3DS 2.0 Information Hub
EMV 3-D Secure, or 3D Secure 2.0 (3DS 2.0) - respectively named at Visa and MasterCard as Visa Secure and MasterCard Identity Check - is the very latest version of the 3D Secure protocol and is currently ready for integration at PXP Financial. This section will provide all up-to-date information regarding the new protocol and provide integration instructions to our merchants.
A brief overview of 3DS
- EMV® 3-D Secure Three-Domain Secure is a messaging protocol developed by EMVCo to enable consumers to authenticate themselves with their card issuer when making card-not-present (CNP) e-commerce purchases. The additional security layer helps prevent unauthorized CNP (Card not present transaction) transactions and protects the merchant from CNP exposure to fraud. The three domains consist of the merchant/acquirer domain, issuer domain, and the interoperability domain (e.g. Payment Systems).
- PXP Financial will be supporting the 3D Secure (3DS) 2.0 Framework provided by EMVCo in order to both secure the benefits of the new generation of 3DS, and to be prepared to meet the Payment Service Directive 2 (PSD2) regulations that will come into effect in the EU in September 2019.
- 3DS 1.0 will be supported for the foreseeable future, but going forward 3DS 2.0 will be used wherever it is available
- EMVCo, collectively owned by American Express, Discover, JCB, Mastercard, UnionPay and Visa, is responsible for the development of the EMV 3-D Secure 2.0 Specification. More information can be found on their website at https://www.emvco.com/emv-technologies/3d-secure/
Limitations of 3DS 1
The extra layer of protection afforded to merchants by the 3DS 1.0 Protocol (Verified By Visa and MasterCard SecureCode) by providing a liability shift for authenticated transactions is offset by a number of limitations:
- Lower data quality: Issuers are only presented with a few data points to verify a cardholder and base an authentication decision on
- Cardholder abandonment: Due to the complex process behind enrolling and authenticating for a 3DS 1.0 transaction the result is a higher rate of abandonment when compared to a traditional Ecom transaction
- Static passwords: The requirement for cardholders to remember a specific password when authenticating results in a higher risk of frustration in the case of it being forgotten
Not to mention, that the previous version of 3DS (1.0.2) is over 16 years old and in a world of strong customer authentication and mobile devices, in dire need of an upgrade for some time.
With the advent of smartphone ubiquity, a heightened focus on privacy and data protection, as well as more advanced technology, the time is ripe for a more enhanced solution to be introduced to the market and with EMV 3DS, this is precisely what has happened.
3DS 2.0: A better way - enhancements and advantages
3DS 2.0 is a game-changer - a custom-built protocol ready to address the regulatory challenges of the future and to fit seamlessly into the current technological landscape. Among the advantages it brings perhaps the most beneficial is the possibility for frictionless authentication to take place without further cardholder intervention, among others:
- Better User Experience: offering a smoother authentication experience, while maintaining best-in-class security
- Data-richness: The set of data points provided for 3DS 2.0 Authentication is substantially larger than that of 3DS 1. Data pertaining to cardholder key information and browser details will enable much more accurate risk-based fraud screening by Issuers, allowing for a higher approval rate and protecting merchants from chargebacks
- Multiple channel support: 3DS 2.0 can be processed across a variety of form factors, including in-app purchases and mobile wallet payments, providing cardholders with the possibility to interact across multiple device types
- PSD 2 Strong Customer Authentication Support: The new regulations taking effect as of September 2019 will be fully supported by 3DS 2.0
PSD 2 and 3DS 2.0 - More changes ahead...
The role of the Payment Services Directive (PSD) is to ensure consumers' security and rights are protected when paying online. The new PSD 2 regulation will introduce Strong Customer Authentication (SCA) to the online payment world and will be in force for the entire EU payment eco-system.
Merchants should expect authentication to be a default part of the payment experience. The good news is, 3DS2 is built to conform to the PSD 2 SCA requirements, and take benefit of exemptions that can be applied in certain cases to bypass SCA. In order to fully take advantage of the available exemptions, merchants should integrate 3DS2 as soon as possible.
Key Compliance date for PSD 2 - Moved from September 2019
Following a decision by the European Banking Authority, the PSD2 enforcement deadline has been approved for a transition period by various National Competent Authorities across the EU, with the exception of Sweden, which has adopted a case-by-case approach for card payments. This transition period varies across different member states, but is expected to be 18 months. The picture is continually evolving and more information will be provided as it becomes available.
The following exemptions apply to payments which are in-scope for PSD 2 RTS:
- Low value transactions
- Low risk transactions
- Recurring transactions
- Whitelisted benficiaries
- Corporate payments
The following types of payments are out of scope of PSD 2:
- Mail Order and Telephone order (MOTO) transactions
- Inter-regional transactions
- Anonymous prepaid cards
- Merchant-initiated transactions
When it is made available, our sub-page on PSD 2 will cover this topic in more detail, including advice on how PXP Financial will enable you to meet the PSD 2 requirements or alternatively. how to manage your PSD 2 setup and payment flows yourself if desired.
3DS 1 Fallback
PSD 2 will still allow for 3DS 1 authentication to suffice for SCA where 3DS 2.0 is unavailable.
3DS 2.0 Authentication Flows
3DS 2 enhances the original 3DS 1 protocol by using a wider range of data and a better cardholder experience than its predecessor. Before a payment is authorised, the 3DS 2 authentication must take place.
This 3DS 2 authentication can take place through either a cardholder-less, "invisible", frictionless flow, or a challenge flow which requires cardholder interaction for identification purposes.
Chargeback liability shift applies to those transactions which are subsequently classified as 3DS 2 authenticated.
The new Risk Based Authentication model applied for 3DS 2 works by collecting a set of cardholder data during the transaction, and using that data combined with other cardholder data (historical for example) and computing a fraud risk value for the transaction. If this value is sufficiently low, the Frictionless Flow will apply.
Where the computed risk value for a transaction is deemed to be high, a challenge flow will be triggered. This means an additional verification step is required by the Issuer in order to fully authenticate the transaction. This necessitates an additional step by the merchant in order to complete the payment.
3DS 1 Fallback
In flows where 3DS 2.0 is not supported by an Issuer, a 3DS 1.0 flow will automatically be triggered.
PXP Financial's 3DS Server can be used as part of the authorisation flow in a number of different integration scenarios. These are highlighted below in this section.
Please take note of the following:
- For a normal payment, a 3DS 2.0 authentication takes place before authorisation. Authorisation is automatic for a fully authenticated transaction
- An end-to-end implementation of the 3DS 2.0 flow will need to take into account both the frictionless and challenge flows
- A back-end to back-end merchant integration will require specific enhancements to the standard Initiate Payment request, as well as specific follow-on actions to be performed, and the implementation of two listeners, in order to have a full 3DS 2.0 integration with PXP Financial.
3DS 2.0 App-based integrations
Please note that the App-based flows are currently not integrated by PXP Financial. If you are currently operating a native (Android or iOS) based application please contact our customer support.
Full 3DS 2.0 Authentication (Browser-based)
For instructions on how to make full use of the PXP Financial 3DS Server for an existing backend-to-backend integration, where you host your own customers in a browser environment and invoke the backend-to-backend InitiatePayment Request refer to Browser-based flow for 3DS 2.0.
Authentication only transaction
PXP Financial will extend its system to allow also for an authentication only transaction to take place. These will cover scenarios where only the 3DS 2.0 check is required from PXP Financial, for instance, where the authorisation will take place with a third-party Acquirer or Gateway, or a Card Verification payment.
Pass through 3DS payment
In cases where a payment has already been authenticated through a third-party 3DS Server and you wish to send an authorisation with the 3DS verification data, this is also supported. Please refer to the 3DS 2.0 Pass through payments page.
PXP Financial's Checkout will support 3DS 2.0 out of the box. Please refer to the 3DS 2.0 in Checkout page.
Updated over 3 years ago