3D Secure Authentication: The Complete Guide
Builds an additional layer of security into the payments process
In 2020 alone, more than two billion people purchased goods or services online, and global retail eCommerce sales grew more than 25 percent. The total number of card-not-present (CNP) transactions has likewise increased; with a 9 percent compound annual growth rate, CNP transactions are on track to overtake card-present transactions by 2023.
Though convenient, these transactions introduce additional risk to the payments process: Without the card or cardholder physically present, it is far more challenging to authenticate the transaction. According to a study from Juniper Research, merchants are projected to lose approximately $130 billion USD to CNP fraud between 2018 and 2023.
As eCommerce continues its meteoric ascent, it is clear that merchants need to implement stronger fraud and identity theft prevention methods, which is where 3D Secure authentication enters the picture. 3D Secure authentication is a security protocol that enables merchants to safeguard online transactions, as well as comply with the EU Revised Directive on Payment Services’ (PSD2) strong customer authentication standard.
Keep reading to learn more about this important security measure and how it helps merchants maintain regulatory compliance.
What is 3D Secure authentication?
3D Secure authentication — also known as 3DS or payer authentication — is a security protocol designed to reduce the risk of fraud, identity theft and other illicit activities during CNP transactions. 3DS gets its name from the fact that it is based on a three-domain model; each domain refers to one of the parties involved in the authentication process:
- Acquirer Domain: The bank or merchant to which money is being paid
- Issuer Domain: The cardholder’s issuing bank
- Interoperability Domain: The underlying systems that support 3DS
At a high level, 3DS authentication works by sending Extensible Markup Language (XML) messages over Secure Sockets Layer (SSL) connections with client authentication. This process relies on digital certificates to verify the identities of the different parties involved in the transaction.
Arcot Systems (now CA Technologies) developed 3D Secure authentication in 1999, and Visa was the first major card scheme to bring it to market in the form of Visa Secure in 2001. As noted, 3DS has gained popularity in recent years for its ability to support PSD2 compliance.
Originally adopted in 2015 and fully implemented in 2019, PSD2 is a European regulation designed to make electronic payments more secure and to create a more integrated European payments market. As such, PSD2 includes a strong customer authentication (SCA) standard which stipulates that multi-factor authentication (MFA) must be applied to all electronic payments in order to ensure the security of transactions. 3DS authentication satisfies PSD2’s SCA requirement, which led to widespread adoption of the protocol. Today, multiple card schemes offer their own branded version of 3DS, including Mastercard Identity Check, Discover Global Network ProtectBuy and American Express SafeKey.
What is 3D Secure Authentication 2.0?
Despite its initial success, 3D Secure authentication faced numerous complaints from consumers, largely due to its incompatibility with different devices and mobile browsers. These complaints were justified: Given that it was invented in 1999, the original iteration of 3DS was never designed to accommodate mobile devices and platforms. As a result, it struggled to keep up with the pace of change. As it began to decline legitimate transactions at an increasing rate, it became apparent that 3DS was in need of an upgrade.
In 2018, EMVCo — a consortium between Visa, American Express, Mastercard, China UnionPay, Discover and JCB — introduced 3D Secure 2.0. Compared to 3DS 1.0, 3DS 2.0 includes a software development toolkit that supports native integration with mobile applications. Additionally, rather than require consumers to complete authentication steps at checkout, with 3DS 2.0, issuers’ Access Control Server (ACS) platforms conduct risk-based and biometric authentication in the background, entirely out of sight. Consumers only need to provide additional authentication information if the ACS platform detects a high risk.
Ultimately, 3D Secure authentication 2.0 is designed to deliver a consistent customer experience across all platforms and devices, enhance payment orchestration and create frictionless flows, while allowing for a better overall consumer experience. According to research from Visa, 3DS 2.0 is expected to reduce checkout times by 85 percent and lead to a 70 percent reduction in cart abandonment. Merchants benefit as well: In addition to reducing fraud risk, 3DS 2.0 shifts liability for 3DS transactions to the issuer, eliminating chargebacks.
Updates to 3DS 2.0 have introduced additional enhancements. 3DS 2.1 increased the number of data elements that merchants are able to send to issuers at the point of transaction to 100. By accessing richer datasets, issuers are able to assess potential risk at a more rapid rate, further optimizing frictionless flow. Updates included in 3DS 2.2 enable merchants to request exemptions through their acquirer, issuers to use third parties for delegated authentication and users to conduct authentication outside of the main authentication flow.
How do 3DS and 3DS 2.0 authentication work?
As noted, 3D Secure authentication uses a combination of XML messages, SSL connections, digital certificates and client authentication to confirm the identities of the different domains involved in an electronic transaction. At a high level, a typical 3DS 1.0 flow looks something like this:
- A consumer visits a merchant’s website and enters their card information at checkout when they’re ready to make a purchase.
- The merchant’s payments gateway automatically sends transaction details and a 3D Secure verification request to the cardholder’s issuing bank.
- The issuer consults its internal records to determine whether that card is registered for 3DS services.
- If the card is enrolled in 3DS, the issuer will send a verification response to the merchant, along with a URL to its ACS platform; if the card is not enrolled in 3DS, the merchant will receive an automated message notifying them, at which point they must decide whether to carry on without 3DS or end the transaction flow.
- The merchant uses the URL to redirect the cardholder to the issuer’s ACS platform, where they will be prompted to verify their identity; common identity verification methods include entering a unique password, answering a security question, fingerprint identification, bank app approval and using a URL sent via SMS on the cardholder’s phone.
- If the cardholder enters the correct password or provides the correct answer to the security question, they’re redirected back to the merchant’s website, where they will receive confirmation of a successful payment.
Though this process helped increase payments security, it was not without flaws. In addition to experiencing compatibility issues, many consumers felt that the additional step in the payment process was unnecessary — even frustrating — while others questioned the authenticity of 3DS pop-ups and/or redirects. Both scenarios led to a significant increase in cart abandonment, which prompted merchants in certain regions to eliminate 3D Secure authentication entirely and instead conduct their own internal fraud screenings.
Similarly, consumers with multiple cards began to favor issuers who did not require authentication. In order to compete for wallet share, many issuers started to adopt Dynamic 3DS, a version of 3DS in which only high-risk transactions are redirected for authentication. Given that 3DS shifts chargeback liability from merchants to issuers, the widespread adoption of Dynamic 3DS resulted in more lax fraud screening tactics amongst merchants, which led to a spike in fraudulent activity. At the same time, with less visibility and intelligence to reference, issuers began to decline transactions at an increasing rate. According to research from Javelin, nearly $118 billion USD in revenue was lost in 2014 alone due to false-positive declines in online transactions.
In an effort to protect their own best interests, merchants, issuers and even acquirers had all lost sight of their shared purpose: to mitigate fraud. Therefore, 3DS 2.0 was devised as a means of reestablishing alignment between these various parties and strengthening protections for consumers. Integral to this is the introduction of frictionless flows — that is, authentication flows that take place without additional input from the consumer.
Based on the updated protocol, a 3D Secure authentication 2.0 flow should look something like this:
- A consumer visits a merchant’s website and enters their card information at checkout when they’re ready to make a purchase.
- The merchant’s payment gateway automatically sends transaction details and a 3DS 2.0 verification request to the cardholder’s issuing bank.
- The issuer consults its internal records to determine whether that card is registered for either 3DS 1.0 or 2.0 services:
- If the card is enrolled in 3DS 1.0, it automatically triggers a traditional 3DS 1.0 authentication flow (shown above).
- If the card is enrolled in 3DS 2.0, the issuer initiates a 3DS 2.0 authentication flow (see below).
- If the card is not enrolled in either 3DS 1.0 or 2.0, the flow automatically stops.
- The issuer must determine whether it is possible to complete a frictionless authentication:
- If the issuer determines that a transaction is low-risk and a frictionless authentication is possible, it runs a fraud screening and risk assessment in the background, without input from the consumer.
- If the issuer determines that a transaction is high-risk and a frictionless authentication is not possible, it initiates a challenge authentication flow, which operates in much the same way as a traditional 3DS 1.0 authentication flow.
The key distinction between a 3DS 2.0 challenge authentication flow and a 3DS 1.0 traditional authentication flow is that with the former, the cardholder is required to verify their identity using either a one-time authentication code (provided by the issuer) or biometric data.
- The cardholder receives confirmation of a successful payment on the merchant’s website.
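The branching described in the flow above can be made concrete with a small simulation. The following is an added example, not code from the article, from EMVCo or from any vendor SDK: the message shapes, the enrollment table, the toy risk rule (unfamiliar device or large amount) and the six-digit one-time code are all constructed for illustration. What it shows is the merchant-side decision path: enrollment lookup (1.0 / 2.0 / none), the issuer's frictionless-versus-challenge decision, and a challenge that is verified with a constant-time comparison and a single-use code.

```python
"""Simplified model of the 3D Secure 2.0 decision flow (added example).

Not EMVCo specification code: field names, the risk rule and the
challenge mechanism are constructed to mirror the branches the text
describes, nothing more.
"""
from dataclasses import dataclass, field
from enum import Enum
import hmac
import secrets


class Outcome(Enum):
    NOT_ENROLLED = "not_enrolled"          # flow stops; merchant decides how to proceed
    LEGACY_3DS1 = "3ds1_flow"              # traditional 3DS 1.0 redirect flow
    FRICTIONLESS = "frictionless"          # authenticated in the background
    CHALLENGE_PASSED = "challenge_passed"  # cardholder supplied the correct one-time code
    CHALLENGE_FAILED = "challenge_failed"


@dataclass
class Transaction:
    pan_last4: str      # constructed card identifier, never a real PAN
    amount_eur: float
    device_id: str      # one of the device data points the issuer receives


@dataclass
class Issuer:
    """Constructed issuer: enrollment table, device history and a toy risk rule."""
    enrollment: dict                       # pan_last4 -> "2.0" | "1.0" (absent = not enrolled)
    known_devices: dict                    # pan_last4 -> set of device ids seen before
    high_risk_amount_eur: float = 250.0
    pending_codes: dict = field(default_factory=dict)

    def lookup(self, tx):
        return self.enrollment.get(tx.pan_last4)

    def risk_is_high(self, tx):
        # Toy risk-based authentication: unfamiliar device or unusually large amount.
        seen = self.known_devices.get(tx.pan_last4, set())
        return tx.device_id not in seen or tx.amount_eur > self.high_risk_amount_eur

    def start_challenge(self, tx):
        # In practice the code is delivered out of band (bank app, SMS); here it is returned.
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending_codes[tx.pan_last4] = code
        return code

    def verify_challenge(self, tx, submitted):
        # pop() makes each code single-use; compare_digest avoids timing leaks.
        expected = self.pending_codes.pop(tx.pan_last4, None)
        return expected is not None and hmac.compare_digest(expected, submitted)


def run_3ds2_flow(issuer, tx, cardholder_answers):
    """cardholder_answers(code_sent) returns whatever the cardholder types back."""
    version = issuer.lookup(tx)
    if version is None:
        return Outcome.NOT_ENROLLED
    if version == "1.0":
        return Outcome.LEGACY_3DS1
    if not issuer.risk_is_high(tx):
        return Outcome.FRICTIONLESS
    code = issuer.start_challenge(tx)
    if issuer.verify_challenge(tx, cardholder_answers(code)):
        return Outcome.CHALLENGE_PASSED
    return Outcome.CHALLENGE_FAILED


def sample_issuer():
    """Constructed state: card 1111 is 3DS 2.0 enrolled and known on dev-A,
    card 2222 is only 3DS 1.0 enrolled, card 3333 is not enrolled at all."""
    return Issuer(enrollment={"1111": "2.0", "2222": "1.0"},
                  known_devices={"1111": {"dev-A"}})


def answer_correctly(code):
    return code          # cardholder reads the code from their bank app


def answer_wrongly(code):
    return "bad"         # three characters can never match a six-digit code


def demo_scenarios():
    issuer = sample_issuer()
    return {
        "low_risk_known_device": run_3ds2_flow(issuer, Transaction("1111", 20.0, "dev-A"), answer_correctly),
        "new_device_passes_challenge": run_3ds2_flow(issuer, Transaction("1111", 20.0, "dev-B"), answer_correctly),
        "large_amount_fails_challenge": run_3ds2_flow(issuer, Transaction("1111", 900.0, "dev-A"), answer_wrongly),
        "legacy_card": run_3ds2_flow(issuer, Transaction("2222", 20.0, "dev-A"), answer_correctly),
        "not_enrolled": run_3ds2_flow(issuer, Transaction("3333", 20.0, "dev-A"), answer_correctly),
    }


if __name__ == "__main__":
    for name, outcome in demo_scenarios().items():
        print(f"{name:30s} -> {outcome.value}")
```

Two details carry over to real deployments: a challenge code must be consumed on first use so that a captured code cannot be replayed, and the merchant should treat NOT_ENROLLED as a business decision (continue without 3DS, or stop) rather than a silent success.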
In addition to changing the authentication process, 3DS 2.0 makes it so all stakeholders have access to and can share richer datasets for more comprehensive fraud screening and risk assessment. These datasets can include up to 100 data points, including a consumer’s geolocation, device ID, transaction history and more, with a minimum requirement of 20 data points per exchange.
3DS 2.0 also offers greater flexibility by enabling merchants to request transaction risk analysis (TRA) exemption for low-risk transactions. Merchants that receive TRA exemption approval are able to automatically bypass the authentication process. If, however, the issuer sees suspicious activity on the card, it can issue a soft decline, which prompts the standard 3DS authentication flow.
Other SCA exemptions that apply to merchants that use 3DS 2.0 include:
- Contactless Payments at Point of Sale: Merchants may bypass the authentication process if the value of the transaction does not exceed €50; the cumulative limit of consecutive contactless transactions without application of SCA does not exceed €150; OR the number of consecutive contactless transactions since the last application of SCA does not exceed five.
- Unattended Transport and Parking Terminals: Merchants may bypass the authentication process for transactions that take place at unattended terminals for transport fares and parking fees.
- Trusted Beneficiaries: Merchants may bypass the authentication process if the payer has designated them as a trusted merchant and added them to their issuer’s list of trusted beneficiaries. In order for a merchant to qualify for this exemption and avoid the application of SCA to future transactions, the payer must first complete an SCA challenge.
- Recurring Transactions: Merchants may bypass the authentication process on a series of transactions of the same amount made to the same payee. Note that SCA must be applied either when the series is first set up or to the initial transaction in the series (provided the first transaction is set up by the payee).
- Low-Value Transactions: Merchants may bypass the authentication process on remote transactions that do not exceed €30, provided velocity limits are met. Additional conditions include that the cumulative limit of consecutive contactless transactions without application of SCA must not exceed €100; OR the number of consecutive contactless transactions since the last application of SCA must not exceed five.
- Secure Corporate Payments: Merchants may bypass the authentication process on payments made through dedicated corporate processes and protocols.
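The exemption list above is, in effect, a rule set, and the following added example encodes it as one. This is not code from the article or from any payment provider: the Payment and PayerProfile records and the per-card velocity counters are constructed for illustration, and the rule order is a design choice. The thresholds (€50 / €150 / five for contactless, €30 / €100 / five for low-value remote) are the ones stated in the text; the two velocity limits are joined with OR, as the text does. A result of None means no exemption applies and the payment goes through 3DS authentication, which also resets the velocity counters.

```python
"""Evaluator for the PSD2 SCA exemptions listed in the text (added example)."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Velocity:
    """Activity on the card since SCA was last applied (constructed bookkeeping)."""
    cumulative_eur: float = 0.0   # value of prior exempted transactions
    count: int = 0                # number of prior exempted transactions


@dataclass
class PayerProfile:
    trusted_beneficiaries: frozenset = frozenset()          # payee ids added after an SCA challenge
    recurring_series: dict = field(default_factory=dict)    # payee id -> fixed amount agreed under SCA
    contactless: Velocity = field(default_factory=Velocity)
    remote: Velocity = field(default_factory=Velocity)


@dataclass
class Payment:
    payee_id: str
    amount_eur: float
    channel: str                          # "contactless_pos", "remote" or "unattended_terminal"
    terminal_type: Optional[str] = None   # "transport" or "parking" for unattended terminals
    corporate_process: bool = False       # initiated through a dedicated corporate process


# Thresholds as stated in the text.
CONTACTLESS_MAX, CONTACTLESS_CUM, CONTACTLESS_COUNT = 50.0, 150.0, 5
LOW_VALUE_MAX, LOW_VALUE_CUM, LOW_VALUE_COUNT = 30.0, 100.0, 5


def _within_velocity(v, cum_limit, count_limit):
    # The text joins the two limits with OR: satisfying either one is enough.
    return v.cumulative_eur <= cum_limit or v.count <= count_limit


def sca_exemption(p: Payment, payer: PayerProfile) -> Optional[str]:
    """Return the name of the first applicable exemption, or None if SCA is required."""
    if p.corporate_process:
        return "secure_corporate_payment"
    if p.channel == "unattended_terminal" and p.terminal_type in ("transport", "parking"):
        return "unattended_transport_parking"
    if p.payee_id in payer.trusted_beneficiaries:
        return "trusted_beneficiary"
    if payer.recurring_series.get(p.payee_id) == p.amount_eur:
        return "recurring_transaction"     # same amount, same payee, series set up under SCA
    if (p.channel == "contactless_pos" and p.amount_eur <= CONTACTLESS_MAX
            and _within_velocity(payer.contactless, CONTACTLESS_CUM, CONTACTLESS_COUNT)):
        return "contactless_pos"
    if (p.channel == "remote" and p.amount_eur <= LOW_VALUE_MAX
            and _within_velocity(payer.remote, LOW_VALUE_CUM, LOW_VALUE_COUNT)):
        return "low_value_remote"
    return None


def record_outcome(p, payer, exempted):
    """Velocity bookkeeping: exempted payments accumulate, an SCA challenge resets."""
    counters = {"contactless_pos": payer.contactless, "remote": payer.remote}
    v = counters.get(p.channel)
    if v is None:
        return
    if exempted:
        v.cumulative_eur += p.amount_eur
        v.count += 1
    else:
        v.cumulative_eur, v.count = 0.0, 0


def simulate(payments, payer):
    """Run a sequence of payments for one payer, returning the exemption (or None) for each."""
    results = []
    for p in payments:
        exemption = sca_exemption(p, payer)
        record_outcome(p, payer, exempted=exemption is not None)
        results.append(exemption)
    return results


if __name__ == "__main__":
    payer = PayerProfile()
    # Constructed sample: seven €40 contactless taps in a row without any SCA in between.
    for i, r in enumerate(simulate([Payment("cafe", 40.0, "contactless_pos")] * 7, payer), 1):
        print(f"tap {i}: {r or 'SCA required'}")
```

The simulation shows why velocity tracking matters: with the two limits joined by OR, the cumulative €150 ceiling is crossed on the fifth tap, but the transaction count still permits exemptions until the sixth; only the seventh tap exceeds both limits and triggers SCA, which then resets the counters.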
Why should you care about 3D Secure payments?
3D Secure payments offer substantial benefits to both merchants and consumers, including:
- More Secure Payments: 3D Secure authentication builds an additional layer of security into the payments process, which supports fraud protection by ensuring that merchants only accept payments from legitimate sources. And by increasing the total number of data points that stakeholders are permitted to exchange, 3DS 2.0 allows for more comprehensive risk-based authentication.
- An Optimized User Experience: Updates included in 3DS 2.0 make the protocol compatible with all devices and all mobile browsers, while eliminating slow loading speeds and clunky interfaces in the process. 3DS 2.0 allows for a more consistent customer experience, enabling consumers to securely shop from their device of choice with confidence.
- Increased Brand Loyalty: 3D Secure authentication prevents consumers’ card credentials from being accessed by unauthorized parties and distributed online; this provides consumers with the peace of mind of knowing that their transactions are hassle-free and secure, which can improve a brand’s reputation with the public, reduce cart abandonment rates, increase sales volumes and drive customer loyalty.
- Chargeback Liability Shift: 3DS 2.0 shifts liability for chargebacks due to fraud from merchants to issuers, which reduces fees for merchants and safeguards them from unauthorized transaction chargebacks.
- Enhanced Compliance: 3D Secure authentication meets PSD2 SCA requirements, thereby ensuring PSD2 compliance.
What else should you know about 3D Secure authentication?
Before taking any steps to implement 3D Secure authentication, there are a few things merchants should know:
- Not all card schemes currently support 3DS, though this is likely to change as 3DS 2.0 becomes more widespread. Card schemes that currently support 3DS 2.0 include Visa 3D Secure 2 Verified by Visa, Mastercard Identity Check, American Express SafeKey 2.0, J/Secure by Japan Credit Bureau, Discover ProtectBuy and UnionPay 3D Secure 2.0.
- 3DS does not prevent chargebacks from happening, but rather reduces the cost associated with fraudulent chargebacks.
- 3DS 2.0 is mandated in many regions; however, it is not yet mandated in the United States. Additionally, issuers in the U.S. do not offer the same technical flows, such as soft declines, as connectors in other regions. Based on these factors, it seems unlikely that U.S. merchants will adopt 3DS 2.0 unless major industry leaders such as Amazon choose to do so first. Instead, it’s more likely that U.S. merchants will adopt delegated authentication, as it offers a statistically lower risk of fraud than standard credit card payments.
- 3DS 2.0 eliminates many of the pain points associated with 3DS 1.0 — in fact, according to Visa, 95 percent of transactions using 3DS are low risk and do not require additional authentication. Although 5 percent of 3DS 2.0 transactions will still require additional authentication, this is a significant improvement over 3DS 1.0 and will substantially reduce fraud rates.
A solid 3D Secure payment strategy starts with a robust profiling solution with a deep understanding of fraud. ACI Fraud Management for Merchants is an industry-leading fraud prevention solution with built-in cost calculation and ROI visualization tools designed to help merchants better assess and manage risk and make more informed decisions.
Contact us today to learn more about this or any of ACI Worldwide’s innovative real-time payment solutions.