Helping you prepare for Strong Customer Authentication

From 14 September 2019, Strong Customer Authentication (SCA), a requirement related to the Second Payments Services Directive (PSD2) comes into force and applies to all electronic payments within the European Economic Area1. The SCA requires that all applicable payments comply with specific authentication requirements, including 3-D Secure (3DS).

To assist with SCA and to help prevent transactions from unnecessary declines, we will be upgrading your Authorize.Net account to CyberSource, which will allow you to use 3DS and provide access to a host of new products and services that can help your business continue to grow.

PSD2 SCA Timeline Update

The European Banking Authority (EBA) recently issued an Opinion on Strong Customer Authentication (SCA) recognising the challenge for the industry to meet the deadline and accepting that on an exceptional basis, local regulators may decide to work with stakeholders to provide additional time to migrate to SCA-compliant solutions.

The UK’s Financial Conduct Authority (FCA) also recently agreed to an 18-month plan to implement SCA with the ecommerce industry. The FCA will not take any enforcement action against businesses if they do not meet the relevant requirements for SCA, where there is evidence that they have taken the necessary steps to comply with the plan. 

What This Means

Though the legal deadline remains 14 September 2019, local regulators, such as the FCA, may agree to some flexibility in exceptional circumstances. The FCA’s plan gives the industry time to implement SCA to ensure that customers and merchants continue to enjoy secure and seamless ecommerce.

This means we will not be closing your Authorize.Net account in the near term to allow more time for you to fully transition to your new CyberSource account. We still highl encourage you to upgrade to CyberSource as soon as possible, in order to take advantage of all the benefits your new account offers and to ensure you meet the SCA requirement ahead of any possible enforcement. We also recommend contacting your shopping cart or web developer to build out a transition plan and timeline.

What is PSD2?

The PSD2 replaces the First Payment Services Directive from 2009. PSD2 is a European directive that regulates payment services in Europe and focuses on improving security and minimising overall fraud potential. While the directive regulates payment service providers, it will have implications for e-commerce businesses.

What is SCA?

SCA requires the use of two or more different forms of authentication along with the transaction. There are three types of acceptable forms of customer authentication:

Knowledge: Something only the customer knows
Example: A password

Possession: Something only the customer has
Example: A pre-registered mobile phone, card reader or key generation device

Inherence: Something the customer is
Example: A biometric (facial recognition, fingerprint, voice recognition, behavioural biometric – provided it complies with the relevant SCA requirements)

To perform SCA, the customer must submit two or more of the above authentication forms with their applicable transactions.

Adding SCA will add a step to a customer’s checkout experience, but 3DS is designed to reduce that friction. See our FAQs for more information on how the checkout process will change.

What is 3DS?

3DS is an authentication tool designed to support SCA and is currently used by the card schemes to verify a customer. 3DS is available through CyberSource, many shopping carts, and various other third-party authentication services.

Who is CyberSource and how are they connected to Authorize.Net?

Like Authorize.Net, CyberSource is a leading provider of payment management solutions, with a focus on global-scale businesses. Authorize.Net and CyberSource have both been a part of Visa since 2010.

CyberSource provides a variety of products and services to support your business, including accepting payments in 190+ countries/territories and 40+ currencies, global tax tools, currency conversion, alternative payments, and more.    

FAQs

How does PSD2, SCA, 3DS, and CyberSource all fit together?

CyberSource allows you to use 3DS to perform SCA, which is designed to support PSD2.

How will performing SCA affect a customer’s checkout experience?

Using 3DS to support SCA will add an extra step to your customer’s checkout experience that allows them to provide their two forms of authentication. 3DS authenticates the information on the back end. Once authentication is confirmed, the customer has completed their payment.

Example Customer Checkout Today

Example Customer Checkout with SCA

Will I need to update my website or payment solution to use my new CyberSource account?

Authorize.Net Hosted Payment Form Solutions

If you are using a solution that utilises the Authorize.Net-hosted payment form, you will need to update your website or payment solution to use one compatible with CyberSource.

There are three options available to you:

  1. Use CyberSource’s Secure Acceptance – This solution closely mirrors the one you are using with Authorize.Net, as your customers will enter their payment information on a form hosted by CyberSource.
  2. Create a custom solution using one of the CyberSource APIs  – This solution will allow you to customize your payment solution however you’d like.
  3. Use a CyberSource compatible shopping cart – Contact your current shopping cart provider to find out if it supports CyberSource and 3DS. You can refer them to partners@authorize.net for assistance.

Be sure to check with your developer/shopping cart provider for help determining which option you should choose.

3DS Reminder

Whichever payment solution you utilise, you must enable and use its 3DS functionality, as this is the authentication tool that will assist you with SCA. CyberSource’s 3DS solution is called Payer Authentication and it can be used with Secure Acceptance or any CyberSource API.

All Other Authorize.Net Payment Solutions and Shopping Carts

We are creating a solution that will allow you to keep your current integration or shopping cart provider. In short, we are creating a connection that will pass the information you collect via your current Authorize.Net payment solution to your new CyberSource gateway account. However, to satisfy SCA, you must still implement 3DS, either through CyberSource or another provider. To start using 3DS, you will have to do some integration work. The new 3DS fields collected will be processed using your new CyberSource account. 

As a result, we highly recommend moving to a CyberSource API or a CyberSource compatible shopping cart, to ensure you enjoy all of the benefits that your CyberSource account has to offer.

To start using a CyberSource compatible integration, there are three options available to you:

  1. Use CyberSource’s Secure Acceptance  – This solution allows your customers to enter payment information on a form hosted by CyberSource.
  2. Create a custom solution using one of the CyberSource APIs  – This solution will allow you to customize your payment solution however you’d like.
  3. Use a CyberSource compatible shopping cart – Contact your current shopping cart provider to find out if it supports CyberSource and 3DS. You can refer them to partners@authorize.net for assistance.

Be sure to check with your developer/shopping cart provider for help determining which option you should choose.

3DS Reminder

Whichever payment solution you utilise, you must enable and use its 3DS functionality, as this is the authentication tool that will assist you with SCA. CyberSource’s 3DS solution is called Payer Authentication and it can be used with Secure Acceptance or any CyberSource API. If you choose to keep your Authorize.Net integration, you must still implement Payer Authentication or another 3DS solution to satisfy SCA.

Will my payment gateway pricing change?

Your new CyberSource account will keep the same payment gateway, transaction, and any additional service fees you are currently paying on your Authorize.Net account. However, 3DS is a separate service and has its own service fees. Fee information will be available and communicated to you soon.

When should applicable transactions be SCA ready?

By 14 September 2019.

What happens if I don’t use 3DS or require SCA for my online transactions?

If your applicable transactions do not have the appropriate level of SCA upon submission, then they may be declined.

Next Steps

We expect to have your new CyberSource account set up in the next few months. Once created, we will email you with more information on activating the account, how to familiarise yourself with your new account interface, and the timeline for accessing your new and old gateway accounts.

When the UK is no longer part of the EU, will PSD2 SCA still apply to businesses in the UK?

PSD2 SCA applies to businesses throughout Europe, not just the European Union, specifically in cases where both the issuer and acquirer
are located in the EEA (European Economic Area). So PSD2 SCA will still apply to most businesses in the UK.

Account Upgrade Info

Account Access Timeline

After registering your CyberSource account, you will be able to access both your Authorize.Net and CyberSource gateway accounts. This will allow you to continue using your Authorize.Net account while you configure your new CyberSource account settings and familiarise yourself with the new interface. Later this year, we will place your Authorize.Net account in Test Mode to allow read-only access, and you will no longer be able to process payments through it.

Once you register your CyberSource account, you can access it via the CyberSource Business Center, which is the equivalent of the Authorize.Net Merchant Interface. We highly recommend logging in to see the differences and to get accustomed to the new look and feel. 

To help you get used to the new interface, we highly recommend reviewing the Business Center merchant video tutorials here.

Account Setup Information

When you receive your registration email, you will notice there are two registration links. One to set up a username and password for a “merchant admin” and one for an “account admin.” You will need to set up both for your new CyberSource account.

CyberSource provides the ability to have multiple merchant IDs per master account, therefore, we’ll create a new master account for you that includes two merchant IDs: one for your new gateway account, which you will use for processing payments, and one that will display your transaction data from your old Authorize.Net account. Your master account allows you to manage both merchant IDs, as well as add additional ones later.

  • The first link in the email for “merchant admin” is to create the username and password for accessing your new gateway account only. This is the main gateway account/merchant ID where you will process payments going forward.
  • The second link in the email for “account admin” is to create a username and password for your master CyberSource account that manages both your new gateway account and your old Authorize.Net history.

Review our registration tutorial for step-by-step instructions on registering your new CyberSource account.

Note: Once you register your account, it will be “live,” meaning you can process transactions through the interface or API using your new CyberSource API credentials. However, you will only continue to be billed for your current Authorize.Net account fees—you will not be billed for two separate accounts.

Account Upgrade Resources

To help with your account upgrade, we have several resources available to you:

  • Account Comparison Guide – this guide lists the features and API services available on Authorize.Net and
    their correlating services on CyberSource
  • Account Upgrade Checklist – this checklist provides all of the necessary steps to take before, during, and
    after your account upgrade
  • Account Upgrade Webinar – watch the replay of account upgrade webinar where we walk through the registration process, start to finish

Account Upgrade Checklist

Are you ready for your new CyberSource account?

We recommend reviewing and taking the following steps before, during, and after your account upgrade to help prepare for your new CyberSource account:

Before Account Upgrade

□    Read an overview of the Second Payments Services Directive (PSD2), Strong Customer Authentication (SCA), and your upcoming
account changes here.

□    Learn more about PSD2 and how it impacts you by watching our PSD2 webinar: Webinar Replay

□    Upgrade your website or payment solution (contact your web developer for help determining which option applies to you):

        □    If you are using Accept.js or a hosted payment solution, such as the Server Integration Method (SIM), Simple Checkout, Direct
Post Method (DPM) or Accept UI/Accept Hosted, you must update your integration to use one compatible with CyberSource. Review your three options here.

        □    If you are using a non-hosted payment solution, such as the Advanced Integration Method (AIM) or ANET API (XML, JSON), your integration will continue to work, but we highly recommend moving to a CyberSource API or a CyberSource compatible shopping cart to take advantage of updates and newer integrations. Find more information here.

□    If you are using a third party technology provider or shopping cart, contact them to verify that they will support 3-D Secure (3DS) and CyberSource.

□    Review the Account Comparison Guide to see the features and API services available on Authorize.Net and their corresponding services on CyberSource

□    Watch the Account Upgrade Webinar replay to see the account upgrade and registration process, start to finish. Watch the Account
Upgrade Webinar
.

During Account Upgrade

□    Register your new account using the links from your CyberSource Account Registration email. The email will come from “CyberSource Customer Support” at donotreply@support.cybersource.com. Please find a step-by-step registration guide here

□    Bookmark your new CyberSource login page: https://ebc2.cybersource.com/ebc2/

□    Continue upgrading your website or payment solution (contact your web developer for help determining which option applies to you):

        □    If you are using Accept.js or a hosted payment solution, such as the Server Integration Method (SIM), Simple Checkout, Direct Post Method (DPM) or Accept UI/Accept Hosted, you must update your integration to use one compatible with CyberSource. Review your three options here.

        □    If you are using a non-hosted payment solution, such as the Advanced Integration Method (AIM) or ANET API (XML, JSON), your integration will continue to work, but we highly recommend moving to a CyberSource API or a CyberSource compatible shopping cart to take advantage of updates and newer integrations. Find more information here.

□    Ensure you are using Payer Authentication or another 3-D Secure integration.

□    Watch a merchant tutorial on how to use the CyberSource Business Center here and save a copy of the Business Center User Guide.

□    Create new users for your account. Please note that your current Authorize.Net users will not automatically transfer over and will need to be recreated. This is a good time to clean out old users or reset permissions. Watch a video here.

□    Get to know reporting in the Business Center – watch part 1 here and part 2 here.

□    Review and update your new account settings. Find more information here.

After Account Upgrade

□    Log into your old Authorize.Net account and download your transaction history. Find more information here.

□    Invoicing: If you are currently using the invoicing service with Authorize.Net, we will not be transferring any history or open/unpaid invoices from your Authorize.Net account to CyberSource. We recommend completing/closing out any open or unpaid invoices from customers in your Authorize.Net account, or canceling them and recreating the invoices from your new CyberSource account. You can then re-send the payment requests to your customers.

□    Remove the code for your Authorize.Net Verified Merchant Seal. The seal has been deprecated and does not work with your yberSource account.

□    Ensure you are using 3DS by 14 September 2019. You must enable and use 3DS functionality, as this is the authentication tool that will assist you with SCA.

If you have any questions, please call support at +44 (0) 203 564 4844

Resources

Account Comparison Guide – this guide lists the features and API services available on Authorize.Net and their correlating services on CyberSource.

Account Upgrade Checklist – this checklist provides all of the necessary steps to take before, during, and after your account upgrade.

Account Upgrade Webinar – watch the replay of our account upgrade webinar where we walk through the registration process, start to finish.

PSD2 SCA Webinar – learn more about PSD2 SCA and find out how to deliver a best in class digital experience in an SCA world. Register now to watch the replay.

The regulation impacts certain electronic payments where both the issuer and acquirer are located in the EEA (European Economic Area).