Allpay – Changes to Online Payment Authentication

From 14th September 2019, WCHG customers will need to provide two types of authentication for some online transactions. This is because debit and credit card issuing banks will implement a regulation called Strong Customer Authentication (SCA), which comes into UK law on that date.

This will see a new standard for verification, 3D Secure 2.0 (3DS2), required for transactions made through websites and mobile apps.

Mastercard and Visa have 3DS2 security products called “Identity Check” and “Verified by Visa” respectively.  These are used by issuing banks to evaluate e-commerce transactions and, where appropriate, present challenges for the cardholder to authenticate themselves that the transaction is genuine.

Transactions checked by 3DS2 see the liability shift for chargebacks from the merchant to the Issuing Bank. allpay clients already benefit from this with Internet Payments and Branded Gateway, which adhere to the current 3D Secure standard.

What is different with 3DS2?

With 3DS2, merchants must send more data with each transaction so that the Issuing Banks are better placed to evaluate the request by having access to more contextual data (such as name, address, email address etc) and only challenge the riskiest transactions.

This approach will:

Protect mobile commerce – native mobile apps will now be included in 3DS checks to ensure that apps are as safe as website payments.
Reduce checkout friction – as only the riskiest transactions are challenged, most cardholders won’t see their checkout journey interrupted. This is likely to increase payments by reducing drop outs.
Increase security – for transactions that are challenged, cardholders will have to pass SCA for the Issuing Bank to be confident that the transaction is from the legitimate cardholder.

How will transactions be challenged?

When transactions are challenged, Issuing Banks will ask the cardholder for :

Something the cardholder is - Biometric check for mobile payments on supported devices e.g. cardholder authenticates with their fingerprint.

Something the cardholder has - One-time password is sent from the Issuing Bank to the cardholder’s phone for them to enter into the payment website or app.

Something the cardholder knows - Knowledge-based password e.g. place of birth, favourite teacher etc.

What does this mean for you?

allpay is working closely with Lloyds Cardnet (our Acquiring Bank) and Global Payments (our Payment Gateway partner) to be compliant by September 14th 2019 to ensure customers continue to make safe, easy payments with minimal disruption. Updates to our mobile App will be rolled out to customers during August and we will keep you (and your customers) notified with any further changes between now and September.

For any questions, please contact your account manager through

Best regards,

allpay Limited
Allpay – Changes to Online Payment Authentication