Spiderman’s Peter Parker Principle states that ‘with great power, comes great responsibility’. The triarchy of payment systems (American Express, Mastercard, and Visa) certainly holds a lot of power, and they take their responsibilities seriously. In 1999 (led by Visa) they decided to improve the security of internet payments with 3D Secure.
This article will walk you through everything you need to know about 3D Secure and explain why you need to care. You’ll learn:
- What 3D Secure is
- Why 3D Secure matters
- The difference between 3DS1 and 3DS2
- The benefits of Dynamic 3D Secure
- How to implement 3D Secure 2
What is 3D Secure?
Traditionally, 3D Secure was that additional authentication step where a customer is directed to a page hosted by their bank. They’d enter a code or trigger an SMS to complete the purchase and were then redirected back to the merchant’s site. Things have moved on since then, which we’ll explore below.
Which card schemes support 3D Secure?
3D Secure is supported by most of the major schemes including Visa, Mastercard, Amex, Discover, JCB, and UnionPay.
Why is 3D Secure important?
3D Secure has always been a powerful means for helping prevent fraud. But now, with PSD2 ramping up the authentication standards enforced by issuers in the EU, 3D Secure is essential. Note: There are some exemption categories.
When does 3D Secure become mandatory?
In the UK, the PSD2 deadline is currently March 2022. You can learn more about PSD2 timelines and other regional nuances here.
3D Secure 1: A history lesson
The first iteration of 3D Secure was the redirect to Verified-by-Visa or Mastercard SecureCode. Over the years, it’s helped make online shopping much safer and reduced fraudulent chargebacks. But, like any new protocol, it’s had a mixed reception.
The good
Before 3D Secure, an online payment process looked like this:
Issuers could still run a check on the card’s three-digit CVC and the shopper’s address, but these checks were weak and relied on information fraudsters tended to have access to. So, if the card was stolen, fraudsters could run riot. 3D Secure brought the issuer into the process by hosting the authorisation on their domain. So, as well as keeping fraudsters in check, 3D Secure has the added benefit of shifting the liability from the seller to the card issuer.
The bad
Every region has different security requirements and legislation, which meant the adoption of 3D Secure varied hugely by country and industry. In one year, for example, 34% of small and medium merchants used 3D Secure whereas only 12% of large merchants did. In the Netherlands, adoption was almost 90%, while in the US, it was only 3%. This was confusing and far from watertight.
The ugly
Cardholders hated it. The extra step in the process was clunky, and no one could ever remember their 3D Secure code. Consequently, 3D Secure was quickly dubbed the ‘conversion-killer’. Plus, the simplistic web pages were easy to copy and customers couldn’t tell the difference between a legitimate 3D Secure authorisation page and a phishing site.
Enter 3D Secure 2.0
3D Secure 2 (3DS2) brings a new approach to authentication with a wider range of data points, biometric authentication, and an improved experience (optimised for mobile). It not only addresses the many issues of 3D Secure 1, it brings a whole host of new benefits.
Better experiences
With 3DS2, device information is enough to authenticate a customer and in most cases authentication is ‘passive’ with all necessary information exchanged in the background.
Example of passive authentication
However, some transactions are higher risk, or are subject to regulations like PSD2. In this case, the issuer may choose to ramp up the authentication. This comes in several forms, for example:
Two-Factor - The user is asked to provide a two-factor authentication code sent via email or SMS.
Two-factor authentication
Biometric - An app-switch to an issuing-bank app is facilitated by the SDK. The user can use their fingerprint or face in the issuing bank app.
Biometric authentication
Better authorisation rates
As well as authentication, 3DS2 can also be used as a tool to share up to 100 data points with the issuer. This can be used alongside your risk engine to make better risk decisions and boost authorisation rates.
Managing compliance with Dynamic 3D Secure
Regulatory frameworks like PSD2 can be confusing, especially when different countries have different deadlines. And, if you're operating across several regions, you’ll need to know which transactions fall within regulated areas and which don’t. You’ll also need to know in which regions 3DS2 will help boost your authorisation rates and in which it will damage your conversions.
The best approach is to apply Dynamic 3D Secure. This works in real-time to apply or avoid 3D Secure based on conditions like: payment method, transaction value, and location of the shopper. Below is the flow:
Adyen's Dynamic 3D Secure flow
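To make the idea of condition-based rules concrete, here is an added example (not Adyen's code or configuration format) of a first-match-wins decision over payment method, transaction value, and shopper location. The rule set, the country sample, and the 250 threshold are hypothetical merchant policy; note that an unknown location is treated as a reason to apply 3D Secure rather than skip it.

```python
from dataclasses import dataclass
from decimal import Decimal
from typing import Callable, Optional, Tuple

# Constructed, deliberately incomplete sample of countries treated as regulated.
REGULATED = frozenset({"NL", "DE", "FR", "GB"})
CARD_METHODS = frozenset({"visa", "mc", "amex"})


@dataclass(frozen=True)
class Payment:
    method: str                     # payment method, e.g. "visa"
    amount: Decimal                 # transaction value in the merchant's currency
    shopper_country: Optional[str]  # ISO 3166 alpha-2 code, None if unknown


@dataclass(frozen=True)
class Rule:
    name: str
    matches: Callable[[Payment], bool]
    apply_3ds: bool


# Hypothetical merchant policy, evaluated top to bottom; the first match wins.
RULES = (
    Rule("non-card method", lambda p: p.method not in CARD_METHODS, False),
    Rule("unknown location", lambda p: p.shopper_country is None, True),
    Rule("regulated region", lambda p: p.shopper_country in REGULATED, True),
    Rule("high value", lambda p: p.amount >= Decimal("250"), True),
)


def decide(payment: Payment) -> Tuple[bool, str]:
    """Return (apply_3ds, name_of_matching_rule) for one payment."""
    if payment.amount <= 0:
        raise ValueError("amount must be positive")
    for rule in RULES:
        if rule.matches(payment):
            return rule.apply_3ds, rule.name
    # No rule matched: 3D Secure is skipped to protect conversion, so the
    # liability shift to the issuer does not apply to this payment.
    return False, "default"
```

Returning the rule name alongside the decision gives each payment an audit trail showing why authentication was applied or skipped.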
How to implement 3D Secure 2 with Adyen
Our Authentication Engine can help you build authentication flows natively into your apps and will automatically apply the correct authentication to comply with regulations such as PSD2.
The technical bit
When setting up 3DS2, there are two core components of the integration to consider: The front-end SDK and the 3D Secure server.
The job of the SDK is to securely collect and transmit device information and display authentication flows. As a result there is a strict certification process on these libraries with EMVCo and the Schemes, which we’ll take care of. The SDKs weren’t a component of 3DS1 so, if you’re migrating from 1 to 2, you’ll need to introduce them into your frontend payment flows.
The 3DS2 SDK works together with our 3D Secure server (3DSS) to exchange information and request authentication. You can see more information on how these calls work in our documentation.
Adyen's 3DS SDK flow
See our libraries on GitHub.
Curious to learn more?
If you have any questions about anything you’ve read in this article, or would like to explore how we can help you get set up with 3D Secure 2, we’d love to hear from you.