you use 3-D Secure, since it helps prevent fraud and also protects you from liability in case of any fraud. From January 1st 2020 it will also be a requirement for accepting payments from major cards.

The EU’s Second Payment Services Directive (2015/2366 PSD2) entered into force in January 2018, aiming to ensure consumer protection across all payment types, promoting an even more open, competitive payments landscape. Acting as a payment service provider, we pride ourselves on being confirmed PSD2 compliant since 29 May 2018.

One of the key requirements of PSD2 relates to Strong Customer Authentication (SCA) that will be required on all electronic transactions in the EU from 1st January 2021 for Europe and from 14th September 2021 for UK. SCA will require cardholders to authenticate themselves with at least TWO out of the following three methods:

  • Something they know (PIN, password, …)
  • Something they possess (card reader, mobile, …)
  • Something they are (voice recognition, fingerprint, …)

This means your customers, in practice, will no longer be able to make a card payment online by using only the information on their cards. Instead they will have to, for example, verify their identity on a bank app that is connected to their phone and requires a password or fingerprint to approve the purchase.

More information about PSD2 can be found here: https://www.europeanpaymentscouncil.eu/sites/default/files/infographic/2018-04/EPC_Infographic_PSD2_April%202018.pdf

3DSv2 is inviting merchants to send additional information (mandatory / recommended ... ). All you need to know as a merchant can be found here:

COF in a nutshell: Customer initiates a first transaction with a merchant with a 3D-S (CIT). From this first transaction experience, the merchant has the possibility to do recurring transactions (subscription or with customer approval -> tokenization), flagged as MIT transactions.

MITs are one of the exemptions foreseen within 3DSv2, if they fulfill the following cumulative conditions:

  • subsequent transactions of an initial CIT 
  • CIT was done with a mandatory authentication
  • A dynamic ID linking is made between initial CIT and the subsequent MITs

After initial authentication, exemptions/exclusions can apply:

  • Either because of legal recurring exemptions which apply to subscriptions with a fixed amount and periodicity (merchants are indeed advised to authenticate for full amount + provide details about number of agreed payments with card holders)
  • Either because other type of transactions are excluded from SCA scope... at merchant sole risk in case of chargeback (protection limited to authenticated amount) AND need for issuer to accept that risk to be taken:
    • Unscheduled COF: principle of subsequent transactions is agreed with card holder, but amount and/or periodicity is not fixed
    • Industry practices: incremental, no show, etc...

For the transitional period, schemes have defined default ID to be used for subsequent MITs created before introduction of 3DS v2.

As issuers have not provided us with reliable data yet, we don't have information on that. MasterCard is currently running surveys in Europe, but results may vary drastically depending on the country.  The status will continue to evolve until September. In January 2019, only 2/3 of issuers completed the EMVCo v2.1 certification and within this list of issuers, support of exemptions fluctuated from 80% (Recurring) to 50% (White Listing).

If you use our eCommerce page, Paypage will take care of all mandatory fields.

If you are integrated in DirectLink, meaning that you have your own payment page, we have a Javascript example available on the support page to collect the mandatory data.

For the optional information collection, refer to our support page on how to integrate with Paypage.

Unless the authentication is an obligatory step (i.e. in case of a card registration or an initial transaction of a series of recurring transactions), issuers can decide to pass on the authentication. In such a scenario the issuer will be liable in case of a charge back.
Add Card value refers to the case when a wallet provider uses 3DS protocol to add a card to their wallet. This will be implemented by the respective wallet provider.

3-D Secure version 2 is an evolution of the existing 3-D Secure version 1 programs: Verified by Visa, Mastercard SecureCode, AmericanExpress SafeKey, Diners/Discover ProtectBuy and JCB J/Secure. It is based on a specification that has been drafted by EMVCo. EMVCo exists to facilitate worldwide interoperability and acceptance of secure payment transactions. It is overseen by EMVCo’s six member organizations (American Express, Discover, JCB, Mastercard, UnionPay, and Visa) and supported by dozens of banks, merchants, processors, vendors and other industry stakeholders who participate as EMVCo Associates.

One of the core differences in version 2 is that the issuer can use a lot of data points from the transaction to determine the risk of the transaction (risk-based analysis). For low-risk transactions, issuers will authenticate the transaction without challenging it, e.g. without sending an SMS to the cardholder (frictionless). Conversely, for high-risk transactions, issuers will require the cardholder to authenticate with an SMS or biometric means (challenge).

Separately, the Strong Customer Authentication (SCA) required from 1st January 2021 for Europe and from 14th September 2021 for UK, as specified in PSD2, will result in a substantial increase in the number of transactions requiring the use of 3-D Secure authentication. The use of 3-D Secure version 2 should limit the potential negative impact on conversion as much as possible. In short, 3-D Secure version 2 means:

  • You will need to implement 3-D Secure before January 1st, 2021 if your transactions fall within the EU PSD2 SCA guidelines (in case you don't already support 3-D Secure).
  • You are advised (and for some are required) to submit additional data points to support the risk assessment performed by the issuer in case of 3-D Secure version 2
  • You might need to update your privacy policy with regards to GDPR as you might be sharing additional data-points with 3rd parties
  • A much better user experience for your consumers

The expectation in the market is that a substantial percentage of transactions using 3-D Secure version 2 will follow the frictionless flow, which doesn't require anything additional from the cardholder compared to current non-3-D Secure checkout flows. This means that you benefit from the increased security and liability shift that is provided by the 3-D Secure programs, while the conversion in your checkout process shouldn't be negatively impacted.

This situation is only possible if you are integrated via DirectLink only (Merchant own page / FlexCheckOut), as on the Paypage hosted payment page, Paypage collects the mandatory data.

First of all, Paypage will identify whether the flow is to be directed to v1 or v2 based on the card numbers.

If the card is enrolled V2, there are the following possible scenarios:

Mandatory data:

  • If the wrong data is passed, the transaction is blocked.
  • If some data is missing, Paypage will direct your transaction to the v1 flow.
  • If no data is passed, the transaction is NOT blocked but diverted to the v1 flow.

Recommended or optional data:

  • If no data is passed, the transaction is NOT blocked, but cannot benefit from exemption.

As this is defined by the acquirers' readiness, the availability of 3DSv2 depends on the individual acquirer. 

Most of the French acquirers will support Strong Customer Authentication by September 14th 2019, but not exemptions. The introduction of exemptions will be made available by the individual acquirers between October 2019 and March 2020.

To make things easier for both merchants and consumers, PSD2 allows for some exemptions from strong customer authentication. What’s important to note is that not every transaction that qualifies for an exemption will automatically be exempted. In the case of card transactions, for example, it’s the card issuing bank that decides if an exemption is approved or not. So, even if a transaction qualifies for an exemption, the customer might still have to complete strong customer authentication if the card issuing bank chooses to demand it.

Our test platform is ready for you to start testing. A simulator will support all different scenarios.

Testing cards have been provided and can be found on the support site, as well as in the TEST environment (Configuration > Technical Information > Test info).

Please contact us should you wish to start using 3-D Secure version 2 (3DSv2) in production. 

Your PCI certificate is valid for a year and is compliant for any acquirer.

We are in the process of certification for v2.2, and it will be in production in Q4 2020.

Along with the platform release in July, we have enhanced our transaction overview details. Individual transactions now contain detailed information on which flow (legacy 3DS v1 or 3DSv2) was applied. More information can be found in our notes for Release 04.133 in the Backoffice via Support > Platform Releases > Release 04.133.

In addition, we have added the new parameter VERSION_3DS to our electronic reporting tool.

The possible values for VERSION_3DS are:

  • V1 (for 3DS v1)
  • V2C (for 3DS v2 challenge flow)
  • V2F (for 3DS v2 frictionless flow)
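The check below is an added example, not part of the platform's documentation or code: it reads a transaction file download that includes VERSION_3DS, splits traffic per brand across the three flows, and flags brands with a high v1 share, which is where missing mandatory data shows up given the v1 fallback described earlier. The sample rows, the PAYID and BRAND columns, the `;` delimiter and the 25% threshold are assumptions.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed sample of a transaction file download. Only VERSION_3DS and its
# values (V1, V2C, V2F) come from the page; PAYID, BRAND, the ';' delimiter
# and the default max_v1_share below are assumptions to adapt to your setup.
SAMPLE_EXPORT = """PAYID;BRAND;VERSION_3DS
1001;VISA;V2F
1002;VISA;V2F
1003;VISA;V2C
1004;VISA;V1
1005;MasterCard;V1
1006;MasterCard;V1
1007;MasterCard;V2C
1008;MasterCard;
1009;VISA;V9
"""

KNOWN_FLOWS = ("V1", "V2C", "V2F")


def summarize_3ds_flows(export_text, delimiter=";"):
    """Count 3DS flows per brand; blank or unknown values are kept visible."""
    per_brand = defaultdict(Counter)
    for row in csv.DictReader(io.StringIO(export_text), delimiter=delimiter):
        flow = (row.get("VERSION_3DS") or "").strip().upper()
        if not flow:
            flow = "NONE"      # no 3DS flow recorded for this transaction
        elif flow not in KNOWN_FLOWS:
            flow = "UNKNOWN"   # value not listed in the documentation
        per_brand[row["BRAND"].strip()][flow] += 1
    return per_brand


def brands_falling_back_to_v1(per_brand, max_v1_share=0.25):
    """Return {brand: v1_share} where v1 exceeds max_v1_share of 3DS traffic."""
    flagged = {}
    for brand, counts in per_brand.items():
        authenticated = sum(counts[f] for f in KNOWN_FLOWS)
        if authenticated and counts["V1"] / authenticated > max_v1_share:
            flagged[brand] = round(counts["V1"] / authenticated, 2)
    return flagged


if __name__ == "__main__":
    summary = summarize_3ds_flows(SAMPLE_EXPORT)
    print({b: dict(c) for b, c in summary.items()})
    print("High v1 share:", brands_falling_back_to_v1(summary))
```

Paypage also selects the v1 flow for cards it routes to v1 by card number, so a flagged brand is a prompt to review the data you send, not proof that data is missing.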

To add this parameter to your transaction file downloads, follow the instructions as shown in this video:


Exclusions are transactions that are OUT of scope for PSD2 SCA regulations:

  • Mail order/telephone order
  • One leg journey - Payee's PSP (aka Merchant's acquirer) or Payer's PSP (aka Buyer's payment method issuer) is outside of EEA zone
  • Anonymous prepaid cards up to 150€ (article 63)
  • MIT - merchant initiated transactions

Exemptions are transactions that are IN the scope of PSD2 SCA regulations:

  • Low value transactions
  • Subscriptions
  • Risk analysis
  • Whitelisting

In a case like this, Paypage will automatically manage a fallback to 3-D Secure v1.

The EBA (European Banking Authority) and national banks in each affected country agreed on a grace period (until at least March 2020). This will give every player in the eCommerce business the opportunity to clarify all details related to this new regulation. However, we still strongly recommend activating 3DS in your account(s) as soon as possible.

Since our TEST environment is ready, we advise you to start testing your integration as soon as possible.

If the issuer is applying the new PSD2 ruleset and 3DS is not active in the merchant's account, the transaction will be rejected with a new error code: soft decline. Therefore, please make sure to have 3DS active for each brand in your account(s). If you are integrated with DirectLink (Server to Server), you will need to implement the soft decline mechanism.

As 3DSv2 introduces frictionless authentication, the time for processing a transaction may be reduced. Conversely, if Strong Customer Authentication is requested, the processing time may be longer.