30 Jul 3D Secure 2: The Benefits of Better Authentication
3D Secure v1 (3DS1) is due to be decommissioned over the coming months (Visa on October 15th, Mastercard on October 18th). Over a number of years, it has been phased out in favour of 3D Secure 2 (3DS2), an updated protocol that improves on the initial version’s security, functionality and user experience.
Given that 3D Secure has been part of the online shopping experience since 2001, anyone who has shopped online over the last two decades will have experienced the authentication process. As eCommerce grew in popularity, businesses, banks, financial institutions and consumer groups all recognized the potential for online card fraud as criminals could make fraudulent purchases with someone else’s card information.
The introduction of 3D Secure made this more difficult by requiring more than a credit card number, CVC code, and address to complete an online transaction.
We take a look at how 3DS1 works, its drawbacks and how 3DS2 now offers a better experience for online shoppers and eCommerce businesses.
3D Secure 1
After the consumer enters their card details to confirm payment, they are redirected to an authentication page co-branded by the card network (Verified by Visa / Visa Secure, Mastercard SecureCode, American Express SafeKey, etc.), where their bank asks the cardholder to enter a code or password to approve the transaction.
For both businesses and cardholders, this extra step offers additional fraud protection. It also shifts chargeback liability away from the merchant to the card-issuing bank (issuer).
However, 3DS1 is not without its disadvantages, as the additional step added friction to the checkout flow. In some cases, banks insist customers remember static passwords to complete 3DS1 verification, often leading to consumer frustration when they forget their password and are unable to complete the transaction.
The 3DS1 protocol was also developed when mobile commerce and digital payment options (app-based payments, pay by link, etc.) were either still in their infancy or yet to be developed. 3DS1 struggled to maintain compatibility with new digital payment options and devices, depending on screen size and mobile browsers’ ability to support the pop-up verification window.
These drawbacks led to an increase in cart abandonment caused by poor user experience and functionality.
3D Secure 2
The evolution to 3D Secure 2
To remedy the drawbacks of 3DS1, an update to its specifications was required. This led to the development of a new solution – 3D Secure 2.0 (3DS2) by EMVCo.
EMVCo is a global technical body facilitating worldwide acceptance of secure payment transactions and standards, whose members include American Express, Discover, JCB, Mastercard, UnionPay and Visa.
3DS2 better supports and protects current and future consumer payment types, allowing more seamless traditional browser-based e-commerce transactions, app-based authentication and digital wallet integration. It represents a new approach to security, one that’s in keeping with today’s online and particularly mobile world, based on a wider range of data.
How 3D Secure 2 works
When the move to 3DS2 was first discussed, there were fears that every transaction could be challenged. This has not been the case, as 3DS2 uses far more data points to help verify transactions.
As the 3DS2 protocol generates over 100 data points (such as transaction history, location, shipping address and the device being used to make the purchase) to determine the validity of a transaction, payments are more secure than with simple password authentication or one time passcodes. This enables more informed and improved decision making from issuers.
The issuer may also deem some transactions exempt from the 3DS2 challenge by using their risk-based authentication to bypass it. The additional data points provided through 3DS2 enable a more informed view of the customer and online transaction for a more accurate risk analysis. Strong profiling capabilities add details about typical and unusual behaviour, as well as the transaction information, to the authentication assessment. With this additional data, it’s possible to make a more confident risk decision that offers a smoother shopping experience.
Merchants can also avail of exemptions on certain transactions, so that customers don’t have to authenticate their online purchase. However, the merchant then carries the fraud liability risk in that instance.
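The decision logic described above can be sketched in a few lines. This is an added illustration, not code from the 3DS2 specification or from any issuer: the field names, weights, amount cut-off and challenge threshold are all assumptions, and treating a frictionless approval as an issuer-liability case is likewise an assumption of the sketch.

```python
from dataclasses import dataclass

@dataclass
class Txn:  # constructed stand-in for a few of the 100+ 3DS2 data points
    amount: float
    known_device: bool
    shipping_address_seen_before: bool
    location_matches_history: bool
    prior_good_purchases: int
    merchant_exemption: bool = False

def risk_signals(t: Txn) -> list[tuple[str, int]]:
    """Return (signal, weight) pairs; weights and cut-offs are illustrative assumptions."""
    checks = [
        (not t.known_device, "new_device", 30),
        (not t.shipping_address_seen_before, "new_shipping_address", 25),
        (not t.location_matches_history, "unusual_location", 30),
        (t.prior_good_purchases == 0, "no_transaction_history", 15),
        (t.amount > 250, "high_amount", 20),
    ]
    return [(name, weight) for hit, name, weight in checks if hit]

def decide(t: Txn, challenge_at: int = 50) -> dict:
    """Pick the flow and record who carries the fraud liability for it."""
    if t.merchant_exemption:
        # No authentication requested: the merchant carries the fraud liability.
        return {"flow": "merchant_exemption", "liability": "merchant",
                "score": None, "signals": []}
    signals = risk_signals(t)
    score = sum(weight for _, weight in signals)
    flow = "challenge" if score >= challenge_at else "frictionless"
    # Issuer authenticated the payment (for "challenge", once the cardholder
    # completes it); issuer liability for "frictionless" is assumed here.
    return {"flow": flow, "liability": "issuer", "score": score,
            "signals": [name for name, _ in signals]}

if __name__ == "__main__":
    # Constructed sample transactions.
    regular = Txn(40.0, True, True, True, 12)
    unusual = Txn(900.0, False, False, True, 3)
    exempt = Txn(15.0, False, True, True, 0, merchant_exemption=True)
    for label, txn in [("regular", regular), ("unusual", unusual), ("exempt", exempt)]:
        print(label, decide(txn))
```

Returning the list of signals alongside the score keeps each decision explainable when a challenged or declined payment is later reviewed.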
When consumers are presented with an authentication challenge to complete an online purchase they can do so by using something they own, know or are, with examples illustrated in the image below.
The advantages of 3D Secure 2 over its predecessor
3DS2 customer benefits
The big advantage of 3DS2 is the higher likelihood of frictionless authentication, with increased payment-specific data and exemptions allowing consumers to complete purchases without additional input.
When customers must authenticate their purchase, the experience is now more user friendly with the process integrated into the merchant checkout experience too, thus eliminating the redirect issue with 3DS1’s payment flow. The protocol also offers enhanced customer experience through better compatibility with mobile devices and apps, unlike its predecessor.
Another key difference between the creation of 3DS1 and 3DS2 is that the latter was developed within the world of mobile commerce, where new digital payment preferences continue to evolve. This has enabled more innovative authentication options to complete online transactions, such as verifying with your banking app or with biometric authentication.
3DS2 merchant benefits
For merchants, the better user experience will help reduce the cart abandonment rate, with enhanced data flows allowing better decision making on transactions and therefore, potentially, fewer challenges. The knock-on effect should be growth in consumer confidence in e-commerce environments, resulting in a greater number of consumers buying online.
3DS2 also meets Secure Customer Authentication (SCA) requirements and ensures businesses’ compliance with the revised Payment Services Directive (PSD2). It reduces the risk of fraud and chargebacks, with fraud-related liability protection for merchants when SCA is applied to a transaction.