Frequently Asked Questions

Get answers to your most pressing questions about fraud prevention and protection with our expertly crafted FAQ section


General

What is 3D Secure?

Designed to prevent card fraud during online transactions, 3D Secure is a security protocol that authenticates cardholders during Card-Not-Present (CNP) transactions. The “3D” refers to the three operational domains of the protocol: the issuer, the acquirer, and the interoperability domain. EMVCo, an organisation jointly owned by Visa, Mastercard, American Express, Discover, JCB, and UnionPay, provides updates to the protocol to help mitigate fraud.

3D Secure is a security protocol designed to provide an additional layer of security for online credit and debit card transactions. It adds an extra layer of protection to online shopping by enabling two-step authentication on every online purchase. The first domain is the card issuer, the second is the retailer receiving the payment, and the third is the 3DS infrastructure platform that acts as a secure go-between for the consumer and the retailer. 

Why create a new specification even though 3D Secure is already adopted in the industry?

After the introduction of 3D Secure around 17 years ago, this authentication method was adopted by the payments industry in most countries, although uptake varied from region to region. However, it was recognised that to keep up with changing trends in the marketplace and to support payment authentication using mobile devices and digital wallets, a new version of 3D Secure was required. The 3D Secure 2 (3DS2) specification was developed to account for these new payment channels, to provide enhanced security and performance, and to offer a more frictionless payment process, improving the user experience and reducing the high cart abandonment rates seen with 3D Secure 1.

What are the main changes in 3D Secure 2?

3D Secure 2 employs dynamic authentication methods such as biometrics and token-based authentication instead of static passwords.

Supporting authentication based on the enriched data elements shared through the protocol makes risk-based analysis a credible basis for deciding whether to authenticate a transaction. The user experience is refined by eliminating the initial sign-up procedure and the requirement for cardholders to use static passwords. As a result, merchants can anticipate less cart abandonment by customers.

Additionally, the message interface and challenge flows have been optimised for mobile platforms (i.e. in-app, mobile, and digital wallet).

What are the benefits of 3D secure 2?

3D Secure 2 can provide a faster, more unified, and less intrusive authentication solution by eliminating 3D Secure 1's previous shortcomings.

For merchants, cart abandonment rates will decrease. Previously, 3D Secure 1 always required a manual password entry from cardholders. Since many cardholders forget their static password, it was felt that the additional effort was not worth it, causing many cardholders to abandon the purchase altogether. By eliminating this additional manual step, Frictionless Flow increases the likelihood that cardholders will complete their transactions.

From the perspective of the issuer, it is their responsibility to determine whether a transaction is likely to be fraudulent. With 3D Secure 2, a comprehensive set of cardholder and transaction information is collected and sent to the issuer, so issuers can make better-informed risk decisions than they previously could. By enabling issuers to make informed decisions, the incidence of chargebacks from cardholders will fall, thereby reducing the time and resources required to resolve such disputes.

And for the end consumer (or "cardholder"), 3D Secure provides security that their credit card is not being used for fraudulent purposes. Compared to 3D Secure 1, 3D Secure 2 offers a much faster, more accurate, and natural method of authentication in order to achieve frictionless authentication.

What is frictionless flow, and how is it achieved?

Frictionless Flow is one of 3D Secure 2's two authentication flows. The alternative is a Challenge Flow.

Frictionless Flow enables issuers to authorise a transaction without requiring the cardholder's manual input. This is accomplished through Risk Based Authentication (RBA). RBA works by collecting a set of cardholder data during the transaction and transmitting it to the issuing bank and their Access Control Server (ACS), which then compares the collected data with the cardholder's historical transaction data to generate a fraud risk value for the new transaction. If the fraud risk value is less than a specified threshold, frictionless flow applies. Therefore, if the risk of fraud is low enough, the issuing bank will not request additional verification from the cardholder and will consider the cardholder genuine for the specified transaction. This eliminates the manual verification step that 3D Secure 1 required of cardholders.

Challenge Flow applies if the fraud risk value of a transaction exceeds the predetermined threshold. For further information about Challenge Flow, including how it functions and how this has changed between 3DS1 and 3DS2, please contact us.
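To make the threshold decision above concrete, here is an added example (not GPayments code, and not the scoring any real Access Control Server uses) that mimics the routing step: a risk value is derived by comparing the transaction against the cardholder's history, and the transaction is sent down the frictionless flow only when that value is strictly below a threshold, otherwise it is challenged. The signals, weights, threshold and the sample cardholder and transactions are all assumptions constructed for the illustration.

```python
"""Illustrative risk-based authentication (RBA) routing for 3DS2.

Added example, not GPayments code and not the scoring used by any real
Access Control Server. It mimics the decision described in the FAQ: the
ACS compares data collected during the transaction against the
cardholder's history, derives a fraud risk value, and routes the
transaction to the frictionless flow when that value is below a
threshold, otherwise to the challenge flow. Signals, weights, the
threshold and all sample data are assumptions constructed for this
example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class CardholderHistory:
    known_devices: frozenset
    usual_countries: frozenset
    typical_amount: float  # assumed: median of past spend


@dataclass(frozen=True)
class Transaction:
    device_id: str
    country: str
    amount: float
    merchant_category: str


# Assumed threshold on a 0-100 scale; strictly below it means frictionless.
FRICTIONLESS_THRESHOLD = 40
# Assumed set of merchant categories treated as higher risk.
HIGH_RISK_CATEGORIES = frozenset({"gift_cards", "crypto_exchange"})


def risk_score(txn: Transaction, history: CardholderHistory) -> int:
    """Return a risk value from 0 (benign) to 100 (very likely fraud)."""
    score = 0
    if txn.device_id not in history.known_devices:
        score += 30  # unknown device: strongest single signal in this model
    if txn.country not in history.usual_countries:
        score += 25  # purchase from a country the cardholder never uses
    if txn.amount > 3 * history.typical_amount:
        score += 30  # far above the cardholder's usual spend
    elif txn.amount > 1.5 * history.typical_amount:
        score += 10  # somewhat above usual spend
    if txn.merchant_category in HIGH_RISK_CATEGORIES:
        score += 15
    return min(score, 100)


def route(txn, history, threshold=FRICTIONLESS_THRESHOLD):
    """Decide the 3DS2 flow: 'frictionless' or 'challenge'.

    A value equal to the threshold is not 'less than', so it is challenged;
    the boundary falls on the cautious side.
    """
    return "frictionless" if risk_score(txn, history) < threshold else "challenge"


# Constructed sample cardholder: one known device, shops from AU, ~80 per order.
HISTORY = CardholderHistory(
    known_devices=frozenset({"dev-aaa"}),
    usual_countries=frozenset({"AU"}),
    typical_amount=80.0,
)

# Constructed sample transactions with the score each one earns in this model.
SAMPLE_TRANSACTIONS = {
    "usual": Transaction("dev-aaa", "AU", 65.0, "groceries"),               # 0
    "pricey_gift_card": Transaction("dev-aaa", "AU", 150.0, "gift_cards"),  # 10 + 15
    "new_device": Transaction("dev-zzz", "AU", 130.0, "groceries"),         # 30 + 10
    "abroad_big_spend": Transaction("dev-zzz", "BR", 900.0, "gift_cards"),  # capped at 100
}


def demo():
    """Route each sample transaction and return {name: (score, flow)}."""
    return {name: (risk_score(t, HISTORY), route(t, HISTORY))
            for name, t in SAMPLE_TRANSACTIONS.items()}


if __name__ == "__main__":
    for name, (score, flow) in demo().items():
        print(f"{name:>18}: risk={score:3d} -> {flow}")
```

The "new_device" case lands exactly on the threshold and is challenged, which is the behaviour a defender wants at the boundary; raising the threshold by one would let it through, so the threshold itself is a policy decision the issuer has to tune against its own fraud and abandonment figures.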

Do all e-commerce sites use 3D Secure?

No, it is the responsibility of each merchant to implement 3D Secure. However, in nations such as India and South Africa, 3D Secure is mandatory.

What is the liability shift rule in 3D Secure 2?

Currently, liability shift is given to all merchants who attempt 3D Secure 1 authentication. This is true even if the card's issuing bank does not endorse 3D Secure 1 or if the cardholder has not registered in the protocol. This is a major advantage of 3D Secure 1, as merchants who merely attempt authentication can rid themselves of chargeback liability.

3D Secure 2 supports liability shift. As the updated protocol is gradually implemented, different card schemes determine their own liability shift implementation rules. Mastercard began supporting liability shift as of October 2018, whereas Visa activates liability shift based on the merchant's location. Various regions have had dates ranging from April 2019 through April 2020. Contact us via the form for more information on liability shift and how GPayments can help merchants benefit from liability shift.

Have I used 3D Secure before?

You may have encountered 3D Secure without realising it. If you have been prompted to enter the password for your credit card when online shopping, it is likely that the site uses 3D Secure. All major card brands implement 3D Secure and market their 3D Secure services under different brand names. Visa refers to it as "Verified by Visa," Mastercard refers to it as "Mastercard Identity Check," and American Express brands it as "American Express SafeKey" for their 3D Secure services. However, in the end, they all accomplish the same goal, the use of 3D Secure.

When is the sunset date for 3D Secure 1.0.2? How can you transition to 3D Secure 2.0?

As of 17 October 2021, Visa no longer guarantees merchants for transactions authorized with the 3D Secure v1 protocol, and as of October 21, 2022, secure payments must use the 3D Secure v2 protocol. As of October 14, 2022, Mastercard no longer accepts new 3D Secure v1 enrolments. As of October 18, 2022, Mastercard no longer processes any 3D Secure v1 transactions for cardholder authentication. At GPayments we are committed to supporting the industry's transition from 3DS 1.0.2 to EMV 3DS 2.0. EMV 3DS 2.0 delivers improved authentication that makes online payments more secure and lowers fraudulent transactions. It is mobile-friendly and has a more robust data flow and better flexibility. This enhances the user experience, stimulates higher sales with less friction, and provides a better platform. If you have any questions or concerns about the transition, please get in touch with our team.

What card schemes do you support on EMV 3DS?

GPayments supports all major global card schemes including Visa, Mastercard, American Express, Discover/Diners, JCB, eftpos and UPI, with more to come on our roadmap. Stay tuned or ask the GPayments team if you have questions about specific networks or regions.

What happens if merchants do not use 3-D Secure?

Outside of Europe (and other regulated jurisdictions), retailers may opt to use the liability protection features of 3-D Secure. This implies that when an issuer authenticates a digital transaction, they are certain that the transaction is valid, and if the transaction turns out to be fraudulent, they will assume responsibility for the fraud. This is a tremendous advantage for the merchant and a tremendous risk reduction tool. The issuer has a wealth of information on its cardholders, so if they validate a transaction, they are quite certain that the cardholder in question is their own.

In Europe, with SCA enforced from December 2020 (for most of the EEA) and from September 2021 (for the UK), a transaction that requires SCA but is submitted without 3DS and without an applicable exemption can expect a soft decline signalling that it needs to be authenticated. If the merchant resubmits the transaction without authenticating it, the transaction may be declined outright, resulting in the loss of the sale.

As regulatory agencies begin enforcing the SCA requirements, our recommendation is to implement EMV 3DS immediately, as we expect the consequences of not having it to become more severe. Planning and implementing in advance allows businesses to get it up and running and maximise their 3DS performance without the pressure of a deadline. Contact our team for more information on how we can help you implement EMV 3DS.

Why is EMV 3DS a helpful solution in Europe?

In regulated regions, such as the European Economic Area (EEA), where PSD2's Strong Customer Authentication (SCA) requirement is in place (albeit not enforced in most nations until late 2020 or early 2021), EMV 3DS provides the two-factor authentication needed to satisfy SCA.

Is EMV 3DS backward compatible? If a merchant installs EMV 3DS version 2.2 today, what degree of work will be required to implement future versions?

This is a crucial factor for retailers. When implementing 3DS, merchants should ensure that just one core implementation is required. Merchants that use GPayments today are approved for EMV 3DS versions 2.2 and 2.1 (the most recent versions in production) as well as 3DS version 1.0. If you are considering deploying now, ensure that your supplier is able to handle all current versions, including version 1.0, which will be utilised throughout the transition period.

When the next version of EMV 3DS is published, the merchant may need to take advantage of additional data points and fields for new functionality, but it is not necessary to replace the complete implementation every time the specification is updated.

What are Payment APIs?

An API, or Application Programming Interface, is a way for different software applications to communicate with each other. It acts as a set of rules and protocols that define how these applications can interact and exchange data. Payment APIs, also known as payment gateway APIs or payment processing APIs, are specific types of APIs that enable apps and eCommerce sites to accept payments and facilitate the purchase process.

What are Payment Gateways?

An online service that authorises the transfer of funds between sellers and buyers in an online marketplace. It facilitates transactions by transferring data between payment portals, such as a website and a bank.

What is SSL/TLS encryption? 

SSL/TLS encryption is a security protocol that encrypts communications between a client and server, primarily web browsers and web sites/applications. SSL (Secure Sockets Layer) encryption, and its more modern and secure replacement, TLS (Transport Layer Security) encryption, protect data sent over the internet or a computer network. 

Is 3D Secure mandatory in Australia? 

3D Secure is not mandatory in Australia. While the AusPayNet regulations require all big Australian merchants to implement 3D Secure, it is not mandatory for all merchants operating in Australia and New Zealand to have 3DS2.0 enabled by 15 September 2022. 

What is PSD2?

PSD2 (Payment Services Directive 2) is a European regulation for electronic payment services that seeks to make payments more secure in Europe, boost innovation, and help banking services adapt to new technologies.  

What are the main benefits of PSD2 for consumers? 

PSD2 ensures safer online transactions through strong security requirements like SCA, protecting consumers' financial data and privacy. It also promotes more choices and tailored solutions for consumers in the financial services market. 

What are the main benefits of PSD2 for businesses? 

PSD2 provides businesses with faster and more effective decision-making by accessing relevant customer information. It also offers more control over financial data and encourages innovation and competition in the market. 

What is the impact of artificial intelligence on risk management? 

Artificial intelligence (AI) is transforming risk management by providing faster, more accurate, and more reliable data-driven insights. AI and machine learning (ML) tools are increasingly being used in risk management for quicker and more efficient credit, investment, and business-related decision making. AI algorithms can identify patterns of behaviour related to past incidents and transpose them as risk predictors.  

What are chargebacks? 

A chargeback is a transaction where funds are transferred by an issuing bank from the merchant’s account to the customer’s account. Chargebacks occur when a customer disputes a card transaction. 

How can chargebacks be minimised in risk management?  

Implement multi-layered payment protocols: Utilise robust payment protocols to detect and prevent fraudulent transactions, reducing the risk of chargebacks. 

What is EMV and EMVCo?

EMV stands for Europay, Mastercard, and Visa, which are the three companies that created the EMV standard. It is a payment method based on a technical standard for smart payment cards and payment terminals. The EMV standard is a security technology used worldwide for payments made with credit, debit, and prepaid EMV smart cards.  

EMVCo is a technical body that manages and promotes the EMV Specifications and programs. It is now a consortium of financial institutions, including American Express, Discover Financial, JCB International, Mastercard, China UnionPay, and Visa Inc. EMVCo's mission is to enable seamless and secure card-based payments for businesses and consumers worldwide.

What are the advantages of using EMV chip cards over traditional magnetic stripe cards?

EMV chip cards offer enhanced security, guaranteed authenticity, better information storage, reduced liability, and global acceptance compared to traditional magnetic stripe cards.

What are SDKs?

A software development kit (SDK) is a set of software tools and programs that help developers create applications for a specific platform, system, or programming language. An SDK typically includes an API, but it also includes other tools to build software for a particular platform. SDKs not only let developers create new tools efficiently, but also make the process easier because everything is pre-built.

What are SDKs in online payment systems?

SDKs in online payment systems are sets of tools and resources that enable developers to integrate payment processing functionalities into their applications. They can include:

  • Payment processing
  • Encryption & security
  • Alternative payment methods
  • Web payments
  • Mobile payments

What is the difference between a payment SDK and a payment API?

While they are both tools used in online payment systems, they differ in several ways.

Payment SDKs:

  • Are sets of tools and resources that enable developers to build and enhance mobile applications for specific platforms.
  • Provide developers with the necessary resources to create mobile applications for specific platforms.
  • Are designed for specific platforms, such as Android or iOS, and provide platform-specific functionalities and features.

Payment APIs:

  • Are application programming interfaces that enable apps and eCommerce sites to accept payments by ensuring communication between all entities involved in that process.
  • Allow businesses to configure their payment processing infrastructure and create custom credit or debit card processing setups unique to their eCommerce business.
  • Provide encryption and security features to protect sensitive payment information, such as card numbers and personal data.

What is ActiveSDK?

ActiveSDK is a 3-D Secure 2 solution provided by GPayments Pty Ltd. It is a mobile SDK that facilitates the collection of data about the consumer so that an informed decision can be made about the transaction's risk of being fraudulent. ActiveSDK can be deployed in various ways; it can be a standalone SDK for developers to connect to and use, or it can be wrapped inside another SDK for payment gateways to distribute as part of their own SDK.

ActiveSDK was developed in accordance with the official EMVCo 3D Secure 2 specifications. This means ActiveSDK utilises a standard set of APIs and can be used with any other 3D Secure 2 component on the market. ActiveSDK simplifies the integration process for the end merchant and helps issuers achieve more accurate authentication results, which in turn helps secure the consumer's credit card from fraud.

What is Access Control Server?

An Access Control Server (ACS) is a tool used in various contexts to prevent fraudulent transactions and authenticate users. In the 3D Secure protocol, the ACS is the issuer-side component that authenticates the cardholder.

What is Merchant Plug-in (MPI)?

A Merchant Plug-in (MPI) is a software module designed to facilitate 3D-Secure verifications and prevent credit card fraud during online transactions. The MPI identifies the customer's card details and queries the servers of the card issuer (Visa, MasterCard, or JCB International) to determine if it is enrolled in a 3D-Secure program. If the card is enrolled, the MPI returns the web site address of the issuer access control server (ACS). The ACS is responsible for authenticating the cardholder by verifying their username and password. The MPI verifies the ACS signature and decides whether to proceed with the transaction. 
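The last step in that description, the MPI verifying the ACS's signed result before proceeding, is the one with the most security weight, so here is an added example of the two checks it must perform. This is not GPayments code and not the real 3-D Secure message format or signature scheme; the message layout, the status values and the HMAC-SHA256 signature are constructed stand-ins. What carries over is the general principle: reject the result if the signature does not verify, and reject it if it was issued for a different transaction.

```python
"""Illustrative verification of a signed authentication result.

Added example, not GPayments code and not the real 3-D Secure message
format or signature scheme. It stands in for the step in which the MPI
checks the ACS's signed result before letting the transaction proceed.
The message layout, the 'status' values and the HMAC-SHA256 signature
are constructed for this example; the two checks it demonstrates are the
general ones: the signature must verify, and the result must belong to
this transaction.
"""
import hashlib
import hmac
import json

# Constructed shared secret standing in for whatever key material the
# real signing scheme uses.
ACS_KEY = b"constructed-demo-key-not-for-production"


def canonical(result: dict) -> bytes:
    """Stable byte encoding so signer and verifier hash identical input."""
    return json.dumps(result, sort_keys=True, separators=(",", ":")).encode()


def acs_sign(result: dict, key: bytes = ACS_KEY) -> str:
    """ACS side: HMAC-SHA256 over the canonical result, hex encoded."""
    return hmac.new(key, canonical(result), hashlib.sha256).hexdigest()


def mpi_verify(result: dict, signature: str, expected_txn_id: str,
               key: bytes = ACS_KEY):
    """MPI side: return (proceed, reason).

    Order matters: the signature is checked first so that no field of an
    unauthenticated message influences the decision; the comparison is
    constant-time so the check does not leak how many bytes matched.
    """
    if not hmac.compare_digest(acs_sign(result, key), signature):
        return False, "signature mismatch"
    if result.get("txn_id") != expected_txn_id:
        return False, "result belongs to a different transaction"
    if result.get("status") != "authenticated":
        return False, f"cardholder not authenticated (status={result.get('status')!r})"
    return True, "authenticated"


# Constructed sample result as the ACS would sign it for one transaction.
SAMPLE_RESULT = {"txn_id": "txn-0001", "amount": "65.00", "status": "authenticated"}
SAMPLE_SIGNATURE = acs_sign(SAMPLE_RESULT)


def demo():
    """Run the verifier over the genuine result and three bad variants."""
    tampered = dict(SAMPLE_RESULT, amount="6500.00")        # field altered in transit
    failed = dict(SAMPLE_RESULT, status="not_authenticated")  # ACS said no
    return {
        "genuine": mpi_verify(SAMPLE_RESULT, SAMPLE_SIGNATURE, "txn-0001"),
        "tampered": mpi_verify(tampered, SAMPLE_SIGNATURE, "txn-0001"),
        "replayed": mpi_verify(SAMPLE_RESULT, SAMPLE_SIGNATURE, "txn-0002"),
        "failed": mpi_verify(failed, acs_sign(failed), "txn-0001"),
    }


if __name__ == "__main__":
    for name, (proceed, reason) in demo().items():
        print(f"{name:>9}: proceed={proceed} ({reason})")
```

The "replayed" case is the one most often missed: the signature is perfectly valid, because the ACS really did sign that result, but for another transaction. Binding the result to the transaction identifier the MPI itself started is what stops a genuine "authenticated" result from being reused.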

What is biometric authentication?

Verification of an individual's identity based on their unique biological characteristics, including facial recognition or voice identification. Biometric authentication systems compare captured biometric data with confirmed authentic database data. For authentication to be validated, both biometric data samples must match.

What is Card Not Present Fraud? 

A card-not-present (CNP) transaction is one in which the card details are entered manually without the card being physically presented to the merchant; fraud committed in such a transaction is card-not-present (CNP) fraud. This type of fraud typically occurs online when the fraudulent party obtains the cardholder's information without their consent, such as their three-digit security code. Commonly, CNP fraud is committed via phishing.

What are Card Schemes?

Card schemes are payment networks that establish regulations and provide infrastructure to issue cards and process card-based transactions, such as debit and credit card transactions. Issuers (bank or financial institution) and acquirers (merchant or customer) must be part of the same network as the card for a payment to be processed.

What is a Directory Server?

A central repository for storing and operating data, including identity profiles. Directory Server can be used to authenticate and authorise users to ensure safe access to an organisation, internet services, and applications. Directory Server is expandable as it can be integrated within existing systems, and permits the integration of employee, customer, supplier, and associates data.

Define Risk-Based Authentication

An authentication and authorisation technology that uses a variety of user-provided factors. This includes evaluating the user's behaviour, devices, and other variables to determine if they pose a threat. If the user fails to meet a set standard, they will be asked to provide additional verification information. This could be the answer to a security question or a biometric element.

Define Frictionless Flow

Instated through risk-based authentication performed in the ACS, this feature enables issuers to approve a payment without interacting with the cardholder. As the customer confirms an online purchase, all their shopping details, including device data, item purchased, and value, are sent to the ACS to verify the cardholder's identity using risk-based elements. Since this procedure occurs invisibly, it is considered frictionless.  Customers are guided to the order confirmation page without being informed that their transaction has been screened.

Define Liability Shift

When the liability for chargeback loss is transferred back to the bank from the merchant. This typically occurs during eCommerce transactions in which the cardholder denies making a purchase, as well as fraudulent transactions.

What is Non-Payment User authentication?

A category of 3DS messages that can be used to verify identity outside of the payment ecosystem, allowing wallet providers and issuers to streamline the provisioning and activation of cardholders in a secure manner.

Define One-Time-Passwords

One-time passwords are a system that provides a mechanism for logging on to a network or service with a password that is unique and valid for only one login session or transaction. This protects online bank accounts, enterprise networks, and other systems that contain sensitive information, from certain types of identity fraud by making sure that a stored username and password cannot be used more than once.

What is Two Factor Authentication (2FA)?

A type of multi-factor authentication that verifies the claimed identities of users.  

The method authenticates the transaction using two of the three factors:

  1. Information the user knows, such as a password or PIN

  2. Something the user owns, such as a card or mobile phone

  3. Something the user is, such as fingerprints or facial recognition

Define Out-Of-Band Authentication

Out-of-band (OOB) authentication is an authentication mechanism that requires two distinct signals delivered over two separate channels or networks. In a business environment, OOB satisfies security requirements by generating a request for secondary verification over a channel other than the one the transaction uses.

What is Strong Customer Authentication (SCA)?

Strong Customer Authentication is a European legal mandate designed to make online payments more secure by requiring stronger verification, such as biometrics, for card-not-present digital transactions. Under the PSD2 (Revised Payment Services Directive) regulations, the user is required to provide more than just the card number and CVC verification code at the time of payment.

SCA uses three distinct types of information to confirm user identities:

  1. Information the user knows, such as a password or PIN

  2. Something the user owns, such as a card or mobile phone

  3. Something the user is, such as fingerprints or facial recognition

Define Transaction/Cart Abandonment

The act of a potential eCommerce customer abandoning their purchases/shopping cart during the payment phase of the checkout process. This typically occurs when a customer forgets the additional 3-D Secure verification requirement or when the page does not display correctly on a mobile device.

What are false declines?

False declines are legitimate credit card transactions that are incorrectly declined by the credit card issuer or merchant as suspected fraud attempts. They are also known as false positives. False declines occur when a legitimate transaction is flagged as fraudulent and rejected, causing frustration for the customer and lost revenue for the merchant.

What are causes for false declines?
  • Filters for the location of the shopper
  • Delivery address not matching the card’s billing address
  • Incorrect credit card information entered by the customer
  • High-risk transactions
  • Suspicious activity on the customer's account
  • Technical issues with the payment processing system
  • Overly strict fraud detection criteria

What are authentication channels?

Authentication channels are communication channels that are used to verify the identity of users or devices accessing a system or application.

Examples of authentication channels include:

  • Standard authentication
  • Encrypted authentication
  • Omni-channel authentication
  • Verification channels
  • Channel authentication records

What is the difference between 3D Secure 1.0 and 3D Secure 2.0?

Authentication:

  • 3DS 1.0: Used static passwords or OTPs, often inconvenient and less secure.
  • 3DS 2.0: Employs dynamic, user-friendly methods like biometrics and device fingerprinting, enhancing security.

Frictionless Experience:

  • 3DS 1.0: Typically involved user intervention for every transaction.
  • 3DS 2.0: Offers a smoother, "behind-the-scenes" authentication process for low-risk transactions, reducing cart abandonment.

Risk Assessment:

  • 3DS 1.0: Had limited risk assessment capabilities.
  • 3DS 2.0: Utilises real-time data sharing for better risk evaluation.

Mobile Optimisation:

  • 3DS 1.0: Not mobile-friendly.
  • 3DS 2.0: Designed for mobile devices, improving the user experience.

Merchant Benefits:

  • 3DS 1.0: Merchants had less control and faced potential sales loss.
  • 3DS 2.0: Offers customisation options and enhanced liability protection for merchants.

What are the recent updates or changes in the regulations regarding 3D Secure in Australia or other regions?

  • AusPayNet regulations require all big Australian merchants to implement 3D Secure.
  • Visa has withdrawn the proposed 3DS2 mandate, so it is no longer mandatory for merchants operating in Australia and New Zealand to have 3DS2.0 enabled by 15 October 2022 to continue transacting with Visa. However, it is still strongly recommended to have 3DS2 as an additional protection against fraud.
  • Mastercard has increased the price of 3DS1 authentication in the APAC region, including Australia, Hong Kong, Malaysia, New Zealand, and Singapore.
  • Strong Customer Authentication regulation as part of PSD2 in Europe and similar regulations in the UK, India, and Australia may require the use of 3DS for card authentication.
  • 3DS2 awareness and adoption lag in Australia ahead of an October 2022 implementation target set by card issuers, and some retailers.

How does EMVCo contribute to enhancing the security of card-based payments worldwide?

EMVCo enhances card-based payment security worldwide by setting global standards for EMV chip technology, 3D Secure, tokenisation, and security assessments. It ensures interoperability, certifies compliance, and educates stakeholders, making card transactions more secure and resilient against fraud.

What are some real-world applications of biometric authentication in the payment industry?

Real-world applications of biometric authentication in the payment industry include fingerprint and facial recognition for unlocking mobile wallets, authorising transactions, and accessing banking apps, enhancing security and user convenience.

What factors contribute to a liability shift in eCommerce transactions?

A liability shift in eCommerce transactions typically occurs when the party that does not support EMV chip or 3D Secure authentication bears responsibility for fraud losses. This shift is influenced by factors such as card network rules, compliance, and adoption of secure payment technologies.

How can GPayments' ActiveSDK be integrated into different payment systems, and what benefits does it offer to issuers and merchants?

GPayments' ActiveSDK can be integrated into various payment systems using its APIs and libraries. It offers benefits like 3D Secure 2.0 compliance, improved security, fraud reduction, and enhanced user experience for issuers and merchants in online card transactions.

How do Merchant Plug-ins (MPIs) contribute to preventing credit card fraud during online transactions in more detail?

Merchant Plug-ins (MPIs) contribute to preventing credit card fraud during online transactions by facilitating the authentication process for cardholders. They enable the use of 3D Secure protocols, which add an extra layer of security through user authentication. MPIs help verify the identity of cardholders through methods like one-time passwords, reducing the risk of fraudulent transactions and providing liability protection for merchants.

How can risk-based authentication improve the user experience in online payments?

Risk-based authentication can improve the user experience in online payments by reducing unnecessary authentication steps. It assesses the risk of a transaction and, for low-risk ones, allows seamless, "behind-the-scenes" processing without user intervention. This reduces friction, making online payments faster and more user-friendly.

What are some practical examples of frictionless flow in online payment processes?

Practical examples of frictionless flow in online payments include one-click purchases, biometric authentication (e.g., fingerprint or facial recognition), and risk-based authentication, where low-risk transactions are processed without requiring users to enter additional verification. These streamline the payment process, enhancing user convenience.

What are the use cases of Non-Payment User authentication in 3DS2?

Non-Payment User Authentication in 3DS2 extends authentication beyond payments. It's used for various online activities like accessing accounts, changing settings, or performing high-risk actions. This adds security without disrupting user experience in non-payment scenarios, such as account login, password reset, or device management.

How do One-Time Passwords (OTPs) enhance security in online banking and transactions?

One-Time Passwords (OTPs) enhance security in online banking and transactions by providing a dynamic and time-sensitive code that users must enter for verification. They offer an additional layer of security, as these codes are generated for each transaction or login attempt and are valid only for a short time. This makes it significantly harder for attackers to gain unauthorised access or conduct fraudulent transactions, improving overall security.
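The two properties claimed for OTPs here and in the "Define One-Time-Passwords" entry above, valid once and valid briefly, are easy to state and easy to get wrong in an implementation. Here is an added example (not GPayments code, and not a description of how any particular bank delivers OTPs) that enforces both, plus the guess limit a six-digit code needs. The digit count, validity window, attempt limit and server key are assumptions; the clock is injectable so the expiry path runs without waiting.

```python
"""Illustrative one-time-password issuance and verification.

Added example, not GPayments code and not a description of how any
particular bank delivers OTPs. It demonstrates the properties attributed
to OTPs in the FAQ: a code is valid for one use only and only for a
short window, so a captured or reused code is worthless. Codes are
stored as keyed hashes rather than in clear, compared in constant time,
and voided after too many wrong guesses, since a six-digit code is small
enough to guess by brute force otherwise. The TTL, digit count, attempt
limit and server key are assumptions; the clock is injectable so the
expiry path can be exercised without waiting.
"""
import hashlib
import hmac
import secrets
import time

OTP_DIGITS = 6            # assumed code length
OTP_TTL_SECONDS = 120     # assumed validity window
MAX_ATTEMPTS = 5          # assumed wrong-guess limit before the code is voided
# Constructed server-side key: without it a leaked store cannot be
# brute-forced offline against the 10**6 possible codes.
SERVER_KEY = b"constructed-demo-key-not-for-production"


def _digest(code: str) -> str:
    return hmac.new(SERVER_KEY, code.encode(), hashlib.sha256).hexdigest()


class OtpStore:
    """Pending OTPs keyed by session: {session_id: [digest, expires_at, attempts]}."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}

    def issue(self, session_id: str) -> str:
        """Create a fresh code for the session. It is returned here; a real
        system delivers it to the user over a separate channel such as SMS."""
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self._pending[session_id] = [_digest(code), self._clock() + OTP_TTL_SECONDS, 0]
        return code

    def verify(self, session_id: str, code: str):
        """Return (accepted, reason). Every terminal outcome removes the code."""
        entry = self._pending.get(session_id)
        if entry is None:
            return False, "no pending code (never issued or already used)"
        digest, expires_at, attempts = entry
        if self._clock() > expires_at:
            del self._pending[session_id]
            return False, "expired"
        if not hmac.compare_digest(digest, _digest(code)):
            entry[2] = attempts + 1
            if entry[2] >= MAX_ATTEMPTS:
                del self._pending[session_id]
                return False, "too many wrong attempts; code voided"
            return False, "wrong code"
        del self._pending[session_id]   # single use: consume on success
        return True, "accepted"


class FakeClock:
    """Controllable clock so the expiry path can be driven deterministically."""

    def __init__(self, start=1_000_000.0):
        self.now = start

    def __call__(self):
        return self.now


def demo():
    """Exercise accept, replay, expiry and lockout; return each outcome."""
    clock = FakeClock()
    store = OtpStore(clock)
    out = {}
    code = store.issue("s1")
    out["first_use"] = store.verify("s1", code)
    out["replay"] = store.verify("s1", code)          # same code again
    code = store.issue("s2")
    clock.now += OTP_TTL_SECONDS + 1                  # past the window
    out["expired"] = store.verify("s2", code)
    code = store.issue("s3")
    wrong = f"{(int(code) + 1) % 10 ** OTP_DIGITS:0{OTP_DIGITS}d}"
    for _ in range(MAX_ATTEMPTS):
        out["lockout"] = store.verify("s3", wrong)
    out["after_lockout"] = store.verify("s3", code)   # right code, too late
    return out


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:>13}: accepted={ok} ({reason})")
```

Deleting the entry on success is what makes the code single-use; without that one line a code intercepted in transit could be replayed for the rest of its window, which is exactly the gap OTPs exist to close.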

What are some common examples of Two-Factor Authentication (2FA) implementations in the payment industry?

Common examples of Two-Factor Authentication (2FA) in the payment industry include:

  • OTP via SMS: Users receive a one-time password via text message to verify their identity during transactions.
  • Biometric Authentication: Users authenticate using fingerprints, facial recognition, or other biometric data.
  • Hardware Tokens: Users carry physical devices that generate OTPs for authentication.
  • Mobile Authenticator Apps: Users employ smartphone apps like Google or Microsoft Authenticator to generate OTPs.

How does Out-Of-Band Authentication enhance security in multi-factor authentication?

Out-of-Band Authentication enhances security in multi-factor authentication by using separate communication channels for verification. For example, if a user logs in on a computer, the authentication code is sent to their mobile device via SMS. This prevents attackers from intercepting both the login request and the verification code in a single channel, making it more difficult for them to compromise the authentication process.

How does Strong Customer Authentication (SCA) impact online payment security and compliance with PSD2?

Strong Customer Authentication (SCA) enhances online payment security and ensures compliance with PSD2 by requiring two or more authentication factors for electronic transactions. This includes something the customer knows (e.g., a password), something the customer has (e.g., a mobile device), or something the customer is (e.g., biometric data). SCA reduces the risk of fraud and unauthorised access, protecting both consumers and businesses, and aligns with PSD2 regulations to make electronic payments more secure and trustworthy.

What strategies can businesses employ to reduce transaction/cart abandonment during the checkout process?

To reduce transaction/cart abandonment during checkout, businesses can employ strategies such as:

  • Streamlined Checkout: Simplify the checkout process with as few steps and form fields as possible.
  • Guest Checkout: Allow users to check out without creating an account for a faster experience.
  • Transparency: Clearly display shipping costs, taxes, and any additional fees upfront.
  • Multiple Payment Options: Offer a variety of payment methods to accommodate user preferences.
  • Mobile Optimisation: Ensure a seamless mobile experience with responsive design and mobile-friendly payment options.
  • Trust Signals: Display security icons, customer reviews, and trust badges to build confidence.
  • Remarketing: Use email reminders or retargeting ads to bring back abandoned carts.
  • Exit-Intent Popups: Show popups with special offers or incentives when users try to leave the checkout page.
  • Progress Indicators: Show users where they are in the checkout process with progress bars.
  • Error Handling: Provide clear error messages and guidance if users encounter issues.

How can false declines negatively impact a merchant's revenue and customer experience?

False declines can negatively impact a merchant's revenue and customer experience by rejecting legitimate transactions. This frustrates customers, leads to lost sales, and damages the merchant's reputation. Customers may seek alternatives, and merchants lose revenue opportunities, hurting their bottom line and customer relationships.

What proactive measures can businesses take to minimise false declines?

Proactive measures to minimise false declines include:

  • Advanced Fraud Detection: Implement robust fraud detection systems.
  • Machine Learning: Use AI and machine learning to improve fraud detection accuracy.
  • Customer Profiling: Analyse customer behaviour for abnormal patterns.
  • Dynamic Rules: Adjust fraud rules based on real-time data.
  • Behavioural Analytics: Monitor user behaviour for signs of fraud.
  • Risk-Based Authentication: Use risk assessment to trigger authentication when needed.
  • Transparent Communication: Educate customers about security measures to prevent false alarms.
  • Transaction Analysis: Carefully examine transactions before declining.
  • Review Systems: Employ manual review processes for borderline cases.
  • Feedback Loop: Continuously improve fraud prevention based on insights.

Are there specific authentication channels that are recommended for use in securing online payment transactions?

Authentication channels recommended for securing online payment transactions include:

  • EMV Chip: For card-present transactions, EMV chip technology is highly recommended due to its strong security features.
  • 3D Secure 2.0: A risk-based authentication method for card-not-present transactions, offering improved security and user experience.
  • Biometric Authentication: Utilising fingerprints, facial recognition, or other biometric data for added security.
  • Tokenisation: Replacing sensitive card data with tokens to protect against data breaches.
  • Out-of-Band Authentication: Using separate channels (e.g., SMS or mobile apps) for verification to enhance security.
  • Multi-Factor Authentication (MFA): Combining two or more authentication factors (e.g., something you know, have, or are) for stronger security.

What factors should merchants consider when deciding whether to implement 3D Secure on their e-commerce sites?

Merchants should consider factors like transaction volumes, fraud risk, customer experience, and regulatory requirements when deciding whether to implement 3D Secure on their e-commerce sites. Assessing the balance between security and user convenience is key.

How does GPayments ensure the compatibility of its solutions with various payment gateway providers?

GPayments ensures compatibility with payment gateway providers through rigorous testing and adherence to industry standards and protocols, allowing their solutions to seamlessly integrate with a wide range of payment gateway services.

What is the role of the Payment Services Directive (PSD2) in reshaping the European payment landscape?

The Payment Services Directive (PSD2) reshapes the European payment landscape by promoting competition, enhancing security through Strong Customer Authentication (SCA), and fostering innovation. It opens up access to payment data and services for third-party providers, leading to new payment methods and improved consumer protection in online transactions.

How does GPayments assist businesses in implementing risk-based authentication for online transactions?

GPayments assists businesses in implementing risk-based authentication for online transactions by offering solutions that assess transaction risk in real-time. Their technology adapts authentication requirements based on the risk level, ensuring a secure and user-friendly experience while mitigating fraud.

What is the role of tokenisation in payment processing?

Tokenisation replaces sensitive card data (such as credit card numbers) with a unique token. This token is valueless to attackers and can be safely used for payment processing, reducing the risk of data breaches and fraud. It enhances security, facilitates recurring payments, and supports various payment methods across different channels.

How do payment processors handle cross-border transactions?

Payment processors handle cross-border transactions by:

  • Currency Conversion: Converting payment amounts to the local currency.
  • Compliance: Ensuring adherence to international regulations.
  • Risk Management: Assessing and managing the unique risks of cross-border transactions.
  • Multi-Currency Support: Offering the ability to accept and settle payments in multiple currencies.
  • Fraud Detection: Employing advanced fraud detection systems to safeguard transactions.
  • Global Reach: Partnering with international banks and networks to facilitate transactions worldwide.
  • Language Support: Providing multilingual customer support and documentation.

This enables merchants to accept payments from customers around the world while navigating the complexities of international commerce.

What countries have a 3D Secure mandate?

Here is a list of countries where 3D Secure is mandated or required by regulations:

  • India
  • South Africa
  • Nigeria
  • Singapore
  • Bangladesh
  • Malaysia

Here is a list of countries where 3D Secure is not necessarily mandated but is encouraged for customer security:

  • Europe (all European countries comply with PSD2, which makes 3DS compulsory for them all)
  • USA
  • Australia
  • China
  • Vietnam

What is India's mandate for 3D Secure?

India introduced a mandatory 2-factor authentication for cards in 2014, which means that 3D Secure is effectively mandated on all online payment transactions in India. However, there have been some reports that international payment gateways may not always require 3D Secure for Indian credit cards. Starting July 28, 2021, all international card payments made to new Indian Stripe accounts created after this date will go through 3D Secure (3DS). Other sources also confirm that India is one of the countries where 3D Secure is mandatory.

How does the 3D Secure mandate affect merchants in India?

The 3D Secure mandate in India affects merchants in the following ways:

  • Higher mandate for customer verification: The 3D Secure mandate effectively places a higher mandate on merchants to ensure they are only dealing with real, trustworthy customers. This means merchants will have to implement additional measures to verify the identity of their customers.
  • Compliance with regulations: Merchants in India are required to comply with the 3D Secure mandate to ensure the security of online payment transactions and protect against fraud. Failure to comply with the mandate may result in penalties or fines.
  • Impact on acceptance rates: Implementing 3D Secure may result in lower acceptance rates for some merchants. However, India has mandated 3D Secure, which means that merchants there may have no choice but to implement it.
  • Improved security: Implementing 3D Secure can help merchants improve the security of online payment transactions and protect against fraud. This can help to build trust with customers and improve the overall customer experience.
  • Additional costs: Implementing 3D Secure may require additional costs for merchants, such as upgrading their payment systems or implementing new security measures. However, the cost of non-compliance may be higher in the long run.

What are some unique challenges and solutions related to payment security in the mobile app ecosystem?

Challenges related to payment security in the mobile app ecosystem include:

  • Device Diversity: Numerous devices and operating systems pose compatibility and security challenges.
  • Data Storage: Protecting sensitive payment data stored on mobile devices.
  • App Store Security: Ensuring app stores are free from malicious apps.
  • Authentication: Balancing security and user convenience in authentication methods.

What are the advantages of using GPayments' ActiveSDK over other 3D Secure 2 solutions in the market?

GPayments' ActiveSDK has several advantages over other 3D Secure 2 solutions in the market, including:

  • Frictionless authentication process: ActiveSDK enables customers to check out faster through the frictionless authentication process of 3D Secure 2. Customers won't notice a thing, and merchants can create a clean and unified app interface, allowing authentication to occur natively inside the app.
  • More accurate authentication results: ActiveSDK facilitates the data collection process by gathering information about the customer's mobile device. In turn, authentication results can be more accurate than ever before.
  • Reduced liability and potential chargebacks: The primary benefit of 3D Secure Authentication for merchants is reduced liability and potential chargebacks. If a fraudulent transaction occurs, the card issuer may take responsibility instead of the merchant.
  • Improved customer experience: With improved security measures, customers will feel more secure making purchases from a business. This can result in increased customer satisfaction and loyalty.
  • Lower processing fees: Card issuers often offer lower processing fees for transactions made with 3D Secure 2.

How does GPayments ensure the security and privacy of user data when providing authentication solutions?

GPayments takes the security and privacy of user data seriously when providing authentication solutions. Here are some ways they ensure security and privacy:

  • Controlled and secure environment: GPayments secures the personally identifiable information provided by users on computer servers in a controlled and secure environment, protected from unauthorised access, use, or disclosure.
  • Robust fraud prevention solutions: GPayments offers robust fraud prevention solutions for eCommerce and mCommerce transactions, which can prevent chargebacks and false declines with their comprehensive range of integrated solutions.
  • Stronger fraud protection: GPayments' 3D Secure 2 solutions separate payments and mCommerce purchases using eWallets to reduce risk and enable an extra layer of security. This provides stronger fraud protection for users.
  • Compliance with regulations: GPayments complies with relevant regulations and standards, such as the Payment Card Industry Data Security Standard (PCI DSS) and the General Data Protection Regulation (GDPR).  
  • Informative and enjoyable discussions: GPayments' Product, Sales, and Engineering teams engage in informative and enjoyable discussions with partners to ensure that their solutions meet the partners' needs.

What are some key considerations for businesses when selecting a Merchant Plug-in (MPI) for 3D Secure verifications?

Key considerations for businesses when selecting a Merchant Plug-in (MPI) for 3D Secure verifications include:

  • Compatibility: Ensure the MPI is compatible with your payment gateway and technology stack.
  • Authentication Methods: Choose an MPI that supports various authentication methods (e.g., OTP, biometrics) to enhance user experience.
  • Scalability: Ensure the MPI can handle your transaction volume and scale as your business grows.
  • Compliance: Verify that the MPI complies with relevant 3D Secure standards and regulations.
  • Customisation: Look for customisation options to tailor the user experience and authentication flow to your specific needs.
  • Security: Prioritise MPIs with robust security features to protect against fraud.
  • Vendor Reputation: Select a reputable MPI provider with a track record of reliability and customer support.
  • Costs: Consider the pricing model and fees associated with the MPI, ensuring it aligns with your budget.
  • User Experience: Focus on MPIs that offer a seamless and user-friendly authentication process to minimise cart abandonment.
  • Integration: Assess how easily the MPI integrates with your existing systems and processes.

How can GPayments assist businesses in adapting to evolving payment technologies and customer preferences?

  • Providing access to accurate and coherent payments data, allowing businesses to make informed decisions when adapting to evolving payment technologies and customer preferences.
  • Offering robust fraud prevention solutions for eCommerce and mCommerce transactions, which can prevent chargebacks and false declines with their comprehensive range of integrated solutions.
  • Providing 3D Secure 2 solutions, which separate payments and mCommerce purchases using eWallets to reduce risk and enable an extra layer of security. This provides stronger fraud protection for businesses and their customers.
  • Engaging in informative and enjoyable discussions with partners to ensure that their solutions meet the partners' needs.
  • Integrating via a RESTful API, making it easier for businesses to implement GPayments’ solutions quickly and easily without disrupting their existing operations.

What are the key differences between risk-based authentication and traditional authentication methods in online payments?

  • User Experience:
      • Risk-Based: Offers a more seamless and user-friendly experience by selectively applying authentication based on risk.
      • Traditional: Often requires the same level of authentication for all transactions, potentially causing friction.
  • Risk Assessment:
      • Risk-Based: Uses real-time data and analytics to assess transaction risk and applies authentication accordingly.
      • Traditional: Typically relies on fixed, predefined authentication methods.
  • Adaptability:
      • Risk-Based: Adapts to changing risk levels, allowing for frictionless processing of low-risk transactions.
      • Traditional: Applies the same authentication regardless of transaction risk.
  • Security vs. Convenience:
      • Risk-Based: Balances security and user convenience by applying stronger authentication when needed.
      • Traditional: May prioritise security at the expense of user convenience.
  • Fraud Prevention:
      • Risk-Based: Effective at detecting and preventing fraud by focusing authentication efforts where they are most needed.
      • Traditional: Provides a consistent but potentially less nuanced approach to fraud prevention.
  • Transaction Volume:
      • Risk-Based: Scales efficiently to handle varying transaction volumes and types.
      • Traditional: May lead to bottlenecks and delays during high-volume periods.
  • Regulatory Compliance:
      • Risk-Based: Aligns with evolving regulations and standards, such as PSD2 in Europe.
      • Traditional: May require adjustments to comply with new regulations.
  • Cost Efficiency:
      • Risk-Based: Can lead to cost savings by reducing the need for authentication in low-risk scenarios.
      • Traditional: May involve higher authentication costs for all transactions.

What are the considerations for businesses when choosing between in-house development and outsourcing for their payment authentication solutions?

  • Expertise: Evaluate your in-house team's expertise in authentication technologies and compliance.
  • Cost: Compare the costs of in-house development, including staffing, infrastructure, and ongoing maintenance, with outsourcing.
  • Time-to-Market: Assess how quickly you need the solution and whether in-house development can meet deadlines.
  • Compliance: Ensure the solution aligns with industry regulations and standards, and whether outsourced providers have compliance expertise.
  • Scalability: Consider the scalability of both options to handle future growth and evolving needs.
  • Security: Evaluate the security measures and practices of both in-house and outsourced solutions.
  • Customisation: Determine whether your requirements necessitate a highly customised solution that may be better suited to in-house development.
  • Vendor Reputation: Research the reputation, track record, and client reviews of potential outsourcing partners.
  • Support and Maintenance: Consider ongoing support, updates, and maintenance requirements for the chosen solution.
  • Resource Allocation: Evaluate how in-house development or outsourcing aligns with your organisation's resource allocation and strategic goals.

What are the potential consequences for businesses that do not implement 3D Secure or risk-based authentication in regions where it's not mandatory?

Businesses that do not implement 3D Secure or risk-based authentication in regions where it's not mandatory may face potential consequences such as:

  • Increased risk of fraud: Without 3D Secure or risk-based authentication, businesses are more vulnerable to fraudulent transactions. This can lead to financial losses and damage to the business's reputation.
  • Increased chargebacks: Without 3D Secure or risk-based authentication, businesses may be held liable for chargebacks resulting from fraudulent transactions. This can lead to financial losses and increased processing fees.
  • Negative impact on customer experience: Without 3D Secure or risk-based authentication, customers may be hesitant to make purchases from the business due to concerns about security. This can lead to a negative impact on the customer experience and reduced customer loyalty.
  • Abandoned transactions: Without 3D Secure or risk-based authentication, customers may abandon transactions due to concerns about security or a cumbersome authentication process. This can lead to a loss of revenue for the business.

What are some key performance indicators (KPIs) that businesses can track to evaluate the effectiveness of their risk management strategies?

  • Risk Exposure: Measure changes in the organisation's risk exposure over time.
  • Incident Rate: Track the frequency and severity of security incidents.
  • Loss Reduction: Assess the reduction in financial losses due to risk mitigation efforts.
  • Compliance Adherence: Monitor compliance with industry regulations and standards.
  • Incident Response Time: Measure how quickly the organisation responds to and resolves security incidents.
  • False Positive Rate: Evaluate the accuracy of risk detection by assessing false alarms.
  • Customer Satisfaction: Collect feedback from customers on the security and privacy of their data.
  • Employee Training: Assess the effectiveness of employee training in risk awareness and mitigation.
  • Vendor Risk Management: Evaluate the performance of third-party vendors in adhering to security standards.
  • Business Continuity: Measure the organisation's ability to maintain operations during and after a risk event.

What is the Payment Card Industry Data Security Standard (PCI DSS)?

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards and requirements designed to protect payment card data and ensure secure handling, processing, and storage of this data by organisations that accept, store, or transmit credit card information. It aims to prevent data breaches and fraud related to payment cards.

How does the Payment Card Industry Data Security Standard (PCI DSS) impact businesses involved in online payment processing, and what steps should they take to comply?

  • Assess Risk: Identify and assess potential security risks and vulnerabilities in their payment processing systems.
  • Implement Controls: Implement security controls and measures to protect cardholder data, including encryption, access controls, and network security.
  • Regular Audits: Conduct regular security assessments and audits to ensure compliance.
  • Network Segmentation: Isolate cardholder data from other networks and restrict access.
  • Secure Software: Develop and maintain secure software applications used in payment processing.
  • Training: Train employees on security best practices and the importance of safeguarding cardholder data.
  • Incident Response: Develop an incident response plan to address and mitigate security breaches.
  • Vendor Compliance: Ensure that third-party vendors and service providers also comply with PCI DSS.
  • Compliance Validation: Validate compliance through self-assessment questionnaires or third-party assessments, depending on the business's size and volume of transactions.
  • Documentation: Maintain records of compliance efforts and security policies and procedures.

What is the General Data Protection Regulation (GDPR)?

The General Data Protection Regulation (GDPR) is a European Union regulation that governs the protection of personal data and privacy of individuals. It establishes rules for the collection, processing, and storage of personal data and gives individuals greater control over their data. GDPR applies to organisations that handle the data of EU citizens, regardless of where the organisation is located, imposing strict requirements and potential fines for non-compliance.

What are the penalties for non-compliance with GDPR?

Penalties for non-compliance with GDPR can be substantial and include:

  • Fines: Violators can face fines of up to €20 million or 4% of the company's global annual revenue, whichever is higher.
  • Warnings and Reprimands: Regulatory authorities can issue warnings and reprimands for less severe violations.
  • Data Processing Suspension: Authorities may order the suspension of data processing activities in cases of serious non-compliance.
  • Data Breach Notifications: Failure to report data breaches within the mandated timeframe can result in penalties.
  • Lawsuits: Individuals can bring private lawsuits against organisations for GDPR violations, potentially leading to additional financial liabilities.

What is tokenisation?

Tokenisation is a security technique that replaces sensitive data, such as credit card numbers, with a unique token. These tokens are valueless to attackers and can be safely used for transactions, reducing the risk of data exposure and fraud.

How does tokenisation differ from encryption?

Tokenisation differs from encryption in that:

  • Data Transformation: Tokenisation replaces data with tokens, while encryption transforms data into a scrambled, unreadable format.
  • Decryption Requirement: Encryption requires decryption to recover the original data, whereas tokens have no mathematical relationship to the original data and cannot be reversed without access to the token vault.
  • Security Focus: Tokenisation is primarily focused on protecting sensitive data during storage and transmission, whereas encryption secures data in transit and at rest.
  • Token Value: Tokens have no intrinsic value or meaning, whereas encrypted data can be decrypted to its original form.
  • Use Cases: Tokenisation is often used for payment card data and identity information, while encryption is more versatile and can be applied to various types of data.
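
An added example, not GPayments' code, contrasting the two mechanisms in the list above: a token vault that issues random, format-preserving tokens which only the vault itself can map back to a card number, beside a keyed encryption routine whose output anyone holding the key can reverse. The HMAC-based cipher is a standard-library stand-in for a real authenticated cipher such as AES-GCM; the PAN, keys and vault layout are constructed test values.

```python
import hashlib
import hmac
import secrets
from typing import Dict

NONCE_LEN = 12
TAG_LEN = 16


def luhn_valid(number: str) -> bool:
    """Luhn check-digit test, used to validate input PANs and to make sure a
    token can never pass as a real card number."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Tokenisation: tokens are random, so the only way back to the PAN is a
    lookup in the vault. Without the vault there is nothing to 'decrypt'."""

    def __init__(self) -> None:
        self._token_to_pan: Dict[str, str] = {}

    def tokenise(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a well-formed PAN")
        while True:
            # Format-preserving token: same length, real last four digits kept
            # for receipts and display, everything else drawn at random.
            body = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            # Reject collisions and any candidate that passes Luhn (it could be
            # mistaken for, or collide with, a genuine card number).
            if token not in self._token_to_pan and not luhn_valid(token):
                break
        self._token_to_pan[token] = pan
        return token

    def detokenise(self, token: str) -> str:
        """Only a party with vault access can do this; raises KeyError otherwise."""
        return self._token_to_pan[token]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a stdlib stand-in PRF (demo only; a real
    system would use an authenticated cipher such as AES-GCM)."""
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(key, b"enc" + nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return out[:length]


def encrypt(key: bytes, pan: str) -> bytes:
    """Encryption: reversible by anyone holding the key. Output is nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    data = pan.encode()
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    tag = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> str:
    """Verifies the tag first, then strips the keystream to recover the PAN."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong key or tampered ciphertext")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))).decode()
```

Tokenising the same PAN twice yields two unrelated tokens, whereas encrypting it twice yields two ciphertexts that the same key turns back into the PAN.
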

What are open banking APIs?

Open banking APIs are software interfaces that allow third-party developers to access and interact with a bank's financial data, services, and infrastructure securely. These APIs enable the sharing of customer-permitted financial information and the initiation of payments, fostering innovation in the financial services industry and promoting competition among financial institutions.

Copyright © 2021  GPayments Pty Ltd. All rights reserved.