Technology evolves rapidly year by year, and payments are no exception. The updated 3D Secure 2.0 protocol is already taking online security to a whole new level. The protocol provides an opportunity to establish a secure real-time data exchange channel. Adopting this technology allows more accurate authentication of the online shopper and faster payments (since not every transaction will require authentication with a password). Let’s see how the 3DS-2 transition is affecting businesses.
What is 3D Secure?
3D Secure is a security protocol developed in 1999 and aimed at preventing fraudulent use of credit cards by authenticating cardholders in transactions that do not require the physical presence of a card (card-not-present, or CNP, transactions). “3D” stands for the three domains in which the protocol operates:
- Issuer’s domain (the domain of the bank that issued the card),
- Acquirer’s domain (the domain of the seller and of the bank to which the money is transferred),
- Compatibility domain (the domain provided by the 3D Secure payment protocol support system).
The protocol was developed and managed by EMVCo, an organization jointly owned by major brands Visa, Mastercard, American Express, Discover, JCB, and UnionPay.
The first version of 3D Secure was designed to increase consumer confidence in online payments, which has contributed to the growth of eCommerce.
To protect buyers from fraudulent transactions, 3D Secure adds another authentication step for online payments, which lets merchants and banks additionally verify the identity of the cardholder making the payment. When using 3D Secure 1, the system displays a pop-up window or an embedded form, requiring the user to enter a password so that the bank can authenticate the user. However, the identity of the entity that generates the pop-up window cannot be authenticated.
How Does 3DS-1 Impact Businesses?
For businesses, the benefits of 3D Secure are obvious: requesting additional information provides an additional level of protection against fraud, ensuring that you accept card payments only from trusted customers.
Also, when 3D Secure is used, the so-called “Liability Shift” occurs, in which the responsibility for fraud passes from the seller to the card issuer. Thus, if 3D Secure is not applied, then when the cardholder disputes a fraudulent transaction:
- The seller (merchant) is responsible for the transaction.
- The seller (merchant) must refund the buyer (chargeback).
But, if the vendor implements 3D Secure, responsibility for fraudulent transactions passes to the issuer (the bank that issued the card).
What’s the Difference Between 3D Secure 1.0 and 3D Secure 2.0?
20 years have passed since the development of 3D Secure 1. Although the payment industry in most countries accepted this authentication method pretty well, it was recognized that a new protocol was needed to meet current and future market requirements, including the growing share of smartphones in eCommerce payments and the wide spread of digital wallets.
In addition, it was noted that the use of 3D Secure 1 has some disadvantages.
Is 3DS-1 a Conversion Killer?
The additional step needed to complete the payment complicates placing an order and may lead the customer to abandon the purchase.
A number of banks still require their cardholders to create and remember their own static passwords to complete 3D Secure verification. These passwords are easy to forget, which also raises the probability of an abandoned purchase.
The negative impact on user experience (UX) is especially noticeable in mobile applications. When Visa first introduced the 3D Secure standard, personal computers were the only means available to consumers to shop online. On mobile devices, using 3D Secure can redirect clients from their own application to the bank’s website, which is not optimized for mobile devices.
What Are the Gains Acquired with 3DS-2?
Taking into account the main pain points of 3D Secure, EMVCo recently released a new improved version of the protocol. EMV 3-D Secure (3D Secure 2 or 3DS-2) addresses many of the shortcomings of 3D Secure 1 and provides the following key benefits:
1. Device & Gateway Responsiveness.
It provides a more consistent user interface, including payments made from the mobile phone browser, payments via applications and payments through a digital wallet.
2. Improved User Experience.
It gives merchants an opportunity to better integrate authentication into the purchasing process, providing cardholders with fast, easy and convenient authentication and a high level of security. Unlike static passwords, 3D Secure 2 uses dynamic authentication methods such as biometrics and token-based authentication.
Also, 3D Secure 2 will allow companies to embed a request exchange directly into their web and mobile payment flows – without the need for any redirects. It will no longer require customers to switch to another interface to complete the transaction.
3. Enhanced Data Exchange to Tighten Fraud and Reduce Friction
3D Secure 2 will allow companies and their payment providers to safely send more than 100 payment-related data elements, such as a delivery address, client device ID or a history of previous transactions, to the cardholder’s bank.
Banks can use this information to assess the risk level of the transaction. If the risk is low enough, the issuing bank will not ask for additional verification from the cardholder. This eliminates the manual verification step that was always required from cardholders in 3D Secure 1.
When Will Payment Systems Support 3D Secure 2.0?
It is likely that wide implementation of the technology will be gradual and take several months. For example, the Visa 3DS 2.0 platform is now available and ready to handle 3DS-2 authentication requests. To give stakeholders enough time to implement 3DS-2, the full set of program rules will not take effect until the program activation dates indicated below:
- April 2019: Activation date for Europe.
- August 2019: Activation date for Canada, Latin America, and the United States.
- April 2020: Activation date for the Asia Pacific and the Middle East and Africa.
It is also assumed that 3D Secure 1 and 3D Secure 2 will coexist at least until 2020.
For European businesses, a new regulation known as Strong Customer Authentication (SCA) enters into force on September 14, 2019. It will apply to online payments in the European Economic Area (EEA). 3D Secure 2 will be the primary method for adhering to SCA card payment requirements.
What Does Simtech Development Do For CS-Cart Store Owners?
For CS-Cart stores with the Apple and Google Pay Payment Gateway and Stripe Payment Gateway plugins enabled, we updated the functionality to make them compliant with SCA rules and 3DS-2. All the appropriate changes have been successfully released.