FAQs and Webinar Recording for 'EMV 3-D SECURE 2.0 - Enhancing Security and User Experience in E-Commerce'
Vinicus Mesquita recently hosted a webinar on the above topic and here are all the questions that were asked during the webinar. If you missed it, or simply want to view it again, access the video recording here!
As you've mentioned, there will be more data available via 3DS 2.0 about the user. How does this comply with GDPR standards? Can this data be used?
Following the best practices and GDPR rules, this information needs to be shared with Consumers and explain how this information will be processed.
This question relates to EMVCo 3DS 2.0 certification slot: we have a vendor ready for certification, but we are not able to understand how to start this process.
The registration process follow two steps:
(1) Product Providers need to be enrolled directly with EMVCo (via EMVCo website) to get a Reference Number.
(2) Product Providers need to be enrolled with UL (via UL 3DS Self Test Platform).
Following that, the vendor needs to use the Self Test platform and achieve a 'pass' in all available test cases for the 3DS component being tested. Once that is accomplished, the vendor can proceed to request for UL's Approval Services in Compliance. After the results are reviewed, a report will be sent to EMVCo and they will issue the final approval and TAS or LOA.
Who drives the decision for whether a transaction is exempt from SCA? What happens if the acquirer has a higher limit than the issuer?
This is defined under PSD2 directive and therefore by EBA.
Do we already know the price policy in the labs and which labs will be working on it?
If 3DS is brand neutral, is 3DS available as a standard to schemes that are non-EMVCo members? E.g. Star, NYCE in USA, PagoBancomat in Italy, CarteBancaire in France, etc.
It As the EMV 3DS Specification is a public specification, any player can leverage on this technology . However, if they are to use this technology, they will need to pass the certification process before use.
Whose responsibility is it to "worry" about 3D Secure 2.0 implementation the most; the e-commerce provider, the card issuer, the retailer of the integrator? In short, who need to do the most work and development?
In my personal view, the 'Merchant domain' has more work to be done. However, the Issuer side will need to look at more than just the ACS component: Risk based engine, Authentication Strategy and Customer Education, just to name a few.
In EMV 3DS 2.0, there are about 100 data points which will need to be transmitted from the merchant to the issuer. Who in this transition will be able to view the data elements?
Merchants will send these data fields and , as the message is encrypted, only the issuer will be able to use this information.
If you would like to learn more aboutUL 3DS Self-Test Platformor to enroll,please click here.