
PSD2 and Strong Customer Authentication – 3-D Secure v2 compliance and guidance

In effect since the beginning of 2018, the second Payment Services Directive (PSD2) redefines security standards for online payments. Given the strong growth of e-commerce in Europe, it aims to increase security during payment processing, while fighting more actively against fraud attempts.

To view the relevant legislation, click here.

This is the goal of the PSD2: to strengthen and increase e-shoppers’ trust

With the enforcement of the Regulatory Technical Standards (RTS) arising from the PSD2 since September 14, 2019, new requirements in terms of strong authentication must be applied to all transactions carried out over the Internet for a better protection of customers.

Therefore, you must comply with 3-D Secure v2, the new version of the protocol developed by EMVCo (organization bringing together representatives from the main card networks and leaders in the payment industry) which standardizes the process of strong authentication for online payments.

Please note: The 3-D Secure standard only applies to card payments (Visa, Mastercard, CB, American Express) and not to payments made with alternative or local payment methods (Klarna, iDEAL, Bancontact…).

As a payment service provider, HiPay is here to guide you and facilitate your transition to these new authentication methods.

What changes as from September 14, 2019

Today, merchants or their payment service providers decide whether to apply strong authentication to a transaction, based on their fraud management policy, by triggering 3-D Secure 1.0. End customers are then redirected to a page hosted by their bank, where they must enter a one-time code, generally received by SMS, to prove their identity.

As from September 14, 2019, the decision to apply strong authentication will be made by the issuer, that is, the bank of the cardholder (the end customer). The issuer will make this decision according to the numerous criteria set in the PSD2 (limits, exemptions, fraud rate management…) and based on the analysis of more than 150 data points collected during each purchasing process.

Therefore, to comply with the new PSD2 requirements and improve user experience, the 3-D Secure v2 protocol has been developed to provide a more dynamic and more secure authentication, which integrates innovative authentication methods, such as biometric authentication solutions.

More importantly, version 2 of the protocol will enable merchants to offer purchasing processes that are better integrated into their environment.

When issuers deem that the data sent make it possible to identify the cardholder, or when transactions meet certain eligibility criteria, the authentication process will be completely transparent for end users.

However, when the analyzed data do not allow the cardholder to be identified, strong customer authentication will be required.

In both cases, responsibility will be transferred to the issuer.

Understanding Strong Customer Authentication

This new requirement imposes strong authentication on customers when they finalize their purchases, by combining two independent authentication factors.

These authentication factors can be:

  • something known by the end customer (e.g.: password, secret question, secret code, etc.),
  • something owned by the end customer (e.g.: smartphone, connected device, token, chip card, etc.),
  • something inherent to the end customer (e.g.: fingerprint, facial or vocal recognition, iris recognition, etc.).

 

The technical answer to these new requirements relating to strong authentication involves the implementation of 3-D Secure v2.

 

To comply with this new regulation, it is thus necessary to:

  • integrate the fields required for the smooth functioning of 3-D Secure v2,
  • evaluate the scope of your transactions that could be exempt from strong authentication.

Transactions outside of the scope of PSD2 and exempt from strong authentication

Certain transactions may be exempt from strong authentication; others are outside of the scope of PSD2.

Thanks to HiPay’s anti-fraud tools, our teams will work together with merchants for optimal implementation of exemptions, with the goal of maximizing the fluidity of the customer journey, while actively fighting fraud.

For more information on possible exemptions, please refer to our web page dedicated to PSD2.

HiPay is here for you to comply with PSD2

To meet PSD2 requirements, HiPay will provide you with guidance and support regarding the evolution of your technical integration.

Thus, HiPay makes it easier for you to implement 3-D Secure v2 by minimizing the constraints of integration on your end.

Implementing the new protocol does not modify the current architecture between the merchant and HiPay.

However, in order to maximize the success of your transactions and simplify your customer journey, it is strongly recommended to collect the new types of data described below and provide them to HiPay.

We invite you to review the new fields to integrate, described in the following table.

New fields to integrate into existing /order and /hpayment APIs

 

Please note: all the fields that are not required are strongly recommended.

 

account_info [customer]

 

account_info [purchase]

 

account_info [payment]

 

account_info [shipping]

JSON example:


              "account_info": {
                "customer": {
                  "account_change": 20180507,
                  "opening_account_date": 20180507,
                  "password_change": 20180507
                },
                "purchase": {
                  "count": 2,
                  "card_stored_24h": 0,
                  "payment_attempts_24h": 0,
                  "payment_attempts_1y": 0
                },
                "payment": {
                  "enrollment_date": 20180507
                },
                "shipping": {
                  "shipping_used_date": 20180507,
                  "name_indicator": 1,
                  "suspicious_activity": 1
                }
              }
              

device_channel

browser_info

If your integration uses the Hosted Fields / Hosted Payments methods, the browser_info data will be returned to you in the getPaymentData method response (in JSON format).

If you use a CMS, the browser_info data will be retrieved and sent to HiPay automatically.

If you neither use a CMS nor use the Hosted Fields / Hosted Payments methods, but use the HiPay JavaScript SDK, you can call the getBrowserInfo method to retrieve the browser_info data.

In any other case, you must directly retrieve the browser_info data in order to provide them to us.   
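The direct-retrieval case above, as an added example (not HiPay's SDK and not code from this page). Field names are the page's; the mapping of each field to a browser API and the `req.ip` / `req.headers` request shape are assumptions. The client part is type-checked on the server, and the network-level fields are taken from the request the server received rather than from the posted body.

```javascript
// Added example. Field names are from the page; the browser-API mapping is an assumption.
const CLIENT_FIELDS = {
  java_enabled: "boolean", javascript_enabled: "boolean", language: "string",
  color_depth: "number", screen_height: "number", screen_width: "number",
  timezone: "string",
};

// Runs in the browser: pass `window`. Returns the fields only the client can know.
function collectClientBrowserInfo(win, now = new Date()) {
  const nav = win.navigator;
  return {
    java_enabled: typeof nav.javaEnabled === "function" && nav.javaEnabled() === true,
    javascript_enabled: true, // this code is running, so scripting is enabled
    language: nav.language,
    color_depth: win.screen.colorDepth,
    screen_height: win.screen.height,
    screen_width: win.screen.width,
    // Minutes between UTC and local time, as a string like the page's sample "300"
    timezone: String(now.getTimezoneOffset()),
  };
}

// Runs on the merchant server (hypothetical request shape: req.ip, req.headers).
// Type-checks what the client posted, then adds the network-level fields from
// the request itself, never from the posted body.
function buildBrowserInfo(posted, req) {
  const info = {};
  const invalid = [];
  for (const [field, type] of Object.entries(CLIENT_FIELDS)) {
    const value = posted ? posted[field] : undefined;
    const ok = typeof value === type && (type !== "number" || Number.isInteger(value));
    if (ok) info[field] = value; else invalid.push(`browser_info.${field}`);
  }
  info.ipaddr = req.ip;
  info.http_accept = req.headers["accept"];
  info.http_user_agent = req.headers["user-agent"];
  for (const f of ["ipaddr", "http_accept", "http_user_agent"]) {
    if (typeof info[f] !== "string" || info[f] === "") invalid.push(`browser_info.${f}`);
  }
  return { info, invalid };
}

// Constructed sample input standing in for `window` and an HTTP request.
const sampleWindow = {
  navigator: { javaEnabled: () => false, language: "fr-FR" },
  screen: { colorDepth: 24, height: 1080, width: 1920 },
};
const sampleRequest = {
  ip: "192.0.2.10",
  headers: { accept: "text/html", "user-agent": "ExampleBrowser/1.0" },
};
```

The `invalid` list uses the same `browser_info.<field>` naming as the error message shown in the Testing section, so a failed pre-flight check can be compared directly with what the platform would return.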

browser_info [java_enabled]

 

browser_info [javascript_enabled]

 

browser_info [language]

 

browser_info [color_depth]

 

browser_info [screen_height]

 

browser_info [screen_width]

 

browser_info [timezone]

 

browser_info [ipaddr]

 

browser_info [http_accept]

 

browser_info [http_user_agent]

 JSON example for the whole browser_info section:


            "browser_info": {
              "java_enabled": true,
              "javascript_enabled": true,
              "ipaddr": "127.0.0.1",
              "http_accept": "*/*",
              "http_user_agent": "Mozilla/4.0",
              "language": "fr-FR",
              "color_depth": 1,
              "screen_height": 1080,
              "screen_width": 1920,
              "timezone": "300"
            }
            

merchant_risk_statement [email_delivery_address]

 

merchant_risk_statement [delivery_time_frame]

 

merchant_risk_statement [purchase_indicator]

 

merchant_risk_statement [pre_order_date]

 

merchant_risk_statement [reorder_indicator]

 

merchant_risk_statement [shipping_indicator]

 

merchant_risk_statement [gift_card]

JSON example:


            "merchant_risk_statement": {
              "email_delivery_address": "jane.doe@test.com",
              "delivery_time_frame": 1,
              "purchase_indicator": 1,
              "pre_order_date": 20190925,
              "reorder_indicator": 1,
              "shipping_indicator": 1,
              "gift_card": {
                "amount": 15,
                "count": 1,
                "currency": "EUR"
              }
            }
            

recurring_info [expiration_date]

 

recurring_info [frequency]

JSON example:


              "recurring_info": {
                "expiration_date": 20200318,
                "frequency": 31
              }
              

 

Full PHP example:


            $data = array(
              // Order information
              "orderid"=> "hipay-test-12345678910",
              "description"=> "test product 01",
              "long_description"=> "full description of test product 01",
              "payment_product"=> "mastercard",
              "cardtoken"=> "daaf85868bcaee8klniazereiuop7b0ce133e88d",
              "eci"=> "7",
              "authentication_indicator"=> "1",
              "operation"=> "authorization",
              "currency"=> "EUR",
              "amount"=> 100,
              "shipping"=> 1,
              "tax"=> 1,
              "tax_rate"=> 1,
              "custom_data" =>
              '{
								"shipping_method":"click and collect",
								"first_order":"0",
								"products_list": "First product, Second product",
								"_reporting_data_1":"my custom data 1",
								"_reporting_data_2":"my custom data 2",
								"_reporting_data_3":"my custom data 3",
								"_reporting_data_4":"my custom data 4",
								"_reporting_data_5":"my custom data 5"
							}',
              
              // Customer information
              "email"=> "jane.doe@test.com",
              "phone"=> "01234567890",
              "birthdate"=> "19890525",
              "gender"=> "f",
              "firstname"=> "Jane",
              "lastname"=> "Doe",
              "country"=> "FR",
              "streetaddress"=> "10 rue de la facturation",
              "streetaddress2"=> "",
              "city"=> "Paris",
              "zipcode"=> "75012",
              "shipto_firstname"=> "Jane",
              "shipto_lastname"=> "Doe",
              "shipto_streetaddress"=> "20 rue de la livraison",
              "shipto_streetaddress2"=> "",
              "shipto_city"=> "Paris",
              "shipto_zipcode"=> "75012",
              "shipto_country"=> "FR",
              "cid"=> "123456",
              "ipaddr"=> "xxx.xx.xxx.xx",
              "accept_url"=> "",
              "decline_url"=> "",
              "pending_url"=> "",
              "exception_url"=> "",
              "cancel_url"=> "",

              // PSD2 information
              // Each value is a JSON string: double-quoted keys and strings, no trailing commas
              "account_info"=> '{
                "customer": {
                  "account_change": 20180507,
                  "opening_account_date": 20180507,
                  "password_change": 20180507
                },
                "purchase": {
                  "count": 2,
                  "card_stored_24h": 0,
                  "payment_attempts_24h": 0,
                  "payment_attempts_1y": 0
                },
                "payment": {
                  "enrollment_date": 20180507
                },
                "shipping": {
                  "shipping_used_date": 20180507,
                  "name_indicator": 1,
                  "suspicious_activity": 1
                }
              }',

              "device_channel"=> 2,

              "browser_info"=> '{
                "java_enabled": true,
                "javascript_enabled": true,
                "ipaddr": "127.0.0.1",
                "http_accept": "*/*",
                "http_user_agent": "Mozilla/4.0",
                "language": "fr-FR",
                "color_depth": 1,
                "screen_height": 0,
                "screen_width": 0,
                "timezone": "300"
              }',

              "merchant_risk_statement"=> '{
                "email_delivery_address": "jane.doe@test.com",
                "delivery_time_frame": 1,
                "purchase_indicator": 1,
                "pre_order_date": 20190925,
                "reorder_indicator": 1,
                "shipping_indicator": 1,
                "gift_card": {
                  "amount": 15,
                  "count": 1,
                  "currency": "EUR"
                }
              }',

              "recurring_info"=> '{
                "expiration_date": 20200318,
                "frequency": 31
              }'
            );
            

Please note: all the fields that are not required are strongly recommended.

 

account_info [customer]

 

account_info [purchase]

 

account_info [payment]

 

account_info [shipping]

JSON example:


              "account_info": {
                "customer": {
                  "account_change": 20180507,
                  "opening_account_date": 20180507,
                  "password_change": 20180507
                },
                "purchase": {
                  "count": 2,
                  "card_stored_24h": 0,
                  "payment_attempts_24h": 0,
                  "payment_attempts_1y": 0
                },
                "payment": {
                  "enrollment_date": 20180507
                },
                "shipping": {
                  "shipping_used_date": 20180507,
                  "name_indicator": 1,
                  "suspicious_activity": 1
                }
              }
              

device_channel

merchant_risk_statement [email_delivery_address]

 

merchant_risk_statement [delivery_time_frame]

 

merchant_risk_statement [purchase_indicator]

 

merchant_risk_statement [pre_order_date]

 

merchant_risk_statement [reorder_indicator]

 

merchant_risk_statement [shipping_indicator]

 

merchant_risk_statement [gift_card]

JSON example:


             "merchant_risk_statement": {
               "email_delivery_address": "jane.doe@test.com",
               "delivery_time_frame": 1,
               "purchase_indicator": 1,
               "pre_order_date": 20190925,
               "reorder_indicator": 1,
               "shipping_indicator": 1,
               "gift_card": {
                 "amount": 15,
                 "count": 1,
                 "currency": "EUR"
               }
             }
             

recurring_info [expiration_date]

 

recurring_info [frequency]

JSON example:


                  "recurring_info": {
                    "expiration_date": 20200318,
                    "frequency": 31
                  }
              

 

 

Full PHP example:


$data = array(
  // Design and configuration of the payment page
  "template" =>"basic-js",
  "time_to_limit_to_pay" =>"",
  "css" =>"",
  "language" =>"fr_FR",
  "merchant_display_name" =>"My company name",
  "display_selector"=>"1",

  // Order information
  "orderid"=> "hipay-test-12345678910",
  "description"=> "test product 01",
  "long_description"=> "full description of test product 01",
  "payment_product"=> "mastercard",
  "cardtoken"=> "daaf85868bcaee8klniazereiuop7b0ce133e88d",
  "eci"=> "7",
  "authentication_indicator"=> "1",
  "operation"=> "authorization",
  "currency"=> "EUR",
  "amount"=> 100,
  "shipping"=> 1,
  "tax"=> 1,
  "tax_rate"=> 1,
  "custom_data"=>
  '{
    "shipping_method":"click and collect",
    "first_order":"0",
    "products_list": "First product, Second product",
    "_reporting_data_1":"my custom data 1",
    "_reporting_data_2":"my custom data 2",
    "_reporting_data_3":"my custom data 3",
    "_reporting_data_4":"my custom data 4",
    "_reporting_data_5":"my custom data 5"
   }',
  "accept_url"=> "",
  "decline_url"=> "",
  "pending_url"=> "",
  "exception_url"=> "",
  "cancel_url"=> "",


  // Customer information
  "email"=> "jane.doe@test.com",
  "phone"=> "01234567890",
  "birthdate"=> "19890525",
  "gender"=> "f",
  "firstname"=> "Jane",
  "lastname"=> "Doe",
  "country"=> "FR",
  "streetaddress"=> "10 rue de la facturation",
  "streetaddress2"=> "",
  "city"=> "Paris",
  "zipcode"=> "75012",
  "shipto_firstname"=> "Jane",
  "shipto_lastname"=> "Doe",
  "shipto_streetaddress"=> "20 rue de la livraison",
  "shipto_streetaddress2"=> "",
  "shipto_city"=> "Paris",
  "shipto_zipcode"=> "75012",
  "shipto_country"=> "FR",
  "cid"=> "123456",
  "ipaddr"=> "xxx.xx.xxx.xx",

  // PSD2 information
  // Each value is a JSON string: double-quoted keys and strings, no trailing commas
  "account_info"=>
  '{
    "customer":
    {
     "account_change": 20180507,
     "opening_account_date": 20180507,
     "password_change": 20180507
    },
    "purchase":
    {
     "count": 2,
     "card_stored_24h": 0,
     "payment_attempts_24h": 0,
     "payment_attempts_1y": 0
    },
    "payment":
    {
     "enrollment_date": 20180507
    },
    "shipping":
    {
     "shipping_used_date": 20180507,
     "name_indicator": 1,
     "suspicious_activity": 1
    }
   }',

   "device_channel"=> 2,

   "merchant_risk_statement"=>
   '{
     "email_delivery_address": "jane.doe@test.com",
     "delivery_time_frame": 1,
     "purchase_indicator": 1,
     "pre_order_date": 20190925,
     "reorder_indicator": 1,
     "shipping_indicator": 1,
     "gift_card":
      {
       "amount": 15,
       "count": 1,
       "currency": "EUR"
      }
     }',

     "recurring_info"=>
     '{
       "expiration_date": 20200318,
       "frequency": 31
     }'
   );

Testing

To test the format of all PSD2 fields on HiPay's stage platform, you must:

  1. Send a transaction in EUR currency;
  2. Send a total order amount between €100 and €200; 
  3. Use a payment method affected by PSD2.

In the event of missing or invalid parameters, the error returned is of the form:

The following DSP2 fields are invalid or missing: browser_info.java_enabled, device_channel

The associated reason code is 1010201 (invalid parameter).

Important dates 

  • September 11, 2019: The Banque de France has authorized an 18-month migration plan for online electronic payments to comply with PSD2 (for more information, please read the press release).
  • April 1, 2020: Strong authentication mandatory for all transactions above €500
  • April 1, 2021: Strong authentication mandatory for all e-commerce transactions

 

SDKs and modules available and updated to PSD2