by vineyardmike 1873 days ago
Very interesting to hear about the impact of this regulation on industries many here work in, but I have many questions that were answered…

What is PSD2?

What is 3DS?

Why do these exist and what did they solve?

Edit: Thanks for the responses everyone!


> What is 3DS?

3DS stands for 3 Domain Secure. Payment processing requires a lot of service providers to coordinate: card issuer, merchant acquirer, and card network, to name a few.

The three domains in 3D refer to the domains of the Issuer (the bank that issued your card), the Acquirer (the bank that the merchant has their account in), and the Network (Visa, Mastercard, etc., which connects Issuing banks and Acquiring banks).

I'm vastly simplifying because nowadays there are new entities which are difficult to typecast into one of Issuer/Acquirer/Network because, depending on the scenario, they can act as any or all three.

Unlike the Internet, which has reasonably well defined protocols/services to provide end user services (HTTP, SMTP, DNS, etc.), online payment processing has evolved by monkey-patching systems as newer challenges have arisen. There are no well defined protocols or standards, so you have this vast network of systems that somehow work together to process online payments. Once in a while it fails, exposing its innards, like how people came to learn about T + 2 settlement during the GameStop saga.

> Why do these exist and what did they solve?

3DS is kind of a protocol that'll enable a card holder to authorise a payment while minimising the number of service providers that have access to their card details. A typical implementation of 3DS requires the card holder to authorise a payment through a PIN. Another is through second factor auth such as SMS OTP, RSA tokens, or Apple's Face ID.

> What is PSD2?

This is a European-specific regulation to make payments more secure. 3DS is one of its requirements.

PSD2 is an EU directive that changed how online payments can take place within the EU. The key points are basically these:

Strong customer identification is required. In Denmark we handle this with our national identity system NemID (soon to be MitID), which is a national two-factor system that we previously mainly used for stuff like online banking or interacting with the public sector, but is now also required when you buy something online.

Releasing the ownership of your financial data from the banks, meaning that you can give third party companies access to your banking data. In Denmark this has revolutionised budgeting because the area was disrupted by companies that saw a gap in the age old online banking systems. As an example, my “overview” in my netbank was basically just a table of the data they used to physically mail me; today it offers all sorts of BI-like tools to show me how I spent my money because an app named Spir or Spiir or something like it completely revolutionised the area. As you may be able to tell, I’m still doing my budgeting in my own spreadsheet, but the Spiir app is one of the most popular apps in Denmark.

Overall it has been pretty well received in Denmark. Having to utilise two-factor identification when you buy stupid shit online is annoying, and it’s likely costing some sales as people have a few more seconds to think while they pick up their phone, but overall people are happy with the increased protection it also offers them.

I'll link up Stripe's docs for SCA[1] as they have been very helpful for me in getting Leavetrack[2] set up for SCA.

PSD2 is the Second Payment Services Directive from the EU. A directive is required to be implemented in national law no more than two years after it is passed and whilst there have been delays, the past 12 months have seen a ramping up of banks implementing Strong Customer Authentication.

3DS (3D Secure) is like 2FA for debit/credit cards. In my case, I bank with Monzo and if a transaction requires 3DS, I have to open the Monzo app on my phone and confirm it. There are other aspects to SCA e.g. if I have used contactless payment frequently, I am more likely to be prompted to enter my PIN to confirm I still have my card.

[1] https://stripe.com/gb/payments/strong-customer-authenticatio...

[2] https://leavetrackapp.com/

Stripe has one of the best pieces of API documentation out there, and their sandbox actually simulates SCA to the fullest extent possible.

The only things missing from their testing arsenal are a debit card that triggers SCA past X amount, and a debit card that has limited funds.

PSD2 is an initiative/set of laws that force banks to have some kind of API available to trusted parties so other companies can access customers' financial data (with explicit consent by the user, of course). This allows the banking app from bank A to work with the bank account of bank B, if bank A implements bank B's API. It also includes some other stuff, like adding security requirements to online payments, like the 3DS system is doing.

Companies that make use of these APIs need to fulfil some requirements so that not just any shitty company can ruin your life by hiring shit developers that accidentally add zeroes to the amount of your transactions.

3DS probably refers to "3D secure", a way to secure credit card payments online. I don't use a credit card for anything but paying for American services so I don't know the details of it, but it seems to be a way to redirect credit card users to the checkout page of their bank so that extra security (like 2FA) can be added to online payments.

The 3DS is a handheld console by Nintendo.

Just kidding, 3DS is short for 3D-Secure and is an approach to make payments with credit cards more secure. Things like 3DS are mandated by the PSD2 which came into effect a while ago.

PSD(2) is short for Payment Services Directive; it's a set of rules to make online payments more secure and reduce the risk of fraud. It has some requirements, such as two factor authentication (3DS), etc., for basically any service that is processing payments online.

The biggest thing with PSD2 seems to be the introduction of mandatory 2FA (CVC code/card number are not sufficient).

CVC has always been a joke

3DS is 2FA for credit card transactions. PSD2 is the law requiring it in the EU.

3D-Secure is basically a form of 2FA for payments. It has been around for almost two decades. US banks seem to have happily ignored it, as well as EMV/NFC cards, even when good ol' magstripe had been shown to be hackable with a potato, and thus companies who lived in the US, when they come to do business in Europe, find an "impenetrable wall" of having to integrate correctly with a 2FA process they don't understand. Same as GDPR, really. "How come it's opt-in and not opt-never?"