No, there is no change to existing customers. This change only affects new user acquisition requirements.
Original Message:
Sent: 08-15-2024 19:05
From: George Huang
Subject: Visa Secure Payer Authentication Update for 3DS Authentication (due August 12th, 2024)
Just to be sure, if we added the phone number requirement on our hosted payment page and with this Visa change, this won't affect existing customer that already has the card added to their account's payment method right?
Just want to make sure that we won't need to require information from existing customer before we can re-charge them
------------------------------
George Huang
Original Message:
Sent: 07-25-2024 10:18
From: Tyler Schemmel
Subject: Visa Secure Payer Authentication Update for 3DS Authentication (due August 12th, 2024)
Overview
Visa has revised their guidelines for 3D Secure (3DS) authentication with a deadline of August 12, 2024. These changes have reduced the total number of required fields from 12 to 5 from their previous announcement in February 2024, but this is still an increase from the previous requirements meaning there will be required updates.
VISA's reasoning
3DS was implemented with the purpose of authenticating users at the time of transaction in the hopes of reducing fraudulent behavior by proving that the user behind the card is the owner of the card. This has worked, but it has had tangible impacts to friction in sign up flows leading Visa to tweak their requirements. They anticipate the below metrics following the adoption of these new fields:
Increase merchant authorization rates by 4%.
Increase merchant authentication rates by 6%
Increase fraud detection rates at the issuing bank level by >50%.
Requirements
Several fields are now mandatory during the 3DS authentication flow and all of Zuora's integrations will be updated before the August 12th, 2024 deadline to support these fields. Below is a table describing which actions Zuora will handle for you and which may require an update for our customers.
Priority Data Fields | Requirement Status | Action Required |
Browser IP Address | Mandatory (Browser) | None. Zuora collects this information automatically in its hosted page solutions. |
Browser Screen Height | Mandatory (Browser) | None. Zuora collects this information automatically in its hosted page solutions. |
Browser Screen Width | Mandatory (Browser) | None. Zuora collects this information automatically in its hosted page solutions. |
Cardholder Billing Address City | Recommended | None. Customers can choose to add this field to their hosted page solution. |
Cardholder Billing Address Country | Recommended | None. Customers can choose to add this field to their hosted page solution. |
Cardholder Billing Address Line | Recommended | None. Customers can choose to add this field to their hosted page solution. |
Cardholder Billing Address Postal Code | Recommended | None. Customers can choose to add this field to their hosted page solution. |
Cardholder Billing Address State | Recommended | None. Customers can choose to add this field to their hosted page solution. |
Cardholder Name | Mandatory (Browser / In-App) | Customers must add this field to their hosted page solution. |
Cardholder Email Address | Mandatory - if Cardholder Phone Number not present (Browser / In-App) | Customers must add Email Address to their hosted page solution or Contact Phone Number. |
Cardholder Phone Number (Work / Home / Mobile) | Mandatory - if Cardholder Email Address not present (Browser / In-App) | Customers must add Contact Phone Number to their hosted page solution or Email Address. |
Common Device Identification Parameters (Device IP Address) | Mandatory (In-App) | None. Zuora does not provide any standalone applications. |
Zuora will first be enhancing its Hosted Payment Pages 2.0 followed later by its Payment Forms and Payment Links to capture all required fields listed as mandatory for the Browser listed fields in tandem with how our gateway partners support this data collection on the latest versions of our integrations with them. If our partners do not have a stated path for support, Zuora cannot implement a solution. If you are on a legacy version of an integration, we suggest that you migrate to a version that does support these new fields to remain compliant.
Zuora does not offer any in-application experiences so Device IP Address does not apply to us.
For those customers who do not use Zuora's Hosted Pages or Payment Forms, such as DirectPOST users, they are responsible for the inclusion of the parameters expected for their gateway integration(s).
Additionally, those customers using the below gateways will be required to collect and submit the Cardholder Email Address as there are current compatibility issues between Zuora and the gateways' required country codes formats. In order to prevent issues with the transaction, we will temporarily halt submission of the phone number to these gateways. To remain compliant, we recommend that you collect the Cardholder Email Address instead:
- Adyen v2
- Chase Orbital
- Checkout.com
Timeline Unknown
Zuora is currently working with Chase to understand the requirements for the Chase Paymentech Orbital Gateway integration and will make the appropriate changes once it is ready. We do not currently have a timeline for delivery.
Deadline extensions
Below are the gateways which have been granted a deadline extension by Visa.
Gateway | Extension Date |
Access WorldPay | August 12, 2025 |
WorldPay 1.4 | August 12, 2025 |
Chase Mobility | February 2025 |
------------------------------
Tyler Schemmel
Zuora
------------------------------