SCA - Strong Customer Authentication

The overall description of timeline, requirements and risk is described here.

Strong customer authentication

What is required from Merchants?

Activate 3D Secure on your payments
Review your subscription payments to ensure they are setup correctly

Note: Any version of 3D Secure is compliant with SCA requirements. We will publish information on the update from 3D Secure version 1 to version 2 (EMV 3DS) soon.

How to know which transactions require SCA or not?

In general, all transactions which involve the cardholder requires SCA. These are called Cardholder Initiated Transactions (CITs). This applies to both transactions without stored cards and those with. The below decision tree identifies which transactions need SCA and those which don’t:

How to correctly mark transactions according to use cases 1-5

Use Case #1 Registering a card

I’m using Nets hosted payment window or WebService in which customers register their cards to store the card in the webshop for easier check-out. I use the subscribe webservice for processing easy checkout for returning customers. What do I need to do?

Make sure 3D Secure is activated by Nets.
Use recurringType=initialStored for registering a card

Use Case #2 Setting up a merchant initiated transaction (MIT)

I am using the Nets hosted payment window or WebService in which I want to set up a Merchant Initiated Transaction agreement with my Customer.

Make sure 3D Secure is activated by Nets, so that it can be used to Authenticate your customer before the MIT can be confirmed.
Use recurringType for registrering a card

The next step is dependent on the type of agreement I have with my customer:

If it is an agreement that I will charge on a fixed interval, then I will register the card with “recurringType=initialRecurring”
If it is an agreement that I will charge at a changeable date every week or month, then I will register the card with “recurringType=initialStored”

Remember. The value of an MIT charge can change from one payment to the next, as long as the customer is aware of this and their rights, when they sign-up to this agreement.

Use Case #3 - Normal one-off payment

I am using the Nets hosted payment window or WebService in which I want to accept one-off payments with customers who are not registered with my webshop.
All I need to do is make sure 3D Secure is activated by Nets.

Use Case #4 - Subsequent Merchant Initiated Transactions

I want to charge a Customer for a subscription they already agreed and setup with SCA (Use Case #2) – on a Recurring or Unscheduled basis. I’m using subscribe to process subsequent transactions.

Note: when processing a subsequent MIT transaction, it must be according to agreed agreement with the Customer, either fixed internal of changeable interval.
Note: subscribe can in the future only be used for processing MIT transactions.

Normal one-off payment – using an existing stored card (Scenario 5)

Call payment window or WebService with ticket parameter

This is done by sending the ‘verifyID’ to the Payment Window.
Note: The verifyID is returned from the initial payment
A masked version of the creditcard will be displayed together with the expiry date.
The customer must enter CVC and click “Complete” to proceed and will be presented for SCA authentication.
See link for description of ‘verifyID’ parameter.

Note: Currently the CVC is required. This will be changed later, ie. The requirement for CVC will be removed and customers will be forwarded to SCA authentication directly.

Note: Next update will include use cases related to storing a card with a purchase and store a card without purchase amount.