Visa issuer mandate for 3D Secure v2.1 in place from 14 March 2020

Key points:

• From 14 March 2020 onwards, Visa expects all European issuers to have adopted 3D Secure (3DS) v2.1.
• Merchants will benefit from a liability shift even if the issuer is not enrolled.
• The UK’s Financial Conduct Authority (FCA) is also setting the same deadline for UK issuers.

There’s a lot going on in the economic news right now so in case you missed it, Visa’s mandate for issuers to be ready for 3DS 2.1 was last Saturday 14 March 2020.

Although there are no Visa requirements for merchants to be 3DS ready, the expectation would be that they must also be v2.1 ready to support any transactions which are stepped up by the issuer.

What does this mean for merchants?

3DS 2.1 is a huge improvement on version 1, so if issuers are prepared and want to use 3DS, it’s likely that they will use v2.1. For merchants. this could mean:

• Acceptance rates may increase due to v2.1 improvements.
• A greater proportion of transactions that fall under PSD2 scope may be sent to 3DS.

Alternatively, merchants may not see any changes, as it’s not yet mandatory for issuers to use 3DS, just to be ready for it. However, issuers do have the right to reject transactions without 3DS as they choose.

This will benefit merchants who are ready for 3DS 2.1, even if issuers are not. For example, if a merchant requests authentication through 3DS2, and the issuer is not enrolled in v2, the issuer will still take liability even though no authentication takes place.

What if a Visa issuer isn’t ready for 3DS 2.1?

It’s unclear what action will be taken if a Visa issuer is not ready for 3DS 2.1. Visa launched a new performance program for merchants and issuers that process transactions. Although the rules don't strictly relate to this new deadline of v2.1 adoption, they could use these to monitor overall performance by issuers.

As another example, we can look at the Mastercard 3DS 2.1 mandate for issuers (18th of October 2019). In the UK, as of 28 January 2020, there has been no enforcement action taken for Mastercard issuers not supporting 3DS 2.1.

What’s the next deadline?

• 1st July 2020: 3DS 2.1+ Mastercard mandate for issuers

2.1+ is a Mastercard version of 3DS in between 2.1 and 2.2. It adds some of the functionality available in 2.2 - most importantly exemptions.

• 14th September 2020: 3DS 2.2 Visa mandate for issuers

• October 2020: American Express - Issuers & acquirers must adopt 3DS v2.2

• 16th October 2020: Visa - Acquirers must be v2.2 ready

• 31st December 2020: Visa to end support for 3DS1

By September 2020, merchants should be prepared to support the highest 3DS version supported by the issuers - v2.2. This will allow merchants to benefit from exemptions to 3DS.

31st December 2020 is the current Strong Customer Authentication (SCA) deadline, from 1st January 2021, merchants should expect to see SCA on all payments unless the issuer grants an exemption.