What is 3DS2 (3D Secure 2.0)?

3D Secure 2.0 is an authentication protocol that aims to reduce fraud and enhance security for online card payments. 


As the number of online sales continues to increase, so too does the incidence of fraud. In 2023, eCommerce payment fraud losses amounted to US $48 billion globally, according to Statista.

It’s paramount for businesses to have the right fraud measures in place to help safeguard customer transactions and protect themselves against chargebacks. One such technology is 3D Secure 2.0 – a protocol designed to provide an additional security layer for online card payments worldwide. It’s especially important for merchants accepting payments in the EEA, Monaco and/or the UK, as it can be used to meet the Strong Customer Authentication (SCA) requirement set by the EU Payment Services Directive 2 (PSD2).

In this article, we’ll delve into what 3DS2 is, how it works, how it differs from 3D Secure 1 (3DS1) and how it can benefit your business’s transaction security.

What is 3DS2?

3DS2 (also known as Three-Domain Secure 2.0 or 3D Secure 2.0) is an authentication protocol that banks and financial institutions use to authenticate online transactions. Specifically, it involves the exchange of information between three domains (acquirer, card schemes and issuer) to authenticate an online payment. This introduces an extra level of security for transactions by requiring the issuer to verify the identity of the cardholder. It also provides greater security and usability than 3DS1 (we’ll explore this later on).


How does 3DS2 authentication work?

If 3DS2 is needed for a transaction, the transaction goes through an authentication flow that is based on the issuer’s requirements. There are two such flows:

  • Frictionless flow: This is a streamlined authentication process, where the customer is authenticated without any further inputs or actions needed on their end. 
  • Challenge flow: For this type of flow, a customer must provide additional information like an OTP in order for the transaction to take place. This tends to occur when a transaction is high-risk or when a customer’s transaction cannot be authenticated through a frictionless flow. Consumers may also be required to do this when they’ve consented to their payment details being used for subsequent purchases like recurring payments.

What is the purpose of 3DS2?

As mentioned previously, 3DS2 is a security protocol used across the world but is particularly relevant for online card payments made in the UK, Monaco and/or EEA. Specifically, it can be used to meet the PSD2’s mandatory SCA requirement and is utilised to authenticate any initial or one-off online card payments taking place in these regions.

For 3DS2, a combination of a minimum of two of the following authentication factors is required for a successful transaction:

  • Something the consumer knows: OTP, SMS code, PIN, password, security question, etc. 
  • Something the consumer owns: Credit or debit card, key fob, mobile device, wearable device, etc. 
  • Something the consumer is: Biometric data like a fingerprint, iris scan, facial or voice recognition. 

It should be noted that the above authentication factors should be independent such that if one factor is compromised, the reliability of the other factor remains intact. Moreover, the choice of factors to be used is dependent on the issuer, which can be determined using a Merchant Plugin (MPI).

A quick history of 3DS2 – how is it different to 3DS1?

As mentioned earlier, 3DS2 is the updated version of 3D Secure 1, which is no longer supported by card schemes and issuers. When Visa first introduced the protocol in the 90s, computers were the only available devices for online shopping. The first version was designed for desktop browser authentication, as smartphones were not prevalent at that time.

Additionally, some issuers required cardholders to enrol for the 3D Secure service by associating a static password with their payment card.

However, 3DS1 arrived with certain drawbacks. Consumers consistently dropped out of the payment flow, as 3DS1 lacked native in-app and mobile flows. Static passwords were hard to remember, causing friction as well as extra operational costs for issuers, because customers had to contact support to reset them. 3DS2 is an upgrade of the global standard for card authentication and addresses several pain points of 3DS1. This extra layer of protection also offers the merchant a full liability shift towards the issuer, which provides greater protection against chargebacks.

3D Secure authentication failure and what it means

A 3D Secure authentication failure typically means that the transaction cannot be processed and the customer is not charged. Here are the reasons why a 3D Secure authentication might fail:

  1. The shopper has entered the wrong 3D Secure details and failed authentication. During a 3D Secure transaction, the customer is redirected to a page controlled by the issuer to complete the required authentication, such as an OTP or by providing an approval through an authentication app. If the authentication fails due to incorrect details being entered, the transaction cannot be processed through the merchant’s account. 
  2. The customer’s issuer does not support 3D Secure authentication. Banks across territories may comply with other authentication protocols rather than 3D Secure. When 3D Secure authentication is applied by default for every transaction, the rule cannot differentiate between issuers that are a part of 3D Secure and those that are not. 
  3. There’s a technical issue with 3D Secure during the authentication process. There may be occasions when the 3D Secure protocol is not available, therefore the transaction cannot be authenticated and processed. 
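An added example (not emerchantpay’s code or API) of how a merchant back end might act on the outcomes described above: the frictionless flow, the challenge flow and the three failure reasons. The `transStatus` codes come from the EMV 3DS specification rather than from this article; the payload shape, `card_enrolled`, `enforce_3ds`, `challenged` and the action names are assumptions made for illustration.

```python
from enum import Enum


class Action(Enum):
    AUTHORISE = "authorise"                # send to authorisation with the 3DS result
    CHALLENGE = "challenge"                # hand the shopper to the issuer's challenge
    AUTHORISE_NO_3DS = "authorise_no_3ds"  # proceed unauthenticated (merchant policy)
    DECLINE = "decline"                    # stop: the customer is not charged
    RETRY_LATER = "retry_later"            # technical problem: nothing charged


def next_action(result, *, card_enrolled=True, enforce_3ds=True, challenged=False):
    """Map a 3DS2 authentication result to the merchant's next step, failing closed.

    result:        dict carrying `transStatus` (hypothetical gateway payload).
    card_enrolled: hypothetical lookup result; False when the issuer is not in 3DS.
    enforce_3ds:   True when the merchant's rule requires 3DS for this payment.
    challenged:    True when `result` follows a completed challenge.
    """
    if not card_enrolled:
        # Failure reason 2: the issuer does not support 3D Secure. A blanket
        # "3DS on everything" rule fails here; a per-payment rule can proceed.
        return Action.DECLINE if enforce_3ds else Action.AUTHORISE_NO_3DS

    status = (result or {}).get("transStatus")
    if status == "Y":
        return Action.AUTHORISE      # frictionless success, or challenge passed
    if status == "C" and not challenged:
        return Action.CHALLENGE      # issuer requires the challenge flow
    if status in ("N", "R"):
        return Action.DECLINE        # reason 1: authentication failed or rejected
    if status == "U":
        return Action.RETRY_LATER    # reason 3: authentication could not be performed
    # Missing or unrecognised status, or a second "C" after a challenge:
    # never treat anything that is not an explicit success as authenticated.
    return Action.DECLINE
```

Other status values defined by the specification fall through to the final `DECLINE` here; a production integration would handle each one explicitly according to the gateway’s documentation.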

What are the benefits of 3DS2?

3D Secure 2 is a powerful authentication protocol with several benefits for merchants and consumers. Better user experience and increased security are among the most prevalent advantages, along with other benefits listed below:

  • Increased fraud protection – Over 100 pieces of data are transmitted from the merchant to the issuer. This includes the merchant’s contextual data, which adds a further layer of fraud protection: issuers have more information to determine how risky the transaction is and whether it requires additional authentication.
  • Improved payment experience – It enables payments to be processed natively, without any redirects and supports non-browser payments, making the shopping experience more seamless.
  • Minimised friction – The whole authentication process becomes easier for consumers, including the use of biometrics or one-time passwords (OTPs) directly on the checkout page. With this level of convenience, merchants are better placed to increase their conversion rates and boost their profitability.
  • Improved chargeback management – Under 3DS2, the liability shifts from the merchant to the issuer, which means the merchant won’t be liable for any associated chargebacks.

How emerchantpay can help

emerchantpay supports the 3DS2 browser flow on our payments APIs, letting you apply 3D Secure to high-risk payments and protect your business from fraud. Businesses are advised to consult with their payment service provider and decide on the best strategy to implement 3DS2 as part of their SCA strategy.

Learn more about emerchantpay’s payments APIs to get started with 3DS2 or get in touch with our team to discuss your options.
