The development of 3DS 2 originates from PSD2 and the mandate for secure transactions. PSD2 requires customer initiated transactions (e-Commerce) to support Strong Customer Authentication (SCA). The aim for SCA is to provide more secure and customer friendly authentication to card based transactions. SCA is defined as the authentication of your customers through at least two out of the following three factors:
- something only your customer knows (e.g., password or PIN)
- something only your customer possesses (e.g., mobile phone, token)
- something your customer is (biometrics, e.g., fingerprint, facial, iris or eye vein)
To accommodate these new mandates the industry has developed a new version of the 3D Secure protocol: 3DS 2
3DS 1.0
3DS 1.0 already uses the principle of Two-Factor Authentication whereby your customer has to authenticate with an extra step. With 3DS 1.0, cardholders had to create and remember their own static passwords and that had some drawbacks. Many transactions are abandoned by the customer because they do not know their password, or are prompted to enroll during checkout. 3DS 1.0 was only designed for cardholder authentication by standard web browsers and it was not optimized for mobile devices. The current 3DS 1.0 was originally designed to be used for web browsers whereas 3DS 2 is also designed to be used on mobile phones, in-app payments and for other devices.
3DS 2
3DS 2 will use even more factors to authenticate cardholders based on the three factors above, and it does so by using ‘enriched data’. Compared to 3DS 1.0 there is at least 10 times more data and over 130 elements are collected on each transaction and send by your PSP to the cardholder’s bank. This data includes information and behavior of your customer; name, addresses (email, shipping), telephone numbers, web browser, device used, purchase count, etc.
Not all data fields are mandatory, but the more information is shared, the easier it is for the cardholders bank to identify your customer and approve the transaction. The expectation is that in many cases the issuing bank will decide that the provided information is already enough and that no SCA session is required. We call this the frictionless flow.
And although 3DS 2 seems to be more complicated, it is designed for a more frictionless experience at the checkout. Especially the use of biometrics will drive conversion and approval rates up. The use of a (static) password is no longer needed and there will be a wide variety of new authentication factors. For example, it will be possible for a customer to confirm the transaction and identity simply with an app on a mobile using a fingerprint.
3DS 2 will be available from early April and the PSD2 mandate will be in effect as of 14 September 2019. From that date it is required by law to use SCA for e-Commerce transactions and banks will decline payments that require SCA and don’t meet these criteria. This does not apply for transactions with Non-European cards and MOTO transactions. It is important to be ready as soon as possible to make the transition as smooth as possible and avoid unnecessary authorization declines. 3DS 1.0 will remain active as a fallback for cards that are not ready for 3DS 2.
What does this entail for you?
3DS 2 will require changes on your website. The expected impact depends on technical design of your website.
Do you have an online payment solution from EMS? We will keep you updated on the changes you need to make.
Do you have a online payment solution via another PSP? Your PSP will help you to make the necessary changes on your website.