3D Secure 2: Stronger Authentication & Support for Mobile Customers
3D Secure authentication gives an extra layer of protection to card payment transactions. The initial version of 3DS, which was introduced in 1999, became known for its lowered conversion rates. With 3D Secure 2 (3DS2) that has changed for the better — it now comes with an improved, frictionless customer experience used widely by retailers.
What is 3D Secure?
The term 3D Secure refers to three domains — the three parties involved in the authentication process:
- The merchant/acquirer domain
- The issuing bank domain
- The interoperability domain (technology that processes the transactions).
The 3D Secure protocol provides an extra layer of security for online credit card transactions. Moreover, because the issuing bank verifies the cardholder, it protects merchants against fraudulent chargebacks.
It’s the primary authentication mechanism for card payment transactions. However, while it is effective in preventing fraud, the previous version, which used a static password, added friction to the checkout process. Poor customer experience, as you might expect, resulted in increased cart abandonment rates, which drained merchant revenues.
EMVCo and the major credit card schemes introduced 3DS2 in 2015, a new authentication version (the details of which you will find below), to address this issue. PSD2, the Second EU Payments Service Directive, requires Strong Customer Authentication (SCA), which 3DS2 supports.
The Benefits of 3D Secure
Even though the early 3D Secure versions could have been more user-friendly, the authentication benefits merchants and customers. Below are some of the main reasons why using 3D Secure to authenticate online and mobile transactions is worthwhile.
Fraud Prevention and Enhanced Security
The main advantage of 3D Secure is that it minimizes fraud risk in online credit card transactions. The extra security layer and secure transactions through SSL encryption mean fewer disputed transactions.
Strong Customer Authentication (SCA) Compliance Under PSD2
Strong Customer Authentication, a PSD2 requirement, requires businesses to use multilevel authentication to verify payments. 3DS2 is the primary solution to comply with the European SCA regulation.
Liability Shift
When a customer authenticates a payment with 3D Secure, the liability for fraud-related chargebacks on the transaction is shifted to the issuing bank. This protects merchants from fraudulent chargebacks.
Fewer Disputed Transactions
As 3DS aims to reduce fraud causes, it helps merchants decrease the number of disputed transactions, allowing them to achieve better sales results.
Greater Customer Satisfaction
When customers know that the payment process on a particular website is secure, they’re more likely to complete the transaction.
No Extra Costs
You won’t be charged additional fees for incorporating 3D Secure into your payment flow when you work with a reputable payment partner.
3D Secure 2: The Main Changes
As previously stated, the first version of 3D Secure could have been more user-friendly and had ongoing compatibility issues, particularly on mobile devices. The main differences between the first and second 3D Secure versions are:
- Stronger authentication — Static passwords are replaced with tokens and biometrics.
- Enhanced customer experience — The customer journey is more fluid, particularly with mobile applications.
- Better conversion — Reduced transactional friction aids in customer conversion.
- Support for mobile customers — Merchants can provide protection across multiple platforms.
- Management of exemptions — Strengthens frictionless experience (small amounts, trusted beneficiary, fraud rate monitoring, etc.).
Let’s delve a little deeper into the specifics of the significant changes.
Exemptions allow the issuer and merchant to decide whether to continue 3D Secure authentication steps based on additional data received at the time of the transaction. The transaction is screened for risk to alert the system to the need to activate other safeguards.
The risk-based elements that form the basis for this decision are the transaction value, transactional history, information about new or existing customers, behavioral history, and device information.
As a result, if the customer is new to the store and has no transactional history, the risk may be greater than if the user’s card is already in the system. In such cases, the merchant may decide that 3DS authentication is required, while 3D Secure can be bypassed for returning customers.
Frictionless Flow
Frictionless flow is the most significant improvement to the protocol, as the risk-based authentication performed in the access control server (ACS) makes the entire process more customer-friendly. ACS collects device data, information about the purchased item, and its value to screen the purchase for potential risks. If it’s set too low, the customer can be background authenticated without further verification. The process takes place behind the scenes, so genuine customers aren’t inconvenienced.
It’s beneficial for frequent customers because it means they don’t have to go through an extra authentication process, which was previously presented as annoying pop-up windows that required entering static passwords. It’s a win-win situation for issuers because they can approve a transaction without having to interact with the cardholder.
As you can see, the goal of this new method is to remove friction from the checkout process, which significantly improves the customer experience. What matters is that if the risk is high, the merchant’s platform will still require additional authentication, ensuring that security is never compromised. It’s a significant improvement on the original version, which left many customers feeling inconvenienced or even irritated when asked for further information. Now, only a small percentage of the highest-risk transactions will be handled by 3DS2.
Better UX on Mobile Devices
Less friction during online payments means a better customer experience, and mobile transactions are no exception. Merchants can natively integrate 3D Secure 2 authentication into their mobile applications thanks to an SDK (for iOS and Android).
This means that mobile customers get a more fluid journey without the friction with which they’ve struggled. The new 3D Secure version has a significantly improved design and is now fully compatible with in-app transactions. If the risk is indicated as low, the authentication process will be invisible to the cardholder, similar to the online process.
If the risk is deemed high, a customer will be verified in a more friendly manner, such as with biometric authentication (fingerprints or facial ID readers), enhanced one-time password (OTP: a text message with a temporary password), or out-of-band authentication (OOBA: authentication via mobile banking app).
Non-Payment Authentication
Non-payment authentication contributes to a safer customer environment while remaining compliant with PSD2 requirements. 3DS2 authentication can be used for more than just online transactions, allowing customers to be authenticated even if they don’t make a purchase, such as to validate their credit card.
Non-payment authentication is a 3DS2 feature that allows merchants to conduct authentication in the mobile application when the cardholder enters their information for later use. A user’s authenticity is verified by an issuing bank using a 3DS Server and a mobile SDK.
Higher Security Level
With 3DS2, static passwords are replaced by tokens and biometrics, and authentication occurs while the user is still on the merchant’s website or app. This means that both ecommerce shoppers and app users will have a much better checkout experience.
Richer data enables merchants to provide protection across multiple platforms, with each transaction sending ten times more data to issuers than the previous 3DS version. Device information, cardholder purchase data, fraud and chargeback data, and geolocation are just a few examples. This insight gives merchants a much better chance of determining whether a particular customer is a legitimate cardholder.
No Redirections
Redirections (also known as redirects) and strange-looking popup windows make users suspicious and less likely to complete transactions, resulting in checkout abandonment. Customers were also irritated by the extra steps and abandoned the purchase before making payment. The authentication process is now consistent with the merchant’s website or application, making the checkout flow appear more professional and increasing customer confidence.
Shift4 clients should already be familiar with 3DS2, as we have provided them with non-invasive 3D Secure, eliminating the need to redirect customers to another page to confirm their payment.
Faster Shopping
When the merchant’s platform only requires additional authentication if the risk is high, the shopping process becomes much faster, especially for returning customers.
It’s a well-known fact that slow page loading causes customer frustration, which can lead to checkout abandonment. By requiring authentication only for a small percentage of transactions, the user experience is greatly improved.
Most of the above benefits were available to Shift4 clients before the introduction of 3D Secure version 2, as we provided non-invasive 3D Secure solutions from the beginning.
Mobile 3DS2 SDK: Seamless Authentication Flow Embedded in Your App
Merchants must use an EMVCo certified 3D Secure 2 SDK to embed the authentication into the checkout so that it is automatically rendered for the device in use. Payment platforms’ native mobile SDKs provide merchants with many more options for payment authentication.
The ease of integration into the merchant’s system and the ability to customize the interface within the application allow online businesses to provide additional security across multiple platforms.
Because customer experience is at the forefront of sales, merchants can now offer 3D Secure benefits in their mobile applications, which gives them a chance to reach more people.
How Shift4 Can Help
In the context of SCA, 3D Secure version 2 is significant because it extends frictionless authentication to multiple platforms, including mobile environments. The combination of frictionless flow and faster and more secure payments reduces cart abandonment rates and ensures a better user experience.
Shift4 offers EMVCo-certified mobile 3DS2 SDK, providing numerous benefits to you and your customers. Frictionless flow, an excellent user experience, and heightened security measures let you offer convenient payments that match the complex regulations of PSD2. Besides improving your sales performance, Shift4 can help you to reduce fraud and get the most out of all 3D Secure benefits.