3D secure protocol changes: meet 3-D Secure 2.0
Year after year, technology advances rapidly in its achievements and capabilities. In the very near future, the updated 3D Secure 2.0 protocol will take online security in the payment industry to a whole new level. The protocol establishes a secure real-time data exchange channel through which much more transaction data is transmitted, allowing more accurate authentication of the buyer; payments will also become faster, since only some transactions, rather than all of them, will need to be authenticated with a password. Let's look at the main changes in the new protocol compared to its previous version.
What is 3D Secure?
3D Secure is a security protocol developed in 1999 and aimed at preventing fraudulent use of credit cards by verifying the identity of the cardholder in transactions that do not require the physical presence of the card (card-not-present, CNP, transactions). "3D" stands for the three domains in which the protocol operates: the issuer's domain (the bank that issued the card), the acquirer's domain (the merchant and the bank to which the money is transferred) and the interoperability domain (the infrastructure provided by the card scheme to support the 3D Secure protocol). The protocol was developed and is managed by EMVCo, an organization jointly owned by the major brands Visa, Mastercard, American Express, Discover, JCB and UnionPay.
The first version of 3D Secure was designed to increase consumer confidence in online payments, which in turn contributed to the growth of e-commerce. To protect against fraudulent transactions, 3D Secure adds an extra authentication step to online payments, which lets merchants and banks confirm that it is really the cardholder who is making the payment. With 3D Secure 1, the system displays a pop-up window or an embedded frame asking the user to enter a password so that the bank can authenticate them. However, the cardholder has no way to authenticate the party that generated that pop-up window.
For businesses, the benefits of 3D Secure are obvious: requesting additional information provides an extra layer of protection against fraud, so that card payments are accepted only from verified customers. In addition, when 3D Secure is used, the so-called "Liability Shift" occurs, whereby liability for fraud passes from the merchant to the card issuer. Thus, if 3D Secure is not applied, when the cardholder disputes a fraudulent transaction:
- The seller (merchant) is liable for the transaction.
- The seller (merchant) must refund the buyer (chargeback).
But if the seller implements 3D Secure, liability for fraudulent transactions passes to the issuer (the bank that issued the card).
What are the main changes to the 3D Secure 2.0 protocol?
More than 17 years have passed since 3D Secure 1 was developed. Although the payment industry in most countries adopted this authentication method fairly well, the need for a new protocol was recognized in light of current and future market requirements, including support for authentication on mobile devices and integration with digital wallets. In addition, the use of 3D Secure 1 was found to have several disadvantages:
- The additional step required to complete the payment makes the checkout process more complex and may cause customers to abandon the purchase.
- A number of banks still require their cardholders to create and remember their own static passwords to complete 3D Secure verification. These passwords are easy to forget, which also increases the likelihood of an abandoned purchase.
- The negative impact on user experience (UX) is especially noticeable in mobile applications. When Visa first introduced the 3D Secure standard, personal computers were the only channel available to consumers for shopping online. On mobile devices, 3D Secure can redirect customers out of the merchant's own application to the bank's website, which is not optimized for mobile devices.
Taking into account the main pain points of 3D Secure, EMVCo recently released a new improved version of the protocol. EMV 3-D Secure (3D Secure 2 or 3DS2) addresses many of the shortcomings of 3D Secure 1 and provides the following key benefits:
1. Flexible Device & Channel Support.
It provides a smoother and more consistent user experience across several payment channels, including payments in a mobile browser, in-app payments and payments through a digital wallet.
2. Improved User Experience.
Gives merchants the opportunity to integrate the authentication process more tightly into the purchase flow, providing cardholders with fast, easy and convenient authentication at a high level of security. Instead of static passwords, 3D Secure 2 uses dynamic authentication methods such as biometrics and token-based authentication. 3D Secure 2 also lets companies embed the challenge flow directly into their web and mobile payment flows, without any redirects. Using the new mobile SDKs, companies can implement their own flows in their applications, so their customers no longer have to switch to a browser flow to complete the transaction.
[Figure: 3D Secure 1 flow (from the 3D Secure 2 Stripe guide)]
[Figure: 3D Secure 2 flow (from the 3D Secure 2 Stripe guide)]
3. Enhanced Data Exchange to Manage Fraud and Reduce Friction: risk-based authentication (RBA) and frictionless authentication.
Frictionless Flow allows issuers to approve a transaction without requiring any manual input from the cardholder. This is achieved through what is known as risk-based authentication (RBA). RBA works by collecting a set of data about the cardholder during the transaction and transmitting it to the issuing bank and its Access Control Server (ACS), which compares the collected data with the cardholder's previous (historical) transaction data to produce a fraud risk score for the new transaction. 3D Secure 2 allows companies and their payment providers to securely send more than 100 data elements for each transaction to the cardholder's bank. These include payment-related data, such as the delivery address, as well as contextual data, such as a client device identifier or the history of previous transactions.
The cardholder's bank can use this information to assess the risk level of the transaction and choose the appropriate response. If the fraud risk score is below a predetermined threshold, the Frictionless flow is applied. In other words, if the risk of fraud is low enough, the issuing bank does not request additional verification from the cardholder and treats the cardholder as authenticated. This eliminates the manual verification step that was always required of cardholders in 3D Secure 1:
1) If there is enough data for the bank to be confident that the genuine cardholder is making the purchase, the transaction qualifies for the Frictionless flow and authentication completes without any user interaction: the cardholder never sees any sign that 3D Secure was applied.
2) If the fraud risk score is above the predetermined threshold, i.e. the bank decides it needs additional evidence, the transaction goes through the Challenge flow and the customer is asked to provide additional data to prove the payment is genuine.
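The Frictionless/Challenge decision described above, as an added toy model that is not part of the article or any real ACS: the cardholder history, the data elements, the point values and the threshold are all constructed; the "Y" and "C" labels are the EMV 3DS transStatus values for "authenticated" and "challenge required". It also applies the rule discussed later in the article that, under SCA, the Frictionless flow is only allowed for exempt payments.

```python
# Added example, not from the article: a toy model of 3DS2 risk-based
# authentication (RBA). The merchant's 3DS Server sends transaction data
# elements to the issuer's ACS; the ACS scores them against the cardholder's
# history and chooses the Frictionless flow or the Challenge flow.
from dataclasses import dataclass

# Constructed cardholder history as the issuer's ACS might hold it.
CARDHOLDER_HISTORY = {
    "4111-xxxx-xxxx-1111": {
        "known_devices": {"dev-a1b2"},
        "known_ship_addresses": {"10 Main St, Springfield"},
        "typical_max_amount": 150.00,
    }
}

FRICTIONLESS_THRESHOLD = 30  # scores below this skip the challenge (assumed)


@dataclass
class AReq:
    """Small constructed subset of the 3DS2 authentication request data."""
    acct_number: str
    amount: float
    device_id: str
    ship_address: str
    sca_required: bool = False  # True when no SCA exemption applies


def risk_score(req: AReq) -> int:
    """Toy RBA: add risk for each element that deviates from history."""
    hist = CARDHOLDER_HISTORY.get(req.acct_number)
    if hist is None:
        return 100  # no history at all: treat as maximum risk
    score = 0
    if req.device_id not in hist["known_devices"]:
        score += 25  # unknown device
    if req.ship_address not in hist["known_ship_addresses"]:
        score += 20  # new delivery address
    if req.amount > hist["typical_max_amount"]:
        score += 30  # unusually large amount
    return score


def acs_decision(req: AReq) -> str:
    """Return transStatus 'Y' (authenticated, Frictionless flow) or 'C'
    (Challenge required). Under SCA, Frictionless is only allowed when exempt."""
    if req.sca_required:
        return "C"
    return "Y" if risk_score(req) < FRICTIONLESS_THRESHOLD else "C"
```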
4. Change of liability of sellers (merchants) in case of fraud.
Another significant difference under PSD2 is the change in merchants' liability in case of fraud. Issuers are the clear beneficiaries of the wider data exchange required by 3DS 2.0, since they are liable for any chargebacks. The more data they have, the more accurately they can assess the risk of a transaction.
However, merchants also benefit, especially if they have not yet collected enough of the transaction data required to participate in 3DS, because they can then use this data to improve their own fraud detection efforts. But even if the merchant already has a sophisticated fraud prevention program, the additional layer of protection provided by the issuer's own risk assessment should not be overlooked. The ACS providers used by issuers typically have access to fraud data sources that are not available to individual merchants, which often allows them to produce a more reliable assessment of fraud risk.
When will payment systems support 3-D Secure 2.0?
The widespread availability of 3D Secure 2 will depend on individual card issuers supporting the new standard. The first banks are expected to begin supporting 3D Secure 2 for their cardholders in early 2019; wider adoption will likely be gradual and take several months. For example, the Visa 3DS 2.0 platform is already available and ready to handle 3DS 2.0 authentication requests: ACS and 3DS Server providers must pass testing with both EMVCo and Visa before participating in 2.0. Providers can start testing with Visa only after receiving a letter confirming successful completion of testing with EMVCo. To give interested parties enough time to implement 3-D Secure, the full set of program rules will not take effect until the program activation dates indicated below:
- April 2019: activation date for Europe.
- August 2019: activation date for Canada, Latin America and the United States.
- April 2020: activation date for Asia Pacific, the Middle East and Africa.
It is also assumed that 3D Secure 1 and 3D Secure 2 will coexist at least until 2020.
For European businesses, 3D Secure 2 becomes even more important with the entry into force in September 2019 of a new regulation known as Strong Customer Authentication (SCA), which will apply to online payments in the European Economic Area (EEA) where both the cardholder's bank and the payment service provider are located in the EEA. Since the new rule will require more authentication to be applied to European payments, 3D Secure 2 will offer the best user experience (UX) to minimize the impact on site conversion.
Although 3D Secure 2 will be the primary method of meeting SCA requirements for card payments, the Frictionless flow is not expected to count as a form of strong customer authentication. This means that once SCA is in force in Europe, the Frictionless flow can only be used for payments that qualify for an exemption, while all payments requiring SCA will have to be authenticated through the Challenge flow.