What is 3-D Secure?
3-D Secure is an authentication method put in place to prevent fraud in online card payments.
The first version of 3-D Secure, 3-D Secure 1, was introduced by a range of card networks in 2001. It added an extra step to the authentication flow and shifted liability from the merchant to the issuing bank, saving merchants time and money. But although 3-D Secure 1 is still widely used today, it has a major drawback: By adding another step in the authentication process, it adds friction to the checkout flow. Often, cardholders are forced to remember static passwords and this leads many customers to abandon their purchase. It is estimated that 11 % percent of payments are dropped because of 3-D Secure. So for many merchants, the bumpy checkout flow caused by 3-D Secure is not worth their while.
On 14 September 2019, new requirements for Strong Customer Authentication (SCA) in online payments were introduced in Europe as part of the second Payment Services Directive (PSD2). The new regulation means that merchants and their Payment Service Providers (PSPs) need to apply authentication on European payments. But how do online stores abide by the law and ensure less churn at the same time?
To reach this objective, merchants will rely heavily on the new version of 3-D Secure, called 3-D Secure 2. 3-D Secure 2 is the newest version of 3-D secure. It is developed and certified by a range of global stakeholders in the form of the company EMVCo and allows businesses and their PSPs to send more transaction data to the cardholder’s bank. Some of these data points, like email addresses and billing addresses are supplied by customers, while others come from the customer’s device and browser data. Combined, this information about the customer will reduce the need for a lengthy authentication process and ensure less fraud.
The improved user experience of 3-D Secure 2 is important because it helps reduce the negative impact 3-D Secure has on conversion. In the challenge flow of 3-D Secure, the cardholder can authenticate a payment by using for example fingerprint or facial recognition. Additionally, 3-D Secure 2 is embedded directly into web and mobile checkout flows with the help of a Software Development Kit (SDK) — so the card holder is not redirected to another page.
All European merchants will need to be able to support 3-D Secure 2 by the end of 2020. This puts pressure on PSPs to integrate with a 3-D Secure 2 provider quickly. See the timeline here.
What is the difference between 3-D Secure 2.0, 2.1 and 2.2?
The specifications for 3-D Secure 2.0 were first published by EMVCo in 2016. Today 3-D Secure 2.0 is not supported anymore because additional functionalities have been added to improve compliance with PSD2 and user experience.
For instance, version 2.1 introduced frictionless authentication, shorter transaction times and uses 10 times more data than version 1.0. The newest version 2.2 includes support for exemptions for low-value transactions and whitelisting of merchants.
Future versions will include enhancements to risk assessment and support for other devices than web browsers and mobile devices. As global card providers like Visa and MasterCard begin to issue mandates throughout 2020, payment providers are forced to embrace the latest version of 3-D Secure.
3-D Secure 1.0 is still effective in the event of the 3-D Secure 2 process failing. A 3-D Secure 1 solution is included when you sign up for 3dsecure.io.
When do I need to use Strong Customer Authentication?
Strong customer authentication (SCA) is a requirement for European merchants by the EU’s second Directive on Payment Services (PSD2) which came into effect September 14th 2019. The requirement ensures that electronic payments are authenticated by multiple factors - like fingerprint scans and passwords. In fact, SCA requires the customer to use at least two of the following three elements.
SCA will apply to customer-initiated online payments. This means that all bank transfers and most card payments will require SCA. On the other hand, ‘Merchant-initiated’ transactions, like subsequent recurring transfers, will not require SCA. 3-D Secure covers all requirements of SCA and will therefore be the go-to authentication method.
To accept payments and meet SCA requirements, Payment Service Providers (PSPs) need to build additional authentication into their checkout flows using 3-D Secure. During 2020, a number of deadlines will incentivise PSPs to integrate into the newest version of 3-D Secure. You can see the timeline here.
The 3-D Secure Timeline 2020
What are the SCA exemptions?
A majority of online transactions will require Strong Customer Authentication due to PSD2. But some types of low-risk payments are exempted from Strong Customer Authentication in order to reduce friction. The most relevant exemptions for online stores are:
Payments below €30
Transactions below €30 are considered so low that they will be exempted from SCA. However, banks will request authentication after five consecutive transactions of this kind or if the sum of exempted payments exceeds €100.
Payment providers are allowed to do a real-time risk assessment to determine whether to apply SCA to a transaction. However, this is only possible if the card payment fraud rates of the payment provider or bank stays within the following thresholds:
- 0.13% to exempt transactions below €100
- 0.06% to exempt transactions below €250
- 0.01% to exempt transactions below €500
In cases where only the payment provider’s fraud rate is below the threshold, but the cardholder’s bank is above it, the bank will require authentication.
This exemption applies in the event of a series of recurring payments of the same amount to the same business. Here, SCA is required for the first payment while the subsequent charges are exempted.
Customers are able to whitelist a business they trust to avoid future authentications. The list of “trusted beneficiaries” is maintained by the customer’s bank or Payment Service Provider.
In addition, corporate payments, contactless payments and Transaction Risk Analysis are exempted from SCA, while Merchant-initiated Transactions and MOTO payments are out of scope for SCA.
5 reasons 3-D Secure 2 is pivotal for online stores
Traditionally, a payment made in an online store was checked using only the authorisation process. In this simple process, card details were validated by the issuing bank and account information was checked in order to confirm a sufficient amount of funds.
This meant that basically anybody could make purchases using any card as long as there was enough money in the account. That process could potentially lead to fraud. But the payment industry came up with a solution: 3-D Secure. This method reduced fraud, but also implemented an authentication step in the checkout process, which caused less conversion.
The new version of 3-D Secure, 3-D Secure 2, aims to get rid of these pains. In the following you can get an overview of 5 great things for merchants when it comes to 3-D Secure 2:
1. It’s quick!
With 3-D Secure 2, transaction time will decrease by 85%. This is possible because the amount of data exchanged between cardholder, merchant and issuer is 10 times bigger than before. Based on this data for low-risk transactions, issuers will be able to verify the identity of the cardholder without the authentication step. Here are some examples of new contextual data used by 3-D Secure 2:
2. It keeps merchants out of chargeback-trouble
3-D Secure 1 was clunky and bad for sales due to forgotten passwords and cart abandonment. But the incentive for merchants to use 3-D Secure has always been that the liability for fraud shifted to the issuing bank. Suddenly, it was the big banks instead of the tiny online stores who were responsible when fraudulent transactions occurred.
3. It’s customisable
Another great thing about 3-D Secure 2 is that it can be customised. Online stores simply don’t have to go all in. They can request their acquirer and gateway to have 3-D Secure activated for high-risk transactions or for transactions of specific amounts. Conditional 3-D Secure has been proven to be very useful in increasing the number of retained customers.
4. It’s a sales machine
Thanks to the additional data gathered, authentication may become unnecessary in many cases. This will mean a 70% decrease in cart abandonment and more sales for merchants.
5. It’s PSD2 compliant
Last but certainly not least, 3-D Secure will ensure that merchants abide by the law. PSD2 requires all European merchants to use Strong Customer Authentication (SCA). One sure way of fulfilling this criterion is by implementing 3-D Secure. You can read more about PSD2 in this e-book.
How to prepare your merchants for 3-D Secure 2
It’s all about data. The more data, the more frictionless experiences. But this can be hard for merchants to grasp. Payment Service Providers thus have a responsibility to educate their merchants on which data to provide, so merchants can focus on their core business.
In the past, everything needed by the issuing bank to authorise a payment was a card number, expiration date, CVV and some additional pieces of information. However, with 3-D Secure, banks are responsible not only for authorising the transaction, but also for authenticating it.
This shifts the liability away from merchants, but at the same time gives them the responsibility to share more high quality data to issuing banks. Data simply matter more with 3-D Secure 2. As an example, merchants with a guest checkout option, as opposed to a customer account, can experience lower conversion because the issuing bank is more likely to challenge the transaction.
The issuing banks require merchants to supply 20 specific data points. Around 80 additional data points are optional. Providing these data points is relatively easy since the data will be collected from the customer with minimal interactions. But it is important for merchants to know which kinds of data they need to provide and which kinds they don’t.
Merchants can relatively easily provide customer information like name, email address, billing address and shipping address. Furthermore, contextual data like the age of the customer’s account, the last time the account was accessed or whether the password has been changed recently can be valuable information when authorising frictionless payments.
Payment Service Providers (PSPs) have access to much more data than the average merchant. So, cooperation between merchant and PSP when providing banks with data remains crucial. For example, data points like device type, browser type, browser language, screen size or timezone are incredibly useful in fraud prevention. It is thus important for PSPs to educate merchants on the benefits and drawbacks of certain data points.
How do I integrate with 3-D Secure 2?
3-D Secure 2 will soon be the primary authentication method for Payment Service Providers around the world. So, we aim to make it easy for everyone to implement it.
At 3Dsecure.io we take pride in providing a free sandbox environment for initial integration - and for live tests. In this environment, which is free of charge, you can test the product and make up your mind whether you want to go forward with our service.
Besides the free sandbox environment, there are a number of other advantages by choosing 3dsecure.io as your provider:
Updates and deployments are engineered to have no downtime for integrators.
The service is highly scalable and has been engineered to be redundant.
Our pricing is customised to fit every provider in the market.
Our 3-D Secure dashboard gives you insights into your 3-D Secure usage.
A devoted team is at your service to solve any question.
Sign up to 3-D Secure here.
Hungry for the technical specifications to integrate with 3-D Secure? Read the documentation.