More secure and more customer-friendly authentication through 3D Secure 2 and Strong Customer Authentication (SCA)

The development of 3DS 2 stems from PSD2 and the legal obligation to offer secure transactions. PSD2 requires that electronic payments initiated by your customer (e-commerce) are protected by strong authentication. This is known as Strong Customer Authentication (SCA). Its aim is to combat online fraud while keeping the online checkout customer-friendly. SCA is defined as authentication using at least two of the following three independent factors:

  • something only your customer knows (knowledge, e.g. a password or PIN)
  • something only your customer possesses (possession, e.g. a mobile phone or hardware token)
  • something your customer is (inherence, i.e. biometrics such as a fingerprint, voice or facial recognition)

A new version of the 3D Secure protocol has been developed to meet these requirements: 3DS 2.

3DS 1.0

3DS 1.0 already uses two-step verification, a method where your customer has to authenticate in an extra step. With 3DS 1.0 cardholders had to create and remember their own static passwords, and that has its limitations: many transactions are abandoned because the customer has forgotten the password or is asked to create one at checkout. 3DS 1.0 was also designed for use in web browsers, whereas 3DS 2 is equally suitable for mobile phones, in-app payments and other devices.

3DS 2

3DS 2 uses far more data to authenticate cardholders on the basis of the three factors above, so-called "enriched data". Compared to 3DS 1.0 there is at least ten times as much data: more than 130 elements can be collected per transaction. Your PSP sends these elements to the cardholder's bank (the issuer). They include information about your customer such as name, e-mail address, shipping address, telephone number, web browser and IP address, as well as information about your customer's behaviour, such as the device used for the purchase and previous purchasing history.

Not all of this data is mandatory, but the more information you share, the easier it is for the issuer to recognise your customer and approve the transaction. In many cases the issuer will decide that the information provided is already sufficient and that no separate SCA challenge is needed: this is the 'frictionless flow'. Note that this decision is the issuer's, not yours: it is based on the issuer's own risk assessment and on whether an SCA exemption (such as a low-value or transaction risk analysis exemption) applies, and the issuer can still present a challenge at any time.

Although 3DS 2 may seem more complicated, it is designed to make payments as easy as possible. In particular, the use of biometrics is expected to lead to more authorised transactions. A static password is no longer needed, and issuers can offer a range of new authentication methods. For example, your customer can confirm their identity during the transaction with the bank's app on a mobile phone (possession) and a fingerprint (inherence).

From 1 January 2021, SCA is mandatory

SCA has been compulsory since 1 January 2021. From that date, issuing banks will refuse payments that fall under the obligation but were not authenticated. SCA does not apply to transactions outside its scope: payments with cards issued outside Europe (EEA), whose issuer is not covered by PSD2; Mail Order and Telephone Order (MOTO) payments, where you enter your customer's card details yourself; and Merchant Initiated Transactions (MIT) such as recurring or subscription charges, which are triggered by you rather than by the customer. For MITs, note that the initial transaction in which the customer sets up the agreement does still require SCA.

It is important to prepare for SCA as soon as possible, to make the transition smooth and to avoid unnecessary authorisation declines. 3DS 1.0 remains active as a fallback for cards whose issuer is not yet ready for 3DS 2.