The surge in eCommerce and online shopping has brought a rise in fraud with it: payment fraud on eCommerce platforms was estimated at USD 41 billion in 2022 and projected to reach USD 48 billion in 2023. Losses on that scale require strong security controls so that merchants can give their customers a secure payment experience. 3DS, or 3D Secure, is one notable measure that helps merchants achieve this.
In this blog, we'll discuss what 3D Secure is, how it has been updated over the years, how it makes online payments more secure, and what benefits it brings to online merchants. Read on if you want to learn about 3DS and related terms such as SCA and PSD2.
What Is 3D Secure?
3D Secure, or 3DS, is an authentication protocol developed by Arcot Systems (later acquired by CA Technologies) for Visa in 1999, during the early days of eCommerce. Its primary goal is to add a layer of cardholder authentication and reduce the risk of fraud in card-not-present (CNP) transactions, where the merchant cannot inspect the physical card.
3DS is based on a three-domain model, hence the name 3D Secure. Each domain represents one of the parties to the authentication:
- Acquirer Domain: the merchant and its acquiring bank, including the merchant's 3DS component (the merchant plug-in in 3DS 1.0, the 3DS Server in 3DS 2.0).
- Issuer Domain: the bank that issued the card to the customer, including its Access Control Server (ACS), which performs the actual authentication.
- Interoperability Domain: the card network's infrastructure (the Directory Server) that routes messages between the other two domains.
3DS 1.0 was adopted by the card brands from 2001, branded Verified by Visa and Mastercard SecureCode (Mastercard Identity Check is the later 3DS 2.0 brand). Over the years, 3DS became popular because it let merchants process transactions more securely and, more importantly, shifted liability for fraud chargebacks to the issuer.
While 3DS offered benefits such as secure transactions, reduced fraud, and a liability shift towards the card issuer, it also brought several downsides.
Issuers received very little transaction data (around 15 elements), so they played it safe and declined too many transactions. Merchants had no visibility into why, which stopped them from improving the checkout. The redirect to an issuer-hosted password page made the checkout experience clumsy, increased cart abandonment, and worked poorly in mobile browsers.
Then came the 3D Secure Authentication 2.0. Let's learn what it is.
What is 3D Secure Authentication 2.0?
3DS 2.0, or 3D Secure authentication 2.0, is the EMVCo-specified successor to 3DS 1.0, rolled out by the card networks from 2018. It addresses the main limitations of the original protocol.
For instance, with 3DS 2.0 users can authenticate with a one-time passcode, a push approval in their banking app, or biometrics, rather than a static password. Native SDKs for mobile apps and an in-page flow for browsers give a consistent experience across devices.
For merchants, 3DS 2.0 keeps the liability shift to the issuer for fraud-related chargebacks on authenticated transactions. In addition, from version 3DS 2.1 the merchant can send the issuer more than 100 data elements (device, account and transaction details) to support risk-based authentication.
How do 3DS and 3DS 2.0 Authentication Work?
3DS 1.0 Flow
Here's how a typical transaction proceeds via 3DS 1.0:
- The customer visits a merchant's website and enters their payment information.
- The merchant's 3DS component (the merchant plug-in, MPI) sends a verify-enrolment request through the card network's Directory Server to the issuer.
- The issuer checks whether the card is enrolled in 3D Secure.
- If the card is enrolled, the response tells the merchant so and carries the URL of the issuer's Access Control Server (ACS).
- If the card is not enrolled, the merchant receives that response instead and decides whether to continue without 3D Secure authentication (forgoing the liability shift) or stop the transaction.
- The merchant redirects the customer to the issuer's ACS at that URL, usually in a pop-up or iframe, where the customer verifies their identity, typically with a static password or security question. This redirect was a weak point: customers were trained to enter a password into an issuer page they had no easy way to verify.
- On successful verification, the ACS returns a signed authentication result to the merchant and the customer is redirected back to the merchant's website, completing the payment flow.
3DS 2.0 Flow
Here's how a typical transaction proceeds via 3DS 2.0:
- A customer visits a merchant's website and enters their card details.
- The merchant's payment gateway sends the transaction data and 3DS 2.0 verification request to the customer's issuing bank.
- The issuing bank (via the Directory Server's card-range lookup) determines whether the card supports 3DS 1.0 or 3DS 2.0.
- If the card only supports 3DS 1.0, the 3DS 1.0 workflow explained above is used.
- If the card supports 3DS 2.0, the issuer runs the 3DS 2.0 authentication flow described below.
- If the card is not enrolled at all, the merchant decides whether to process the transaction without authentication.
- The issuer's ACS risk-scores the transaction in the background using the data elements the merchant supplied (device, account history, billing and shipping addresses, amount). If the risk is low, the transaction is authenticated frictionlessly, with no customer interaction.
- If the risk is high, or the issuer is obliged to apply SCA, the ACS initiates a challenge: the cardholder confirms with a one-time passcode, a banking-app approval or biometrics (3DS 1.0 relied on a static password or security question here).
- The authentication result is returned to the merchant, which then sends the authorization, and the cardholder sees the confirmation on the merchant's website.
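The exchange described above, as an added example that is not code from the page or from inai: a toy issuer-side ACS risk-scores an authentication request, returns a frictionless result or demands a challenge, and the merchant then decides whether the outcome carries the liability shift and which ECI value goes into the authorization. Message and field names (AReq, ARes, transStatus, acsTransID, authenticationValue, ECI) follow the EMVCo 3DS 2 specification; the risk rules, thresholds and sample data are constructed.

```python
"""Toy walk-through of a 3DS 2.0 exchange: AReq -> ARes, an optional
challenge round, then the merchant's authorization decision.

Added example, not code from the page or from inai. EMVCo names are used
for messages and fields; risk model, thresholds and data are constructed."""

import base64
import hmac
import secrets
import uuid
from dataclasses import dataclass


@dataclass
class AReq:
    """Constructed subset of the 100+ data elements in a real AReq."""
    three_ds_server_trans_id: str
    purchase_amount: int          # minor units: 4999 == EUR 49.99
    purchase_currency: str
    device_channel: str           # EMVCo values: "01" app SDK, "02" browser
    account_age_days: int
    bill_ship_addr_match: bool
    ip_country: str
    bill_addr_country: str
    prior_failed_auths: int


# Electronic Commerce Indicator the networks attach to each outcome.
ECI = {
    "Y": {"visa": "05", "mastercard": "02"},   # fully authenticated
    "A": {"visa": "06", "mastercard": "01"},   # authentication attempted
    "N": {"visa": "07", "mastercard": "00"},   # not authenticated
}


def _cavv():
    """Stand-in for the 20-byte authenticationValue (CAVV/AAV) the ACS issues."""
    return base64.b64encode(secrets.token_bytes(20)).decode()


class ToyACS:
    """Issuer-side Access Control Server with a constructed risk model."""

    CHALLENGE_THRESHOLD = 40
    MAX_OTP_TRIES = 3

    def __init__(self):
        self._pending = {}   # acsTransID -> (otp, failed tries)

    def score(self, req):
        s = 0
        if req.purchase_amount > 25_000:
            s += 30
        if not req.bill_ship_addr_match:
            s += 20
        if req.ip_country != req.bill_addr_country:
            s += 25
        if req.account_age_days < 30:
            s += 15
        return s + 10 * req.prior_failed_auths

    def authenticate(self, req):
        """Return the ARes: 'Y' (frictionless) or 'C' (challenge required)."""
        acs_trans_id = str(uuid.uuid4())
        if self.score(req) < self.CHALLENGE_THRESHOLD:
            return {"messageType": "ARes", "acsTransID": acs_trans_id,
                    "transStatus": "Y", "authenticationValue": _cavv()}
        otp = f"{secrets.randbelow(1_000_000):06d}"
        self._pending[acs_trans_id] = (otp, 0)
        # A real ACS delivers the OTP out of band (SMS or app push); the
        # simulation hands it to the caller so the cardholder can be scripted.
        return {"messageType": "ARes", "acsTransID": acs_trans_id,
                "transStatus": "C", "_otp_sent_to_cardholder": otp}

    def challenge(self, acs_trans_id, entered_otp):
        """One CReq/CRes round. 'C' means try again, 'Y'/'N' are final."""
        otp, tries = self._pending[acs_trans_id]
        if hmac.compare_digest(otp, entered_otp):
            del self._pending[acs_trans_id]
            return {"transStatus": "Y", "authenticationValue": _cavv()}
        tries += 1
        if tries >= self.MAX_OTP_TRIES:
            del self._pending[acs_trans_id]
            return {"transStatus": "N"}
        self._pending[acs_trans_id] = (otp, tries)
        return {"transStatus": "C"}


def merchant_decision(final, network="visa"):
    """'Y' and 'A' carry the fraud-liability shift and go to authorization
    with ECI and CAVV; 'N' (failed), 'R' (rejected), 'U' (unavailable) do not."""
    status = final["transStatus"]
    if status in ("Y", "A"):
        return {"authorize": True, "liability_shift": True,
                "eci": ECI[status][network],
                "cavv": final.get("authenticationValue")}
    return {"authorize": False, "liability_shift": False,
            "eci": ECI["N"][network], "cavv": None}


def run_flow(acs, req, cardholder, network="visa"):
    """Drive the exchange end to end. `cardholder` is a callable that gets
    the OTP the ACS sent and returns what the customer actually types."""
    ares = acs.authenticate(req)
    final = ares
    while final["transStatus"] == "C":
        final = acs.challenge(ares["acsTransID"],
                              cardholder(ares["_otp_sent_to_cardholder"]))
    decision = merchant_decision(final, network)
    decision["frictionless"] = ares["transStatus"] == "Y"
    return decision


if __name__ == "__main__":
    acs = ToyACS()
    low_risk = AReq("t-1", 4_999, "EUR", "02", 400, True, "DE", "DE", 0)
    high_risk = AReq("t-2", 60_000, "EUR", "02", 5, False, "NG", "DE", 0)
    print(run_flow(acs, low_risk, lambda otp: otp))    # frictionless, ECI 05
    print(run_flow(acs, high_risk, lambda otp: otp))   # challenged, ECI 05
```

The point for a merchant integrator is the last function: only a final transStatus of Y (or A) should be passed to authorization with the ECI and CAVV, because that pair is what moves fraud liability to the issuer; an N or U result sent to authorization anyway is an ordinary CNP transaction with the merchant still liable.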
Difference Between 3DS 1.0 and 3DS 2.0
Here's how 3DS 1.0 differs from 3DS 2.0:
| 3D Secure 1.0 | 3D Secure 2.0 |
|---|---|
| The cardholder enters a static password. | Dynamic factors: one-time passcodes, banking-app approval or biometrics. |
| Designed for desktop web browsers. | Works in browsers and natively in mobile apps (via an SDK). |
| Every transaction is challenged (friction in 100% of transactions). | Up to 95% of transactions can be authenticated frictionlessly. |
| Only about 15 data elements reach the issuer. | More than 100 data elements can be shared with the issuer. |
| Suited mainly to domestic transactions. | Supports both domestic and international transactions. |
| Clumsy, redirect-based experience. | Seamless, in-flow customer experience. |
| Higher rates of issuer declines and cart abandonment. | Lower rates of decline and abandonment. |
| Not sufficient on its own for PSD2 SCA compliance. | Designed to meet PSD2 SCA requirements. |
Why Should Merchants Care About 3D Secure Payments?
3D Secure payments bring substantial benefits both for the customers and merchants, such as:
1. An Additional Layer of Security
3DS authentication adds an extra layer of security to the payment: it helps ensure that merchants only process payments approved by the genuine cardholder, not by someone who merely holds stolen card details.
In addition, merchants can send the issuer numerous data points, which lets the issuer assess the risk of each transaction better and thus improves security without challenging every customer.
2. Consistent Customer Experience
Unlike 3DS 1.0, the 3DS 2.0 protocol supports and works well across all devices. Also, the loading speed is better, and the interface is more seamless than ever. All this amounts to a more consistent customer experience, as customers can shop from any device securely.
3. Increased Brand Loyalty
3DS 2.0 protocol safeguards and securely processes customer payment information, minimizing data theft or fraud risk. This level of security offers customers relief when shopping from your brand, translating to lower cart abandonment and increased brand loyalty.
4. Chargeback Liability Shift (From Merchants to Issuers)
Traditionally, when a fraudulent transaction was charged back, the merchant bore the loss and the chargeback fee and had to handle the dispute. With 3DS, liability for fraud-related chargebacks on successfully authenticated transactions shifts to the issuer. Note that the shift covers fraud disputes only, not non-fraud disputes such as "item not received", and it does not apply when the merchant proceeds without authentication or requests an exemption.
5. Enhanced Compliance
PSD2 has strong customer authentication (SCA) requirements that apply to customer-initiated electronic payments in its scope. 3DS 2.0 is the standard mechanism for performing SCA on card payments: a successful 3DS 2.0 challenge provides the two independent factors the regulation demands, and the same protocol is used to request the exemptions PSD2 allows. Implementing 3DS 2.0 is therefore the practical route to compliance for a card-accepting merchant; it is not automatic if transactions are processed without authentication.
6. Increased Authorization Rates
3DS 2.0 allows merchants to access and share more data points with the issuer. This enables the issuer to assess the risk better, approve more transactions, and avoid false positives.
7. Faster Transaction Time
Opting for 3DS 2.0 can make transactions substantially faster; figures of up to 85% faster than 3DS 1.0 have been reported.
8. Fewer Abandoned Carts
If the payment process is faster and fewer steps are involved, customers are more likely to complete purchases and abandon fewer carts. This will help reduce the cart abandonment rate and improve sales.
What's up With the 3DS Update?
The 3DS protocol has been updated over time, and each update has made it more capable. Here is the sequence:
- 3DS 1.0 – The initial version, designed for purchases from desktop web browsers. Cardholders had to enrol and then authenticated with a static password.
- 3DS 2.0 – Specified by EMVCo, this version adds an SDK for native mobile integration and supports stronger, dynamic authentication methods such as biometrics and one-time passcodes, so payments can be both frictionless and safe.
- 3DS 2.1 – The baseline version the card networks rolled out. Merchants can send about 100 data elements to the issuer, a large jump from the roughly 15 of 3DS 1.0, so the issuer can authenticate using a risk-based approach.
- 3DS 2.2 – Adds fields for the merchant (via the acquirer) to request PSD2 SCA exemptions from the issuer, support for delegated authentication by a third party such as a wallet or the merchant itself, and decoupled authentication, in which the cardholder authenticates outside the checkout flow (for example in their banking app).
What Is the Revised Payment Services Directive (PSD2)?
The Revised Payment Services Directive, popularly known as PSD2, is a European Union directive designed to make online payments more secure and to create an integrated payments market in Europe. It replaces the original Payment Services Directive (PSD1), adopted in 2007; PSD2 was adopted in 2015, and its SCA requirements have been enforced across the EEA since 2021.
According to the European Commission, PSD2 provides the legal foundation for safer and more innovative payment services across the EU. It also aims to make cross-border payments as efficient, easy, and secure as payments within a single member state.
What Is Strong Customer Authentication (SCA)?
Strong customer authentication (SCA) is a requirement of PSD2 that mandates multi-factor authentication for customer-initiated electronic payments. To comply, the payment service provider (PSP) must verify the customer with at least two independent elements from these three categories:
- Knowledge: something only the customer knows, such as a password or PIN.
- Possession: something only the customer has, such as a registered phone or card.
- Inherence: something the customer is, such as a fingerprint or face.
The elements must be independent, so that compromising one does not compromise the others. In addition, the PSD2 regulatory technical standards require PSPs to run transaction monitoring that takes at least the following risk factors into account:
- Compromised or stolen authentication elements
- The amount of each transaction
- Known fraud scenarios
- Signs of malware infection in the session
- Where the PSP provides the access device or software, a log of its use
Here are some Strong Customer Authentication (SCA) FAQs to deepen your understanding of the subject.
1. Is SCA Required Everywhere?
SCA is mandatory across the European Economic Area (EEA) and in the UK, which kept the requirement after leaving the EU. Elsewhere it is optional.
2. What Are the Risks of SCA/PSD2 Non-Compliance?
Where SCA is mandatory, non-compliant transactions are declined by issuers (typically as a soft decline asking for authentication), which means lower authorization rates, more cart abandonment and, eventually, lost revenue. Liability for fraud chargebacks stays with the merchant, and the PSP can face regulatory penalties.
3. Are there any other types of SCA Besides 3DS 2.0?
3DS 2.0 is the most common way to authenticate card payments and comply with PSD2's SCA requirement, but it is not the only one. Digital wallets such as Google Pay and Apple Pay perform SCA on the device: unlocking the wallet with a biometric or device passcode combines possession of the enrolled device with an inherence or knowledge factor.
4. Which transactions Require Strong Customer Authentication (SCA)?
SCA applies to electronic transactions initiated by the customer: most online bank transfers and card payments require it. Merchant-initiated transactions, such as subsequent recurring payments under a mandate the customer set up with SCA, do not.
Read along to learn more about the payments that don't need SCA.
5. What Transactions don't require SCA Authentication?
The PSD2 regulatory technical standards define exemptions under which SCA need not be performed. A merchant can request most of them in the 3DS 2.0 authentication request (or flag them directly in the authorization), but the issuer makes the final decision and can soft-decline and demand a challenge:
- Contactless Payments: exempt if the amount is at most €50, provided the cumulative amount of contactless payments since the cardholder last performed SCA does not exceed €150 or the number of consecutive contactless payments does not exceed five.
- Unattended Parking and Transport Terminals: no authentication is required at unattended terminals for transport fares or parking fees.
- Trusted Beneficiaries: if the payer has added the merchant to a trusted-beneficiary list held by their issuer, subsequent payments can skip authentication.
- Recurring Transactions: a series of payments of the same amount to the same payee is exempt after the first one, which requires SCA.
- Low-Value Remote Transactions: exempt if the amount is at most €30 and the cumulative amount since the last SCA does not exceed €100 or the number of consecutive exempted transactions does not exceed five.
- Secure Corporate Payments: exempt when made through dedicated corporate payment processes and protocols that the regulator accepts as equally secure.
Note that an exemption the merchant requests (for example low value) keeps fraud liability with the merchant; only a successful challenge moves it to the issuer.
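The exemption rules above as decision logic, written as an added example that is not code from the page or from inai. It picks the exemption a merchant would request for a given transaction, records who carries fraud liability under that choice, and shows the fallback when the issuer refuses the exemption with a soft decline. The EUR thresholds are those of the PSD2 RTS; the €100 cumulative limit for remote low-value payments comes from RTS Article 16 and is not stated on the page. The transaction records and counters are constructed.

```python
"""SCA exemption selection and the follow-up when the issuer disagrees.

Added example, not code from the page or from inai. Thresholds are the
PSD2 RTS figures in EUR cents; the EUR 100 remote cumulative limit is from
RTS Article 16 (not on the page). Transactions and counters are constructed."""

from dataclasses import dataclass, replace


@dataclass
class Transaction:
    amount_cents: int
    channel: str                       # "remote", "contactless", "unattended_terminal"
    initiated_by: str = "customer"     # "customer" or "merchant"
    trusted_beneficiary: bool = False  # payer listed the merchant with their issuer
    secure_corporate: bool = False
    recurring_follow_up: bool = False  # same amount, same payee, mandate set up with SCA


@dataclass(frozen=True)
class Counters:
    """Cumulative amount and count of exempted payments since the cardholder
    last performed SCA, kept per channel. The issuer holds the authoritative
    copy; a merchant's copy is an estimate, so the issuer may still refuse."""
    cumulative_cents: int = 0
    count: int = 0


REMOTE_LIMIT, REMOTE_CUMULATIVE = 3_000, 10_000            # EUR 30 / EUR 100
CONTACTLESS_LIMIT, CONTACTLESS_CUMULATIVE = 5_000, 15_000  # EUR 50 / EUR 150
MAX_CONSECUTIVE = 5


def sca_decision(txn, counters):
    """Return (outcome, reason): outcome is 'out_of_scope', 'exempt' or
    'sca_required'. Rules are checked in the order a merchant would try them."""
    if txn.initiated_by == "merchant":
        return "out_of_scope", "merchant_initiated"   # the mandate needed SCA once
    if txn.channel == "unattended_terminal":
        return "exempt", "transport_or_parking_terminal"
    if txn.trusted_beneficiary:
        return "exempt", "trusted_beneficiary"
    if txn.secure_corporate:
        return "exempt", "secure_corporate_payment"
    if txn.recurring_follow_up:
        return "exempt", "recurring_same_amount_same_payee"
    limits = {"remote": (REMOTE_LIMIT, REMOTE_CUMULATIVE),
              "contactless": (CONTACTLESS_LIMIT, CONTACTLESS_CUMULATIVE)}
    if txn.channel not in limits:
        return "sca_required", "unknown_channel"
    per_txn, cumulative = limits[txn.channel]
    within_velocity = (counters.cumulative_cents + txn.amount_cents <= cumulative
                       or counters.count < MAX_CONSECUTIVE)
    if txn.amount_cents <= per_txn and within_velocity:
        return "exempt", f"{txn.channel}_low_value"
    return "sca_required", f"{txn.channel}_over_limit"


def fraud_liability(outcome, reason):
    """Who eats a fraud chargeback. A merchant-requested exemption keeps the
    liability with the merchant; a successful challenge moves it to the issuer."""
    if outcome == "sca_required":
        return "issuer_after_successful_challenge"
    if reason == "remote_low_value":
        return "merchant"
    if reason == "trusted_beneficiary":
        return "issuer"
    return "per_scheme_rules"


def after_issuer_response(decision, soft_declined):
    """If the issuer refuses the exemption with a soft decline, retry the
    same payment through a 3DS 2.0 challenge instead of losing the sale."""
    if decision[0] == "exempt" and soft_declined:
        return "sca_required", "issuer_refused_exemption"
    return decision


def update_counters(counters, txn, outcome):
    """Merchant-side estimate of the issuer's per-channel counters:
    exempted payments accumulate, a completed SCA resets them."""
    if outcome == "exempt":
        return replace(counters,
                       cumulative_cents=counters.cumulative_cents + txn.amount_cents,
                       count=counters.count + 1)
    if outcome == "sca_required":
        return Counters()
    return counters


if __name__ == "__main__":
    t = Transaction(2_500, "remote")
    d = sca_decision(t, Counters(9_000, 3))          # ('exempt', 'remote_low_value')
    print(d, fraud_liability(*d))
    print(after_issuer_response(d, soft_declined=True))
```

Two things the code makes explicit that the list does not: the velocity condition is an "or" (either the cumulative amount or the count keeps the exemption alive), and the merchant never knows the issuer's real counters, so every exemption request needs a path back to a challenge when the issuer soft-declines.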
Let's Unfold the Relationship between SCA, PSD2, and 3DS 2.0
PSD2 is a European Union directive to make online payments more secure. It includes the strong customer authentication (SCA) requirement, which mandates multi-factor authentication for customer-initiated electronic payments.
3DS 2.0 is the protocol through which card payments perform SCA: a successful 3DS 2.0 challenge satisfies PSD2's two-factor requirement, and 3DS 2.0 is also the channel for requesting the exemptions PSD2 allows. Adding 3DS 2.0 to the payment workflow is therefore the practical way for a card-accepting business to comply.
What Are the Benefits of Implementing SCA?
Implementing SCA makes you PSD2 compliant and brings the following benefits:
Enhanced Security
SCA adds an additional layer of security by authenticating customers. This helps ensure the payers are who they claim to be, thus preventing fraud.
Better Conversion Rates
The payment flow becomes more seamless when merchants comply with SCA via 3DS 2.0 or other methods. When the payment flow is free of hurdles, it improves the customer experience and reduces cart abandonment.
Fewer Chargebacks
With SCA in place, using stolen card details to commit fraud becomes much harder, which reduces the number of chargebacks.
Improved Customer Confidence
Complying with SCA means better security and reduced fraud. This translates to more confident customers who remain loyal to your business.
What are the Various Factors that Increase Customer Drop off Rate?
The 3DS 1.0 has several disadvantages as well that lead to customers dropping off, such as:
- Lack of flexibility: Merchants had to put every transaction on an enrolled card through 3DS, even low-risk ones they would rather have waved through. This added unnecessary steps to the checkout and led to drop-offs.
- Poor implementation: Implementing the redirect flow correctly was challenging for merchants, and missed steps led to failed transactions, a worse customer experience and drop-offs.
- Checkout flow limited to a web browser: 3DS 1.0 was created for desktop web browsers, so merchants could not offer a uniform experience across devices, especially on mobile phones, which matter most today.
- Liability shift: While liability shifted from the merchant to the issuer, it was not as beneficial as it seems. Issuers, seeing very little transaction data, played it safe and declined transactions more frequently, which led to drop-offs.
How can Merchants Handle 3DS Drop-off?
Improve your online payment system by adopting the 3DS 2.0 protocol. It lets the merchant signal its preference for each transaction (request an exemption, or ask for a challenge when it wants the liability shift), with the issuer making the final call. It works across devices and carries far more data to the issuer, which means fewer declines and, eventually, lower drop-offs.
How can inai Help you with Compliance and Optimize the Payments Experience for your Customers?
inai is a payment aggregator that can help you with end-to-end payment management. Our platform connects you with 30+ payment gateways and 300+ payment methods, allowing you to expand your business and boost your customer experience (as you can offer customers their favorite payment methods).
Here’s how inai can help enhance the payment experience for your customers:
1. Delegated Authentication
Using inai, merchants can integrate with payment gateways that support delegated 3rd party authentication. This way, merchants can offer a friction-free authentication experience to customers, access the entire transaction data and stay compliant with SCA without having to worry about authentication.
2. Optimization of Exemption Rules
If the customer has to follow authentication steps each time they make a purchase, it can ruin the customer experience, leading to cart abandonments.
However, with inai, you can analyze transaction data and identify high and low-risk customers based on different factors. You can then whitelist low-risk customers and process their transactions without authentication (exemption). This will help ensure you stay compliant and reduce the hiccups for customers when making payments.
Moreover, you can determine how exemption rules are impacting your authorization rates and act accordingly.
3. Switching Acquirers and Leveraging 3rd Party 3DS Vendors
Merchants get the ability to choose the most reliable acquirer for every transaction. The more transactions merchants process through an acquirer, the better the relationship gets, which further improves the transaction authorization rate.
As stated above, merchants can also leverage 3rd party 3DS vendors for authentication. In addition to taking the authentication load off the merchant’s shoulders, 3rd party vendors also improve payment security and fraud prevention.
4. Managing Retries
Not having a reliable retry mechanism might lead to customers abandoning carts after a transaction fails to go through. However, with inai, you can implement retry mechanisms based on response messages and error codes. You can further set a threshold for maximum retries to ensure better authorization rates.
5. Payment Routing
Yet another benefit of inai is intelligent payment routing. Using this feature, you can route every transaction based on parameters such as success rate, transaction fee, 3DS enabled, etc. This way, merchants can ensure every transaction goes through the best possible PSP and offer 24/7 uptime for customers.
Now that you know what 3DS is and what its upgraded version 3DS 2.0 brings, it is worth implementing in your business. While the protocol is not mandated across the globe, its benefits apply everywhere.
So even if you do not operate within the European Economic Area (EEA) or the UK, you should still integrate 3DS 2.0. Doing so helps secure online payments, shifts fraud chargeback liability to issuers, reduces cart abandonment, creates a seamless payment workflow, and delivers a better customer experience.
Anta Pattabiraman is the co-founder and CEO of Inai, a global payment stack simplifying native payments within a single integration. Over the last 5 years, he has worked with 200+ businesses ranging from SMEs to Bigtechs.