3DS Activation Guide
1. What is changing?
The newly introduced regulation – the revised Payment Services Directive (PSD2) - requires EEA & UK eCommerce card transactions to be routed via 3D Secure, unless they can be considered exempt. This is not applicable to Mail/Telephone Orders (MOTO). As a result, we will be activating 3D Secure (3DS) on all ePDQ accounts by the end of May 2021. This is to ensure all ePDQ accounts are enabled to implement 3DS on all EEA & UK ecommerce transactions ahead of the PSD2 deadline, 14 September 2021.
We are activating this now to ensure you are prepared for these changes. It is worth noting that card issuers may begin to request Strong Customer Authentication (SCA) ahead of these dates, and you may see a gradual increase in declined transactions from 1st June if you are not using 3D Secure.
Initially we will be activating 3D Secure Version 1 (3DSv1) on all our ePDQ customer’s accounts. This will be closely followed by activation of 3D Secure Version 2 (3DSv2), in line with scheme mandates as part of the overarching PSD2 regulatory requirements.
2. What do I need to do?
This will primarily be determined based on the integration method you have used. Please refer to the section “How do I know which integration method I am using” for details on how you can determine this.
If you are unsure whether you are currently using 3D Secure or not, please refer to the section “How do I know if I am currently using 3D Secure?”
If you already have 3D Secure enabled and are actively using it
You do not need to do anything immediately, although we would recommend reviewing your existing ePDQ integration to ensure it is ready for 3DSv2. Further details on potential integration changes can be located below.
If 3D Secure is enabled on your account but you are not actively using it
You will need to update your integration to ensure 3D Secure is used on ecommerce transactions. This update will depend on the type of integration you use. Further details on this can be located below.
If you do not have 3D Secure enabled
You will currently not be invoking 3D Secure as part of your online transaction process. Once 3D Secure has been enabled on your account you can update your integration accordingly. We would recommend ensuring you consider the updates necessary for 3DS v1 and v2 whilst carrying out any integration work.
Even if you are currently enabled for 3D Secure, and are using it, we would recommend reviewing your integration to ensure that it has been implemented correctly. Your current integration may be working correctly even if you are passing invalid values in certain parameters. For example, your current ePDQ integration may be passing a value of UK for the parameter OWNERCTY (cardholder’s country). For a full list of values, please refer to the Parameter Cookbook document, available via the Support link in your ePDQ Back Office
If you exclusively process mail or telephone order payments (MOTO), either via the ePDQ Virtual Terminal or via an integration, this regulation does not currently apply to these transaction types. Please review your integration to ensure your transactions are correctly flagged to avoid being mistaken for ecommerce transactions by card issuers. For details of the correct values for transaction flagging (parameter name = ECI), please refer to the Parameter Cookbook document, available via the Support link in your ePDQ Back Office.
3. How do I know if I am currently using 3D Secure?
There are a number of ways of checking this. The most direct method is to login to your ePDQ Back Office (https://payments.epdq.co.uk/Ncol/Prod/Backoffice/login/index) using the Operations > View Transactions report and check whether there is a ‘Rating’ column visible on those reports.
If the Rating column shows a tick (green or blue) this indicates you are enabled for 3D Secure and invoking it for your ecommerce transactions. Please note, if you process a combination of ecommerce and mail/telephone order transactions then this tick will only show for your ecommerce transactions
4. What do I need to do if I am not using 3D Secure?
If you are using the Hosted Payment Page (HPP) integration method, 3D Secure will be automatically invoked as part of the transaction process once we have enabled 3D Secure on your ePDQ account.
Whilst you do not need to do anything in order for 3D Secure to work, we would always recommend reviewing your integration anyway. As more and more card issuers start to enforce Strong Customer Authentication, cardholders may experience more ‘friction’ in the transaction process. To mitigate for this, it is advised that you provide as much cardholder data as possible. The following links should be helpful:
HPP Integration Guide
HPP Additional Data
If you are using the Flex Checkout or Direct Link integration method, and are not currently invoking 3D Secure as part of your transaction process, you will need to perform a number of integration updates. This will involve you invoking 3D Secure, ensuring you are passing as much data as possible to be ready for 3DSv2, and being able to handle the redirection to the card-issuing bank if the cardholder requires authenticating. It should also be noted that the cardholder’s journey back to your website, as well as the return of transaction statuses, will operate differently if the cardholder is redirected to their issuing bank. Full instructions can be found here:
Flex Checkout Integration Guide
Direct Link Integration Guide
3DSv2 Additional Parameters guides
If you are using the CPI Integration Method, we will be in touch with you separately.
5. How do I know which integration method I am using?
You can determine which integration method you are using by checking which payment page appears as part of the transaction process on your website.
If your payment page looks like this:
And/or the URL of the payment page looks like this:
This would indicate you are using the CPI emulator integration method. We will be in touch with you separately as there is a requirement to move customers away from this legacy integration method, as it is not complaint with the requirements of 3D Secure version 2.
If your payment page looks like this:
And/or the URL of the payment page looks like this:
This would indicate you are using the Hosted Payment Page (ecommerce) integration method.
If the URL of your payment page looks like this:
This would indicate you are using the Flex Checkout integration method. We cannot provide a screenshot of this payment page as you will have customised the page according to your own branding requirements.
If the URL of your payment page is the same address/domain as your website, this would indicate you are using the Direct Link integration method. We cannot provide a screenshot of this payment page as you will have be hosting the relevant webpages within your own domain.
If you believe you process mail or telephone orders, but are unsure, you can check for this in the Transaction details visible on the reporting screens in the ePDQ Back Office
When you drill down into the individual detail of a transaction you can see if it was flagged as Mail/Telephone Order – this should look similar to the below:
If you are still uncertain, please speak to your web developer, or whoever looks after the integration of your website/shopping system and ePDQ.
Can I deactivate 3D Secure once it has been enabled?
It is possible to deactivate 3D Secure via your ePDQ Back Office. We would recommend you do not do this unless absolutely necessary, and remind you that 3D Secure will be mandatory for ecommerce transactions from September 2021. Please ensure that if you do deactivate 3D Secure, you re-enable it no later than the 14 September regulatory deadline for your ecommerce transactions
3D Secure can be activated/deactivated via the Fraud settings in your ePDQ Back Office.
Log in and navigate to Advanced > Fraud Detection:
Scroll down to locate the 3DS settings and click on the ‘Edit’ button alongside the Credit Card type:
Change the “Activate/deactivate 3D-Secure for all cards” setting to ‘deactivate’, and click Submit:
Repeat this for each Credit Card type you wish to deactivate 3D Secure for.
Please note that by deactivating 3D Secure you will be accepting all liability for any transactions that are charged back, may incur non-secure charges, and may experience high levels of declined transactions. This update should only be carried out if you understand and accept the risks of doing so.
6. Are there any other things to consider?
Please review any fraud rule settings that relate to 3D Secure to ensure these match your transaction processing requirements. These may be found in the ePDQ Back Office via the Advanced > Fraud Detection > 3D-Secure menu options. You may also have your own rules which you apply to 3D Secure via your integration.
3D Secure may initially cause some changes for your customers, and you may see some changes in basket abandonment. However as Issuers educate consumers on this new check-out experience introduced by the new law, the abandonment may be improved. Therefore we provide you with the option to deactivate before 14 September 2021. For the best customer journey, please explore how exemptions can help. Visit our website to find out more: https://www.barclaycard.co.uk/business/accepting-payments/corporate-payment-solutions/transact