1. What is changing?

The revised Payment Services Directive (PSD2) sets out the requirement for EEA & UK eCommerce transactions to be routed via 3D Secure, unless they can be considered exempt. 3D Secure is not applicable to Mail/Telephone Orders (MOTO).

As a result, 3D Secure version 2 (3DSv2) was introduced on all ePDQ accounts prior to the PSD2 deadline, 14th March 2022. For additional information on PSD2 / SCA please see our PSD2 guide.

The main card schemes will now deprecate 3D Secure version 1 on the dates below, at which point 3DSv1 will become obsolete:

  • 14 October 2022 for online transactions using Visa
  • 17 October 2022 for online transactions using Mastercard
  • 14 October 2022 for online transactions using Discover/Diners
  • 14 October 2022 for online transactions using American Express (except India)

You must ensure all your transactions route via 3DS v2 before these dates as any transactions processed on 3DS v1 after these dates will be declined, resulting in a loss of sales.

2. What do I need to do?

This will primarily be determined by the integration method you use. Please refer to the section "How do I know which integration method I am using" for details on how you can determine this.

You will need to ensure that you are sending the required parameters with the appropriate values in order to facilitate 3D Secure version 2. If you are unsure which version of 3D Secure you are currently using, please refer to the section "Monitor progress of 3DSv2 implementation" of the "3D Secure v2 parameters guide".

If you have already integrated 3D Secure version 2 and are actively using it

You do not need to do anything at present, although we would recommend monitoring your ePDQ integration to ensure transactions continue to be successfully approved.

If you are not actively using 3D Secure version 2 for eCommerce transactions

You will need to update your integration to ensure 3D Secure version 2 is used on ecommerce transactions. This update will depend on the type of integration you use. Please refer to the applicable integration guide and the 3D Secure V2 parameters guide for further guidance.

Why are my transactions falling back from 3DSv2 to 3DSv1?

The most common reasons for your ePDQ transactions to fall back to 3D Secure v1 are:

  • Not passing parameters and values documented as ‘mandatory’ for 3DSv2 (this may include updated parameters that have replaced ‘legacy’ parameters for 3DS, such as HTTP_ACCEPT being replaced with browserAcceptHeader)
  • Passing invalid values for any parameters you send to ePDQ (for example, you may not be passing the valid ISO value for country codes)
  • The card issuing bank does not yet support 3DSv2 (after 15th October, any card issuer not supporting 3DSv2 will be expected to handle the transaction accordingly, and not reject it on the basis that 3DSv2 has not been applied).
  • Your account information includes invalid data (e.g. your website address is incorrectly configured in the Configuration > Account > Your Administrative Details screen). If so, please contact our support team to have this corrected.

These possible causes will all apply regardless of which integration method you use for ePDQ.
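
The first two causes above can be checked before a request is sent. The following is an added example, not ePDQ or Barclaycard code: the mandatory list is supplied by the caller from the 3D Secure v2 parameters guide, the country field name `billingCountry` is hypothetical, and a two-letter ISO 3166-1 country code is assumed.

```python
import re

# Legacy parameter -> 3DSv2 replacement. Only the pair named on this page is
# listed; extend it from the 3D Secure v2 parameters guide.
LEGACY_REPLACEMENTS = {"HTTP_ACCEPT": "browserAcceptHeader"}

# Assumption: country fields carry ISO 3166-1 alpha-2 codes. This checks the
# shape plus one frequent mistake; it is not a full ISO code list.
ALPHA2 = re.compile(r"[A-Z]{2}")
NON_ISO = {"UK": "GB"}


def find_fallback_risks(params, mandatory, country_fields=()):
    """Return (parameter, problem) pairs for one outgoing request."""
    # Compare names case-insensitively so casing alone raises no finding.
    sent = {k.upper(): str(v).strip() for k, v in params.items()}
    findings = []
    for name in mandatory:
        if not sent.get(name.upper()):
            findings.append((name, "mandatory parameter missing or empty"))
    for legacy, new in LEGACY_REPLACEMENTS.items():
        if legacy.upper() in sent and not sent.get(new.upper()):
            findings.append((legacy, f"legacy parameter sent without {new}"))
    for name in country_fields:
        value = sent.get(name.upper())
        if value is None:
            continue  # absence is covered by the mandatory check
        if value in NON_ISO:
            findings.append((name, f"{value!r} is not an assigned ISO code, use {NON_ISO[value]!r}"))
        elif not ALPHA2.fullmatch(value):
            findings.append((name, f"{value!r} is not a two-letter uppercase code"))
    return findings


# Constructed sample request. "billingCountry" is a hypothetical field name and
# SAMPLE_MANDATORY is an illustrative subset, not the guide's full list.
SAMPLE_MANDATORY = ["browserAcceptHeader", "browserUserAgent"]
SAMPLE_REQUEST = {
    "HTTP_ACCEPT": "*/*",
    "browserUserAgent": "Mozilla/5.0",
    "billingCountry": "UK",
}

if __name__ == "__main__":
    for parameter, problem in find_fallback_risks(
        SAMPLE_REQUEST, SAMPLE_MANDATORY, ["billingCountry"]
    ):
        print(f"{parameter}: {problem}")
```

An empty result only means the request passes these local checks; the report-based monitoring described below remains the way to confirm which 3D Secure version was actually applied.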

We would recommend you perform your own checks to determine whether your transactions are falling back to 3DSv1. You can configure your ePDQ reports to display the version of 3D Secure used for your transactions. For a full list of values, please refer to the relevant integration guide, the 3D Secure V2 parameters guide, and the Parameter Cookbook, available via the Support site.

If you exclusively process mail or telephone order payments (MOTO), either via the ePDQ Virtual Terminal or via an integration, this regulation does not currently apply to these transaction types. Please review your integration to ensure your transactions are correctly flagged to avoid being mistaken for ecommerce transactions by card issuers. For details of the correct values for transaction flagging (parameter name = ECI), please refer to the Parameter Cookbook, available via the Support site.

3. How do I know if I am currently using 3D Secure?

There are a number of ways of checking this. The most direct method is to log in to your ePDQ Back Office (https://payments.epdq.co.uk/Ncol/Prod/Backoffice/login/index), open the Operations > View Transactions report, and check whether there is a ‘Rating’ column visible on that report.

If the Rating column shows a tick (green or blue), this indicates you are enabled for 3D Secure, but does not confirm which version of 3D Secure was used. Please note, if you process a combination of ecommerce and mail/telephone order transactions, then this tick will only show for your ecommerce transactions.


4. Exemptions

Please see our PSD2 guide for more information on SCA exemptions.

For the best customer journey, please explore how exemptions can help by visiting the Barclaycard website: https://www.barclaycard.co.uk/business/accepting-payments/corporate-payment-solutions/transact

5. One Leg Out transactions

If you accept transactions from cardholders outside of EEA & UK areas, which are often referred to as ‘one leg out’, then you must attempt to authenticate via 3DSv2 on a ‘best efforts’ basis. Please note that in this scenario issuers outside the EEA & UK may still choose to authorise a transaction without any form of authentication.

6. Are there any other things to consider?

Please review any fraud rule settings that relate to 3D Secure to ensure these match your transaction processing requirements. These may be found in the ePDQ Back Office via the Advanced > Fraud Detection > 3D-Secure menu options. You may also have your own rules which you apply to 3D Secure via your integration.