Considering the rapid evolution of consumer behavior and the surge in payments made through digital channels like tablets, mobile phones and the Internet of Things in recent years, along with the increased fraud rates observed, the European Payment Service Directive (PSD) has been updated; the new version is known as PSD2.
The new directive requires banks to open their customer data assets to third parties and also includes new safety requirements. It also led to the development of an enhanced security protocol known as 3-D Secure 2.0. PSD2 also introduces new transaction security measures such as Strong Customer Authentication (SCA), Risk Based Authentication (RBA) and Transaction Risk Analysis (TRA). Our research found that 73% of consumers say that multi-factor authentication makes their payment feel safer and more secure.
What is 3D Secure?
3D Secure (3DS) is a security protocol that requires customers to complete an additional authentication step when attempting an online card payment. 3D refers to “three domains”: the card issuer, the merchant, and the infrastructure that mediates between the consumer and the merchant.
In Europe, 3DS is required by the Strong Customer Authentication (SCA) regulation for all card payments, though it is optional in other regions.
What is 3D Secure 2.0?
In October 2022, all major card brands made the switch from 3DS 1 to 3D Secure 2.0 (3DS2), an updated version of the protocol that improved upon some of the limitations of its predecessor. In essence, 3DS2 enables faster, more secure, more accurate fraud detection.
How does 3D Secure work?
3DS verification is triggered whenever an attempted online card payment meets certain conditions. Those conditions are either that the customer lives in an SCA-mandated region or that the transaction or user falls within the parameters of the rules you’ve created in your payments or fraud prevention system.
For example, you might set 3DS to be presented to the customer if the transaction value exceeds $500 or is deemed especially risky. Your payments system will probably come with default rules for 3DS, though you can create custom rules to meet your own requirements.
If the transaction requires 3DS, your customer will be asked to complete an additional authentication step. Most commonly they will be redirected to the authentication page of their bank’s website or app and then have to use a one-time password (OTP) or biometric information to approve their purchase. Once authenticated, they’ll be returned to your website to receive confirmation of payment.
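The trigger decision described above can be sketched as a small rule evaluator. This is an added example, not code from Checkout.com or any payments product; the `Payment` fields, the rule names, the 0.8 risk cut-off and the sample region set are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed sample standing in for "SCA-mandated regions"; not a complete list.
SCA_REGIONS = {"FR", "DE", "NL", "IE"}

@dataclass(frozen=True)
class Payment:
    amount_minor: int                 # amount in minor units (cents)
    currency: str                     # ISO 4217 code
    customer_country: Optional[str]   # ISO 3166-1 alpha-2, None if unknown
    risk_score: Optional[float]       # 0.0 (safe) to 1.0 (risky), None if scoring failed

@dataclass(frozen=True)
class Rule:
    name: str
    matches: Callable[[Payment], bool]

# Hypothetical merchant rules mirroring the text: value above $500, or deemed risky.
# Only USD amounts are compared; other currencies would need conversion first.
CUSTOM_RULES = [
    Rule("amount_over_500_usd",
         lambda p: p.currency == "USD" and p.amount_minor > 50_000),
    Rule("high_risk_score",
         lambda p: p.risk_score is not None and p.risk_score >= 0.8),
    # Assumption: a missing score is treated as risky rather than as safe.
    Rule("risk_score_unavailable", lambda p: p.risk_score is None),
]

def requires_3ds(p: Payment, rules=CUSTOM_RULES, sca_regions=SCA_REGIONS):
    """Return (decision, reason) so every 3DS prompt can be audited later."""
    if p.customer_country is None:
        # Assumption: fail closed when the region cannot be determined.
        return True, "country_unknown"
    if p.customer_country.upper() in sca_regions:
        # The regional mandate applies regardless of the merchant's own rules.
        return True, "sca_region"
    for rule in rules:
        if rule.matches(p):
            return True, rule.name
    return False, "no_rule_matched"

if __name__ == "__main__":
    # Constructed sample payments.
    for pay in (Payment(1_000, "EUR", "FR", 0.1),
                Payment(50_000, "USD", "US", 0.1),
                Payment(50_001, "USD", "US", 0.1),
                Payment(2_000, "USD", "US", None)):
        print(pay, requires_3ds(pay))
```

Returning the reason alongside the decision lets a merchant measure which rule is responsible for most challenges before tightening or loosening it.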
Advantages of 3D Secure v2
3DS 2.0 represents a marked improvement on 3DS1, which had a reputation for being slow, non-user-friendly, and sometimes even damaging to customer trust.
The main advantages of 3D Secure are:
- Improved risk assessment - 3DS2 has significantly increased the quantity of data sent to issuers. This gives the system far more contextual information about the customer and the transaction, leading to more accurate risk assessments, optimized outcomes for the shopper and the merchant, and higher acceptance rates.
- Improved user experience - as a result of improved risk assessments, customers deemed low risk by 3DS2 can continue with their purchase without any disruption (frictionless flow), with the whole process taking place ‘behind the scenes’. Higher risk customers can now be presented with a user-friendly authentication procedure such as biometrics or an OTP (challenge flow) that can take place entirely within the merchant’s website or app. This improved user experience boosts customer trust and confidence.
- Reduces fraud and chargebacks - more accuracy results in a higher acceptance of legitimate transactions and better fraud prevention. Additionally, 3DS2 protects merchants by shifting the liability for fraud-related chargebacks onto the card issuer.
- Reduces cart abandonment - integrating the 3DS experience into the user’s shopping journey minimizes disruption and reduces the chance that they’ll abandon their purchase in frustration.
Difference between 3DS 1.0 vs. 3DS 2.0
Most shoppers have experienced, at least once, the limitations of the 3DS 1.0 protocol through non-browser e-commerce transactions; paying on mobile devices or in-app can sometimes be a frustrating experience and not quite user-friendly.
The 3DS 2.0 protocol – created, owned and managed by EMVCo and its six member organizations, which include American Express, Discover, JCB, Mastercard, UnionPay and Visa – has been developed with the goal of improving the overall performance of the 3DS program and supports the payments industry in delivering a global, interoperable and consistent user experience across all e-commerce channels and connected devices.
The biggest differences in PSD2 and the new protocol include merchant liability shift in case of fraud, reduced interchange fees and authentication upgrades – all of which can result in benefits like higher approval rates and reduced friction due to improved risk-based authentications and a richer exchange of data.
Understandably, businesses may initially be concerned that more authentication elements will inevitably mean more friction points, thus affecting the overall customer experience which will have a negative impact on conversion rates – but in fact, it will likely have the opposite effect.
While drafting the PSD2, regulators kept these as central considerations and included a number of provisions that will allow merchants to maintain, and even improve, speed and user-friendliness.
With increased usage and popularity of these types of transactions, the new version of the 3DS specifications is designed to deliver better integration with the merchant – moving beyond the limitations of 3DS 1.0, curbing cart abandonment rates and improving the user experience, all without compromising security. Let’s break down some of the key changes in 3DS 2.0 and what they'll mean for your business.
What is Risk-Based Authentication (RBA)?
An important advantage of 3DS 2.0 is that it facilitates a richer exchange of data between the cardholder’s device and the issuer – essentially, enabling the issuer to perform Risk-Based Authentication (RBA). 3DS 2.0 will allow for an exchange of over 100 data elements on each transaction, factoring data points like a shipping address, device ID, and previous transaction history, in order to assess the risk level of each transaction. Depending on the issuer’s decision, the authentication will then either go through a frictionless flow, when the transaction is perceived as secure or through a challenge flow, where the user may be prompted to provide further verification.
According to Mastercard, through this data validation measure, it is expected that 90% of all transactions will not require a challenge to authenticate the user thus reducing overall friction and cart abandonment rates. Even better, users will not need to provide a password or SMS in order for the merchants to benefit from the liability shift.
With 3DS 1.0, there is a security protocol in which a bank page appears and confirms that there is no need to authenticate for this transaction – this can be an unnecessary friction point. However, with 3DS 2.0, the redirect or bank page will no longer be displayed to the user which will create a smoother, faster flow toward checkout completion.
What is Transaction Risk Analysis (TRA)?
The new protocol also introduces Transaction Risk Analysis (TRA), which is the proprietary fraud risk analysis that issuers and acquirers will apply to each transaction. It is based on an algorithm built to detect the cardholder’s spending or behavioral patterns. Other risk factors analyzed include cardholder location, merchant location, monetary threshold, and real-time fraud rates for e-commerce transactions.
Checkout.com receives 3DS 2.3.1 certification
In May 2023, Checkout.com received its 3DS 2.3.1 certification from EMVCo, the technical body composed of the six largest payment networks that manages and promotes secure payments.
The certification authorizes us to use proprietary AI to enhance our payment solutions while reducing fraud, giving our clients more power to tackle online threats and improve their payment performance.
The latest 3DS 2.3.1 protocol further improves on the limitations of its predecessors, specifically in reducing cart abandonment and customer friction, and improving payment performance.
It has also introduced a process in which, rather than switching manually from the merchant’s checkout to their banking app or website, your customers are automatically redirected to their bank app for verification. Additionally, 3DS 2.3.1’s new integrated authentication methods, including Secure Payment Confirmation (SPC) and WebAuthn, help to combat fraud while improving customer experience.
These tools and more are available as part of our flexible Fraud Detection Pro and Integrated Platforms solutions, which allow merchants to customize their fraud prevention and payments strategies to their exact needs.