3D Secure 2.0 specification in a nutshell
As I’ve mentioned in one of the previous blog posts, EMV® 3D Secure was broadly discussed during this year’s PCI European Community Meeting in Barcelona. Read on to learn what comes with the new 3D Secure specification and what improvements it brings.
PCI Security Standards Council (PCI SSC) released a new security standard at the PCI European Community Meeting in Barcelona in October 2017. It is about supporting EMVCo’s (jointly owned by Visa, MasterCard, American Express, JBC, UnionPay, and Discover) EMV® 3D Secure Protocol and Core Functions Specification that follows the release of 3D Secure version 2.0.
As the EMV has been successful in reducing card present fraud, there’s still a problem with fraudsters’ focus on card-not-present (CNP) transactions. Today, when the digital commerce is growing at a fast pace and there are more and more online and mobile payment methods on the market, verifying customers identity becomes a real challenge.
What does this mean for payments?
Just to remind you, the 3D Secure authentication is an additional security layer for card-not-present transactions. 3D Secure (Three Domain Secure) is a messaging protocol that involves three domains, such as bank, technology that processes the transaction and the issuing bank.
The system is used to authenticate cardholder information, usually requesting a static password or PIN. 3D Secure 1.0 helps merchants fight fraud, but also comes with frictions for online consumers. It adds extra steps during payments and supports only browser-based transactions.
There’s no question that introducing 3D Secure to the market has significantly improved online shopping security, but merchants are struggling with a drop in conversion. It also has a negative impact on the user experience.
This is why the new 3D Secure specification includes EMV as the answer to mitigate fraud during online transactions. EMV® 3D Secure is considered to be more effective and its main assumptions are not only to stop fraudsters from succeeding, but also improve customer experience.
Differences between 3D Secure 1.0.2 and 2.0
The new 3D Secure standards were released as the answer for security issues, hence the verification process is one of the major changes. Old-fashioned static passwords will be replaced by tokens and biometric. This means much better checkout experience for both e-commerce shoppers and app users.
Here are the main changes.
The purpose of the new protocol is to facilitate the data exchange between the merchant, cardholder and issuer. In this case, authentication is done more accurately without asking for a static password. And you should know that requiring customers to remember passwords may cause abandonments.
This could make a real change, as forgetting passwords is a common issue. Also, consumers usually choose passwords that are easy to remember, so they are also easy to guess for a potential fraudster. Otherwise, some of the consumers create difficult to guess passwords, which cause the difficulties remembering it, so it comes with frictions and lost transactions.
Having said that, biometric authentication methods, such as face or voice recognition, are considered more secure than a static password. Also, they are much easier to use and create a better experience for consumers. Biometric is considered a solution that not only reduces fraud risk, but also helps to cut down cart abandonment rates.
EMV® 3DS also introduces the risk-based authentication, which enables issuers to get additional data from both transaction context and merchant’s and cardholder’s risk profiles. The improved datasets for risk-based authentication consists of, for instance, email, billing and shipping address, cardholder behaviour information, etc.
It will help them make smarter, more informed decisions. For instance, low-risk transactions will be frictionless for customers, as there will be no need to make any extra interactions. And, as before, cardholders won’t take the responsibility for unauthorized charges made with their account.
What’s more, it’s good to know that the new 3D Secure protocol supports the PSD2 Directive, which also mentions strong customer authentication.
Enhanced customer experience
No need in using static passwords, as well as elimination of the initial sign-up process during shopping come with better user experience and fewer abandonments.
Under this new specification, merchants can provide the same look and feel of their interfaces across various devices, as the pop-up window will be completely eliminated. So, this is also about giving customers a choice and creating customer-centric solutions.
Keeping fraud prevention on the right track while not hindering the customer experience is one of the biggest challenges for the merchants. That’s why we, at SecurionPay, introduced you our non-invasive 3D Secure authentication.
Various devices support
The new messaging protocol also enables creating a framework for digital authentication to make it possible on a wider set of devices. It will be possible to run 3D Secure payments in both application and browser-based solutions, on mobile and other consumer connected devices.
This also means that new 3D Secure can be used not only for card-based payments, but also other payment means and non-payment methods with strong customer authentication. In short, 3D Secure 2.0 enables mobile, in-app and digital wallet payment methods — all of them weren’t supported by 3D Secure version 1.
Another difference can be found is in the way the result of challenge is communicated from the issuer to the merchant. In 3DS 1.0 is done via the cardholder while in EMV® 3DS 2.0 this is communicated through the Directory Server.
The EMV® 3D Secure reflects current and future market requirements and shows the direction for the next years to come.
While m-commerce is one of the fastest growing channels and we choose in-app purchases more often, there was the need for a solution created also for mobile transactions. The authentication experience will become more user-friendly, so 3D Secure transactions won’t cause that much drop in conversion as before.
However, it will be much easier to prevent making unauthenticated payments, even if the card is stolen or cloned. This is important, as today’s consumers are getting more concerned about their account and personal data protection. And it’s not any surprise, as we can see high-level data breaches all the time.
Known that, an end user is in the center of the strategy. And you know that we, at SecurionPay, always emphasize customer experience as being the heart of our solution, right?
Want to add something? Share your thoughts in the comments.