November 20, 2020 Update
We highly recommend that you begin implementing and testing immediately to meet the January 1st, 2021 deadline. Delaying any further may result in increased decline rates if 3DS2 is not enabled or working properly by that date and you are operating in the EEA.
Please contact both Zuora support and your Gateway Rep (or Gateway support) in order to ensure that you are enabled for 3DS2.
As of today, the following gateways are supported in Zuora's sandbox and production environments:
The EBA has announced that it will not be granting further widespread delays to enforcement regardless of the pandemic due to the length of its previous extension. If you are operating in the EEA, please review this list of impacted countries for a detailed breakdown of enforcement by country. Previous requests for delays by country that extended beyond the January 1st deadline are still in effect.
If a local regulator has not announced a delay, the assumption should still be that they plan to enforce SCA on January 1st, 2021. If you have any issues after January 1st, please contact Zuora Global Support AND contact your gateway directly.
Additional documentation for PSD2 and SCA can be found on our Knowledge Center.
September 3rd, 2019 Update
The EEA countries are all publishing updates to their timelines of PSD2 enforcement as delays have been announced. To help navigate the complexity of the enforcement, Braintree has published a cheatsheet outlining EEA countries that will be delaying their enforcement of PSD2 and SCA. Click here to learn more.
Zuora is continuing to roll out integrations with payment gateways for PSD2. A detailed list will be provided in an update later this week.
In the meantime, to enable this feature for your Zuora tenant, please contact Zuora Global Support AND contact your gateway directly to ensure they have this feature turned on as well.
Additional documentation for PSD2 and SCA is now available on our Knowledge Center.
August 15th, 2019 Update
In light of the EBA's decision to grant individual countries the ability to request an extension to the September 14 deadline for SCA compliance, Zuora is continuing to develop integrations to the gateways as discussed in the July 2019 update. It is Zuora's plan to meet the September 14 deadline.
As of today, CyberSource's 3DS2 solution is in Zuora's production environment and Adyen's is in Zuora's sandbox environment. If you want to enable this feature for your Zuora tenant, contact Zuora Global Support.
Additional documentation for PSD2 and SCA is now available on our Knowledge Center.
July 2019 Update
This community post will help our customers understand the new PSD2 regulation, how it impacts them, and what they need to do to prepare.
What is PSD2 and when does it go into effect?
PSD2 is an extensive revision of the European Union's Payment Services Directive regulations. PSD2 will be going into effect on September 14, 2019. It applies to online transactions where both the issuing and acquiring banks are located in the European Economic Area (EEA).
PSD2 objectives are the following:
- Standardize regulations and integrate the market for payment services across EU countries
- Ensure fair competition and transparency
- Open payment services ecosystem and reduce bank monopoly on providing services by mandating that, upon account holder consent, they make account data available by API to third-party service providers
What is SCA and why is it important?
SCA stands for Strong Customer Authentication and is one of the mandates of PSD2 that is most applicable to Zuora customers in the European Union. The SCA regulations are designed to protect consumers. While many tools exist to reduce fraud, one of the most effective is authentication: validating a customer's identity before they pay online.
With SCA, all electronic transactions will need authentication, using at least two of three possible methods:
- Knowledge: something only the user knows, such as a password
- Possession: something only the user possesses, such as a token or mobile phone
- Inherence: something the user is, such as a biometric (e.g. fingerprint recognition)
Zuora recommends using 3DS2 (3DS v2) to provide SCA for your European customers. 3DS stands for 3D Secure, an open standard used by major credit card brands to authenticate cardholders. 3DS can dramatically reduce fraud and increase authorisation approvals and is one of the ways for Payment Services Providers to comply with the SCA mandate. Starting September 14, 2019, issuing banks can decline certain payments that require SCA but have not gone through authentication.
If your merchant account provider is based in the EEA - and you transact with customers in the EEA - you will need to do some work to prepare for this change. If you do not know who your merchant account provider is or where they are located, check with your gateway. For subscription businesses, merchants only have to present the 3DS flow on the initial purchase. Subsequent recurring subscription purchases are generally considered exempt from PSD2 and SCA unless the issuing bank declines the exemption.
3DS vs 3DS2 - what's the difference and why is it important?
| 3DS (3DS v1) | 3DS2 (3DS v2) | Why is it important? |
|---|---|---|
| For payment cards only | Also supports mobile and digital wallets | Greater flexibility and support for mobile e-commerce |
| Designed for web desktop | Streamlined for mobile interaction models/devices | 3DS2 adoption expected to be greater because it is easier to use |
| Higher false declines | Modified authentication flow reduces false declines | Customers likelier to abandon transaction or use a different payment method |
| No merchant opt-out or exceptions | Lower-value transactions exempted from validation, depending on the merchant's fraud rate | Greater flexibility and alignment of the protocol to the risk of a particular transaction |
| 10 data points captured | Up to 150 data points captured | Issuer can make better decisions about the validity of the transaction with more data, preventing both fraudulent transactions as well as false positives |
How Zuora is helping you comply with PSD2
Zuora provides seamless integration with your payment gateways, simplifying and automating collections. Zuora plans to integrate to each gateway's 3DS2 capabilities. If your gateway is compliant and is providing a 3DS2 solution, Zuora intends to integrate to their solution by the September deadline.
Specific Payment Gateway Support for PSD2
Zuora is currently planning to enhance payment gateway integrations that support SCA through 3DS2 in advance of the September 14, 2019, PSD2 deadline. As of July 29, 2019 the following Gateways have provided us with their 3DS2 solution and Zuora is actively developing the integrations:
*These payment gateways may require a version update, migration or an additional feature to enable 3DS2 functionality; we recommend speaking directly with your gateway contacts as soon as possible.
Zuora is currently not planning to enhance support for the following payment gateways, because they either do not transact in the EEA or they have informed Zuora that they are not applicable to PSD2 (if these gateways do become applicable to PSD2 requirements and they provide Zuora with their 3DS2 integration, Zuora currently plans to provide support for these integrations at a later time):
- Allpago
- Authorize.net (migration to Cybersource required)
- Bambora
- CardConnect
- FirstData
- FIS Worldpay (Vantiv and Litle)
- GlobalCollect (will require credit cards to be processed through Ingenico ePayments)
- GMO
- GoCardless
- Merchant eSolutions
- Moneris
- NMI
- PayPal Adaptive
- PayPal EC1
- SIA
- Slimpay
- Softbank
- Sony
As part of your comprehensive PSD2-compliant solution, Zuora currently intends to provide the following:
- SCA-compliant implementation of 3DS2 with your 3D Secure gateway
- Hosted Payment Pages updated to support 3DS2, where applicable. Our HPM will redirect to the gateway's 3D Secure URL, where that service will determine whether a challenge question is required. If the challenge question fails, the payment method will not be stored in Zuora; if it passes, the payment method, with CAVV and XID, will be included with the payment request.
- If using direct POST, the customer will work with their MPI of choice and pass the Network Transaction ID (NTI) and other required fields via API to Zuora to store with the payment method.
What will I have to change in my tenant?
- Update your HPM page configurations
- Note: We will support 3DS2 via embedded iFrame as long as the gateway the customer is using is 3D Secure compliant and is in the list referenced above.
- If you use direct POST support, the merchant will need to work with their MPI provider of choice and pass the necessary IDs down to Zuora via API. Zuora will store these and pass them to the gateway via our integration.
- Update your gateway configurations to use a version that supports 3DS2.
- Note: Some integrations may support 3DS2 without requiring an update.
Additional documentation for PSD2 and SCA is now available on our Knowledge Center.
For existing recurring transactions, we will align to the gateway specifications. Details will be provided by the gateways, and Zuora currently plans to provide guidance on any changes required within your tenant. For questions, please post in the comment section below or reach out to your gateway provider directly.