3-D Secure
Summary
The 3-D Secure protocol—bundled into services by card brands like Visa Secure, Mastercard Identity Check or American Express SafeKey—is based on a three-domain model in which the acquiring bank and the issuing bank are connected by the protocol for the purpose of authenticating a cardholder during an ecommerce transaction. The protocol was developed and is maintained by EMVCo, a consortium of the card scheme brands. Beginning in late 2019, banks are expected to start supporting 3-D Secure version 2 (3DS2).
This new version of 3DS introduces the concept of “frictionless authentication” and adds support for mobile applications. It’s expected to be the main method that merchants use to meet PSD2’s requirement to “dynamically link” the payment to the issuing banks and confirm that SCA has been conducted so that their acquiring bank can receive funds from the transaction.
Signifyd’s Payments Optimization Solution leverages the latest authentication standards of EMV® 3-D Secure to complete all transactions without disruption, either using the 3DS2 protocol or its own SCA decision to authenticate transactions without any step-ups.
What’s new with 3DS2
EMVCo, an organization made up of six major card networks, recently released a new version of 3-D Secure. 3DS2 (also called EMV 3-D Secure, 3D Secure 2.0 or 3D Secure 2) aims to address many of the shortcomings of 3DS1 by providing more information to the bank domains so they can, in turn, provide less disruptive authentication methods and a better user experience for ecommerce transactions.
Frictionless authentication
3DS2 allows merchants to send more data elements for each transaction to the cardholder’s bank—the “issuing domain”—so that the bank can make a better-informed decision about the transaction’s risk. This additional data includes payment-specific data like the shipping address, and can also include transaction-specific data, such as the customer’s device ID.
- If the data passed through the protocol is enough for the bank to verify the cardholder and the payment, the transaction goes through the “frictionless” flow without any additional input from the cardholder beyond the traditional checkout page.
- In the base 3DS2 protocol, if the bank does not have enough information to authenticate the transaction, it can request a “challenge” step-up flow and prompt the customer to provide additional data.
- With Signifyd’s Seamless SCA™, if the bank requests a challenge, takes too long to respond or declines a transaction that Signifyd can authenticate by leveraging its Commerce Network and real-time machine learning, then the merchant can suppress the 3DS2 protocol and still route the transaction through its payment provider to authorize capture.
An example flow of authenticating a payment using 3DS2 with fallback support for Seamless SCA™:
Regardless of whether a transaction follows the frictionless flow of 3DS2—in which case, the issuing bank will bear liability—or the Seamless SCA™ flow of Signifyd—where Signifyd will bear liability—merchants will benefit from a guaranteed liability shift for fraudulent orders, and with Signifyd’s Complete Chargeback Protection, from any type of chargeback.
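The merchant-side decision after the issuer replies, as an added Python example that is not Signifyd's code: the transStatus codes are the ones EMV 3DS defines for issuer responses, while the transaction fields and the fallback risk rule are constructed assumptions standing in for a real risk engine.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Optional


class Outcome(Enum):
    ISSUER_AUTHENTICATED = "frictionless: authorize, liability shift from the issuer"
    CHALLENGE = "base 3DS2: present the issuer's challenge to the cardholder"
    FALLBACK_AUTHENTICATED = "suppress 3DS2: authorize on the merchant-side SCA decision"
    DECLINED = "do not authorize"


@dataclass
class Transaction:
    amount: float
    shipping_matches_billing: bool   # payment-specific data element sent to the issuer
    device_known: bool               # transaction-specific element: device ID seen before


@dataclass
class IssuerReply:
    # transStatus codes used in EMV 3DS responses: 'Y' authenticated, 'N' not
    # authenticated, 'C' challenge required, 'U' unavailable.
    # None models no reply before the merchant's timeout.
    trans_status: Optional[str]


def risk_engine_approves(tx: Transaction) -> bool:
    """Constructed stand-in for a merchant-side risk decision (hypothetical rule)."""
    return tx.device_known and (tx.shipping_matches_billing or tx.amount < 100.0)


def decide(reply: IssuerReply, tx: Transaction, fallback_enabled: bool,
           fallback: Callable[[Transaction], bool] = risk_engine_approves) -> Outcome:
    if reply.trans_status == "Y":
        return Outcome.ISSUER_AUTHENTICATED
    # Challenge requested, declined, unavailable or timed out: the fallback applies.
    if fallback_enabled and fallback(tx):
        return Outcome.FALLBACK_AUTHENTICATED
    if reply.trans_status == "C":
        return Outcome.CHALLENGE
    return Outcome.DECLINED


if __name__ == "__main__":
    tx = Transaction(amount=250.0, shipping_matches_billing=True, device_known=True)
    for status in ("Y", "C", "U", None):
        print(status, decide(IssuerReply(status), tx, fallback_enabled=True).name)
```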
Best user experience
3DS2 was designed after the broad adoption of smartphones and makes it easier for banks and service providers to offer innovative authentication experiences.
With Signifyd’s Payments Optimization Solution, instead of entering a password or receiving a text message (two relatively insecure authentication methods that introduce substantial friction for customers), the cardholder can authenticate a payment through the merchant’s app or website by just using their device and interacting with the merchant’s storefront. With our solution, the 3DS2 protocol serves as the language to communicate the dynamic link between the transaction and the issuing bank, rather than the sole method of authentication, and the merchant maintains control over their checkout experience.
3DS2 versus Strong Customer Authentication
The pending enforcement of PSD2 makes 3DS2 all the more important if you are doing business in Europe, as it is the most widely adopted method of dynamically linking the transaction details to the issuing banks. As this new regulation will require you to apply more authentication on European payments, the improved user experience of Seamless SCA™ can help reduce the negative impact on conversion compared to the basic 3DS2 protocol. SCA is the regulatory framework that describes how to be compliant when authenticating a transaction by measuring at least two of the three elements below; the elements must be independent, so that compromising one does not compromise the other.
- “Something you know”, the KNOWLEDGE element (e.g., password or PIN)
- “Something you have”, the POSSESSION element (e.g., phone or hardware token)
- “Something you are”, the INHERENCE element (e.g., fingerprint or face recognition)
Simply implementing the 3DS2 protocol does not, on its own, satisfy PSD2’s requirements for SCA. Additionally, the basic protocol only has the capability to pass information regarding two of the elements, knowledge and possession, but not inherence. These two elements, both generally by their nature and specifically by the most-often used technologies, require more customer interaction and friction than inherence. For example, an SCA-compliant flow would require a cardholder to both enter a previously known password or PIN (the knowledge element) and also confirm the cardholder’s device by entering a one-time password sent over SMS (the possession element).
- The EBA’s Opinion on 21 June 2019 confirmed that 3DS2 does not support the ability to measure any inherence data points and that a one-time password may satisfy possession but does not satisfy knowledge.
- Visa, Mastercard and a group of European payments and retailer consortiums released a Joint Industry Statement on 1 August 2019 that also confirmed the industry’s updated understanding that none of the planned versions of 3-D Secure 2.x include the ability to measure the inherence element.
The 3DS2 protocol itself will allow payment providers to request exemptions to SCA and skip authentication for certain types of payments. If an exemption passes through the “frictionless flow,” the merchant doesn’t benefit from the liability shift from the issuing bank under the basic protocol but does receive a liability shift guarantee from Signifyd.
When will 3DS2 be supported by banks?
The widespread adoption of 3DS2 will require that banks that are also card issuers support the new standard. Although the first issuing banks have started supporting 3DS2 for their cardholders, we expect that full implementation will take time–perhaps years–and vary by country and region.
In the European Economic Area, we expect many banks to upgrade their infrastructure to support the 3DS2 protocol throughout 2020 and 2021, to be ready for the enforcement of Strong Customer Authentication in December of 2020 for the majority of the European Economic Area (EEA) and September of 2021 for the UK. While we anticipate that 3D Secure version 1 and 3DS2 will coexist until at least 2021, we’re excited to use the latest version, 3DS 2.2, to communicate with issuing banks using the card brands’ delegated authentication programs.
This article was last updated on 12 May 2020