Turn PSD2 compliance into better payments performance - how to make strong customer authentication work for your business

 
CONTINUE READING
Turn PSD2 compliance into better payments performance - how to make strong customer authentication work for your business
Turn PSD2 compliance
 into better payments
 performance
how to make strong customer
authentication work for your business

April 2020
Turn PSD2 compliance into better payments performance - how to make strong customer authentication work for your business
Contents

                                                                                 5    Introduction: It’s time to make PSD2 work for you

                                                                                 6    Fighting fraud with strong customer authentication

                                                                                 8    Delivering higher authorization rates for greater
                                                                                      customer satisfaction

                                                                                 10   Taking the next step with 3DS V2.2

                                                                                 16   Conclusion: You say regulation, we say innovation

                                                                                 18   Appendix: Data used to authenticate transactions
                                                                                      under the latest 3D Secure versions

2   Ingenico ePayments | Turn PSD2 compliance into better payments performance                  Turn PSD2 compliance into better payments performance | Ingenico ePayments   3
Introduction: It’s time to
                                                                                 make PSD2 work for you
                                                                                 With PSD2, most payment companies talk about what
                                                                                 is ‘required’ and a need to ‘comply’. This year, however,
                                                                                 merchants have an extraordinary opportunity to use PSD2
                                                                                 to better control the data that drives their businesses.
                                                                                 This means they can test new authentication processes
                                                                                 that will enable them to cut their fraud risk, while
                                                                                 continuing to improve the customer’s shopping experience.

                                                                                 EMV 3DS is a game changer for authenticating transactions. It makes it easier
                                                                                 for merchants to authenticate transactions, so they can benefit from transferring
                                                                                 the fraud risk to card issuers, while protecting the customer experience.
                                                                                 It also introduces exemptions that enable merchants to choose, in certain
                                                                                 circumstances, whether to authenticate the transaction.

                                                                                 EMV 3DS Version 2.1 (V2.1) is available today, and supersedes the original 3D
                                                                                 Secure 1.0. By the end of 2020, EMV 3DS V2.2 will have been introduced by
                                                                                 card issuers, bringing new enhancements and including exemptions that will
                                                                                 enable merchants to get the best out of EMV 3DS. Mastercard is also introducing
                                                                                 an intermediate version called EMV 3DS V2.1+, which introduces exemptions
                                                                                 earlier and gives issuers more time to get ready for EMV 3DS V2.2.

                                                                                 By the end of 2020, the second Payment Services Directive (PSD2) will come
                                                                                 into action and merchants will be required to authenticate all transactions,
                                                                                 except where exclusions or exemptions apply. By running pilot projects
                                                                                 now, merchants can gather the data they need to steer their authentication
                                                                                 strategy and optimize their conversion rates. EMV 3DS introduces a number
                                                                                 of opportunities for merchants to optimize their check-out process, including
                                                                                 seamless authentication and mobile app integration.

                                                                                 In this paper, we’ll outline these opportunities, and tell you how you can get
                                                                                 ready to implement and succeed with strong customer authentication, which all
                                                                                 payment card issuers will introduce by the end of 2020.

4   Ingenico ePayments | Turn PSD2 compliance into better payments performance                          Turn PSD2 compliance into better payments performance | Ingenico ePayments   5
Fighting fraud with strong
                                                                                                                                       Transactions will require strong
                                                                                                                                       authentication when the following apply:

           customer authentication                                                                                                     •   The acquirer (merchant’s bank) and card
                                                                                                                                           issuer (customer’s bank) are both in the
                                                                                                                                           European Economic Area. If only one
                                                                                                                                           party is in the EEA, they are expected
                                                                                                                                           to use their best efforts to apply strong
           The anonymity of online                                      Ultimately, if merchants are not able to
                                                                                                                                           customer authentication, but the other
           transactions has made ecommerce                              support strong authentication, card issuers
                                                                                                                                           party is not obliged to comply.
                                                                        will decline transactions.
           a target for cybercriminals.
                                                                                                                                       •   The payer initiates an electronic
                                                                        Transactions will need to be authenticated                         payment. Payments initiated by the
           According to Juniper Research, card-not-                     using two out of three of the following:                           merchant are excluded from strong
           present fraud is expected to cost retailers                                                                                     authentication, as long as the payment
           $130 billion between 2018 and 20231.                         •    Something the customer knows, such as                         isn’t taken in response to a specific
           It’s a complex problem, and the solution                          a password;                                                   customer action. Setting up the original
           will require the cooperation of merchants,                                                                                      payment agreement remotely would
                                                                        •    Something the customer has, such as a
           payment service providers (PSPs), card                                                                                          require authentication, though. Orders
                                                                             device or token; and
           schemes and card issuers.                                                                                                       placed using email, phone, fax or
                                                                        •    Something the customer is, which might                        interactive voice response (categorized
           During 2020, strong customer authen-                              be their fingerprint or voiceprint.                           as MOTO – Mail Order/Telephone
           tication (SCA) will become a requirement                                                                                        Orders) will ultimately use decoupled
           for most online transactions. There will be                  Figure 1 shows some examples of                                    authentication, but issuers are not
           a ripple effect, in which PSD2 will mandate                  authentication elements in each category.                          expecting to have this ready in 2020.
           that card issuers use strong authentication,                 The factors need to be independent of each                         MOTO transactions are therefore out of
           and they in turn will require merchants to                   other (as all of these are), so that breaching                     scope until further notice.
           support it.                                                  one factor does not compromise the
                                                                                                                                       •   The merchant does not request one of
                                                                        reliability of the other factor.
                                                                                                                                           the exemptions that are allowed under
                                                                                                                                           PSD2. Exemptions give merchants a
                                           Password                                                                                        powerful tool for optimizing conversion
                                           PIN                                                                                             rates, as we explain later in this paper.
                                           Knowledge-based challenge questions
                Knowledge                  Passphrase
                “what I know”              Memorised swiping path                                                                      Crucially, the approach is shifting from one
                                                                                                                                       where the merchant can decide whether

                                           Device evidenced by an OTP (generated or received) or by a
                                                                                                                                       to authenticate a transaction, to one where
                                           signature generated or through a QR code externally scanned                                 every transaction must be authenticated
                                                                                                                                       (unless exemptions or exclusions apply).
                                           App or browser with possession evidenced by device binding

                Possession                 Card evidenced by a card reader or by a dynamic card security
                                                                                                                                       In addition, strong authentication will be
                “what I have”              code or through a QR code externally scanned
                                                                                                                                       required when the customer accesses their
                                                                                                                                       payment account online, or carries out any
                                           Fingerprint scanning                 Retina and iris scanning                               other action online that might result in
                                           Voice recognition                    Keystroke dynamics                                     payment fraud, such as adding a payee to a
                                           Vein recognition                     Heart rate or other body movement pattern              whitelist, or setting up a payment agreement
                Inherence                                                                                                              with a merchant.
                                           Hand and face geometry               Angle at which the device is held
                “what I am”

           Figure 1: Examples of authentication elements that meet the requirements for PSD2

1 Press release: Retailers to Lose $130bn Globally in Card-Not-Present Fraud over the Next 5 Years, Juniper Research, 2 January 2019

6      Ingenico ePayments | Turn PSD2 compliance into better payments performance                                                                                            Turn PSD2 compliance into better payments performance | Ingenico ePayments   7
Delivering higher
       authorization rates for
       greater customer satisfaction

       The means through which                            An intermediate version, EMV 3DS V2.1+,

       the industry will meet the                         will be used by Mastercard to bring some of
                                                          the benefits and requirements of EMV 3DS
       requirements of PSD2 is
                                                          V2.2 to market earlier.
       the 3D Secure protocol for
                                                                                                                              Date      Event
       authentication. 3D Secure 1.0                      Figure 2 shows the current timetable,
       was originally created in 2001,                    following an extension of the PSD2 deadline           18th October 2019       Mastercard mandate of EMV 3DS V2.1 for card
       but was not widely adopted.                        to the end of 2020. We don’t expect these                                     issuers.
                                                                                                                                        Mastercard issuers must now support EMV
                                                          dates to slip, because through our work                                       3DS V2.1. Mastercard issuers can now reject
       3D Secure 1.0 required merchants to                with issuers and acquirers, we have seen                                      authorization without 3DS authentication.
       pass the customer over to the bank to              that they are all working to this timeline. All
                                                                                                                  14th March 2020       Visa mandate of EMV 3DS V2.1 for card issuers.
       authenticate the transaction during check-         merchants, including those using 3D Secure
                                                                                                                                        Visa card issuers must now support EMV
       out, and many merchants decided they               1.0, should begin migrating to EMV 3DS now.                                   3DS V2.1. Visa card issuers can now reject
       would rather keep the fraud liability than         The sooner merchants start incorporating                                      authorization without 3DS authentication.

       risk complicating the check-out process.           the latest secure authentication protocols
                                                                                                                     1st July 2020      Mastercard mandate of EMV 3DS V2.1+ for card
                                                          in their payment processes, the longer they                                   issuers
       Now, EMV 3DS V2.1 is available. It can             will have for testing, and the earlier they                                   Mastercard now supports exemptions, and
                                                                                                                                        Mastercard issuers must now support EMV 3DS
       authenticate most transactions in the              can start to reap the rewards. Ingenico
                                                                                                                                        V2.1+.
       background without interrupting the                recommends that merchants that have not
       customer, thanks to data provided by the           yet adopted 3D Secure skip version 1.0 and         14th September 2020        Visa mandate of EMV 3DS V2.2 for card issuers
       merchant. This approach helps to improve           go straight to EMV 3DS V2.1.                                                  Visa card issuers must now support EMV 3DS
                                                                                                                                        V2.2.
       conversion rates while also reducing
       the merchant’s exposure to fraud. When             We recommend that merchants support                 31st December 2020        Current deadline for compliance with PSD2
       the consumer is authenticated during a             the highest version of 3D Secure that the                                     All online transactions will need to use 3D
                                                          card issuers are using at any given time.                                     Secure unless exemptions or exclusions apply.
       transaction, card issuers will assume the
       liability for any fraudulent transactions          If merchants are not ready or willing to
                                                                                                                  14th March 2021       Mastercard mandate of EMV 3DS V2.2 for card
       that do slip through. Merchants can expect         incorporate secure authentication in their                                    issuers
       to experience fewer chargebacks and                normal payment workflow, they should be                                       Merchants now need to support EMV 3DS V2.2
                                                                                                                                        for Mastercard transactions.
       fraudulent payments, and a lower cost of           able to “step up” by resubmitting and using
       processing fraudulent transactions.                3D Secure to authorize transactions if they
                                                          are declined. Ingenico, as your payment
       This year, card issuers are gearing up to          service provider (PSP), can automatically do
                                                                                                            Figure 2: The timetable for introducing strong customer authentication
       introduce EMV 3DS V2.2. It will introduce          this resubmission for you when it detects
       decoupled authentication for channels              a soft decline of the transaction. Find out
       such as telephone and email, as well as            more about Ingenico’s product portfolio for
       exemptions that allow merchants to not             PSD2 here.
       authenticate certain transactions.                 customer segments.

8   Ingenico ePayments | Turn PSD2 compliance into better payments performance                                                            Turn PSD2 compliance into better payments performance | Ingenico ePayments   9
Taking the next step
                                                                                                           Information such as the IP address might
                                                                                                           be difficult for merchants to capture, but
                                                                                                           payment providers such as Ingenico can help

        with 3DS V2.2                                                                                      with this. Data points such as this can be used
                                                                                                           to create a fingerprint for the device that is
                                                                                                           being used, to help authenticate the customer.

                                                                                                           A recurring payment has no agreed end date,
        EMV 3DS brings a number of                        faster experience. This is likely to increase
                                                                                                           so it may be challenging to complete the
        opportunities for merchants                       customer satisfaction and may increase
                                                                                                           expiration date field in this case. As 3D Secure
                                                          repeat business and conversion rates.
        to streamline their payments                                                                       is adopted throughout the year and into 2021,
        workflow, while reducing their                    The appendix shows the data points
                                                                                                           there may be refinements in how card issuers
        exposure to fraud. These include                                                                   request and use data like this.
                                                          included under EMV 3DS. Some of this data
        the use of richer data, optional                  is mandatory, such as the cardholder name
                                                                                                           As well as data quantity, data quality will matter.
        exemptions that help to optimize                  and billing address. Some other fields are
                                                                                                           If existing data will be repurposed for payment
        conversion rates, and better                      easy to complete, such as the shipping
                                                                                                           authentication you may wish to spend some
        mobile integration.                               address, which merchants engaged in selling
                                                                                                           time checking it is good enough, in particular
                                                          physical goods will have on record for
                                                                                                           with regard to its completeness and formatting.
                                                          delivery purposes.
                                                                                                           Ingenico can help you with this.
        Sharing data for frictionless authentication
        In the past, merchants were able to process       Some fields might be difficult to complete
                                                                                                           Another strategy merchants can use to
        transactions using a card number, expiry          because merchants are not collecting
                                                                                                           ensure a frictionless payment flow involves
        date and card verification code (CVC). Under      or calculating the appropriate data yet,
                                                                                                           the card issuer lifting key data points
        EMV 3DS, there are around 100 data points         such as the number of transactions a
                                                                                                           directly from the customer’s browser. This is
        that card issuers can use to authenticate         year. Merchants may be able to increase
                                                                                                           highlighted through the payment process to
        the customer and assess the risk of the           the likelihood of frictionless approval by
                                                                                                           ensure it is frictionless and doesn’t require
        transaction. This data can be supplied by the     updating their systems to capture these
                                                                                                           additional approvals from the customer. This
        merchant with each payment request.               metrics now. By requiring customers to log
                                                                                                           is included as part of 3D Secure V2.1.
                                                          in to accounts, rather than using a guest
        Providing this data increases the chance of       checkout process, merchants can increase
        a frictionless flow. Once the TRA (transaction    the amount of data they capture. It is
        risk analysis) on the issuer side has been        important that this is done in a way that
        determined as ‘low risk’, the payment is          meets the merchant’s obligations under the
        authenticated and the card issuer assumes         General Data Protection Regulation (GDPR).
        the fraud liability, without the customer                                                          Frictionless authentication in brief
        needing to take any additional action. If the     Customers must be notified of how their
        issuer cannot categorize the transaction                                                           Frictionless authentication brings all the
                                                          data will be used and give their consent.
        as ‘low risk’, due to insufficient data, or                                                        benefits of EMV 3DS, including transfer of
                                                          Merchants that offer checkout without an
        if the data indicates that the transaction                                                         fraud liability away from the merchant,
                                                          account are likely to find their customers are
        falls outside the customer’s usual behavior,                                                       without any impact on the customer
                                                          more likely to be challenged, and conversion
        they may require the customer to provide                                                           experience. It presents a fantastic opportunity
                                                          rates may be lower as a result. As an added
        additional authentication, e.g. a one-                                                             for those merchants that can capture and
                                                          bonus, customers that create accounts may
        time password. While this authentication                                                           communicate more complete information.
                                                          prove to be more loyal, and will be able to
        process is not onerous for customers, a                                                            Merchants have an opportunity to prepare
                                                          enjoy a faster ordering process because some
        frictionless flow will offer a simpler and                                                         and test their data capture systems now.
                                                          of their data can be stored in the account.

10   Ingenico ePayments | Turn PSD2 compliance into better payments performance                                                                    Turn PSD2 compliance into better payments performance | Ingenico ePayments   11
Requesting exemptions                                whitelisting may benefit from greater                 Exemptions will be supported in EMV 3DS
        In certain circumstances, merchants can              stickiness, by making it easier for                   V2.2. In addition, Mastercard’s EMV 3DS V2.1+
        request an exemption to skip the secure              customers to shop with them.                          will support the exemptions for low value
        customer authentication requirements. While                                                                transactions, whitelisting, TRA, and a different
                                                          • Transaction Risk Analysis (TRA): If the
        most payments can be approved seamlessly,                                                                  implementation of delegated authentication.
                                                             payment acquirer falls below fraud rates
        merchants cannot know in advance
                                                             determined by the European Banking
        whether the bank will require additional                                                                   American Express (Amex) is not planning
                                                             Authority (EBA), the transaction may be
        authentication. Merchants may prefer to                                                                    to support any exemptions, so it will be
                                                             exempt from authentication. The fraud
        request an exemption, to avoid interrupting                                                                particularly important to improve the
                                                             rates are shown in Figure 3. To use this
        the customer’s order process. Merchants                                                                    quality and quantity of data shared to
                                                             exemption, the merchant needs to carry out
        will be liable for any resulting fraud on the                                                              achieve a frictionless payment process for
                                                             a risk assessment on the transaction before
        transaction, but it might help to improve                                                                  Amex cardholders.
                                                             submitting the payment for approval.
        conversion rates. Requesting an exemption
                                                             Ingenico can provide risk assessments so
        is not a guarantee that it will be granted.                                                                By introducing EMV 3DS now, merchants
                                                             merchants can take advantage of this.
                                                                                                                   can take the opportunity to test when it is
        Here are the exemptions that may apply:                                                                    in their interests to use secure customer
                                                                Threshold      Reference CNP fraud rate            authentication and when it is not, so they can
        • Low transaction value: Strong                         EUR 500        0.01                                see whether exemptions are attractive for
           authentication may not be required for               EUR 250        0.06                                them. There is a balance to be struck between
           transaction values of less than EUR 30.                                                                 conversion rate and fraud risk, and merchants
                                                                EUR 100        0.13
           This exemption applies if there have been                                                               can only reach an informed decision by
           no more than five payments since the last                                                               gathering data that compares authenticated
           strong authentication, with a total value         Figure 3: Reference fraud rates for card-not-         and non-authenticated transactions.
                                                             present (CNP) fraud. If the acquirer is below these
           of less than EUR 100.
                                                             thresholds, secure customer authentication may
        • Corporate payments: Business-to-                   be exempt.

           business transactions do not require
           strong authentication where there are          • Delegated authentication: Although
           dedicated payment processes and the               not strictly speaking an exemption,
           reference fraud rate is less than 0.005%.         delegated authentication has much the
           This exemption applies for corporate and          same effect. Participating merchants
           lodged cards.                                     that use strong authentication when
                                                             customers log in to their accounts may
        • Recurring payments: Setting up a
                                                             not need to use it when the payment is
           recurring payment agreement requires
                                                             processed. Merchants will need to work
           strong authentication because the                                                                       Exemptions in brief
                                                             with the card schemes for permission to
           customer is present and it is the only
                                                             use delegated authentication, and card
           payment initiated by the consumer of                                                                    Exemptions enable merchants to request that
                                                             schemes will notify issuers that they
           the series. Each individual payment                                                                     secure authentication is not used in certain
                                                             should not authenticate the merchant’s
           under the agreement does not require                                                                    circumstances. Using exemptions reduces
                                                             transactions. Mastercard will consider
           authentication.                                                                                         the risk of the customer being challenged
                                                             allowing delegation for merchants that
        • Whitelisting: Payers can choose to add             follow the authentication standards of the            to authenticate the transaction, which may
           merchants to a list of trusted payees for         FIDO Alliance, an industry body dedicated             increase conversion rates. Merchants carry the
           whom they do not wish to use secure               to authentication standards. If you’re                cost of fraud when an exemption is granted,
           authentication. Setting up the whitelist or       interested in delegation, we recommend                though, so they should begin testing now to
           changing it does require authentication,          discussing it with card issuers and your              work out the optimum balance between sales
           but customers can then shop without               payment service provider today, so you                conversion and fraud risk.
           authenticating each purchase. Merchants           have time to put the necessary measures
           that give customers the option of                 in place.

12   Ingenico ePayments | Turn PSD2 compliance into better payments performance                                                                          Turn PSD2 compliance into better payments performance | Ingenico ePayments   13
Improving mobile payment processes
           Mobile phones now account for more than
           half of online transactions globally2. 3D
           Secure 1.0 predated both Android and iOS
           by several years, and was designed for
           desktop browsers, so it wasn’t working well
           for mobile workflows.

           With EMV 3DS V2.1, the industry has taken
           the opportunity to create a mobile software
           development kit (SDK) so that payments can
           be integrated within your mobile app. EMV
           3DS V2.2 will further enhance the SDK by
           integrating with banking apps so they can
           be used for authentication.

           In most cases, the authentication will be
           frictionless and automatic. Where the
           customer is challenged to provide additional
           authentication information, it will be
           possible to do this from within the app,
           without having to redirect to a browser.

           EMV 3DS V2.1 also introduces support for
           other devices such as gaming consoles,
           so merchants can take advantage of the
           reduced fraud risk of 3D Secure in those
           channels too.

           Ingenico is working with EMVCo, the industry-
           wide technical body responsible for EMV 3DS,
           to incorporate EMV 3DS, including exemptions,
           in its mobile payment SDK. The SDK helps
           merchants to easily build PSD2-compliant
           payments within their apps. The SDK abstracts                            Mobile payment processes in brief
           away the complexity, with Ingenico taking
           care of how EMV 3DS is implemented, and                                  EMV 3DS gives merchants an opportunity
           managing the payments in the background.                                 to improve their mobile conversion rates,
           When step up authentication is required,                                 enhance the experience of in-app payments,
           Ingenico is able to do that automatically,                               and reduce their exposure to fraud. Using EMV
           and as new features are added to EMV 3DS,                                3DS, authentication challenges can be built in
           Ingenico will update its processes and systems                           to the mobile app, and most authentication can
           to shield merchants from the complexity as                               be carried out in the background seamlessly.
           much as possible.                                                        Ingenico’s mobile SDK is being enhanced to
                                                                                    support EMV 3DS, to make it easier to build
                                                                                    authentication into apps.

2 Worldwide Retail and Ecommerce Sales: eMarketer’s Updated Forecast and
New Mcommerce Estimates for 2016—2021, eMarketer, 29 January 2018

14     Ingenico ePayments | Turn PSD2 compliance into better payments performance                                        Turn PSD2 compliance into better payments performance | Ingenico ePayments   15
Conclusion: You say regulation,
        we say innovation

        Implementing EMV 3DS as part of PSD2 compliance efforts
        presents a number of opportunities for merchants.

        They can transfer the liability for fraud to card issuers while enhancing their
        customer experience, by enabling frictionless authentication in the background.
        Some merchants may choose to absorb the fraud risk and request exemptions
        to secure authentication. As the mobile phone is an increasingly important
        shopfront, merchants will welcome the opportunity to integrate authentication
        tightly with their apps for a better user experience.

        To make authentication a better experience for their customers, it’s important
        that merchants can make an informed decision. Beginning pilot projects now will
        enable them to gather the data they need before authentication is a mandatory
        requirement.

        EMV 3DS is a huge transformation for the payments industry – and the potential
        rewards are there for merchants that can see them. By working with Ingenico,
        you can abstract away much of the complexity of implementing 3D Secure, and
        benefit from expert insight into how your data can be used to streamline your
        authentication processes.

                  Contact us

16   Ingenico ePayments | Turn PSD2 compliance into better payments performance           Turn PSD2 compliance into better payments performance | Ingenico ePayments   17
Appendix: Data used to authenticate transactions
          under the latest 3D Secure versions

          Providing these data items can help the card issuer to identify
          a transaction as low risk, so it can be authenticated seamlessly

          Card Information                                        Merchant risk information (all required if available)
          Card/Token Expiry Date (M)                              Information related to the delivery
          Cardholder Account Identifier (Required if available)   Shipping Indicator
          Cardholder Account Number (M)                           Delivery Timeframe
                                                                  Delivery Email Address
          Cardholder information                                  Reorder Items Indicator
          Cardholder Email Address (M)                            Pre-Order Purchase Indicator
          Cardholder Home Phone Number                            Pre-Order Date
          Cardholder Mobile Phone Number                          Gift Card Amount
          Cardholder Work Phone Number (Required if               Gift Card Currency
          available)                                              Gift Card Count
          Cardholder Name (M)
                                                                  Consumer Information (all required if available)
          Cardholder Billing Address (all Mandatory)              This information is usually part of the consumer
          Cardholder Billing Address City                         account in the merchant’s website
          Cardholder Billing Address Country                      Cardholder Account Age Indicator
          Cardholder Billing Address Line 1                       Cardholder Account Date
          Cardholder Billing Address Line 2                       Cardholder Account Change Indicator
          Cardholder Billing Address Line 3                       Cardholder Account Change
          Cardholder Billing Address Postal Code                  Cardholder Account Password Change Indicator
          Cardholder Billing Address State                        Cardholder Account Password Change
                                                                  Shipping Address Usage Indicator
          Shipping Address (all required if available)            Number of Transactions Day
          Cardholder Shipping Address City                        Number of Transactions Year
          Cardholder Address Country                              Number of Provisioning Attempts Day
          Cardholder Shipping Address Line 1                      Cardholder Account Purchase Count
          Cardholder Shipping Address Line 2                      Suspicious Account Activity
          Cardholder Shipping Address Postal Code                 Shipping Name Indicator
          Cardholder Shipping Address State                       Payment Account Age Indicator
                                                                  Payment Account Age
          Merchant Basic Information (all Mandatory)
          Merchant Category Code                                  Browser Information (all mandatory with exceptions)
          Merchant Country Code                                   Browser Accept Headers
          Merchant Name                                           Browser IP Address (Required if available)
                                                                  Browser Java Enabled
          Purchase information                                    Browser Language
          Purchase Amount (M)                                     Browser Screen Color Depth
          Instalment Payment Data (Required if available)         Browser Screen Height
          Purchase Currency (M)                                   Browser Screen Width
          Purchase Date & Time (M)                                Browser Time Zone
          Recurring Expiry (Required if available)                Browser User-Agent
          Recurring Frequency (Required if available)
          Transaction Type (M)                                    For mobile app integrations there is similar
                                                                  information required that the issuer can use to
                                                                  display the challenge correctly

                                                         www.ingenico.com/global-epayments

18   Ingenico ePayments | Turn PSD2 compliance into better payments performance
You can also read