Looking for Opayo, you're in the right place. View Opayo products
All card brands – sunset of 3-DS 2.1
All card schemes have confirmed the sunsetting of support for EMV 3-DS 2.1 from September 2024.
Key Dates
24 September 2024 |
Support for EMV 3-DS 2.1 in transaction processing ends |
---|
24 September 2024
Support for EMV 3-DS 2.1 in transaction processing ends
After 24 September 2024, no transactions authenticated using EMV 3-DS 2.1 can be processed.
In addition, Mastercard has announced a requirement to support additional EMV 3-DS features:
- All ecommerce businesses must support and perform authentication app re-direction through the merchant app, the 3-DS SDK and EMV 3-DS v2.2 transactions if the cardholder authentication method is OOB (out of band).
- 3RI payments are optional. However, they offer you the option to system-generate a payment transaction when the cardholder is not in session. These transactions are used for cases where there is an initial purchase transaction while the cardholder is in session, called consumer-initiated transaction (CIT), followed by subsequent transactions that are 3RI MIT (merchant-initiated transaction). With 3RI payments, you can provide evidence, using the DS Transaction ID field, that SCA has been performed where the customer was involved and maintain your fraud liability protection for the full amount that has been authenticated.
What you need to do:
To avoid potential non-compliance penalties, you should contact your gateway support team to make sure they are correctly supporting EMV 3-DS 2.2 in line with the above requirements, and that they are aware of the recently announced sunset dates for EMV 3-DS 2.1.
Mastercard – new check for latest version of 3-DS
Mastercard has introduced a new check to monitor adoption of the latest version of EMV 3-DS.
This check monitors 3-DS authentications to ensure that the transactions are being authenticated with the minimum required version of EMV 3-DS (currently EMV 3-DS 2.2) or higher.
For example: where the version used is lower than EMV 3-DS 2.2, but the issuer supports 2.2 or higher, a transaction will be considered non-performing. Where the issuer does not support EMV 3-DS 2.2, you may use a lower version to complete the transaction and this is still considered compliant.
What you need to do:
You should contact your gateway support team to make sure that transactions are being processed using the highest version of EMV 3-DS.
Mastercard – PSD2 optimisation programme for soft declines
Under PSD2, most ecommerce transactions require Strong Customer Authentication (SCA) unless an exemption or exclusion (like merchant-initiated transactions, or MITs) is applied.
To satisfy these PSD2 SCA requirements, customers are required to use EMV 3-DS, an appropriate exemption or any other SCA-compliant method to avoid issuer SCA soft declines. A SCA soft decline is a declined authorisation where the issuer requests SCA to make it successful. In the event you receive a soft decline, you should re-submit the authorisation after successfully authenticating your customer with 3-DS.
Mastercard launched the PSD2 optimisation program to monitor transactions to check if EMV 3-DS was used after a SCA soft decline. Where a customer is identified as failing this check, under this programme, non-compliance penalties could apply.
What you need to do:
You should contact your gateway support team to make sure that when transactions are soft declined, the transaction is retried with EMV 3-DS.