3D Secure, or 3DS, provides an extra security layer for online card transactions. It takes its name from the three domains it spans: the acquirer domain (sellers and the banks to which the money is paid), the issuer domain (the cardholder's card issuer), and the interoperability domain that connects the two.
Global online retail sales are fast approaching US$5.5 trillion, so they have, unsurprisingly, attracted the attention of criminals. Recent figures indicate that in the first quarter of 2022 one in four online accounts were fakes used for fraud and other scams. In 2021 retail digital payment fraud around the world was thought to have cost more than US$20 billion.
Protecting online transactions efficiently is a top priority for customers who are concerned about the emotional and financial cost of online fraud.
What is 3DSV2?
3D Secure Version 2, or 3DSV2, is used by card payment providers for strong customer authentication (SCA), with a particular focus on mobile payments. SCA has been required on all electronic transactions in the European Union since 1 January 2021 and in the UK from 14 September 2021.
The 3DS protocol was originally created by Visa in 1999 to help retailers and issuing banks authenticate cardholders’ identities when they were shopping online. At the time desktop computers were most commonly used for online shopping so 3DS wasn’t originally designed for mobile use. Version 2 enhances the original 3DS protocol to reduce friction in the payment flow across different devices whether customers are using desktop computers, smartphones or tablets.
How does 3DSV2 work?
Over 100 key data points are analyzed as an advanced layer of fraud protection. The cardholder enters their card details at checkout and your 3DS service provider sends an authentication request containing rich data to the issuer. Which cardholder and device information is included varies with regional legal restrictions; it might include the device ID, MAC address, geo-location and previous transactions, for example.
The 3DS standard is supported by most major card schemes. The issuer's 3DS service provider assesses whether the transaction is high-risk and therefore requires a further challenge step, which might involve verifying the cardholder's identity using biometrics or two-factor authentication, for example. Once verified, the issuer sends the result to the merchant, who submits the transaction for authorization along with confirmation of authentication.
If authentication fails the transaction won’t be processed and the customer isn’t charged. This might happen if:
- Customer details are incorrect – during a 3DS transaction customers might be redirected to a page controlled by their issuing bank to either answer additional security questions, for example by providing a one-time password (OTP), or enter their 3DS personal identification number (PIN). If the wrong details are entered, authentication will fail.
- The issuing bank doesn't support 3DS – banks might use different protocols in different parts of the world. If 3DS authentication is required by default for every transaction, a cardholder whose bank doesn't support it can't be verified.
- Technical issues – if 3DS is unavailable for technical reasons, the transaction won't be authenticated or processed.
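The flow described above, as an added example that is not part of the original article: a simplified model of the merchant-side authentication request, the issuer's risk-based decision, and the three failure cases listed. The status codes borrow the EMV 3DS transStatus convention (Y frictionless success, C challenge required, N not authenticated, U unavailable); the BIN registry, the scoring rules and the thresholds are constructed for illustration.

```python
# Added example, not the article's or any vendor's code. Models the 3DSV2
# decision flow: rich data in the request, issuer risk scoring, then either a
# frictionless result, a challenge step, or one of the failure outcomes.
from dataclasses import dataclass

AUTHENTICATED = "Y"        # frictionless success, merchant may authorise
CHALLENGE_REQUIRED = "C"   # issuer wants a challenge (OTP, biometrics, ...)
NOT_AUTHENTICATED = "N"    # authentication failed, transaction not processed
UNAVAILABLE = "U"          # technical issue on the issuer side

@dataclass
class AuthRequest:
    card_bin: str               # first six digits of the PAN
    amount: float
    device_id: str
    country: str
    prior_device_ids: tuple = ()  # devices seen on this card's earlier purchases

# Constructed issuer data: which BINs are enrolled in 3DS and whether the
# issuer's access control server is currently reachable.
ENROLLED_BINS = {"411111", "555555"}
ACS_ONLINE = {"411111": True, "555555": False}

def issuer_risk_assessment(req: AuthRequest) -> str:
    """Issuer-side risk-based authentication over the request's rich data."""
    if req.card_bin not in ENROLLED_BINS:
        return NOT_AUTHENTICATED      # issuing bank doesn't support 3DS
    if not ACS_ONLINE[req.card_bin]:
        return UNAVAILABLE            # technical issue: cannot authenticate
    score = 0
    if req.device_id not in req.prior_device_ids:
        score += 40                   # unknown device (constructed weight)
    if req.amount > 250:
        score += 40                   # high-value purchase (constructed limit)
    if req.country != "GB":
        score += 30                   # constructed geo rule
    return CHALLENGE_REQUIRED if score >= 70 else AUTHENTICATED

def complete_challenge(status: str, otp_entered: str, otp_expected: str) -> str:
    """Second step: the cardholder answers the issuer's challenge."""
    if status != CHALLENGE_REQUIRED:
        return status                 # nothing to do for Y, N or U
    return AUTHENTICATED if otp_entered == otp_expected else NOT_AUTHENTICATED

def merchant_should_submit(status: str) -> bool:
    """Only an authenticated result goes on to authorisation."""
    return status == AUTHENTICATED
```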
How is 3DSV2 different from 3DSV1?
The main difference is reduced friction in the authentication process, providing a better user experience across devices. Originally some issuing banks required cardholders to enrol for the 3DS service by registering a static password with their payment card for added security. However, customers often abandoned their purchases because they couldn't remember their passwords, because page loading times were too slow, because of compatibility issues, or because they doubted the validity of the pop-up windows that appeared as part of the process.
The 3DSV2 upgrade provides a more consistent user experience with reduced friction across devices. Using rich data exchange most of the authentication process can take place in the background so the cardholder isn’t involved at all.
Why use 3DSV2?
3DSV2 is easier to use and normally all customers need to do is wait for their payment confirmation message. It improves your customers’ purchasing experiences and helps to address their concerns about fraudulent transactions.
3DSV2 allows issuers to carry out Risk-Based Authentication (RBA) based on more than 100 data points during a transaction. Authentication can take place in most cases without any additional information from cardholders.
You will benefit from:
- reduced false declines – as issuers can use multiple key data points for a single transaction, more genuine purchases can be accepted.
- improved conversion – since 3DSV2 is designed for cross-channel transactions and better customer experiences, cart abandonment will be reduced.
- liability shift – there is also a shift in liability for chargebacks due to fraud from you as the seller to the cardholder's bank. This is why customers will often be asked for additional 3DS verification for high-value transactions.
Visa announced that it would withdraw the fraud liability shift for transactions submitted using the older 3DSV1 in October 2021, but later withdrew the decision. However, online sellers will need to upgrade to 3DSV2 to continue to benefit from the liability shift, as Visa says it will discontinue support for 3DSV1 from 15 October 2022 and other card providers are likely to follow.
The European Payment Services Directive 2 (PSD2) requires SCA for online payments using a minimum of two of the following authentication factors:
- something the consumer knows such as an OTP, an SMS code, PIN, password, or security question
- something the consumer owns such as a credit or debit card, key fob, mobile device, or wearable device
- something the consumer is which can be confirmed using biometric data such as a fingerprint, iris scan, facial or voice recognition.
These authentication factors must be independent, so that if one factor is compromised the reliability of the second is unaffected. The choice of factors rests with the payment service provider, but 3DSV2 meets these SCA requirements unless the transaction falls under an exemption rule, such as a low-risk or low-value transaction.
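The SCA rule summarised above, as an added example that is not part of the original article: a check that a proposed set of factors draws on at least two distinct categories (the page's grouping of factors into knowledge, possession and inherence), with the exemption path for low-risk or low-value transactions. Independence is modelled only as "different categories", and the low-value limit is a constructed placeholder, not the figure from the PSD2 regulatory technical standards.

```python
# Added example, not the article's or any PSP's code. Validates a factor set
# against the two-of-three SCA rule and applies an exemption bypass.
KNOWLEDGE, POSSESSION, INHERENCE = "knowledge", "possession", "inherence"

# Category mapping taken from the article's three lists.
FACTOR_CATEGORY = {
    "otp": KNOWLEDGE, "sms_code": KNOWLEDGE, "pin": KNOWLEDGE,
    "password": KNOWLEDGE, "security_question": KNOWLEDGE,
    "card": POSSESSION, "key_fob": POSSESSION,
    "mobile_device": POSSESSION, "wearable": POSSESSION,
    "fingerprint": INHERENCE, "iris": INHERENCE,
    "face": INHERENCE, "voice": INHERENCE,
}

LOW_VALUE_LIMIT = 30.0   # constructed placeholder threshold, not the PSD2 RTS figure

def factor_categories(factors) -> set:
    """Map each factor name to its category; unknown factors are rejected."""
    unknown = [f for f in factors if f not in FACTOR_CATEGORY]
    if unknown:
        raise ValueError(f"unknown authentication factor(s): {unknown}")
    return {FACTOR_CATEGORY[f] for f in factors}

def meets_sca(factors) -> bool:
    """True when at least two factors from distinct categories are present.
    Two factors from the same category (e.g. PIN + password) do not count."""
    return len(factor_categories(factors)) >= 2

def sca_exempt(amount: float, issuer_low_risk: bool) -> bool:
    """Exemption rules named in the article: low value or issuer-rated low risk."""
    return amount <= LOW_VALUE_LIMIT or issuer_low_risk

def transaction_may_proceed(amount: float, issuer_low_risk: bool, factors) -> bool:
    """Exempt transactions skip SCA; all others must satisfy the two-factor rule."""
    if sca_exempt(amount, issuer_low_risk):
        return True
    return meets_sca(factors)
```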