3D Secure 2.0: What is it and How Does it Work?

What is 3D Secure?

3D Secure (3DS) is a globally accepted authentication solution designed to make eCommerce transactions more secure in real-time by providing an additional layer of security. It enables the exchange of data between the merchant, card issuer and, when necessary, the consumer, to validate the transaction is being initiated by the rightful owner of the account.
Created by Visa and Mastercard, it further secures CNP (Card-Not-Present) transactions over the Internet.

Introducing 3D Secure 2 – the new generation of the 3DS protocol

The improvement in 3DS acceptance is great news for merchants. Developed and owned by EMV, 3D Secure 2 (3DS2) is designed to improve upon the 3D Secure 1 (3DS1) by addressing the old protocol’s pain points and delivering a much smoother user experience. With 3DS2’s frictionless flow, cardholders can authenticate themselves without being challenged. The quick and painless checkout process will benefit cardholders, while merchants can expect up to 66% less cart abandonment rates, according to Visa.
The enhanced 3DS2 provides several improvements over 3DS1, including:

• Support for transactions across a variety of devices for improved customer experience.
• 10X more data to support enhanced risk-based decision-making for issuers.
• Less friction for consumers, leading to reduced shopping cart abandonment.
• The average time to authenticate has reduced from 42 seconds to 37 seconds.

How does 3D Secure 2 work?
3D Secure 2 analyzes over 100 key data points, including the merchant’s contextual data, acting as an advanced layer of fraud protection. During checkout, the merchant’s 3DS service provider sends an authentication request with rich data to the issuer. This data includes a varying amount of cardholder and device information upon regional or market law restrictions, such as device ID, MAC address, geo-location, previous transactions, and so on.

Then, the issuer’s 3DS service provider assesses the transaction risk. If the transaction is determined as high-risk, the cardholder will be asked to verify their identity using biometrics, and/ or two-factor authentication. If the transaction is deemed as low risk, no further action is required on the cardholder’s end. The issuer sends the authentication result to the merchant, who in turn submits the transaction for authorization with a flag indicating the authentication result.

Why should merchants care about 3D Secure?

• Reduced risk of fraud. A significant selling point for 3DS is that it reduces the risk of fraud. This extra layer of security helps merchants accept card payments only from legitimate customers. Even if the customer’s card number and card details are used fraudulently, it is less likely that a fraudster would also have access to the cardholder’s 3DS pin or one time password (OTP).
• Chargeback liability shift. The biggest benefit of 3D Secure is the chargeback liability shift. It shifts the liability for chargebacks due to fraud from the merchant to the cardholder’s bank. This additional protection is why customers often face the 3D Secure challenge during high-value transactions such as airline tickets.
• Increased authorization rates. Visa and Mastercard report up to a 10% increase in authorization rates with 3DS.
• PSD2/SCA Compliance. Implementing 3D Secure is the best method to comply with SCA (Strong Consumer Authentication).

Is 3D Secure mandatory?

3D Secure is not mandatory. It is up to each merchant to decide whether to implement 3D Secure or not. However, 3D Secure is mandated in some countries like India and South Africa.

If your business’ acquiring bank and card holder issuer are in the EEA (European Economic Area), then you will need to comply with PSD2 and implement Strong Customer Authentication also known as SCA. SCA promotes the use of two-factor authentication and implementing 3DS2 is commonly agreed to be the best method to comply with SCA.

If either your acquiring bank or card holder issuer is not part of the EEA, then it doesn’t apply. It is hard to control where the issuer cards might be coming from, especially if you are operating an eCommerce business in the EEA. It’s safe to assume that if your merchants’ acquirer is in the EEA then you should implement SCA. It is now the cost of doing business in the EEA.

How do I get 3D Secure 2?
To enable 3DS, merchants should contact their payments service provider. Payway can support merchants seeking 3DS through its partnership with PAAY, a provider of EMV 3DS. For more information on how 3DS authentication and enablement can limit your chargeback liability, please contact us or call us at 800.457.9932.