3DS 2.0 and how it shields merchants and consumers alike

Card-not-present (CNP) transactions such as those conducted online are inherently riskier than those made by a customer with a physical card in hand. 

To address these vulnerabilities, Visa first adopted a 3-domain secure protocol known as Visa Secure in 2001 that was eventually implemented and customized by the other major card companies. 

Now over two decades later, the 3D Secure platform has been enhanced to reflect today’s security and authentication challenges.

What is 3D Secure?

3D Secure authentication, sometimes known as 3DS or payer authentication, has been designed to reduce fraud, identity theft and other cyber crimes that frequently occur during the CNP transaction process. 

There are three separate parties or domains that are involved in this new form of authentication.

First, there is the acquirer domain. This is the merchant or bank who is to receive the payment. The issuer domain is the cardholder’s financial institution who is paying the funds. Finally, there is the interoperability domain, the underlying infrastructure that supports the 3DS system.

3DS 2.0 is the updated version of the protocol. Its creation was spurred on by the need to comply with the new PSD2 regulation that came into full force in 2019 in the European Union. 

PSD2 seeks to enhance the security of online payments via a strong customer authentication (SCA) standard that requires multi-factor authentication (MFA) on all transactions. Since 3D Secure 2.0 meets this standard, it has quickly been embraced by the major financial players in the form of brands such as Mastercard Identity Check, American Express SafeKey and Discover Global Network ProtectBuy.

How 3D Secure has improved

Today’s technological landscape is worlds away from what the protocol’s original creators contended with at the dawn of the new century. Mobile devices and platforms were nothing more than a far-off whisper back then. 

As a result, the original 3DS fell further and further behind, unable to keep up with the pace and diversity of the systems it was meant to safeguard.

As a direct result of these issues, a coalition of representatives from various major card companies known as EMVCo rolled out their solution: 3DS 2.0. This improved 3DS payment processing solution and new approach to authentication comes with a software development toolkit that supports integration with modern mobile applications. 

In addition, it removes the need for customers to complete time-consuming authentication steps during checkout – all without sacrificing data integrity.

3DS 1.0 and 3DS 2.0 in action

To fully grasp how the upgrade has enhanced this security protocol, let’s take a look at the steps that take place with each. 

With 3DS 1.0, a customer enters their card information during checkout. The seller’s payment gateway then transmits transaction details and a 3DS verification code to the cardholder’s bank. 

The issuer checks to see if the user is enrolled in 3DS. If so, it sends a verification response and a link to its ACS platform. If there is no record that the card is enrolled, the merchant will be notified of this via an automated message.

Next, the merchant uses the provided URL to redirect the customer to the bank’s ACS platform where they can enter additional details to verify their identity. Options include answering a security question, entering a password, fingerprint identification, bank app approval or clicking on a URL sent via text to the customer’s phone. 

As long as identity verification is successful, the customer will be sent back to the merchant’s website and notified that the payment was successful.

By contrast, 3DS 2.0 does not contain pop-ups, nor does it redirect customers to a different page. Furthermore, the identity verification process is conducted behind the scenes; customers are only asked to furnish additional details if the system has incomplete information or suspects potential fraud.

The 3DS 2.0 flow is much smoother. This is how it works: A customer enters their card information at checkout. The payment gateway transmits details and a 3DS 2.0 verification request to the customer’s bank. 

The issuer determines whether the card is registered for 3DS 1.0 or 2.0. If the former is the case, a traditional 3DS 1.0 authentication flow occurs. If the latter is registered, the issuer then investigates whether it is possible to conduct a frictionless authentication or if more information is needed from the customer.

If the transaction is low-risk, the issuer runs a fraud screening and risk assessment behind the scenes without involving the customer at all. If, however, risk is deemed higher and frictionless authentication is not possible, a challenge authentication flow is initiated. 

This looks a lot like what happens with the old-school 3DS 1.0.

The key distinction between 3DS 1.0 and 2.0 authentication involves how the cardholder verifies their identity. In the upgraded 3DS, this can only happen by entering a one-time verification code provided by the issuer or by submitting biometric data such as a fingerprint or facial ID. 

Once the identity details are approved, confirmation of a successful payment is displayed on the seller’s website.

3DS 2.0 also enhances the data sets that are available to merchants to aid in the fraud detection process. With 3DS 2.0, sellers now can view up to 100 data points, including the buyer’s geolocation, transaction history and device ID. 

Merchants can even request transaction risk analysis (TRA) exemptions that allow the authentication process to be bypassed altogether for low-risk transactions. Even so, the issuer can still issue a soft decline that red-flags the purchase and prompts the initiation of a standard 3DS authentication protocol if the situation warrants.
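
The decision flow described above, written out from the merchant's side as an added example (not code from this article or from any card scheme or gateway). The messages are constructed and simplified; `messageVersion`, `transStatus` and `acsURL` follow EMV 3DS field naming, while `challengeResult` and the `auth_result` labels are hypothetical.

```python
from enum import Enum

class Action(Enum):
    AUTHORIZE = "send authorization with authentication data"
    CHALLENGE = "show issuer challenge (one-time code or biometric)"
    FALLBACK_3DS1 = "run the 3DS 1.0 redirect flow"
    DECLINE = "stop: do not authorize"

def after_authentication(ares: dict) -> Action:
    """Map the issuer's authentication response to the merchant's next step."""
    version = str(ares.get("messageVersion", ""))
    if version.startswith("1."):
        return Action.FALLBACK_3DS1      # simplification: card registered for 3DS 1.0 only
    if not version.startswith("2."):
        return Action.DECLINE            # unknown protocol version: fail closed
    status = ares.get("transStatus")
    if status == "Y":
        return Action.AUTHORIZE          # frictionless: issuer's risk check passed silently
    if status == "C":
        # A challenge is only usable if the issuer said where to send the cardholder.
        return Action.CHALLENGE if ares.get("acsURL") else Action.DECLINE
    # N, R, U, A, missing or unexpected values: this example fails closed.
    return Action.DECLINE

def checkout(tra_exemption: bool, auth_result: str, ares: dict) -> list:
    """Return the ordered steps for one purchase.

    auth_result is a constructed label for the issuer's reply to an
    exemption-flagged authorization: "approved" or "soft_decline".
    """
    steps = []
    if tra_exemption:
        steps.append("authorize with TRA exemption, no 3DS")
        if auth_result == "approved":
            return steps
        if auth_result != "soft_decline":
            return steps + [Action.DECLINE.value]
        # Soft decline: the issuer wants the purchase authenticated first.
        steps.append("soft decline: authentication required")
    action = after_authentication(ares)
    steps.append(action.value)
    if action is Action.CHALLENGE:
        # Hypothetical field: outcome reported once the cardholder finishes the challenge.
        ok = ares.get("challengeResult") == "Y"
        steps.append(Action.AUTHORIZE.value if ok else Action.DECLINE.value)
    return steps
```

Any status the handler does not recognise ends in a decline, so a malformed or tampered response can never be read as a successful authentication.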

Benefits of 3D Secure 2.0 payments

There are several reasons to incorporate 3D Secure authentication into your business model. The protocol helps to ensure that you only receive payments from verified, legitimate sources. 3DS 2.0 makes risk-based authentication even more comprehensive with its enhanced data points.

The upgrade also ensures that 3DS authentication is seamless because the system is compatible with all types of mobile devices and browsers. As a result, buyers can shop with confidence using their preferred device. 

With this enhanced shopping experience can come increased loyalty, lower cart abandonment rates and longer customer retention.

Simultaneously, the merchant is relieved of liability for chargebacks due to fraud, with fees now being paid by the issuer. 

Finally, the updated protocol ensures full compliance with PSD2 because of its robust SCA, furnishing buyers and sellers alike with bolstered security and compliance.

Upgrading 3DS 1.0 has made payments more secure while simultaneously improving the shopping experience. If you have not talked to your payment processor about integrating 3DS 2.0 into your systems, there is no time like the present.
