Understanding 3D Secure 2.0

3DS2, sometimes referred to as 3D Secure 2, 3-D Secure Authentication, or EMV 3D Secure, is a security protocol for card-not-present (CNP) transactions. The initials stand for 3-Domain Secure, after the three domains – or entities – involved. Those are the acquiring (merchant’s) bank, the issuing (cardholder’s) bank, and the infrastructure that supports the 3DS protocol, which includes the internet, an access control server, a merchant plug-in, and other software providers.

What’s the difference between a security protocol and a fraud prevention solution?

A security protocol, also referred to as a cryptographic protocol, is an added layer of security in which legitimate participants exchange encrypted information. 3DS as a security protocol was designed to allow customers to authenticate their identity by providing key pieces of information.

It is not a fraud analysis tool, meaning that if a fraudster gains access to those pieces of information or successfully takes over a victim’s device, they can bypass it. 

A fraud prevention solution, on the other hand, is a tool to actively detect and prevent fraudulent activity in card-not-present transactions. There are several types of fraud prevention solutions, including rule-based, scoring, and machine learning.

What is 3D Secure?

The first iteration of the protocol, known as 3DS1 or 3DS, came out in 1999. Starting from 2001, it was offered under branded names such as Verified by Visa (later changed to Visa Secure), Mastercard’s SecureCode, and American Express SafeKey. In a card-not-present transaction, once the details of a credit card were entered during checkout, the issuer relied on up to 15 data points, such as currency and the web browser’s user agent, to determine the transaction’s riskiness. If a transaction was deemed risky, the shopper would be prompted to enter a static password or code, previously agreed upon with the issuer, to verify their identity.


The benefits 3DS1 promised were twofold: not only did it protect against fraudsters by facilitating a more secure transaction, but it also shifted the liability from the merchants to the card issuers, who were in charge of the authentication process. In actuality, though, there were several bumps in the road:

  • Poor CX – 3DS1 added friction to the transaction, leading to a poor customer experience and high drop-off rates.
  • Mobile unfriendly – 3DS1 was created in the early days of the internet, long before the rise of multichannel and omnichannel. Thus, it was designed with only web-browser authentication in mind, and not, for example, mobile phones. Upgrades to the protocol were made throughout the years, but still did not provide an optimal experience. 
  • Risk-averse – Due to the liability shift, issuers would often take the “better safe than sorry” approach, leading to increased false declines, especially for higher-value transactions.  
  • A data black hole – Merchants had no access to post-checkout information or analytics on their customers, as shoppers were redirected to the issuers’ site to complete the authentication process. The relevant data was collected from their browsers without passing through the merchants’ systems. 
  • Inflexible – If a merchant decided to use 3DS1, they had to apply it to all 3DS1-supported transactions, with no ability to pick and choose only certain segments or transactions that met specific criteria. This inflexibility led some merchants to drop 3DS1 altogether.
  • Unbalanced – Not all geographies were equal when it came to 3DS1. Both Visa and Mastercard, for example, considered Puerto Rico as a non-US territory, leading to increased scrutiny and friction for local consumers. As a result, many US merchants preferred using Address Verification Service (AVS) instead.

And then came 3DS2

Over time, it became clear that 3DS1 wasn’t meeting the demands of the changing payments and eCommerce landscape. Both merchants and consumers wanted a system that would provide more secure transactions and better data analytics alongside a seamless shopping experience. In 2016, EMVCo, an organization encompassing six major card networks (American Express, Discover, JCB, Mastercard, UnionPay, and Visa) that was involved with the first version of 3DS, released a new version of the protocol: 3DS2. Issuers started granting liability shifts for 3DS2 in 2019, and some, including Visa and Mastercard, intend to stop supporting 3DS1 by late 2022.

What are the benefits of 3DS2?

According to EMVCo, the main promise of the new version is a better user experience alongside reduced fraud rates. 

  • Improved customer experience – 3DS2 has the capability to integrate with both browser-based and mobile-based environments. This means that shoppers are not redirected to another site but rather perform the authentication process within the relevant app or payment gateway.
  • Better data – Instead of relying on up to 15 data points as with 3DS1, between 100 and 150 data points are sent to the issuer to determine whether a transaction is risky enough to require further verification.
  • Increased security – Instead of a one-time password, the verification process relies on multi-factor authentication (MFA), using two or more authentication steps, such as a password and an SMS code, or a password and a biometric element. Some multi-factor authentication protocols can require a location or time factor.

3DS2 As Strong Customer Authentication Under PSD2

3DS2 is most relevant for merchants who need to comply with regulations such as the Revised Payment Services Directive, more commonly known as PSD2. The directive, which came into full effect in September 2019 (though an extension was granted until December 2020), mandates Strong Customer Authentication (SCA) for EU-to-EU payments, meaning transactions where both the issuer and the acquirer fall within the EU’s jurisdiction.

It should be noted that 3DS2 only protects against pre-authorization fraud, and does not protect against other types of fraud such as friendly fraud and policy abuse.

Some terms you should know / 3DS2 lexicon

  • Strong customer authentication (SCA): SCA is required by PSD2, which mandates all electronic transactions be made using multi-factor authentication. For SCA, this is broken down into something you know (like a password or a PIN), something you are (biometrics, for example, a fingerprint), and something you have (device ID or card). 3DS2 requires two of the three, also known as two-factor authentication.
  • Two-factor authentication (2FA): Also sometimes called two-step verification or dual-factor authentication.
  • Single-factor authentication (SFA): Uses only one element for security, for example, a password.
  • Risk-based authentication (RBA): A system that assesses the profile of the requesting account/credentials to determine the risk level of the transaction and whether it should be sent for additional verification. Intended to increase accuracy while reducing friction to consumers.
  • Challenge flow: When a 3DS2 transaction is deemed risky enough to be sent for additional verification. Also called step-up authentication or 3DS challenge.
  • Frictionless flow: When a 3DS2 transaction is not sent for additional verification.
  • Soft decline: A new type of decline added with 3DS, intended to give merchants a chance to save a problematic order. Returns to the merchant as a transaction that has been sent without authentication, or one that has been sent with an exception request that the issuer is unwilling to honor.
  • Challenge rate: The rate at which issuers introduce an additional verification step, out of the total volume of orders sent to 3DS.
  • Conversion rate: The percentage of transactions successfully authenticated (both with and without a challenge).
  • Abandonment rate: The percentage of customers who abandon checkout following a 3DS challenge.
  • Drop-off rate: The total volume of transactions lost to 3DS (abandonment rate + declined transactions).
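The following Python script is an added example, not code from the original article or from EMVCo or any 3DS vendor. It ties together the SCA definition above (two of the three factor categories) and the lexicon entries for risk-based authentication, the challenge and frictionless flows, and the four rates. Everything in it is an assumption made for illustration: a risk score between 0 and 1 with a fixed challenge threshold stands in for the issuer's risk-based authentication; the factor names and their category mapping are constructed; SCA is treated as satisfied only when the presented factors span at least two distinct categories, so a password plus a PIN (both "something you know") does not count; and abandonment and decline rates are computed over the total volume sent to 3DS, which makes drop-off equal abandonment plus declines and conversion plus drop-off equal 100%.

```python
"""Added example: a small model of the 3DS2 decision flow and the lexicon metrics.

All names, thresholds and sample transactions below are constructed for
illustration and do not come from the EMVCo specification.
"""
from dataclasses import dataclass
from enum import Enum


class FactorCategory(Enum):
    KNOWLEDGE = "something you know"   # password, PIN
    POSSESSION = "something you have"  # device ID, card, OTP delivered to a phone
    INHERENCE = "something you are"    # fingerprint, face


# Constructed mapping of concrete authentication methods to SCA categories.
FACTOR_CATEGORY = {
    "password": FactorCategory.KNOWLEDGE,
    "pin": FactorCategory.KNOWLEDGE,
    "sms_otp": FactorCategory.POSSESSION,
    "device_id": FactorCategory.POSSESSION,
    "fingerprint": FactorCategory.INHERENCE,
}


def satisfies_sca(factors):
    """True when the presented factors cover at least two distinct SCA categories.

    Two factors from the same category (password + PIN) are NOT two-factor
    authentication under this model.
    """
    categories = {FACTOR_CATEGORY[f] for f in factors}
    return len(categories) >= 2


@dataclass
class Transaction:
    txn_id: str
    risk_score: float                    # 0.0 = lowest risk, 1.0 = highest risk (assumed scale)
    factors: tuple = ()                  # factors the shopper would present if challenged
    abandons_on_challenge: bool = False  # shopper drops out when asked to step up


def route(txn, challenge_threshold=0.5):
    """Risk-based authentication stand-in: 'frictionless' or 'challenge'."""
    return "challenge" if txn.risk_score >= challenge_threshold else "frictionless"


def authenticate(txn, challenge_threshold=0.5):
    """Final 3DS2 outcome for one transaction."""
    if route(txn, challenge_threshold) == "frictionless":
        return "authenticated_frictionless"
    if txn.abandons_on_challenge:
        return "abandoned"
    return "authenticated_challenge" if satisfies_sca(txn.factors) else "declined"


def compute_rates(transactions, challenge_threshold=0.5):
    """Challenge, conversion, abandonment and drop-off rates over a batch.

    Every rate uses the total volume sent to 3DS as its denominator (assumption),
    so drop_off_rate == abandonment_rate + declined share and
    conversion_rate + drop_off_rate == 1.0.
    """
    total = len(transactions)
    if total == 0:
        return None
    outcomes = [authenticate(t, challenge_threshold) for t in transactions]
    challenged = sum(route(t, challenge_threshold) == "challenge" for t in transactions)
    authenticated = sum(o.startswith("authenticated") for o in outcomes)
    abandoned = outcomes.count("abandoned")
    declined = outcomes.count("declined")
    return {
        "challenge_rate": challenged / total,
        "conversion_rate": authenticated / total,
        "abandonment_rate": abandoned / total,
        "drop_off_rate": (abandoned + declined) / total,
    }


# Constructed sample batch of ten orders sent to 3DS2.
SAMPLE = [
    Transaction("t01", 0.10),
    Transaction("t02", 0.20),
    Transaction("t03", 0.30),
    Transaction("t04", 0.40),
    Transaction("t05", 0.45),
    Transaction("t06", 0.55, ("password", "sms_otp")),       # passes: knowledge + possession
    Transaction("t07", 0.70, ("fingerprint", "device_id")),  # passes: inherence + possession
    Transaction("t08", 0.80, ("password", "pin")),           # declined: two knowledge factors
    Transaction("t09", 0.90, ("password", "sms_otp"), abandons_on_challenge=True),
    Transaction("t10", 0.95, ("password", "fingerprint")),   # passes: knowledge + inherence
]

if __name__ == "__main__":
    for name, value in compute_rates(SAMPLE).items():
        print(f"{name:17s} {value:6.1%}")
```

Running the script on the constructed batch challenges the five orders at or above the threshold (challenge rate 50%), authenticates the five frictionless orders plus three successful challenges (conversion 80%), and loses one order to abandonment and one to the password-plus-PIN decline (drop-off 20%). The password-plus-PIN case is the edge worth keeping: it is two steps, but not two factors.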