3-D Secure 2.0 Merchant Overview 2020 2021

3-D Secure is a protocol providing an additional layer of security for ecommerce transactions prior to authorization. It enables the exchange of data between the merchant, card issuer and, when necessary, the consumer, to validate that the transaction is being initiated by the actual cardholder. Ecommerce transactions include traditional shopping carts as well as any digital payment where the cardholder initiates and completes the payment process. For example, e-invoicing or electronic bill presentment and payment are ecommerce transactions.

Each card network has its own name for its product that uses 3-D Secure, which is also referred to as 3D Secure, 3DS, 3-D Secure authentication or EMV 3-D Secure. Visa rebranded Verified by Visa to Visa Secure. Mastercard SecureCode (3DS 1.0) merchants are being encouraged to migrate to Mastercard Identity Check, which uses EMV 3-D Secure 2.0. American Express SafeKey 2.0 is also available now. 3-D Secure 2.x helps reduce fraud and minimize the need for one-time passcodes, improving the user experience and reducing shopping cart abandonment.

What are merchant benefits for using 3-D Secure?

  • More authorization approvals. False declines are a significant source of lost revenue.
  • Some cards have reduced interchange rates when the authentication is invoked; interchange is usually over 90% of fees. American Express does reduce rates.
  • Less friction for customers at checkout.
  • Reduced risk of chargeback losses. Fraud liability for “it wasn’t me” automatically shifts to the issuer; merchants do not have to defend those chargebacks, and they never even see them.

How do merchants get started using 3-D Secure?

There are two elements: the payment gateway and the merchant account. Contact your payment gateway company to see if they support it and how to set it up. In most cases, this is simply a back-office setup process. Merchants may also need to sign acceptance of pricing. The transaction fees are minimal and typically more than offset by the 11 to 20 basis point reduction in merchant fees on applicable cards.

Christine Speedy, Founder 3D Merchant Services, QIR certified, is a credit card processing expert with specialized expertise in card not present and B2B payment processing technology. Less than 1% of all merchant services sales representatives are QIR certified by the PCI Council. Christine is an authorized reseller for Elavon and CenPOS products and services, in addition to other solutions.

How to add freight cost after credit card preauthorization

A preauthorization, or authorization hold, is a temporary hold on a customer’s credit card until final settlement. In this B2B transaction scenario, such as for distributors and manufacturers, the customer buys an item online, for example via WooCommerce or Shopify. The customer neither saves their card on file nor uses a saved card on file; in those cases different rules apply. Compliance with credit card processing rules improves authorization approvals, mitigates risk and reduces merchant fees.

On the merchant side, for the ecommerce sale described, the request for authorization goes out and the issuer responds with an approval code if all goes well. By also using 3-D Secure, the merchant shifts fraud liability to the issuer, reduces chargeback risk and can potentially qualify for reduced merchant fees. An additional authorization is not required if the final settlement amount is not more than 15% of the original authorization. Note that this is based upon the scenario described. However, depending on the card type, the qualified interchange rate may downgrade to the worst rate possible due to the authorization and settlement mismatch. The same applies if the final settlement on the original authorization is less.

Some, but not all, payment gateways and APIs have solutions to help merchants resolve the mismatch problem.

How can merchants maximize profits on this type of transaction? Here are some requirements:

  1. Settlement date must be within 2 days of the transaction date.
  2. Settlement date must be within 7 days of initial authorization for purchasing cards (non-gov).
  3. Obtain and pass 1 valid electronic authorization. Authorization and settlement MCC must match. One authorization reversal is allowed.
  4. Transaction date must equal shipping date and that date is no more than 7 days after authorization.
  5. Transaction must include order number and either customer service phone number, URL or email.
  6. Must have secured E-Commerce indicator of “5” or “6”. The POS Condition Code must be “59”. Must perform Cardholder Authentication Verification Value (CAVV) and AVS4 (zip code, except government cards).
  7. Must pass Level II and Level III data.

Failure to meet all requirements can increase merchant fees by an additional 1% or more of the transaction amount.

References:

Visa Product and Services Rules, section 5.8.3.1


Magento mandatory upgrade for PCI Compliance

Merchants must replace Magento version 2.1.x in summer 2019. The Magento 2.1.18 software release marks the final supported software release for Magento version 2.1.x. As of June 30, 2019, Magento 2.1.x will no longer receive security updates or product quality fixes now that its support window has expired.

PCI compliance requires the installation of critical software security patches within 30 days. When a software or related service provider no longer offers security patches, then merchants must replace or upgrade within 30 days. This is the same reason merchants using Microsoft Windows XP would not be PCI compliant.

I previously reported the Magento vulnerabilities and patch requirements in April 2019. Merchants should not rely on their business partners to automatically perform updates. Here’s a handy web site to check your Magento version now.

Now is a great time to also do a payment gateway checkup.


Magento Security Alert requires action to maintain PCI Compliance

Magento 2.3.1, 2.2.8 and 2.1.17 Security Update

A SQL injection vulnerability has been identified in pre-2.3.1 Magento code. To quickly protect your store from this vulnerability only, install patch PRODSECBUG-2198. However, to protect against this vulnerability and others, you must upgrade to Magento Commerce or Open Source 2.3.1 or 2.2.8. We strongly suggest that you install these full patches as soon as you can.

PCI Compliance Requirement 6: Develop and maintain secure systems and applications. All critical systems must have the most recently released software patches to prevent exploitation. The average merchant relies upon third-party developers for web site maintenance, but unless they are specifically contracted to update the e-commerce software and add-on modules, don’t count on it.

“Only 16.4% of organizations that had suffered a data breach were compliant with Requirement 6, compared to an average of 64% of organizations assessed by our QSAs in 2014.” (Verizon 2015 PCI Compliance Report)

Payment gateway implementation requirements have changed over time in response to cross-site scripting and cross-site request forgery (CSRF), in order to meet current PCI Compliance standards. Merchants should verify that all components of their ecommerce ecosystem are current, and have a system for ongoing monitoring and updating.

RESOURCES

  • Magento Security Center
  • MAGENTO SECURITY ALERT, March 26, 2019
  • Christine Speedy, 3D Merchant Services, offers a Magento payment gateway module for merchants to improve their omnichannel customer experience and mitigate fraud and vulnerability risk. Special B2B customer benefits include friction-less payments across all sales channels; text and email Express Checkout, customer invoice portal for 24/7 ACH, credit card, wire and more payment types, and US EMV with level 3 processing. Magento and ERP modules combine to provide a powerful array of solutions to improve cash flow and profits while maximizing security. 954-942-0483.

Christine Speedy on Ask the Expert Panel in Boca Raton

Christine Speedy will be on the BocaJS experts panel in Boca Raton, Florida. Christine’s background in ecommerce stems from when the internet first started. With skilled coding labor shortages, Christine learned HTML to help get stuff done for clients, which included the Miami Dolphins, Blockbuster, the Florida Marlins and many others. While leaving serious work up to the coders and integrators today, her payment checkout insights are unparalleled for PCI Compliance and card network rules compliance. Get to know the industry’s best experts on everything from Development, Design, IT, DevOps, Recruiting, and Learning in Boca Raton, Florida.

Cendyn Spaces, in the Atrium

980 North Federal Highway · Boca Raton, FL

About The BocaJS group

The BocaJS group is here to represent the best that South Florida can bring to the world’s best language (JavaScript). And anything else web related as well! In addition to vanilla JavaScript, we’ll be looking at frameworks such as Node, AngularJS (1, 1.5 AND 2, 4, 5, 6, … 7 beta?), Ember.js, jQuery, ReactJS and Ionic. Founded in September 2014 by Adam & Hector, and run currently by Damian Montero and Jermbo Lawson, this group continues to grow and thrive. Website: BocaJS.org (https://bocajs.org/)

About Christine Speedy

Christine Speedy is a Qualified Integrator and Reseller payments professional, certified by the Payment Card Industry Security Standards Council, and authorized CenPOS Reseller. Christine is a subject matter expert on PCI compliance and card network rules compliance, offering secure cloud payment technology to businesses, transforming the commerce and customer experience. South Florida Technology Alliance member.