3DS2 Mandate: What Is It and How Does It Affect My Business?
Jump to a section
The 3DS2 Mandate (a mandate to reduce and protect from card fraud) is coming into effect in Australia and New Zealand on 15th October this year as part of the new Visa Secure program.
The mandate is an initiative from Visa that is being rolled out worldwide to help provide extra security for your business and your clients when accepting and processing payments.
As part of the mandate, all 3rd party service providers and merchants will need to enable, and be using, Visa Secure with EMV 3DS2 to continue processing electronic transactions.
EMV 3DS2 is an authentication protocol that was designed to reduce fraud, increase customer security and reduce merchant liability to chargebacks. The new 3D Secure 2 (3DS2) protocol has been developed to meet the requirements of the modern remote payments environment, including the mobile checkout experience, and is also the solution for European businesses to the upcoming Strong Customer Authentication (SCA) regulations.
Effective 15 October 2022 In the AP Region [Australia and New Zealand]: An Electronic Commerce Merchant must implement and actively use one or more Visa-approved measures to reduce Enumeration Attacks.– PSR: Visa Secure Updates and Introduction of Enumeration Attack Reduction Requirements (Australia and New Zealand)
When Visa refers to an Enumeration Attack, they are describing a fraudulent attack.
This is a fraud attack in which a criminal ‘systematically submits transactions with enumerated values for the primary account number (PAN), Card Verification Value 2 (CVV2), expiration date and postal code to derive legitimate payment account details. This type of attack is commonly referred to as a brute force attack,’ Visa describes in their Australia 2021 Security Roadmap Launch.
The Asia-Pacific rollout is occurring at the end of this year. As of 15 October 2022, all electronic merchants must have Visa Secure enabled with 3DS2 to process transactions with Visa. If not enabled, the merchant will be subject to the High Risk MCC timeline.
Visa have released a product roadmap and information detailing the changes to EMV 3DS2. Click the button below to download a copy.
What is EMV 3DS2?
3DS2 is a more secure way to process payments and provides a better checkout experience for shoppers. Rather than requiring a multi-step verification process, including a one-time password, 3DS2 collates online activity, and analyses previous shopping behaviour to verify a transaction. Implementing 3DS2 has been shown to increase payment approval rates and decrease successful fraudulent transactions.
For more information on 3DS2, click here.
According to Visa, businesses who implement 3DS2 are already seeing positive results:
As Visa issuers in Australia have enabled Visa Secure [with 3DS2], the benefits of the additional data available to authenticate an online transaction have been realised. Domestic transactions have experienced an uplift in approval rates and a reduction in fraud. In addition, the Non-Payment Authentication feature to authenticate a Visa cardholder outside of the transaction has proven useful in cases such as ride hailing and fuel dispensing where the transaction occurs after the goods or services are provided.– Visa Security Roadmap, 2021-2023
Information Specific to Your Setup With Us
What The Mandate Means For Integrated Partners
For Payrix partners, the 3DS2 mandate requires you to have EMV 3DS2 enabled in line with the timelines outlined by Visa. By activating 3DS2 with Payrix, all of your electronic card transactions, including Visa, Mastercard and Amex will be protected.
Depending on your relationship with us and the type of integration you have set up, you may need to plan ahead to allow for time to implement the required changes.
If you are integrated with Payrix via REST API, you can view our API documentation here for the required steps to enable 3DS2:
Key items to action include building the additional input fields required, handling verification redirect, and handling the callback.
This is an example of a Hosted Payment Page.
If you are using one of our Hosted Payment Pages, you will not need to do any development or coding work on your side to have 3DS2 enabled. Payrix will turn 3DS2 on before the date outlined by Visa, and the payer will see 3ds as part of the checkout flow moving forward.
If you are using a SOAP integration, we recommend you contact us to speak through the required steps, as they will be different depending on your setup with us. You can use the contact form below, or get in touch with your account manager at Payrix via your usual channels.
At a high level, clients with a SOAP integration will need to replace their current card capture and transaction generation calls from SOAP, move to REST Tokenisation and Transaction Processing and then process 3DS as per the 3DS sub section: https://docs.rest.paymentsapi.io/#faff43cd-5e44-471c-ad23-64a1fd28f90f.
We encourage you to contact us to work through these items so we can assist you with the required development.