Explained: 3D Secure 2 (3DS2) and Payment Authentication

September 9, 2020

The more you sell online, the more opportunities there are for fraudsters. Luckily, there are measures you can take to protect your customers and secure your revenue. One of these measures is 3DS2. Unfortunately, 3DS2 isn’t a one-stop-shop solution. While offering fraud protection, it also diminishes customer experience and curbs revenues.

3DS

First introduced in 2001 by EMV, 3D Secure, known by its acronym 3DS, quickly became the standard anti-fraud measure in the industry. So how does 3DS work? Whenever customers initiate a purchase on the web, they are redirected to a secure page on their card provider’s website. There they are prompted to enter either a password or an authentication code sent to their mobile phone. Once the information is verified, the payment is approved and the customer is redirected back to the merchant’s website.

By adding a security layer to online transactions, 3D Secure made it a lot harder for fraudsters to steal; it lowered transaction costs, increased trust among online customers and shifted liability away from merchants. And yet it also had various drawbacks that only became worse over time.

For the average consumer, being redirected to a separate website and asked for a code turned out to be less straightforward than expected. This led to abandoned carts and lost revenue. Moreover, when 3DS was introduced in 2001, mobile commerce was non-existent, so the flow was never designed with mobile devices in mind.

3DS2

The follow-up to the original 3D Secure brings much-needed improvements to security and user-friendliness. To grasp these changes, we need to understand what 3DS2 is meant to accomplish. The new standard, 3DS2, has been developed in line with the regulations outlined in the European Union’s Revised Payment Services Directive (PSD2).

PSD2 outlines the rules and regulations by which all players within the European payments industry must abide in order to protect consumers, secure payments and foster healthy competition within the market.

One of the practical results of the Revised Payment Services Directive is Strong Customer Authentication (SCA), a European regulatory requirement. For transactions to comply with SCA, customers are required to identify themselves using multi-factor authentication. In other words, they must present two out of three of the following independent factors: Knowledge (something they know, e.g. password/PIN), Possession (something they own, e.g. mobile phone, token) and Inherence (something they are, e.g. biometrics, voice/facial recognition).

In other words: 3DS2, the new version of 3D Secure, is meant to be SCA compliant. Being SCA compliant has many benefits that go beyond fraud prevention. With 3DS2, issuing banks are provided with over 100 data points that help them identify users and authenticate payments.

3DS2 today: What are the latest features

In its current iteration, 3DS2 supports soft declines and merchant-initiated transactions, enhancing both flexibility and security to provide a better checkout experience for customers and merchants alike. Additionally, other key updates included are delegated and decoupled authentication, which allow merchants to authenticate transactions on behalf of issuing banks and separate the authentication process from the main transaction flow.

3DS 2.3 builds upon these advancements by optimizing data exchange between merchants and issuers, improving transaction approval rates without always sacrificing security. Additionally, more user interface enhancements have been introduced to make the authentication process more intuitive and efficient, while automated out-of-band transitions simplify confirmation for transactions requiring authentication through separate channels. Device binding support enables quicker authentication for subsequent transactions, and support for recurring transaction data enhances visibility and simplifies authentication for recurring charges.

Moreover, collaboration with industry standards bodies such as the W3C and the FIDO Alliance underscores 3DS2's focus on verifying transaction legitimacy, another effort to raise security standards.

Where 3DS2 falls short: adoption, compatibility & user experience

Even though 3DS2 provides many benefits, it’s not without problems. There are many credit cards, issued both within and outside the EU, that either do not have 3DS codes enabled or lack SCA compliance on mobile devices.

In many situations, 3DS2 is also an unnecessary burden on the consumer. Every consumer is required to undergo the exact same extra security checks, while every consumer and every purchase can be different.

Therefore, by protecting your revenue with these anti-fraud measures, you are also turning away potential customers in the worst way: by disappointing them at checkout.

As a merchant, you need to keep in mind that although the fraud risk is reduced, you are also lowering conversion rates and limiting your overall revenue. In many cases, the loss of potential revenue is higher than the total cost of fraud and chargebacks combined.

Recommended reading
This article is an excerpt. For a thorough review of 3DS2 and information on how to avoid the problems caused by 3DS2, check out the following resource:
https://alphacomm.io/blog/how-to-combat-payment-fraud-without-losing-revenue/

Additional insights about securing payments

Knowing what secure digital payments require is crucial for ensuring both safety and efficiency in your transactions. The landscape of digital payments is rapidly evolving, driven by advances in technology and increasing consumer demand for convenience.

Strong customer authentication (SCA) is a critical element in enhancing the security of payment transactions. It requires the use of at least two independent factors to verify the identity of a user, making it much harder for unauthorised parties to gain access. This is particularly important for online card payments, where the risk of fraud is higher.

Another vital concept is risk-based authentication. This approach tailors the security measures to the level of risk associated with a particular transaction. For instance, a transaction risk analysis might consider a user's previous transaction history to determine whether additional verification steps are necessary.
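The following is an added illustration, not code from the original article or from any 3DS2 implementation. It models in miniature the two ideas above: the SCA rule that presented factors must span two independent categories, and a risk-based decision that skips the challenge for low-risk purchases (bound device, amount in line with history) and requires one otherwise. The factor names, scoring weights and threshold are assumptions chosen for the example; the outcome letters mirror the 3DS2 transaction status convention (Y authenticated, C challenge required, N not authenticated) in simplified form.

```python
from dataclasses import dataclass, field
from decimal import Decimal

# PSD2 SCA categories; factor names are constructed for this example.
FACTOR_CATEGORY = {
    "password": "knowledge", "pin": "knowledge",
    "sms_otp": "possession", "hardware_token": "possession",
    "fingerprint": "inherence", "face": "inherence",
}

def satisfies_sca(presented):
    """SCA needs two *independent* factors: two distinct categories,
    so password + PIN (both knowledge) does not count."""
    categories = {FACTOR_CATEGORY[f] for f in presented if f in FACTOR_CATEGORY}
    return len(categories) >= 2

@dataclass
class Transaction:
    amount: Decimal
    device_id: str
    merchant_initiated: bool = False  # e.g. a recurring charge set up earlier

@dataclass
class CardProfile:
    bound_devices: set = field(default_factory=set)   # device binding
    prior_amounts: list = field(default_factory=list)  # approved history

def risk_score(tx, profile):
    """Assumed weights: unknown device, thin history, unusual or large amount."""
    score = 0
    if tx.device_id not in profile.bound_devices:
        score += 40
    if profile.prior_amounts:
        if tx.amount > 3 * max(profile.prior_amounts):
            score += 30
    else:
        score += 20
    if tx.amount > Decimal("500"):
        score += 20
    return score

def decide(tx, profile, threshold=50):
    """'Y' = frictionless approval, 'C' = cardholder challenge required.
    Merchant-initiated transactions have no cardholder present, so this
    simplified model approves them on the stored history alone."""
    if tx.merchant_initiated:
        return "Y"
    return "Y" if risk_score(tx, profile) < threshold else "C"

def complete_challenge(tx, profile, presented):
    """Apply the SCA rule; on success bind the device so the next purchase
    from it can go frictionless, and record the amount as history."""
    if not satisfies_sca(presented):
        return "N"
    profile.bound_devices.add(tx.device_id)
    profile.prior_amounts.append(tx.amount)
    return "Y"
```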

In the context of payment systems, the payment flow needs to be smooth yet secure. This is where the security protocol known as 3D Secure 2 (3DS2) comes into play. It introduces a more streamlined and user-friendly challenge flow compared to the older 3D Secure 1.

One of the significant improvements in 3DS2 is its ability to integrate with mobile apps and mobile devices, recognising the growing trend of mobile commerce. This ensures that users can enjoy a seamless experience while maintaining high levels of security.

The role of the access control server (ACS) is also pivotal in this setup. The ACS is responsible for authenticating the cardholder during an online transaction, ensuring that the payment provider and the consumer are protected from potential fraud.

Traditional methods such as static passwords are increasingly being replaced due to their vulnerability to breaches. Modern payment providers are now focusing on more robust solutions that can dynamically adapt to the risk level of each transaction.

In summary, understanding these elements - from strong customer authentication to mobile apps, and the functionality of the access control server - is essential for navigating and securing the modern payment flow. By staying informed about these practices and technologies, users and payment providers alike can ensure a safer environment for digital payments.
