3D Secure 2: Key points for merchants

December 24, 2020

What does 3D Secure 2 mean, and how can merchants make the transition smooth with Unlimint? Read on in our guide.

Unlimint team
Your payment experts

If balancing safety and convenience in your business sounds unbelievable, then you have to learn how 3D Secure 2 works. Since its introduction, this data-driven authentication method has been supporting businesses in delivering a better and more secure customer experience. Due to the worldwide spread of connected devices and the rise of online shopping, 3DS 2 has become more important than ever.

Here, we will break down what this acronym means, why it is relevant for merchants, and explain how we can guide merchants through the transition.

First comes the 3DS 1.0

3D Secure or 3DS stands for three-domain secure. 

This protocol adds a layer of authentication by verifying a customer’s identity during the online checkout process. Its main purpose is to protect cardholders from having their credit card data stolen, thus preventing unauthorized use during online shopping.

Back in the early 2000s, when the PC was the only way to engage in online shopping, Visa presented the first iteration of 3DS, or 3DS 1.0. Unless consumers were enrolled in 3DS, they couldn’t make purchases at online retailers that used this technology. Taking into account that it was decades before people started using phones for online shopping, it’s no surprise that the protocol wasn’t designed to deliver a good user experience on mobile devices.

Apart from that, there was an even more serious problem: the insufficient technology resulted in billion-dollar losses due to false declines across online transactions.

3DS 1.0 was created only for web-browser use and failed to support shopping on mobile devices. That’s why nearly two decades later 3D Secure 2 arrived. 

What is 3DS 2? Features and benefits

3D Secure 2 was developed in response to the rapid increase in mobile traffic and the spread of in-app purchases and digital wallets. The goal was to improve on the previous technology by delivering a smoother authentication experience (in particular, completely eliminating friction) and by making it more secure. It does so through these features:

1. With 3DS 2, annoying pop-ups will become increasingly rare as banks try to create a seamless technological experience for shoppers. Yet, at the first stage, customers will have to use two-factor authentication rather than one password.

2. Merchants will deliver 10 times more data with every transaction. That will lead to a higher approval rate and more precise fraud risk assessments.

3. Smooth shopping experience no matter what device is used. Companies can connect mobile and website applications, or other devices like Smart TVs and wearables, using software development kits.

4. Dynamic authentication that eliminates static passwords. 3DS 2 works only with one-time passwords and biometric authorization. For instance, when your customer proceeds to checkout and pays for an order from a desktop, he or she will receive a one-time code on a mobile device valid for only one login session or transaction.   

What are PSD2 and SCA?

The European Commission and other regulatory bodies issue dozens of new guidelines and directives every year. At first glance, PSD2 might seem like just a second iteration of the Payment Services Directive (PSD) which simply tweaks a few things in the background. However, it is anything but that: PSD2 has been designed to revolutionize the way payments are made.

As of 14th September 2019, PSD2 required Strong Customer Authentication (SCA) for all payments within the European Economic Area (EEA). However, transactions below €30 may be exempted from SCA. Later, the European Banking Authority (EBA) gave further potential exemptions and pushed the new deadline to the 31st of December 2020. The combination of SCA requirements, exemptions, issuer vetoes, and different regulatory approaches per country made the payment process more difficult. 

In spite of the challenges, this move is supposed to change the payment landscape in the eCommerce market, as it will boost transparency and encourage financial institutions to safely share customer information with third parties. 

3DS 2 mobile app and website user flows

In any site or mobile app, there can be different paths for the user to complete their intended task. When customers order pizza or buy a new pair of shoes, either a mobile app or a website gives them an opportunity to make a payment. The procedure for online payment with 3D Secure on a website looks as follows:

1. A customer chooses a product or service on a website. 

2. A customer enters the details of the payment card, which is similar to the regular purchase process.

3. A merchant connects a customer with a bank by redirecting them to a separate secure page. At the same time, a notification from a bank with a one-time password is sent to a customer.

4. On the current page, a customer enters the password received in the message.

5. The system automatically goes back to the merchant’s site and initiates payment. 

6. Payment occurs only after successful password entry.

With the new SDK component, 3DS 2 is natively integrated into mobile apps. This makes the payment process a part of your mobile app, which results in a reduced cart abandonment rate and less e-commerce fraud.

The 3DS 2 mobile app payment looks like this: 

1. A customer sends the card information to the payment gateway.

2. The payment gateway transmits the information to the bank that has issued their card.

3. The bank sends the request to VISA, Mastercard, or other payment systems.

4. The payment system evaluates the customer’s reputation and determines the conditions of the money transaction.

5. The customer’s bank sends a one-time code to approve the payment. If the bank confirms the transaction, money is sent to the merchant’s account. 

Secure and smooth UX: A new standard of authentication 

Frictionless flow

When a customer makes an online purchase, the verification process happens behind the scenes. The access control server (ACS) evaluates the client’s device data and purchased items and then authenticates this information without bothering a customer. 

Thanks to frictionless flow, issuers no longer need any input from the cardholder to approve transactions. What does that mean? Pop-ups and static passwords no longer hinder the payment process, which increases the transaction success rate.

Challenge flow

Although most online payments allow frictionless flow, about 1-2% of high-risk transactions may require two-factor (2FA) or biometric authentication. In this case, a customer must use at least two elements out of three:

1. Something they know: PIN code or a password.

2. Something they have: phone, wearables, credit or debit cards.

3. Something they are, which is also called biometric authentication: fingerprint image, facial recognition, voice patterns, etc.

What is Dynamic 3D Secure?

Although 3DS is designed as a safety measure that decreases chargebacks, it can have the opposite effect on the transaction success rate and result in a bad payment experience. So what’s the solution?

Dynamic 3DS is a great way to define the transaction criteria and set up rules that regulate 3D Secure flow. This technology will collect and send the needed security information to the issuer and process all low-risk payments without additional authentication. The verification process will be automatically applied only to risky payments. 

How Unlimint dynamically applies 3DS 2 

  • The 3DS libraries work together with Unlimint 3D Secure server to exchange information with the cardholder’s bank and request authentication. 
  • Unlimint supports 3DS 2 web browser flow in the new Payment API to let you dynamically apply 3DS 2 to high-risk payments and protect your business from fraud.
  • Unlimint system will only apply 3DS 2 when it’s supported by the cardholder’s bank and rely on 3DS 1.0 (a prior version) when the former isn’t supported yet.

When will 3D Secure 2 become mandatory for online transactions?

According to the recent update, as of 31 December 2020, all merchants across the EEA, some non-EEA countries and the UK will be obliged to adjust their authentication capabilities and migrate to EMV 3DS to comply with the PSD2 SCA requirements. It means that up-to-date security measures involving 2FA will become a mandatory step in all customer-initiated transactions within Europe unless the transaction falls under an exemption rule.

What are the exemptions?

Avoiding the authentication process can significantly improve the payment process, which is why it is important to take advantage of the exemptions rule for transactions that fall under it.

Here is the list of SCA exemptions:

1. Low-value transactions (all payments equal to or under €30).

2. Low-risk transactions

3. Recurring payments for the same amount

4. Secure Corporate payments (can be applied by issuers only)

5. Payments to trusted beneficiaries (can be applied by issuers only)


Full support for the exemptions mentioned above will be released by March 2021.
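The routing logic described in the Dynamic 3DS, challenge flow and exemption sections can be sketched as follows. This is an added example, not Unlimint code or its Payment API: the `Payment` record, the function names and the `low_risk` and `issuer_veto` inputs are hypothetical, and the two issuer-only exemptions are left out because a merchant cannot apply them.

```python
from dataclasses import dataclass
from decimal import Decimal
from typing import Optional

LOW_VALUE_LIMIT_EUR = Decimal("30")  # "equal to or under EUR 30" in the exemption list
SCA_FACTORS = frozenset({"knowledge", "possession", "inherence"})


@dataclass
class Payment:  # hypothetical record, not an Unlimint API object
    amount_eur: Decimal
    low_risk: bool = False               # assumed result of the merchant's risk scoring
    recurring_same_amount: bool = False
    issuer_supports_3ds2: bool = True


def merchant_exemption(p: Payment) -> Optional[str]:
    """Return the first merchant-side exemption that applies, else None.

    "Secure corporate" and "trusted beneficiary" are issuer-only and never returned.
    """
    if p.amount_eur <= LOW_VALUE_LIMIT_EUR:
        return "low_value"
    if p.low_risk:
        return "low_risk"
    if p.recurring_same_amount:
        return "recurring_same_amount"
    return None


def route(p: Payment, issuer_veto: bool = False) -> dict:
    """Decide whether to authenticate and, if so, with which protocol version."""
    exemption = merchant_exemption(p)
    if exemption and not issuer_veto:
        return {"authenticate": False, "exemption": exemption, "protocol": None}
    # No exemption applies, or the issuer vetoed it: authenticate, preferring
    # 3DS 2 and falling back to 3DS 1.0 when the issuer does not support it.
    protocol = "3DS2" if p.issuer_supports_3ds2 else "3DS1"
    return {"authenticate": True, "exemption": None, "protocol": protocol}


def sca_satisfied(presented: set) -> bool:
    """Challenge flow: at least two distinct factor categories out of three."""
    return len(SCA_FACTORS & set(presented)) >= 2
```

Two secrets of the same category, such as a password plus a PIN, count as one factor, which is why `sca_satisfied` counts categories rather than credentials.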
