3D Secure authentication and 3D Secure 2 explained
Fort Knox, the US army station which protects one of the biggest gold reserves in the world, has a dizzying array of security measures: tanks, attack helicopters, mines, laser-triggered machine guns, and more.
Only one person has tried to break into the vault, and he wasn't real. That was Auric Goldfinger, the eponymous villain in the James Bond film.
Unfortunately, online payments aren't protected in quite the same way as Fort Knox. But as ecommerce adoption increases and the financial industry evolves, new methods of protecting consumers and their money are being introduced. These security measures include 3D Secure and 3D Secure 2.
This article will explain what they are, their benefits, and how you can use them to save money and reduce fraud.
What is 3D Secure authentication?
Despite the rise in alternative payment methods, cards are still the preferred payment option for many European consumers. And though security measures are in place to protect card users – including the card verification code (CVC) system – data shows that card payments have the highest fraud risk.
To better protect users, in 2001 card schemes introduced the 3D Secure protocol to reduce fraud and increase security for online payments.
3D Secure 1.0 worked by redirecting a shopper to a site managed by the issuing bank – the bank that issued the card to the customer – to answer additional security questions. This could be a unique password or a one-time password sent via SMS.
Although this process did improve security, it also created problems for businesses and shoppers. These problems include:
- Checkout friction: Adding a verification step created more friction in the checkout process.
- Static passwords: Some issuing banks also relied on users remembering a static password, which they could easily forget.
- Mobile/app experience: Sometimes, 3DS redirected shoppers using a mobile device or app to a bank's website, which wasn't optimised for the device.
Any of these problems could cause shoppers to abandon their cart, costing businesses a sale.
The introduction of 3D Secure 2 (3DS2)
To help solve some of the drawbacks of the original 3DS, EMVCo – an organisation owned by six of the world's major card issuers – released 3D Secure 2 in 2018.
3DS2 (also known as 3DS 2.0 and 3D Secure 2.0) allows businesses and payment providers to share more transaction data with the issuing bank. This creates a frictionless flow and improves the user experience.
As of October 2022, many of the world's major card schemes – including Visa and Mastercard – have stopped supporting 3DS payments in Europe. Instead, 3DS2 authentication is now used for most card transactions.
3DS2 payments are the primary method businesses use to comply with the revised Payment Services Directive (PSD2) regulation and Strong Customer Authentication (SCA) requirements in Europe.
How does 3DS2 work?
With 3DS2 payments, the authentication process is embedded in the checkout flow. This creates a more frictionless experience compared to the original 3DS.
Whenever a customer makes a 3DS2 payment, businesses and payment providers can send more than 150 data points that help the issuing bank assess the payment risk level. This includes data on the customer's shipping address, device, and payment history. The process takes place in the background of the web or mobile checkout flow.
After the data is submitted, the issuing bank chooses to authenticate the payment or ask for more information. One of two things then happens:
- If the issuing bank authenticates the payment immediately, it is called the frictionless flow.
- If more information is required, it is known as the challenge flow.
Frictionless authentication flow
If the issuing bank has enough data about the customer making a payment, it will qualify for frictionless authentication. This is the most significant difference when comparing 3DS vs 3DS2, as it means an issuer can approve a transaction without the cardholder having to input more information.
Better customer experience
Unlike the original 3DS, the 3D Secure 2 protocol is responsive to many devices, including smartphones and tablets. This means it works seamlessly with mobile banking apps to create a frictionless experience.
Less friction during challenge flow
In most cases, 3DS2 allows a cardholder to authenticate a challenge flow payment through their banking app using biometric authentication (such as a fingerprint or facial scan). This is sometimes known as ‘out-of-band authentication’.
3DS2 also helps to embed the challenge information request within the checkout flow itself. This means that cardholders are not redirected to another site to authenticate the payment, reducing friction and the possibility of cart abandonments.
Using 3DS and 3DS2 payments also helps you to reduce the risk of losing money through chargebacks.
Using 3DS2 means the liability for fraud-related chargebacks shifts from your business to the issuing bank. Though there are a few exceptions to this rule, in Europe almost all online payments using 3DS2 activate this liability shift. However, it doesn’t apply to non-fraud related chargeback reasons, such as goods not being delivered.
3DS2, PSD2, and SCA
The revised Payment Services Directive is the primary regulation governing electronic payment services in Europe. And one of the primary ways it provides better security for consumers and businesses is through Strong Customer Authentication (SCA).
3D Secure 2 is the most popular method of authenticating online card payments and adhering to SCA guidelines while reducing friction to help boost conversions.
Some payment providers can help you access SCA exemptions for low-risk payments. That means exempted transactions automatically go through the frictionless flow. In this case, the liability shift does not occur, meaning that your business will be liable for any chargebacks for exempt payments.
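How a merchant back end might act on the outcomes described under "How does 3DS2 work?" and on the liability rules above, as an added example that is not Mollie's code. The messageType and transStatus values are EMV 3DS field values; the decide function, the exemption_applied flag, the fail-closed policy and the sample messages are assumptions made for illustration.

```python
import json

STOP = {"action": "stop", "flow": None, "liability": None}

def decide(raw, exemption_applied=False):
    """Map a 3DS2 result message (JSON text) to the merchant's next action.

    exemption_applied is a hypothetical merchant-side flag marking a payment
    sent under an SCA exemption. Liability follows the article's rule only;
    scheme-specific exceptions are not modelled.
    """
    try:
        msg = json.loads(raw)
    except (ValueError, TypeError):
        return dict(STOP)
    if not isinstance(msg, dict):
        return dict(STOP)
    # ARes answers the initial data submission; RReq reports a finished challenge.
    flow = {"ARes": "frictionless", "RReq": "challenge"}.get(msg.get("messageType"))
    status = msg.get("transStatus")
    if flow == "frictionless" and status == "C":
        # The issuer wants more information: hand over to the challenge flow.
        return {"action": "challenge", "flow": "challenge", "liability": None}
    if flow and status == "Y" and msg.get("authenticationValue"):
        # Authenticated, with the issuer's proof to pass on at authorization.
        exempt = exemption_applied and flow == "frictionless"
        liable = "merchant" if exempt else "issuer"
        return {"action": "authorize", "flow": flow, "liability": liable}
    # N, R, unknown statuses, or a "Y" without proof: fail closed.
    return dict(STOP)

# Constructed sample messages (not captured traffic; values are placeholders).
SAMPLES = {
    "frictionless": '{"messageType": "ARes", "transStatus": "Y",'
                    ' "authenticationValue": "CONSTRUCTED-VALUE"}',
    "needs_challenge": '{"messageType": "ARes", "transStatus": "C"}',
    "challenge_done": '{"messageType": "RReq", "transStatus": "Y",'
                      ' "authenticationValue": "CONSTRUCTED-VALUE"}',
    "denied": '{"messageType": "ARes", "transStatus": "N"}',
    "no_proof": '{"messageType": "ARes", "transStatus": "Y"}',
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, decide(raw))
```

Recording the liability value next to each payment lets chargeback handling tell issuer-liable payments apart from exempted ones.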
How to activate 3D Secure 2
Most businesses work with a payment provider that can seamlessly apply 3DS2 to all high-risk payments, helping to protect the business from fraud.
Here at Mollie, we help you apply 3DS2 to all relevant transactions. Our dynamic 3D Secure tooling means that payments will still complete even if there are issues with the 3DS authentication, such as when an issuing bank does not support it.
We aim to be a trusted partner for your business that offers all the tools you need to power growth. That includes a payment solution that helps you accept multiple payment methods and offer customers a frictionless payment process to boost conversions.
Our product also has advanced security features to protect you and your customers. These features include:
- Dynamic 3D Secure payments
- PCI-DSS level 1 certified
- Fraud monitoring