June 1, 2022

Are You Ready to Make the Move to 3-D Secure 2.0?

Payment industry groups and regulators have been working for years to create standards and regulations that ensure secure online credit and debit card transactions without introducing excessive friction into the online payment process. Initial efforts worked well for security but resulted in a slow and cumbersome payment experience for shoppers. More recent offerings have made significant progress in enabling a more frictionless shopping experience while taking security to an even higher level.

In this blog post, we’ll provide an overview of 3-D Secure (3DS), the leading industry protocol for securing online credit and debit card transactions. We’ll also cover 3-D Secure 2.0—the latest update to 3DS—which has made great strides in enabling a more frictionless online payment experience. Finally, we’ll describe the steps you should take to prepare your organization to support 3-D Secure 2.0.

What is 3DS?

3DS is a security protocol that adds a layer of cardholder authentication to online credit and debit card transactions. The specification is maintained by EMVCo, a standards body overseen by six member organizations: American Express, Discover, JCB, Mastercard, UnionPay, and Visa.

Each card brand that adopts the 3DS protocol markets it under its own name. Visa’s program was originally “Verified by Visa” and Mastercard’s was “Mastercard SecureCode”; with the move to 3DS2 these became “Visa Secure” and “Mastercard Identity Check.”

The “3D” portion of the name refers to the three-domain model that provides the additional layer of security. The three domains are:

  • Acquirer Domain: The merchant and the merchant’s bank (the acquirer) that receive payment for the transaction.
  • Issuer Domain: The bank that issued the credit or debit card used for the transaction, and which ultimately authenticates the cardholder.
  • Interoperability Domain: The card network infrastructure (e.g., the Visa and Mastercard directory servers) that connects the other two domains and carries the 3DS messages between them.

The first generation of 3DS (1.0) enabled authentication of the customer by the card-issuing bank. With this approach, shoppers were redirected to the issuer’s website for every transaction to enter a static password or a code sent to their phone. This increased checkout time and cart abandonment, which limited adoption and merchant satisfaction.

Who Does 3DS Apply to?

3DS applies to merchants, merchant banks, issuing banks, and payment service providers who accept or process online credit or debit card transactions.

What is 3-D Secure 2.0?

3-D Secure 2.0 (3DS2) is designed to create a more frictionless online payment experience by drastically reducing how often the issuing bank must prompt the cardholder for a password or a code sent to their phone. This is accomplished by enabling the merchant or the merchant’s service provider to send a rich set of over 150 potential data elements to the issuing bank with each authentication request. This data includes payment-related data such as the shipping address as well as contextual data the issuer uses to determine the risk of the transaction. Here are some examples of contextual data that can be sent:

  • Customer device ID
  • Customer transaction history
  • Customer’s browser IP address and language
  • Delivery timeframe
  • Merchant category code

This robust set of data allows the issuer bank to better assess the risk level of the transaction and determine whether to approve it or ask the customer to provide additional input to authenticate the payment.

The 3DS2 contextual data will typically allow issuers to approve 95% of all transactions without additional customer authentication requests, significantly reducing the friction of the average online payment transaction.

For the 5% of transactions that the issuer deems too risky to approve without prompting the cardholder for additional information, 3DS2 offers improvements that can eliminate the explicit and cumbersome redirect to the issuing bank’s website. The challenge can be rendered inside the merchant’s checkout page or mobile app, or completed out-of-band in the bank’s own mobile application.
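To make the frictionless-versus-challenge decision concrete, here is an added example (not code from Tevora, EMVCo or any card brand) of a simplified issuer-side risk engine operating on the contextual elements of a 3DS2 authentication request (AReq). The field names follow the EMV 3-D Secure 2.x element naming (purchaseAmount, merchantCategoryCode, deliveryTimeframe, acctInfo, deviceInfo, browserIP, browserLanguage, billAddr*/shipAddr*), and the transaction status values “Y” (authenticated frictionlessly) and “C” (challenge required) are the spec’s transStatus codes. The weights, the challenge threshold, the high-risk MCC list, the country-to-region table and the two sample requests are assumptions constructed for illustration; real issuers use proprietary, continuously tuned models.

```python
"""Illustrative issuer-side (ACS) risk decision over 3DS2 AReq data.

Added example for this post, not Tevora's, EMVCo's or any card brand's code.
Field names follow the EMV 3-D Secure 2.x AReq element names; the weights,
thresholds and lookup tables below are assumptions chosen for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address

# Assumed list of merchant category codes an issuer might treat as elevated risk:
# 4829 (money transfer), 6051 (quasi-cash), 7995 (gambling).
HIGH_RISK_MCCS = {"4829", "6051", "7995"}

# Assumed mapping of ISO 3166-1 numeric billing country to the region part of a
# browser language tag, used only for a weak consistency check.
COUNTRY_REGION = {"840": "US", "826": "GB", "276": "DE", "250": "FR"}

CHALLENGE_THRESHOLD = 50   # assumed: at or above this score, challenge the cardholder


@dataclass
class Decision:
    trans_status: str   # EMV 3DS transStatus: "Y" = frictionless, "C" = challenge required
    score: int
    reasons: list


def risk_score(areq: dict) -> tuple[int, list[str]]:
    """Accumulate risk points from the contextual elements of an AReq."""
    score, reasons = 0, []

    def add(points: int, why: str) -> None:
        nonlocal score
        score += points
        reasons.append(f"+{points} {why}")

    # purchaseAmount is in minor units; purchaseExponent gives the decimal places.
    amount = int(areq.get("purchaseAmount", "0")) / 10 ** int(areq.get("purchaseExponent", "2"))
    if amount >= 500:
        add(25, f"high amount {amount:.2f}")
    if areq.get("merchantCategoryCode") in HIGH_RISK_MCCS:
        add(30, f"high-risk MCC {areq['merchantCategoryCode']}")
    # deliveryTimeframe "01" = electronic delivery: goods are gone the moment fraud succeeds.
    if areq.get("deliveryTimeframe") == "01":
        add(10, "electronic delivery")
    # Cardholder account history the merchant reports in acctInfo.
    acct = areq.get("acctInfo", {})
    if int(acct.get("txnActivityDay", "0")) >= 5:
        add(20, f"velocity: {acct['txnActivityDay']} transactions today")
    if acct.get("suspiciousAccActivity") == "02":   # "02" = suspicious activity observed
        add(40, "merchant flagged suspicious account activity")
    # A missing device fingerprint removes a strong "known device" signal.
    if not areq.get("deviceInfo"):
        add(15, "no device fingerprint")
    # Browser IP: missing, malformed or non-public addresses suggest proxied or tampered data.
    try:
        if not ip_address(areq.get("browserIP", "")).is_global:
            add(20, "browser IP is not a public address")
    except ValueError:
        add(20, "browser IP missing or malformed")
    # Shipping address that differs from billing address is a classic reshipping signal.
    ship = tuple(areq.get(k) for k in ("shipAddrLine1", "shipAddrPostCode", "shipAddrCountry"))
    bill = tuple(areq.get(k) for k in ("billAddrLine1", "billAddrPostCode", "billAddrCountry"))
    if ship != bill:
        add(15, "shipping address differs from billing address")
    # Weak signal: browser language region versus billing country.
    region = areq.get("browserLanguage", "").split("-")[-1].upper()
    expected = COUNTRY_REGION.get(areq.get("billAddrCountry", ""))
    if expected and region != expected:
        add(5, f"browser language region {region} vs billing country {expected}")
    return score, reasons


def authenticate(areq: dict) -> Decision:
    """Issuer decision: approve frictionlessly ("Y") or step up to a challenge ("C")."""
    score, reasons = risk_score(areq)
    return Decision("C" if score >= CHALLENGE_THRESHOLD else "Y", score, reasons)


# Constructed sample AReqs; every value is invented for this example.
LOW_RISK_AREQ = {
    "purchaseAmount": "4999", "purchaseExponent": "2", "purchaseCurrency": "840",
    "merchantCategoryCode": "5411", "deliveryTimeframe": "04",          # grocery, 2+ day shipping
    "acctInfo": {"txnActivityDay": "1", "suspiciousAccActivity": "01"},
    "deviceInfo": "dev-fingerprint-7f3a",
    "browserIP": "93.184.216.34", "browserLanguage": "en-US",
    "billAddrLine1": "1 Main St", "billAddrPostCode": "92614", "billAddrCountry": "840",
    "shipAddrLine1": "1 Main St", "shipAddrPostCode": "92614", "shipAddrCountry": "840",
}
HIGH_RISK_AREQ = {
    "purchaseAmount": "129900", "purchaseExponent": "2", "purchaseCurrency": "840",
    "merchantCategoryCode": "6051", "deliveryTimeframe": "01",          # quasi-cash, electronic
    "acctInfo": {"txnActivityDay": "9", "suspiciousAccActivity": "02"},
    # deviceInfo deliberately absent
    "browserIP": "10.0.0.5", "browserLanguage": "ru-RU",
    "billAddrLine1": "1 Main St", "billAddrPostCode": "92614", "billAddrCountry": "840",
    "shipAddrLine1": "99 Drop Ave", "shipAddrPostCode": "10001", "shipAddrCountry": "840",
}

if __name__ == "__main__":
    for name, areq in (("low risk", LOW_RISK_AREQ), ("high risk", HIGH_RISK_AREQ)):
        d = authenticate(areq)
        print(f"{name}: transStatus={d.trans_status} score={d.score}")
        for r in d.reasons:
            print("   ", r)
```

The point to take from the example is structural rather than the specific weights: each data element the merchant forwards is a signal the issuer can score without involving the cardholder, and only when the accumulated score crosses the issuer’s threshold does the flow step up to a challenge. A merchant that omits elements such as deviceInfo or the account history fields does not just lose marketing benefit; it pushes more of its transactions over that threshold and into the challenge path.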

[Figure: “How 3DS2 Works,” a summary-level depiction of the 3DS2 process developed by Visa Inc.]

What Are the Benefits of 3DS2?

3DS2 improves online purchase security, reduces fraud, enables faster checkout times, and reduces cart abandonment. The following statistics from a recent study[1] by Visa Inc. quantify some of these benefits:

  • Shopper checkout transaction time reduced by 85%.
  • Cart abandonment reduced by 70%.

How Does 3DS2 Relate to PSD2?

The second Payment Services Directive (PSD2) is a European Union directive for electronic payment services that is intended to make payments in the EU more secure.

A key element of PSD2 is the Strong Customer Authentication (SCA) requirement, which dictates how customers must be authenticated. SCA goes beyond traditional username and password authentication. Under SCA, customers must authenticate by providing factors from two of three independent categories, referred to as Knowledge, Possession, and Inherence. These categories are commonly known as:

  1. Something you know (e.g., password or PIN).
  2. Something you possess (e.g., phone or hardware token).
  3. Something you are (e.g., fingerprint or facial recognition).

3DS2 was designed to support the PSD2 SCA requirement. When the issuer challenges the cardholder, the challenge can deliver two independent factors (e.g., approval in the bank’s app on a registered device plus a fingerprint), and when the issuer approves a transaction frictionlessly it is applying a PSD2 exemption or accepting liability. Merchants that implement 3DS2 therefore have a path to meeting SCA, but note that the factors themselves are applied by the issuer, not by the merchant.

Is 3DS2 Mandatory?

The major card brands (e.g., Visa and Mastercard) now require card issuing banks to support 3DS2. Here’s a summary[2] of the adoption deadlines that were used to roll out the 3DS2 issuer mandate in different regions:

Other than in select countries such as South Africa and India, 3DS2 is not required for merchants. However, the 3DS2 improvements over the initial version of 3DS offer many benefits for merchants and cardholders as described above.

What Should We Do to Prepare for 3DS2?

If you are a merchant that currently supports the initial version of 3DS, and you want to move to 3DS2, contact your merchant service provider and find out if they support 3DS2. If so, work with them to identify the changes you will need to make in your environment to support 3DS2. While every merchant service provider will be somewhat different, you’ll likely need to make changes in these general areas:

  • Sophisticated authentication beyond static userid and password.
  • Support for mobile-device payment transactions.
  • No enrollment required.
  • Merchant opt-out option.
  • Additional use cases.
  • Enriched dataset.

If you are a new merchant or new to 3DS, you’ll need to identify a merchant service provider that supports 3DS2 and work with them to develop an implementation plan.

Tevora Can Help

Adopting 3DS2 requires a significant commitment of staff resources, and can be a challenging change for some companies. If you would like help with your transition, Tevora has extensive experience helping merchants adopt and assess compliance with 3DS2 and would be happy to help you make this important move.

Here are some of the reasons that make Tevora uniquely qualified to help with your journey to 3DS2:

  • Payment Security Expertise—In addition to our deep expertise and experience with 3DS2, we have equivalent experience with multiple PCI standards, including PCI DSS, PA-DSS, the PCI Software Security Framework (SSF), and PCI 3DS. As an experienced PCI Qualified Security Assessor (QSA) company, Tevora can assess your compliance with all of these standards. We are also a qualified PCI Forensic Investigator (PFI) and have extensive experience helping clients comply with SWIFT requirements. Our broad scope of payments expertise allows us to help clients achieve compliance with multiple payment security standards as part of the same project, which can significantly reduce demands on your resources and reduce audit fatigue.
  • Partnership—We work with a long-term outlook. We’re motivated to succeed today so we can exceed your expectations again next year. We spend the time to get to know your team and business priorities, which enables us to develop customized solutions, tailor-made to meet your unique requirements. And we’re committed to delivering security solutions that you can sustain and maintain long term, so training and equipping are always an integral part of our projects.
  • Dedication—Our dedicated team of experts is laser-focused on keeping your brand and environment safe. We are committed to providing high-quality services and meeting tight timelines while maintaining flexibility to adapt with you as business conditions change. Going above and beyond is just another day at the office for us.
  • Proven Compliance Approach—Our proven approach puts you on a fast track to payments and PCI compliance. Here’s a summary of the process steps we follow:

Additional Resources

Below are additional resources that provide a deeper dive on the topics covered in this blog post:

Contact Us

If you have questions about 3DS2 or would like help becoming compliant with this important standard, just give us a call at (833) 292-1609 or email us at sales@tevora.com.

[1] “Frictionless Experience with Verified by Visa,” a risk-based authentication case study.

[2] Summary developed by Braintree
