Online payments have revolutionized how we shop and do business.
But they have also opened the door to a new kind of crime. Annual worldwide eCommerce fraud is estimated at 48 billion dollars this year.
One of the best defenses against it is 3D Secure 2.0.
Let's take a look at what it is, what its predecessor (and contemporary) 3D Secure is, and more. We also explain how it relates to Strong Customer Authentication.
What is 3D Secure?
3D Secure (3DS) is an authentication protocol used for online payments and mobile payments.
The earliest version of it appeared in 1999. It provided an advanced extra layer of security for cardholders and merchants.
'3D' refers to the 'three domains' involved in the authentication process. These three domains are the card issuer, the merchant, and the 3D Secure infrastructure:
- The card issuer is the financial institution that issues a debit or credit card to the customer, i.e., the cardholder's bank
- The merchant is the business that will receive the payment
- The 3D Secure infrastructure is the layer of added security between customers and merchants through the card issuer.
3D Secure is implemented to prevent and reduce fraud. It does this primarily by placing additional authentication factors into the transaction process.
Is implementing 3D Secure mandatory?
The Financial Conduct Authority's Strong Customer Authentication (SCA) regulation requires the use of 3D Secure for all online transactions in the European Economic Area (EEA).
In other international regions, it is optional but highly encouraged.
How does the 3D Secure process appear to the customer?
When a cardholder enters their card details to confirm a payment, they might be redirected to an authentication page or portal.
This is where the issuing bank will ask the customer for additional verification with a static password.
Authentication pages are typically co-branded by the given card network. These are usually familiar and trusted brand names from the major card schemes, such as Visa Secure, American Express' SafeKey, and Mastercard's Identity Check.
After completing authentication, the customer will be redirected to the checkout page. The customer and merchant will see the authentication result.
What is 3D Secure 2.0?
3D Secure 2.0 is a security protocol for online transactions that provides higher-level identity verification information than standard 3D Secure.
Released in 2016, it was designed by some of the major card networks to address some of the shortcomings of the original version.
It has a less disruptive authentication process, better user experience and a higher level of security than the original version for reduced risk.
Its mass adoption has taken place alongside the consumer shift to using mobile devices and online shopping.
How does 3D Secure 2.0's authentication protocol work?
1. Initial assessment
It performs risk-based authentication on an access control server (ACS), an advanced type of server that can validate credentials and control access to resources.
Using 3D Secure 2.0, a cardholder's issuing bank can quickly assess a transaction's risk levels. It looks at a wealth of rich data, including merchant's contextual data, the cardholder's previous transactions, etc.
2.1. Immediate authorization of authentication
If each authentication standard is met, the initial transaction process can be completed with no additional cardholder input.
2.2. Additional customer authentication
If the protocol raises a red flag indicating a high risk rather than a normal transaction risk, an advanced layer of security is requested from the person trying to make the transaction.
At checkout they will be sent through a 'challenge flow'. This will be an iframe (an element within an HTML page) which uses the entire existing browser window or just part of it. Here, the customer is asked to provide additional information for authentication.
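The frictionless and challenge branches described above, as an added example (not code from this article or from any payment provider): a merchant server routing the issuer's authentication response. The field names (`transStatus`, `acsURL`, `eci`, `authenticationValue`, `threeDSServerTransID`) come from the EMV 3-D Secure message format, which the article does not show; `routeAuthResponse` and the sample values are constructed.

```javascript
// Added example: merchant-side routing of a 3D Secure 2.0 authentication response.
// routeAuthResponse is a hypothetical helper; sample data below is constructed.
const FRICTIONLESS_OK = new Set(["Y", "A"]); // authenticated / attempt processed
const HARD_STOP = new Set(["N", "R"]);       // not authenticated / rejected by issuer

function routeAuthResponse(ares, expectedTransId) {
  // Bind the response to the transaction this checkout started, so a result
  // issued for a different payment cannot be substituted into this session.
  if (ares.messageType !== "ARes" || ares.threeDSServerTransID !== expectedTransId) {
    return { action: "decline", reason: "response does not match this transaction" };
  }
  const status = ares.transStatus;
  if (FRICTIONLESS_OK.has(status)) {
    // Frictionless flow: no cardholder input, but the authorization request
    // still has to carry the issuer's proof of authentication.
    if (!ares.authenticationValue || !ares.eci) {
      return { action: "decline", reason: "missing authentication proof" };
    }
    return { action: "authorize", eci: ares.eci, authenticationValue: ares.authenticationValue };
  }
  if (status === "C") {
    // Challenge flow: only an HTTPS ACS URL may be loaded into the iframe.
    let url;
    try { url = new URL(ares.acsURL); } catch { url = null; }
    if (!url || url.protocol !== "https:") {
      return { action: "decline", reason: "invalid ACS URL" };
    }
    return { action: "challenge", iframeSrc: url.href, acsTransID: ares.acsTransID };
  }
  if (HARD_STOP.has(status)) {
    return { action: "decline", reason: `issuer returned ${status}` };
  }
  // "U" (authentication could not be performed) or an unknown value:
  // never treat the payment as authenticated.
  return { action: "unauthenticated", reason: `transStatus ${String(status)}` };
}

// Constructed sample responses for one checkout session.
const sampleTransId = "3ds-server-trans-0001";
const sampleBase = { messageType: "ARes", threeDSServerTransID: sampleTransId };
const sampleFrictionless = { ...sampleBase, transStatus: "Y", eci: "05", authenticationValue: "Q09OU1RSVUNURUQ=" };
const sampleChallenge = { ...sampleBase, transStatus: "C", acsURL: "https://acs.issuer.example/challenge", acsTransID: "acs-trans-0001" };

console.log(routeAuthResponse(sampleFrictionless, sampleTransId).action); // authorize
console.log(routeAuthResponse(sampleChallenge, sampleTransId).action);    // challenge
```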
What are the differences between 3D Secure and 3D Secure 2.0?
1. Customer experience
Part of the purpose of version 2.0 is to offer a more painless checkout process than the original 3D Secure.
It does this by embedding the challenge flow directly into browsers and mobile checkout flows without requiring any page redirects. Authenticating payments with 3D Secure, on the other hand, requires a redirect.
2. Frictionless authentication
3D Secure 2.0 payments provide a more frictionless authentication experience than 3D Secure ones.
In payments, 'frictionless' refers to payment processes that are easy, fast, and convenient.
In this case, an authentication request can be regarded as friction as it complicates and slows down a transaction. This risks causing users to abandon online card payments at point-of-sale (POS).
3D Secure requires two-factor authentication measures like static passwords and pop-up windows. 3D Secure 2.0, on the other hand, authenticates transactions in the same digital location and with less cardholder input (see below, 'authentication methods').
This difference has an impact on sales. According to Visa, using the 3D Secure 2.0 protocol reduces cart abandonment by 70% and checkout times by 85%.
3. Mobile integration
3D Secure 2.0 has an added mobile SDK (Software Development Kit) component. It allows merchants to build an in-app authentication flow and avoid browser redirects.
This feature makes the mobile checkout experience faster and more seamless.
4. Non-payment authentication
Unlike 3D Secure, 3D Secure 2.0 can be used for more than just verifying online purchases and transactions. Its non-payment authentication capabilities enable issuing banks to verify the cardholder without them making an online purchase.
This can be used to add a debit or credit card to a mobile wallet, for example. The issuing bank verifies the cardholder and device information through frictionless flow to prevent fraud.
5. Authentication methods
3D Secure authentication relies on the manual entry of passwords or a PIN code to verify a customer's identity.
3D Secure 2.0 offers different methods for customer authentication, such as biometric authentication (fingerprint or facial recognition), one-time passwords or PINs.
Less support, lower costs
People often forget passwords. A study by Google in 2019 found that 75% of respondents reported feeling frustrated with keeping track of passwords.
One of the negative consequences of this is that 24% opt for common and easy-to-remember passwords such as 'Password', abc123, 111111, etc. This obviously is not an effective level of fraud protection.
Another negative result is the customer support or systems needed to help retrieve or reset the passwords of legitimate customers.
3D Secure and 3D Secure 2.0 can work together
Many payment service providers offer both versions of 3D Secure as an option to their customers.
They can work together to provide a more secure and flexible authentication process.
This depends on the risk level of the transaction and the capabilities of the customer's issuing bank.
For example, the authentication process may begin with 3D Secure 2.0 then be redirected to 3D Secure for additional authentication through the standard password or PIN entry.
Nuvei's 3D Secure 2.0 solution
With Nuvei, your business is protected by high-performance fraud detection and prevention.
Our software enables you to balance Strong Customer Authentication (SCA), security, and conversions for your ecommerce business.
You can automatically direct any payment flow through our cutting-edge authentication process based on exemptions, rules, and individual risk assessments.
We offer an acquiring bank-agnostic solution to help you manage 3D Secure 2.0 complexity as required by market law restrictions and PSD2 SCA regulations.
Summary
3D Secure is a security protocol used to authenticate online payments. It has been preventing and reducing payment fraud with added authentication factors since 1999.
Its authentication process involves redirection to an authentication page or portal where the issuing bank will ask for additional verification such as entry of a registered password.
3D Secure 2.0 is the next iteration of the protocol. It addresses some of the shortcomings of the original version and has a less disruptive authentication process, better user experience, and higher level of security.
The main differences between 3D Secure and 3D Secure 2.0 include customer experience enhancements, frictionless authentication, mobile device integration, non-payment authentication, authentication methods, and lower costs.
Both benefit cardholders and can even work together seamlessly.