The purpose of this article is to help you learn more about:

  • What 3D Secure 2.0 (3DS2) is and how it works
  • How 3DS affects adding cards and capturing payments 
  • What customers experience when making purchases with 3DS2-enabled cards
  • How to enable automated 3DS2 notifications to authenticate charges 
  • How to edit the customer's charge authentication page
  • What the 3DS payment intents and labels indicate in your payment processor 

 

What is 3DS2? 

3DS2 SCA (Strong Customer Authentication) is an authentication and security protocol designed to help merchants and banks meet the SCA requirements of the EU’s Revised Payment Services Directive (PSD2). The protocol is designed to help ensure secure online payments and protect against fraud. 3DS2 SCA works by using a combination of two-factor authentication (2FA) and 3D Secure 2 (3DS2) technology to verify a cardholder's identity.

3DS2 SCA is designed to ensure customers can make secure online payments while helping merchants and banks meet the SCA requirements of PSD2. By using a combination of two-factor authentication and 3D Secure 2, 3DS2 SCA provides an additional layer of security for online payments.

When a customer makes an online payment, the merchant sends a request to the customer’s bank to authenticate the transaction. The bank will then provide the customer with an authentication method, like SMS codes, biometrics, or a one-time password, to verify their identity. Once this step is complete, the bank sends a response to the merchant with the authentication result. This result is used to determine whether the transaction can be approved or declined.

Click here to learn more about 3DS2 in this article by Stripe.  

 

Which payment processors utilize 3DS2?

Three out of the payment processors that integrate with BookingKoala are 3DS2-compliant:

  • Stripe
  • Square
  • PayPal (via Braintree)

The payment processor Authorize.net currently does not support 3DS2.

Click here to learn more about payment processors and BookingKoala. 

 

How does 3DS2 impact payment processing? 

3DS2 implementation affects how the following actions are completed in BookingKoala:

  • Adding a card to a customer's profile
  • Charging/pre-charging a booking
  • Placing a hold/card preauthorization
  • Selling/purchasing a gift card
  • Adding a late tip
  • Charging a rescheduling fee
  • Charging a cancellation fee
  • Charging an additional fee

Whenever a customer's card is added or charged, your payment processor will first check to see if the customer's bank requires additional authentication as required by 3DS2. 

  • If authentication is required, the system will automatically send the customer an email and/or SMS notification asking them to authenticate their card via a secure link.
  • If it is not required, transactions will process as usual. 

 

Enable 3DS2 for Your Account

You can enable 3DS2 for your account by going to:

Settings > General > Store Options

Click on the "Admin" tab at the top of the page, then scroll down to just after the "Connect Payment Gateways" section.  Look for the feature "Enable or disable 3DS (Strong Customer Authentication) feature".

If the button in front of the feature is red and reads "Disabled", this indicates that the 3DS2 feature is not live for your account.

You can toggle the button to "Enabled" by clicking on the button. A pop-up window will ask if you are sure you would like to enable the 3DS2 feature.  Click the blue "Yes" button to proceed.  

A green system alert will appear in the top right corner of the page confirming that the changes you've made to your store settings have been saved successfully.

To learn more about how 3DS2 impacts 

 

Adding a New Credit Card

Adding cards with 3DS2 to BookingKoala will now require an additional step to authenticate the card. Regardless of how the new card is added, the procedure for 3DS2 card authentication will follow the same flow once the card information is entered.  

  1. To begin, go to one of the sections that allow you to add a new card.
     
    • Add a card to a customer profile
        1. Go to the Customers section and click on a customer's name.
        2. Click on their Profile tab.
        3. Scroll down to the Billing Information section, and
        4. Click on the blue "Add New" button. 

       

    • Add a card to a new booking
      1. Click the blue Book Now button at the top of the side menu to create a new booking.
      2. Scroll down to the Payment Information section and use the New Credit Card option.

    • Add a card to an existing booking
      1. Click the Edit button/icon for an existing booking anywhere in your dashboard.
      2. Scroll down to the Payment Information section and use the New Credit Card option.


    • Add a card to charge an additional fee or late tip
      1. Go to Bookings > Booking Charges > All Charges tab.
      2. Click on the Additional Charge or Add Tip icon for the booking. 
      3. Use the New Credit Card option.


    • Add a card to charge a cancelation fee 
      1. Click the Cancel Booking button/icon for any active booking in the system.
      2. Select the Add New option in the pop-up window.   


    • Add a card to charge a rescheduling fee
      1. Click the Edit button/icon to open the booking and
      2. Click the Reschedule button under the check availability section and select a new date and time.
      3. Click the Update Booking button.
      4. Use the Add New option in the pop-up window.    


  2. Next, enter the card number, expiration date, and security code into the "Add New" or "New Credit Card" fields, then click Next if applicable or proceed to the next step.


  3. Click the Add Card button. The payment processor will check to see if the bank requires additional authentication to add the card.


  4. If the bank does not require additional authentication, the card will be added to the customer's profile or booking(s) automatically. If the bank requires additional authentication, a pop-up will appear for you to complete the process. Click the Complete Authentication button to proceed.



  5. The customer's bank may send them a password or code for you to enter into the next step, or they may get a security challenge or verification step to complete on their end.

  6. Once this step is completed, the card will be saved to the customer's profile or booking(s).

 

How does 3DS2 impact booking charges?

BookingKoala allows you to charge customers manually, automatically, or use a combination of both methods. To learn more about the booking charges, click here.  To learn how to set up automatic charges and other payment preferences, click here.

 

Processing Manual Booking Charges

The process for collecting pending payments for cards with 3DS2 is the same as processing payments for other cards with one additional step for the customer: completing card authentication so the payment can be collected.

Payments can be charged by going to Bookings > Booking Charges > Pending Payments tab.

  1. To charge a single booking, click the $ icon to charge the card on file. 


    If you see the dollar bill icon instead, the booking has Cash/Check set as the payment method, so 3DS2 will not be a factor when "charging" the booking. 

  2. Upon clicking the charge icon, a pop-up window will appear asking you to confirm the charge.


  3. Once you click the Charge Now button, the payment gateway will check if the card requires additional authentication to process the payment.  
    • If the bank requires additional authentication, an email and SMS notification will be sent to the customer asking them to authenticate the card using a secure link. Once the customer clicks the link and authenticates their card, the charge will be posted.
    • If the bank does not require 3DS2 authentication, BookingKoala will process the transaction per usual.
  4. While the charge is pending, a Booking Charge Pending Authorization tag will be added to any booking(s) that require customer authentication.  The tag will be removed once the customer completes the transaction.


Please Note: Authenticating the customer's card for a tip, rescheduling fee, cancellation fee, additional charge, or gift card follows the same flow as processing a booking charge.  Each type of charge has a corresponding tag that shows if the pending authorization charge is for a booking, tip, cancellation fee, etc.

 

Canceling Bookings with Cancellation Fees

BookingKoala allows you to charge cancellation fees to compensate the company and/or your providers for loss of work due to last-minute cancellations. To learn more about how to set up cancelation fees, click here.

  • Bookings can be canceled by clicking on the trash can icon when in list view.


  • If viewing jobs in the calendar view, click on the job and select "Cancel" from the right-side menu buttons.


If you cancel a booking that is applicable for the cancelation fee, there will be a cancelation pop-up that displays the fees that the customer will be charged for canceling the service.

  • If 3DS2 authentication is not required, the cancellation fee will be processed per usual upon clicking "Cancel Booking"/"Cancel All Appointments" in the cancellation pop-up. 
     
  • If the 3DS2 authentication is required to charge the cancellation fee, a cancellation fee authentication email and/or SMS notification will be sent to the customer to complete the authorization and a cancellation fee pending authorization tag will be added to the booking until the customer authenticates the charge.  


    • The booking will not be canceled until the customer authenticates the cancellation fee.  If you need to cancel the booking and would like to waive the cancellation fee, you can check the box(es) next to the "Don't Pay Cancellation Fee" option in the booking cancellation pop-up.  

 

Processing Automatic Booking Charges

  • For the transactions in which 3DS2 authentication is not required, the process will remain the same.
  • For the transactions for which 3DS2 authentication is required, an email and SMS notification will be sent to the customer asking them to authenticate the charge.
  • The pending authorization tag will also appear on any booking(s) that require authentication and remain there until the customer completes the transaction.

 

Processing a Combination of Manual and Automatic Charges

  • If a booking is pre-charged and 3DS2 authentication is required to process the transaction, an authentication notification will be sent to the customer asking them to authenticate the charge.  
    • If the customer does not authenticate the precharge amount before the booking is set to be automatically charged, the previous authentication request will expire and a new request will be sent to the customer for the most recent attempt.
  • The pending authorization tag will also appear on any booking(s) that require authentication and remain there until the customer completes the transaction. 

 

How does 3DS2 impact credit card holds/preauthorizations?

BookingKoala allows you to perform credit card holds to reserve the customer's payment before it is collected. You can learn about setting up automatic card holds by clicking here. To learn more about manual card holds, click here.   

  • If you save a new booking during the automatic card hold period, an authentication notification will be sent to the customer as required by the customer's bank.  
  • A pop-up message will notify you about the pending card hold authentication. 


  • A Pending Authorization tag will be shown on the booking until the customer authenticates the card and the hold is placed. 

Please note: The process for placing automatic card holds upon rescheduling a booking and placing manual card holds is the same as when the card hold is placed upon saving a new booking.

 

How does 3DS2 affect pre-charges?

Pre-Charges with a Price Increase

If you have pre-charged an upcoming booking and the transaction is not finalized due to 3DS2, an authentication notification will be sent to the customer to authenticate the charge. 

When increasing the total and updating the booking, a pop-up will confirm that the pre-charge amount has been updated for the pending card hold. Once authentication has been completed by the customer, they will be charged the updated amount.   

Please note: The flow for price decreases remains the same.  

 

Pre-Charges with Pre-Paid Coupons

The Coupons section under the Marketing tab allows you to create custom discount codes to share with your customers. Click here to learn more about how to set up, share, and apply coupons in BookingKoala.

Specifically, pre-paid coupons require the customer to pre-pay one or more appointments before the coupon discount is applied to their bookings/services.  This option can be enabled under the Limitations tab when creating or editing the coupon code.

Once the coupon code has been applied and the booking is saved or rescheduled, a pre-charge will be performed for the applicable number of pre-paid bookings.  In the example above, the coupon requires two pre-paid bookings to apply the discount. 

  • If the payment gateway does not require authentication, the charge(s) will be processed as usual.

  • If 3DS2 authentication is required, a pre-charge authentication email and/or SMS will be sent to the customer and the booking(s) will be saved/updated successfully. 
    • A Pending Authorization tag will be shown on the booking until the customer authenticates the card and the pre-charge(s) are processed.

 

How does 3DS2 affect the customer experience?

All transactions that take place in the customer dashboards (except pre-charges and rescheduling fees) will be on-session, meaning the customer will be asked to authenticate the card during the checkout process.  

For pre-charges and rescheduling fees, an authentication email or SMS will be sent to the customer asking them to authenticate the payment if required by their bank.  

If a customer adds a booking that falls under automatic card hold/preauthorization conditions and their bank requires authentication, the bank will pose a challenge or security question to authenticate the charge.  

  • Once they pass the challenge, the funds will be held/preauthorized automatically.  
  • If the authentication fails for any reason, the booking will be saved successfully and the system will send a notification with an authentication link to the customer instead.  

 

3DS2 Authentication Notifications 

Once the 3DS2 feature is enabled, as explained above, the Email and SMS notification sections have five templates to assist customers with authenticating their cards. To view, edit, or enable/disable these templates, go to Notifications > Email > Customer tab or Notifications > SMS > Customer tab.

3DS-related templates for both email and SMS notifications can be found in the following sections:

Booking fee charges & refund

  • Card charge authentication
  • Pre-charge authentication

Card declined

  • Card Hold authentication

Gift card and referral

    • Gift card authentication

Canceled booking

    • Cancellation fee

How do customers authenticate the charge once they receive an authentication notification?

The customer 3DS notifications contain a secure link that directs them to the authentication page. 

Once the customer clicks on the blue "Authenticate Card" button, they can authenticate an existing card by filling in the security code/CVV and clicking on the “Authorize Card” button. 

  • Please note: The payment processor Square does not require the customer to enter the CVV if the transaction is using an existing credit card as opposed to a newly added card.

The customer can also process the transaction using a new card by clicking on the new card link on the authentication page. 

  • On the New Card page, they can enter the card details and then click on the “Authorize Card” button. 


  • Their card issuer will send a verification code or security question to the customer to authenticate the new card.
  • Once the security challenge is completed, the hold or booking charge will be processed immediately and the pending authorization tag will be removed.


Handling Expired Authentication Requests

All card and charge authentication requests eventually expire to maintain a higher level of security if the customer fails to complete the authorization promptly. 

Authentication requests will expire under the following circumstances:

  1. Once the customer successfully authenticates the charge.
  2. If the 3DS2 authentication request is sent to the customer for a booking charge/pre-charge/booking remaining charge and the card is changed on the booking.
  3. If the booking charge/pre-charge/reschedule fee/additional charge/extra charge request is sent to the customer and the booking is canceled successfully.
  4. If the cancellation request is sent to the customer and the booking is rescheduled or updated.
  5. If the 3DS2 authentication request is sent for the booking charge, and the booking is moved to the future.
  6. If the booking charge and the booking cancellation request are sent to the customer and the customer authenticates the booking charge. In this case, the cancellation fee request will expire.
  7. If the card hold request is sent to the customer and the booking is rescheduled after the card hold criteria. In this case, the booking card hold request will expire.

If you ever need to resend the card authorization notification to the customer, you can click on the Resend icon to the right of the Pending Authorization tag anywhere the booking is listed.

A pop-up will appear confirming you'd like to resend the authentication email to the customer.  Select "Yes" to proceed.

 

Editing the Card Authentication Page

The appearance and/or redirect link for the customer's card authorization page can be edited inside the Website and Theme Builder.  

  • To begin, go to Settings > Design Forms & Website > Website Builder & Themes > Customize Theme button. 


  • Click on the top center Page menu and select the Reauth Card page. 


  • Use the website builder tools to edit the text and appearance of the authentication page. 

    • To edit the background color, click the background of the page and click on the white Edit button that appears in the top corner of the section.


    • To edit the title and text boxes on the page, click on the text and select the white Edit button that appears in the top left corner of the box.


    • To link the page customers are redirected to after completing authentication, click on the “Authorize Card” button and select the white Edit button that appears in the top corner. 


    • Be sure to click the blue "Save & Publish" button in the top right corner of the page to push your changes live.


Understanding 3DS2 Payment Intents and Statuses

For all payment processors (except Authorize.Net), the transaction flow for 3DS2 cards is the same. However, each payment processor has different labels for the payment intents and transactions.

Stripe

The payment status "failed" will appear in Stripe if a transaction cannot be completed because of 3DS2. 


On the payment overview under your timeline, the payment failure code will appear as "authentication_required". 


When the payment is authenticated by the customer, the same payment intent will show as “succeeded”. 

Click here to learn more about Stripe's 3DS2 transaction handling.

Square

When a transaction declines due to a lack of 3DS2 authentication, it will not be visible anywhere on the payment dashboard.  

Upon authenticating the charge, a new transaction is created and displayed on the Square Transactions dashboard upon successful processing.


Click here to learn more about Square 3DS2 transaction handling.

 

Braintree

If a payment fails due to 3DS2, the payment status displayed is "Processor Declined". 

A second transaction will be created for the same amount to re-attempt the payment, with a "Settled" status. 


Because Braintree does not allow a failed transaction to be processed again, a new transaction is created to complete the customer authentication process. This results in two separate transactions (one declined and the other settled) in the transaction logs section. 
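
The labels described above for Stripe, Square and Braintree can be used to reconcile an exported transaction list against bookings that still carry a pending authorization tag. This is an added example, not BookingKoala's or any processor's code; the row fields, booking references, the Square "completed" label and the state names are assumptions, and the sample rows are constructed.

```python
from collections import defaultdict, namedtuple

# Row layout is an assumption for this example, not any processor's export format.
Row = namedtuple("Row", "processor ref amount status code ts")

# Constructed sample rows (amounts in cents).
ROWS = [
    Row("stripe", "B-1001", 12000, "failed", "authentication_required", "2024-05-01T10:00"),
    Row("stripe", "B-1001", 12000, "succeeded", None, "2024-05-01T10:20"),
    Row("stripe", "B-1002", 8000, "failed", "authentication_required", "2024-05-01T11:00"),
    Row("braintree", "B-2001", 9500, "Processor Declined", None, "2024-05-01T12:00"),
    Row("braintree", "B-2001", 9500, "Settled", None, "2024-05-01T12:30"),
    Row("braintree", "B-2002", 4000, "Processor Declined", None, "2024-05-01T13:00"),
    Row("square", "B-3001", 6000, "completed", None, "2024-05-01T14:00"),
]
# Bookings that carry a pending authorization tag in BookingKoala (constructed).
TAGGED = {"B-1002", "B-2002", "B-3002"}


def _state(attempts):
    """Classify one booking's attempts, oldest first, using the page's labels."""
    processor = attempts[0].processor
    if processor == "stripe":
        # Same payment intent: "failed" + authentication_required, later "succeeded".
        last = attempts[-1]
        if last.status == "succeeded":
            return "authenticated"
        if last.status == "failed" and last.code == "authentication_required":
            return "awaiting"
        return "other_failure"
    if processor == "braintree":
        # A decline is resolved only by a later, separate "Settled" transaction
        # for the same amount; an unmatched decline is a candidate, not proof.
        unmatched = []
        for a in attempts:
            if a.status == "Processor Declined":
                unmatched.append(a.amount)
            elif a.status == "Settled" and a.amount in unmatched:
                unmatched.remove(a.amount)
        return "awaiting" if unmatched else "authenticated"
    # Square: only successfully processed transactions are visible at all.
    return "authenticated"


def reconcile(rows, tagged_refs):
    """Map each booking ref to a 3DS2 state; tagged refs with no rows are flagged."""
    by_ref = defaultdict(list)
    for row in sorted(rows, key=lambda r: r.ts):
        by_ref[row.ref].append(row)
    result = {}
    for ref in sorted(set(by_ref) | set(tagged_refs)):
        result[ref] = _state(by_ref[ref]) if ref in by_ref else "awaiting_no_record"
    return result


if __name__ == "__main__":
    for ref, state in reconcile(ROWS, TAGGED).items():
        print(ref, state)
```

A tagged booking with no processor row at all, as with Square here, can only be confirmed from the pending authorization tag inside BookingKoala.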

 

Authorize.Net

3DS2 is not currently supported by Authorize.Net. 

Click here to see their documentation on this topic.