
What is 3DS2?

See how 3DS2 benefits merchants and provides support for transactions across a wide variety of devices while reducing checkout process friction.

Written by Rachel Fine
Publication Date: January 23, 2024

In this article, Spreedly will examine rising global ecommerce volumes and the prevalence of fraud and false declines. We will then examine 3DS security protocols, how they work, and whether implementing 3DS protocols might make sense for your business.

In 2023, market researchers predict global eCommerce revenue will reach more than $3 trillion — and by 2028, revenue will increase to more than $4.9 trillion. Accompanying this growth has been a significant increase in card-not-present (CNP) fraud, to which merchants and issuers have effectively responded with a variety of fraud screening tools.

Today, there are numerous solutions to mitigate the threat of actual fraud, but for many merchants false declines are more troubling than fraud losses. According to a 2023 PYMNTS report, roughly 70% of all card-related fraud occurs in card-not-present (CNP) scenarios. Additionally, the report cites researchers predicting that CNP fraud will reach a global value of $49 billion by 2030. The largest program built to control CNP fraud is 3D Secure 2.0 (3DS2), a mandated security protocol for regions under the Payment Services Directive (PSD2). However, the PYMNTS report further highlights that only 1% to 3% of transactions in the U.S. use 3D Secure protocols.

Common estimates note that over half of eCommerce transaction declines are actually legitimate transactions. Originally, 3DS protocols were onerous for customers, but 3D Secure 2.0 (3DS2) brought many improvements, including streamlined authentication that helps reduce both false declines and abandoned carts by removing friction from the checkout experience.

Merchants are working harder than ever to capture and retain customers. A single poor online checkout experience causes many consumers to abandon the cart - and the merchant - permanently. That’s why it is critical to understand the tools available and leverage the right ones for your business. How can merchants implement 3DS security protocols? Why is adoption low outside of Europe? Is now the right time to consider adding 3DS checks to your checkout?

What Is 3DS2?

3D Secure is a multi-factor security protocol designed to authenticate cardholders in card-not-present (CNP) transactions. The first version of 3D Secure was released more than 20 years ago, while the current version — 3D Secure 2.0, or 3DS2 for short — was released in 2016 and formally published in 2017. 

The global activation of 3DS2 occurred from 2019 to 2020, making the second version of the regulation the official standard for organizations to follow. 

First used by Visa, 3DS2 has evolved into a major component of the PCI 3DS Core Security Standard. The regulation was developed to offer a more frictionless and user-friendly authentication process that accounted for modern security threats in the payments industry. 

As of 2022, most major card networks have halted support for 3DS1 entirely, making adoption of 3DS2 required to ensure transactions will be authenticated without an error.

In 2021, the newest version of 3DS2 (v.2.3.1) was released by EMVCo.

This updated version of 3DS2 introduced new enhancements intended to increase flexibility for 3DS2 implementations across multiple channels and devices. The latest version helps users identify instances of fraud more quickly and with greater accuracy, as well as streamlines the authentication process further. 

The main difference between 3DS1 and 3DS2 comes down to how authentication is done. According to the official 3DSecure2 FAQ page:

“Rather than static passwords, 3D Secure 2 uses dynamic authentication methods such as biometrics and token-based authentication.”

3DS2 uses risk-based analysis to authenticate transactions by “supporting authentication based on enriched data elements shared through the protocol.” The regulation also removes the original sign-up process for cardholders and removes static passwords, helping to create an improved and simplified verification experience.

How 3DS2 Works

3D Secure has been around for more than 15 years. In 2018, EMVCo developed the next generation standard to improve fraud screening while enhancing the customer experience. 3DS2 is a multi-factor authentication protocol used to confirm digital identity during checkout. In addition to the primary account number, you are required to provide something you have, something you know, or something you are in order to confirm that you are the legitimate account holder during a CNP transaction.

To support enhanced risk-based decision making for card issuers, 3DS2 collects 10x more data than version 1. Because device data is the preferred means of authentication, a consumer is likely to receive a frictionless transaction flow without even realizing authentication has happened in the background.

When a 3DS2 transaction is initiated from a web browser or mobile app, specific data points are collected, sent to a 3DS Server, and routed to the card issuer Access Control Server (ACS) for approval. To make a decision on the next step, issuers analyze more than 150 data fields, including browser IP address, browser language, delivery timeframe, shipping indicator, merchant category code, among many others. The issuer may respond with a frictionless approval, device fingerprint, challenge, or fallback. The frictionless flow provides immediate approval based on the initial transaction data collected. 95% of transactions should be deemed low risk and qualify as frictionless, requiring no additional consumer verification.  

For the remaining 5% of transactions—those deemed “risky”—the issuer will request additional consumer verification by escalating to one or more of the next flows. The device fingerprint flow enables the issuer ACS to communicate directly with the web browser or mobile SDK managing 3DS authentication to collect additional data. The challenge flow enables the issuer ACS to request authentication by displaying an embedded modal or collecting biometrics. The fallback flow notifies the merchant that they must redirect the consumer to a different login page to go through the 3DS1 authentication process.
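The four issuer responses described above, modelled as a merchant-side session tracker. This is an added example, not Spreedly's or EMVCo's code; the string labels for each flow, the action names, and the allowed ordering of responses are assumptions made for illustration. It lets authorization proceed only after a frictionless approval or a passed challenge, and declines on any unknown or out-of-order message.

```python
from enum import Enum

class Flow(Enum):
    FRICTIONLESS = "frictionless"
    FINGERPRINT = "device_fingerprint"
    CHALLENGE = "challenge"
    FALLBACK = "fallback"

# Merchant-side action for each issuer response (action names are hypothetical).
ACTIONS = {
    Flow.FRICTIONLESS: "authorize",
    Flow.FINGERPRINT: "collect_device_data",
    Flow.CHALLENGE: "show_challenge",
    Flow.FALLBACK: "redirect_to_3ds1",
}

# Responses accepted after each step; None is the initial request.
# Assumption: escalation only moves forward, never back to an earlier flow.
ALLOWED_NEXT = {
    None: set(Flow),
    Flow.FINGERPRINT: {Flow.FRICTIONLESS, Flow.CHALLENGE, Flow.FALLBACK},
}

class AuthSession:
    """Tracks one checkout's authentication and fails closed on surprises."""

    def __init__(self):
        self.last = None            # last issuer response accepted
        self.authenticated = False  # True only after an approval path completes
        self.closed = False         # terminal: nothing further is accepted

    def _fail(self):
        self.authenticated, self.closed = False, True
        return "decline"

    def on_issuer_response(self, name):
        flow = next((f for f in Flow if f.value == name), None)
        # Unknown labels, messages after a terminal state, and responses that
        # skip a pending challenge all end the session without authentication.
        if self.closed or flow not in ALLOWED_NEXT.get(self.last, set()):
            return self._fail()
        self.last = flow
        if flow is Flow.FRICTIONLESS:
            self.authenticated, self.closed = True, True
        return ACTIONS[flow]

    def on_challenge_result(self, passed):
        # A challenge result only counts if a challenge was actually requested.
        if self.closed or self.last is not Flow.CHALLENGE or passed is not True:
            return self._fail()
        self.authenticated, self.closed = True, True
        return "authorize"
```

The payment authorization step should check `authenticated` on the session rather than trusting the action string returned to the checkout page.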

The Benefits of 3DS2 for Merchants

Although compliance with 3DS2 requires extra technical effort, the benefits for merchants are significant. 

In today’s digital era of payments, the risk of fraud and other cybercrimes is skyrocketing like never before. As a result, merchants must be much more mindful of the transactions they facilitate and ensure the proper 3DS2 measures are in place to authenticate cardholders.

Let’s take a look at the three key benefits of 3DS2 for merchants:

Improving Customer Experience

3DS2 provides transaction support across a wide range of devices, including mobile devices. The regulation strives to reduce friction during checkout, improving the customer experience and reducing shopping cart abandonment. Whereas 3DS1 involved a page redirect for authenticating customers — a process that proved jarring and often resulted in high cart abandonment — 3DS2 does not require a page redirect and supports transactions in native mobile apps or IoT devices.

Providing a framework for authentication outside of a web browser, the latest versions of 3DS2 support transactions in native mobile apps or IoT devices. More than 50% of all eCommerce transactions originate from mobile devices, so a native mobile experience to provide frictionless authentication is no longer considered nice-to-have for most merchants. 3DS2 is designed specifically to support native mobile experiences, including biometric authentication methods depending on issuing banks’ supportability. The forthcoming 3DS version 2.3 is expected to enhance authentication flows for IoT devices, including voice authentication.

Liability Shift

3DS2 shifts the responsibility of customer authentication back into the hands of each consumer’s bank, meaning the chargeback falls to the card issuer rather than the merchant themselves. This not only simplifies compliance and fraud prevention, but also reduces the impact of chargebacks for merchants. 3DS2 partially achieves this liability shift by collecting 10x the amount of data as 3DS1, enabling issuers to make better-informed approval decisions and reduce liability exposure for merchants.

Regulatory Compliance

Along with its direct benefits in preventing CNP fraud and false declines, improving customer experience, and shifting liability, 3DS2 also helps merchants meet the regulatory standards of the Payment Services Directive 2.0 (PSD2). PSD2 is an EU regulation that requires Strong Customer Authentication (SCA) on transactions originating in the European Economic Area, a requirement that aligns with many of the components of 3DS2. The evolving 3DS2 standards are a direct outcome of the desire to control fraud without exposing consumers to poor eCommerce checkout experiences. Currently, the European Commission is working on an updated version of the Payment Services Directive, known as PSD3. PSD3 will likely place even greater emphasis on SCA, further increasing the overlap between the EU regulation and 3DS2.

Overcoming The 3DS2 Challenge With Spreedly

3DS2 and PCI compliance require the right technologies and solutions to achieve optimal efficiency and operational resilience within your payments system. 

Spreedly’s payment orchestration platform offers compliance solutions for both 3DS1 and 3DS2. Through Spreedly’s platform, you can connect to a majority of the most popular payment gateways and payment service providers (PSPs) while remaining compliant with 3DS2 and the PCI DSS 4.0.

Plus, Spreedly is Level 1 PCI compliant, ensuring all of our merchant clients have the regulatory support necessary to reduce their compliance burden. 

Want even more insight on a real-world implementation of 3DS? See how Arc'teryx implemented 3DS as part of the PSD2 Mandate in this video from PAYMENTSfn On-Demand.

Speak with our team today to learn more about Spreedly’s 3DS2 solution.
