[...] the legacy variant with static password does not meet the
European Central Bank's (ECB) January 2013 requirements.
3D Secure relies upon the issuer actively being involved and ensuring that any card issued becomes enrolled by the cardholder, making it very much
an issuer focused solution.
The ECB has mandated in its January 2013 requirements 'Security for Internet Payments'
[15] that all transactions acquired within the
Single Euro Payment Area (SEPA) must be authenticated using strong
customer authentication by 1 February 2015. This mandate by the ECB, and supported by the
European Commission's Payment Services Directive Mk2 (PSD2), is intended to provide a level and technology neutral playing field within SEPA to foster
eCommerce,
mCommerce and supporting technologies, including competitive forms of strong customer authentication.
As 3D Secure relies upon issuer advance involvement and enrollment of cards, acquirers cannot rely upon 3D Secure to meet their acquiring side authentication requirements, until such time as 3D Secure has a meaningful enrollment approaching 100% of all cards issued.