Year after year, technology moves forward rapidly in its achievements and capabilities. In the near future the updated 3D Secure 2.0 protocol will bring online security in the payments industry to a new level. The protocol provides a secure, real-time data exchange channel through which far more transaction data is transmitted for more accurate cardholder authentication, and it speeds up payment because password-style authentication is applied only to a subset of transactions rather than to all of them. Let's consider the main changes in the new protocol compared with its previous version.
What is 3D Secure?
3D Secure is a security protocol developed in 1999 to prevent fraudulent use of payment cards by authenticating the cardholder in transactions where the card is not physically present (card-not-present, or CNP, transactions). "3D" stands for the "three domains" in which the protocol operates: the issuer domain (the bank that issued the card), the acquirer domain (the merchant and the bank to which the money is transferred) and the interoperability domain (the infrastructure provided by the card scheme to support 3D Secure, such as the Directory Server). The original protocol was created by Visa; the current specification, EMV 3-D Secure, is developed and managed by EMVCo, an organization jointly owned by Visa, Mastercard, American Express, Discover, JCB and UnionPay.
The first version of 3D Secure was designed to increase consumer confidence in online payments, which contributed to the growth of e-commerce. To protect against fraudulent transactions, 3D Secure adds an extra authentication step to online payments, allowing the merchant and the issuer to verify that the person paying is actually the cardholder. With 3D Secure 1, the system displays a pop-up window or an embedded frame (iframe) asking the user to enter a password so that the bank can authenticate them. However, the cardholder has no way to verify who is actually serving that pop-up or frame, so the step itself is hard to distinguish from a phishing page.

For business, the benefits of 3D Secure are obvious: requesting additional information adds a layer of protection against fraud, helping to ensure that card payments are accepted only from legitimate cardholders. Using 3D Secure also triggers the so-called "liability shift", in which responsibility for fraudulent transactions passes from the merchant to the card issuer. Thus, if 3D Secure is not applied and the cardholder disputes a fraudulent transaction:
- The merchant is liable for the transaction
- The merchant must refund the buyer (chargeback)
But if the merchant implements 3D Secure, liability for fraudulent transactions shifts to the issuer (the bank that issued the card).
What are the main changes in the 3D Secure 2.0 protocol?
More than 17 years have passed since 3D Secure 1 was developed. Although the payment industry in most countries has accepted this authentication method fairly well, the need for a new protocol was recognized to meet current and future market requirements, including support for authentication based on mobile devices and the integration of digital wallets. In addition, 3D Secure 1 has some drawbacks:
- The extra step required to complete the payment makes checkout more complex and may cause customers to abandon the purchase.
- A number of banks still oblige their cardholders to create and remember static passwords to complete the 3D Secure check. These passwords are easy to forget, which also leads to a higher rate of abandoned purchases.
- The negative impact on user experience (UX) is especially noticeable in mobile applications. When Visa first created the 3D Secure standard, personal computers were the only channel consumers had for shopping online. On mobile devices, 3D Secure 1 may redirect the customer out of the merchant's own app to the bank's website, which is often not optimized for mobile.
Taking into account the main pain points of 3D Secure, EMVCo released a new, improved version of the protocol. EMV 3-D Secure (3D Secure 2 or 3DS2) addresses many of the drawbacks of 3D Secure 1 and provides the following key benefits:
1. Flexible Device & Channel Support. Provides a smoother and more consistent user experience across multiple payment channels, including payment in a mobile browser, in-app payments and payments through a digital wallet.
2. Improved User Experience. Lets merchants integrate authentication more tightly into the checkout flow, giving cardholders fast, easy and convenient authentication with a high level of security. Instead of static passwords, 3D Secure 2 uses dynamic authentication methods such as biometrics and token-based authentication. 3D Secure 2 also allows merchants to embed the challenge flow directly into their web and mobile payment flows, without any redirects. Using the new mobile SDKs, merchants can embed the authentication flow natively in their own applications, so customers no longer have to switch to a browser to complete the transaction.
3D Secure 1 (illustration from the 3D Secure 2 Stripe guide)
3D Secure 2 (illustration from the 3D Secure 2 Stripe guide)
3. Enhanced Data Exchange to Manage Fraud and Reduce Friction. Risk-based authentication (RBA) and the frictionless flow. The frictionless flow allows issuers to approve a transaction without requiring any manual input from the cardholder. This is achieved through so-called risk-based authentication: during the transaction a set of cardholder and transaction data is collected and passed to the issuing bank's Access Control Server (ACS), which compares it with the cardholder's historical transaction data to compute a fraud risk score for the new transaction. 3D Secure 2 allows merchants and their payment providers to securely send more than 100 data elements per transaction to the cardholder's bank. This includes payment-related information, such as the shipping address, as well as contextual information, such as the customer's device identifier or a history of previous transactions.

The cardholder's bank uses this information to assess the risk level of the transaction and choose the appropriate response. If the computed fraud risk is below a predetermined threshold, the frictionless flow applies; otherwise the issuer challenges the cardholder. In other words, there are two possible outcomes:
1) If there is enough data for the bank to be confident that the genuine cardholder is making the purchase, the transaction qualifies for the frictionless flow and authentication completes without any user interaction; the cardholder never sees any sign that 3D Secure was applied. The issuing bank does not request additional verification and treats the cardholder as authenticated, which eliminates the manual verification step that 3D Secure 1 always required.
2) If the fraud risk is above the predefined threshold, i.e. the bank decides it needs additional evidence, the transaction goes through the challenge flow and the cardholder is asked to provide additional proof (for example a biometric check or a dynamic one-time code) to verify the payment.
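As an added illustration (not code from this article, from EMVCo, or from any ACS vendor), the following Python sketch models the ACS-side decision described above: the issuer compares a few data elements from the authentication request with the cardholder's history, computes a risk score, and answers either frictionless ("Y") or challenge ("C"). The message names AReq/ARes and the transStatus values follow EMV 3DS 2; the field names, scoring weights, threshold, sample cardholder history and the SCA/exemption handling are assumptions constructed for the example. It also shows the SCA rule that the frictionless flow is only permitted under an exemption: a low-risk transaction is still challenged when SCA applies and no exemption is claimed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Hypothetical tuning: a score at or above this value sends the transaction
# to the challenge flow; below it, the issuer authenticates frictionlessly.
CHALLENGE_THRESHOLD = 50


@dataclass
class CardholderHistory:
    """What the issuer's ACS already knows about the card (constructed sample data)."""
    known_devices: Set[str]
    known_ship_addrs: Set[str]
    typical_amount: float       # e.g. the median approved CNP amount
    txn_count: int              # approved CNP transactions on record
    recent_failed_auths: int    # failed 3DS challenges in the last 24 hours


@dataclass
class AReq:
    """A handful of the 100+ data elements a 3DS Server sends in an
    Authentication Request. Field names are illustrative, not the spec's."""
    acct_number: str
    purchase_amount: float
    device_id: str
    ship_addr: str
    merchant_country: str
    sca_exemption: Optional[str] = None  # e.g. "TRA" or "low-value" if claimed


def risk_score(areq: AReq, history: CardholderHistory) -> Tuple[int, List[str]]:
    """Compare the request with the cardholder's history. Weights are hypothetical."""
    rules = [
        (history.txn_count == 0, 40, "no transaction history"),
        (areq.device_id not in history.known_devices, 30, "unknown device"),
        (areq.ship_addr not in history.known_ship_addrs, 25, "new shipping address"),
        (history.txn_count > 0 and areq.purchase_amount > 3 * history.typical_amount,
         20, "amount far above typical"),
        (history.recent_failed_auths >= 2, 30, "repeated recent challenge failures"),
    ]
    score = sum(weight for hit, weight, _ in rules if hit)
    reasons = [reason for hit, _, reason in rules if hit]
    return score, reasons


def decide(areq: AReq, history: CardholderHistory, sca_applies: bool = False) -> Dict:
    """ACS decision, returned as the relevant fields of an Authentication Response.

    transStatus "Y" = authenticated with no challenge (frictionless flow),
    "C" = challenge required. When SCA applies, a frictionless result is only
    allowed if an exemption is claimed; otherwise the ACS must challenge even a
    low-risk transaction.
    """
    score, reasons = risk_score(areq, history)
    if score >= CHALLENGE_THRESHOLD:
        status = "C"
    elif sca_applies and areq.sca_exemption is None:
        status = "C"
        reasons.append("SCA required and no exemption claimed")
    else:
        status = "Y"
    return {"messageType": "ARes", "transStatus": status,
            "score": score, "reasons": reasons}


# Constructed sample data: a card with a year of history on one phone and one address.
SAMPLE_HISTORY = CardholderHistory(
    known_devices={"dev-a1b2"}, known_ship_addrs={"home"},
    typical_amount=45.0, txn_count=12, recent_failed_auths=0)
TRUSTED_REQ = AReq("4000000000001234", 40.0, "dev-a1b2", "home", "DE")
RISKY_REQ = AReq("4000000000001234", 640.0, "dev-zz99", "parcel-locker-7", "DE")

if __name__ == "__main__":
    for label, req in (("trusted", TRUSTED_REQ), ("risky", RISKY_REQ)):
        print(label, decide(req, SAMPLE_HISTORY))
    # With SCA in force and no exemption, even the trusted request is challenged.
    print("trusted under SCA", decide(TRUSTED_REQ, SAMPLE_HISTORY, sca_applies=True))
```

In a real ACS the history would come from the issuer's own data and fraud-intelligence feeds rather than a hard-coded object, and the score would typically be a model output rather than a sum of fixed weights, but the shape of the decision is the same: score against the threshold, then apply the regulatory rule on top.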
4. Change in merchant liability in case of fraud. Another significant difference concerns merchant liability in the event of fraud. Issuers are clear beneficiaries of the wider data exchange required by 3DS 2.0, since they bear the chargebacks: the more data they have, the more accurately they can assess the risk of a transaction.
However, merchants also benefit, especially if they do not yet collect enough transaction data to participate fully in 3DS, because they can use the same data to improve their own fraud detection. And even if a merchant already has a sophisticated fraud-prevention program, the additional layer of protection provided by the issuer's own risk assessment should not be overlooked: the ACS providers used by issuers typically have access to fraud data sources that individual merchants do not, which often lets them estimate fraud risk more reliably.
When will payment systems support 3-D Secure 2.0?
The widespread adoption of 3D Secure 2 will depend on individual card issuers supporting the new standard. The first banks are expected to start supporting 3D Secure 2 for their cardholders in early 2019; wider implementation is likely to be gradual and take several months. For example, the Visa 3DS 2.0 platform is already available and ready to handle 3DS 2.0 authentication requests: before participating in the 2.0 program, ACS and 3DS Server providers must be tested with both EMVCo and Visa. Providers can start testing with Visa only after receiving a letter confirming successful completion of EMVCo testing. To give all parties enough time to implement EMV 3-D Secure, the full set of program rules will not take effect until the program activation dates listed below:
- April 2019: activation date for Europe
- August 2019: activation date for Canada, Latin America and the USA.
- April 2020: activation date for Asia-Pacific, the Middle East and Africa.
It is also expected that 3D Secure 1 and 3D Secure 2 will coexist at least until 2020.
For European businesses, 3D Secure 2 becomes even more important with the entry into force in September 2019 of the Strong Customer Authentication (SCA) requirement introduced by the revised Payment Services Directive (PSD2). SCA applies to online payments in the European Economic Area (EEA) where both the cardholder's bank and the merchant's payment service provider are in the EEA. Since the new rule requires more authentication for European payments, 3D Secure 2 offers the best user experience for minimizing the impact on checkout conversion.
Although 3D Secure 2 will be the primary method of complying with SCA for card payments, the frictionless flow on its own is not expected to count as strong customer authentication. This means that once SCA is enforced in Europe, the frictionless flow can be used only for payments covered by an exemption (for example low-value transactions or those cleared by transaction risk analysis), while all payments that require SCA must be authenticated through the challenge flow.