Payments in Focus Insight that keeps you ahead of change

5 read time

3D Secure 2 - A Beginner’s Guide

by: Conor Tweed
Wednesday, April 24, 2019

What is 3D Secure?

3D Secure or 3DS is the umbrella name for each of the Card Schemes’ branded online payment authentication solutions:  Visa Secure, Mastercard Identity Check, American Express Safekey, J/Secure for JCB and ProtectBuy for Discover and Diners International.

It is an authentication protocol that was designed to reduce fraud, increase customer security and reduce merchant liability to chargebacks. The new 3D Secure 2 (3DS2) protocol has been developed to meet the requirements of the modern remote payments environment, including the mobile checkout experience and is also the solution for European businesses to the upcoming Strong Customer Authentication (SCA) regulations.

Why do we need 3DS2?

There are a number of key areas where the need for 3DS2 becomes apparent:

  1. Combating Fraud & Chargebacks
    Fraud and the risk of chargebacks is a concern for most eCommerce businesses and finding ways to mitigate this is key. 3D Secure is the only card-scheme solution that offers a liability shift, shifting liability for fraudulent transactions to issuers and/or cardholders when transactions are authenticated, as per the card scheme rules.

  2. Regulatory Compliance
    On 14th September 2019, a new regulation is being introduced that will change the way payments are made online within the European Economic Area (EEA).

    After this date most eCommerce payments will have to undergo Strong Customer Authentication (SCA) to validate that the payer is who they say they are. This will make 3DS2 adoption a necessity for almost all European ecommerce merchants as it is the only compliant SCA solution available for card payments.

  3. Authorisation optimisation
    3DS2  grants Issuers visibility of a significant amount of transactional, customer and device data which, combined with cardholder authentication, will help them to approve more authorisations and reduce the number of false declines that would otherwise result in lost sales.

  4. Mobile and native app compatibility
    Unlike the previous version of 3D Secure, 3DS2 is built with Mobile experiences in mind and is the only way to provide your customers with native in-app authentication.

  5. Biometric authentication support
    3DS2 allows for many different authentication methods including the previously unavailable biometric authentication option - providing cardholders with the ability to authenticate themselves through simple processes like fingerprints or facial recognition.

  6. SCA Exemption Support
    The current version of 3DS2, v2.1, supports the ability for merchants to identify where they wish for no cardholder authentication challenge to be applied. This version also supports all the added data that can facilitate Issuer exemptions such as low risk and low value transactions. The upcoming 3DS2, v2.2, available later in 2019, will support explicit SCA exemption flags for identifying acquirer-side exemption requests.

Why does my business need to collect more customer data?

In total there are 135 data elements that can currently be captured as part of the 3DS2 protocol including device or browser data, customer billing and contact details, and many other optional data elements.

The quality and accuracy of the data you provide can directly influence the likelihood of your customers being authenticated in a frictionless manner at your checkout. Visa analysis shows that, for example, the addition of just one of those data points – device ID information – improves fraud detection rates by 200%+.

These new required and optional data elements are used by the Issuer’s fraud engine to determine the risk of each transaction. Where risk is assessed as low, the Issuer may apply the TRA (Transaction Risk Analysis) exemption to the transaction avoiding a cardholder authentication challenge.

Where the risk is assessed as high, an authentication challenge will need to be completed by the cardholder. The authentication challenge can come in several forms, at the Issuer’s discretion, but the most common implementation is likely via an OTP (one-time passcode) sent by the Issuer to the cardholder’s mobile number that must be entered to confirm authentication. This scenario may occur, for example, because there is not enough data or the data doesn’t match what the Issuer is expecting. For the best cardholder experience it is important you capture and send as much good data as you can.

Since the introduction of a risk-based approach to authentication, Visa has published that there has been a 70% reduction in abandonment rates and at the same time fraud rates have fallen, indicating that risk-based assessments are an effective tool to detect and prevent fraud.

How does this data collection impact my business’ GDPR responsibilities?

As a business you have responsibilities to inform your European customers about what personal data you collect from them, how that data is being used, and why this data is needed. These responsibilities will extend to the additional data you need to collect as part of the 3DS2 authentication process.

It is important that you review your current GDPR position to reflect any changes to how you collect data and to be transparent that this data will be used as part of cardholder authentication. All additional personally identifiable information provided to Global Payments as part of the 3DS2 process will only be used for the express purpose of this authentication protocol and will not be stored beyond the lifecycle of this processing.

How can we start using the 3DS2 service through Global Payments?

Global Payments are delivering a 3DS2 service that will provide effortless authentication for a faster checkout, improved security and increased conversion. This solution is available both as part of our payment gateway offering and also as a standalone service that can be used in conjunction with your own gateway provider.

Global Payments’ hosted payment solution is the simplest way for you to provide a fully PCI compliant, 3DS2 capable payment experience on your website. Learn more here

For more information and documentation visit our Developer Portal.