3DS 2.3 - what's new?

Learn about the new EMV 3DS v2.3 enhancements and how this affects your business and customers

Link to the author's page
Checkout.com
August 15, 2023
Link to the author's page
3DS 2.3 - what's new?

Ever since 3D Secure was introduced by Visa and Arcot in 1999, the payments industry has been constantly trying to improve its fraud fighting capabilities. 

Under the stewardship of EMVco - the global technical body that enables secure card payments - 3DS has been continuously enhanced and improved to keep up with the ever-changing digital payments landscape.

These enhancements are made after regular reviews and evaluations by EMVCo and other payments industry stakeholders via the EMVCo associates program. First introduced in 2021, 3DS 2.3 has made improvements to the speed and accuracy of authentication, streamlined the process for consumers, and allowed for implementation across multiple channels and devices. 

Find out everything you need to know about what’s new in 3DS 2.3 here. 

What is 3D Secure?

Digital payment security and payment fraud are locked into a perpetual arms race. As the former invents ever-better defense, the latter responds with ever-more ingenious attacks.

In response, the EU’s Payment Service Directive (PSD) updated to PSD2, implementing more robust security standards across the payments landscape. Central to these standards is 3D Secure, the directive’s enhanced security protocol that protects online transactions through Strong Customer Authentication (SCA), Risk Based Authentication (RBA), and Transaction Risk Analysis (TRA). Combined, these measures work to protect customer and business data from fraudsters, while boosting conversions and reducing cart abandonment. 

Here’s how 3DS works: when a customer attempts a payment, the merchant and payment provider send 100 data points to their bank in order to verify their identity and assess their risk level. If the bank is able to verify the cardholder's identity, the risk is considered low and the payment is authenticated immediately, known as frictionless flow. If there’s a risk that the cardholder isn’t who they say they are, the bank will ask for more more information, known as challenge flow. 

Currently, all merchants doing business in the European Economic Area (EEA) and the UK are mandated to meet SCA requirements by implementing at least two-factor authentication (2FA) for all payments. However, if either the business’s or customer’s bank is outside the EEA or UK, SCA is not required. 

What is 3D Secure 2.3?

3DS 2.0 (3DS2) was introduced to improve upon some of the limitations of its predecessor by incorporating a wider range of data and biometric information into the authentication process, allowing for faster and more effective fraud detection. As of October 2022, all major card brands have used 3DS2.

3DS 2.3 has enhanced this latest version of the security protocol even further, introducing new specifications in order to continually keep step with the latest advancements in payment technology and industry requirements. Broadly, these improvements allow merchants to offer an even more optimized payment experience for their customers and provide issuers with enhanced data for quicker, easier authentication. 

What are the key changes for 3DS 2.3?

The key changes for 3DS 2.3 are as follows:

  • Additional authentication approaches - version 2.3 is designed to accommodate new authentication approaches based on issuer preferences by considering factors like risk and regulations to determine how customers will be authenticated. It can also be used to comply with the SCA regulation by enabling two-factor authentication
  • Streamlined consumer authentication - 3DS 2.3 improves how data is exchanged between merchants and issuers, allowing issuers to better assess transaction risks and the consumers involved. This helps determine the necessary level of authentication without causing unnecessary delays in the payment process. It can result in increased transaction approval rates without the need for additional security steps. In most cases, consumers can simply click or tap to make an online payment, and it will be approved. For higher risk transactions (such as those made from a new device, unusually large amounts, or unexpected transaction types) the latest improvements simplify the process, making it easier for consumers to confirm the transaction, which minimizes friction
  • Enhanced data - merchants and issuers now have more transaction data, payment method details, and device information, such as payment token data and recurring transactions. This allows issuers to authenticate consumers’ recurring payments more quickly and more accurately. They can also display clearer and more simple information to consumers for a wider range of scenarios, such as when there is a fixed amount for the first recurring payment, a free trial followed by fixed subscription fees, or variable amounts/frequencies based on usage
  • FIDO-based WebAuthn and SPC support - when consulting on enhancements for version 2.3, EMVco collaborated with the World Wide Web Consortium (W3C) and the FIDO Alliance to include support for WebAuthn and Secure Payment Confirmation (SPC). This allows issuers and merchants to use these technologies within the 3DS process, improving their ability to verify the authenticity of transactions and limit the risk of fraud through biometric authentication 
  • Automated out-of-band (OOB) transitions - automated out-of-band (OOB) transitions make it easier for consumers to confirm transactions that require authentication through a separate app. Instead of the usual manual process, which involves multiple steps such as receiving a push notification, switching to the banking app, and logging in separately to review and confirm the transaction, this enhancement automates the transition between the merchant app and the banking app. This simplifies and speeds up the checkout process for consumers
  • Device binding - this simply allow consumers to specify that they would like to be remembered on their devices, meaning future purchases can be authenticated more quickly
  • User interface (UI) updates - issuers and merchants now have additional options for how they present information to customers, making it easier and more efficient to guide them through the authentication process
  • Split-SDK model - the new Split-SDK Specification simplifies the implementation of 3DS in various ecommerce payment channels and devices, including the likes of smart speakers and other Internet-of-Things (IoT) devices.

Difference between 3DS 2.0 vs. 3DS 2.3

The main difference between 3DS 2.0 and 3DS 2.3 is support for additional authentication approaches, which take into account the wider context of risk and regulations; much better data sharing and availability of a wider range of data for issuers, leading to more accurate decisions; improvements to user experience through enhanced UI, speed and efficiency; and support for more channels and devices. 

Benefits of 3DS 2.3

The key benefits of 3DS 2.3 are:

  • Improved security - more detailed data and improved data sharing means more accurate decision-making for issuers, which results in improved security for all parties
  • Faster authentication - version 2.3 includes a number of changes that simplify and speed up authentication, such as SPC, OOB transitions, device binding, and data exchange improvements, which reduce unnecessary delays. Although they all perform different functions, what unites these developments is their ability to strip repetitive and additional steps from the authentication process, making it faster and easier for consumers and merchants
  • Better user experience - a quicker authentication process also means a more frictionless and less frustrating user experience for consumers. This is also apparent in the UI updates, which make it easier and more efficient for merchants and issuers to communicate key information to customers 
  • Support for more devices and apps - the majority of online shopping and online payments is now conducted through smartphones and tablets, while voice commerce is becoming a growing area. Thanks to improvements like SDK and device binding, 3DS 2.3 responds to these changing consumer preferences by making it easier for authentication to be completed through various apps and even devices such as smart speakers, bringing payments more in line with the way we shop now

Checkout.com becomes 3DS 2.3.1 certified

Checkout.com is the first global payment provider to be 3DS 2.3.1 certified. That makes us an excellent partner for meeting your regulatory requirements and providing your customers with a fully optimized payments experience. 

The certification enables us to enhance our payments solution through proprietary AI, improving your capacity to fight online fraud while enhancing your payments performance. 

Find out more about 3DS Payment Authentication with Checkout.com. 

Stay up-to-date

Get Checkout.com news in your inbox.

Back to top button
August 15, 2023 17:29
August 15, 2023 17:29