Strong Customer Authentication and 3D Secure
Strong Customer Authentication (SCA) is a new European regulatory requirement to reduce fraud and make online and contactless offline payments more secure. To accept payments and meet SCA requirements, we have built additional authentication into the Redbox checkout flow. SCA requires that authentication through 3D Secure uses at least two of the following three elements:
Something the customer knows (e.g., password or PIN)
Something the customer has (e.g., phone or hardware token)
Something the customer is (e.g., fingerprint or face recognition)
Which Transactions Require SCA?
Not all payments require the customer to authenticate through 3D Secure. The requirement is still rolling out in the UK, and most payments under £30 are exempted. This guide from Stripe explains which payments are exempted: https://stripe.com/en-gb/guides/strong-customer-authentication. Apple Pay payments are already SCA compliant. We are building in this authentication so we are ready for full SCA enforcement in the UK.
The customer's bank decides if the customer has to complete SCA. Currently, if your Radar rules are set to request 3D Secure only when the bank requires it, we see that it is very rare for a customer to be asked to complete SCA when placing an order through Redbox. As the requirement rolls out in the UK, we expect more transactions to require 3D Secure for orders over £30.
If you use Stripe Radar, you can increase the volume of payments that require 3DS in the Radar settings, but it's worth noting that 3DS creates extra friction at checkout and could potentially decrease order volume. The benefit of a marketplace completing 3DS for a payment is that the liability for any fraud for that payment now lies with the bank. We advise that 3DS settings in Radar are not changed at this time.
You can check your current rate of SCA requests for your transactions in Stripe reports, and you can check your 3DS Requested settings in Stripe Radar.
To prepare for full enforcement of SCA, we have migrated Redbox to a new Stripe API that supports payment intents and 3D Secure 2. This means that customers who order over the website will, if the bank requires it, be presented with instructions on how to complete 3DS when they pay. This feature will also be incorporated into a future app release (v4+).
Redbox Management View
While the customer is completing 3DS, the order will say AUTHORISE in the orders view. If the customer fails 3DS, the order will not be sent to the outlet to be accepted and will say UNAUTHORISED in the orders view. If the customer passes 3DS, the order will change to pending and will be sent to the outlet to accept as usual.
You can check in Stripe why a customer failed 3DS. Most of the time, the customer failed to complete the information requested or the next step on a banking app. Very occasionally a bank will fail without sending the customer through 3DS.