3DS 2.0 Information Hub
EMV 3-D Secure, or 3D Secure 2.0 (3DS2) - respectively named at Visa and MasterCard as Visa Secure and MasterCard Identity Check - is the very latest version of the 3-D Secure protocol and is currently ready for integration at PXP Financial. This section will provide all up-to-date information regarding the new protocol and provide integration instructions to our merchants.
A brief overview of 3DS
- EMV® 3-D (Three-Domain) Secure is a messaging protocol developed by EMVCo to enable consumers to authenticate themselves with their card issuer when making card-not-present (CNP) e-commerce purchases. The additional security layer helps prevent unauthorized CNP (Card not present transaction) transactions and protects the merchant from CNP exposure to fraud. The three domains consist of the merchant/acquirer domain, issuer domain, and the interoperability domain (e.g. Payment Systems).
- EMVCo - collectively owned by American Express, Discover, JCB, Mastercard, UnionPay and Visa - is responsible for the development of the EMV 3-D Secure 2.0 Specification. More information can be found on their website at https://www.emvco.com/emv-technologies/3d-secure/
- Since it's introduction in 2001, 3DS 1.0 (3DS1) provided the basic framework for additional cardholder security and merchant liability shift. By the mid 2010s, with the advent of smartphone ubiquity, a heightened focus on privacy and data protection, as well as more advanced technology, the time was ripe for a more enhanced solution to be introduced to the market and with EMV 3DS, this is precisely what has happened.
- PXP Financial will be supporting the 3D Secure (3DS) 2.0 Framework provided by EMVCo in order to both secure the benefits of each new generation of 3DS, and to be prepared to meet the Payment Service Directive 2 (PSD2) regulations that will come into effect in the EU in September 2019.
3DS 2.0 Support at PXP Financial
3DS Version | Card Schemes Supported |
---|---|
1.02 | 3DS 1.0 is no longer supported following a global sunset in October 2022 and October 2023 (for India/Bangladesh) |
2.1 | Visa, MasterCard, Amex, Diners. 3DS 2.1 will be deprecated as of September 2024 |
2.2 | Visa, MasterCard |
2.3.1.1 | Not yet available |
3DS 2.0: A better way - enhancements and advantages
3DS2 is a game-changer - a custom-built protocol ready to address the regulatory challenges of the future and to fit seamlessly into the current technological landscape. Among the advantages it brings perhaps the most beneficial is the possibility for frictionless authentication to take place without further cardholder intervention, among others:
- Better User Experience: offering a smoother authentication experience, while maintaining best-in-class security
- Data-richness: The set of data points provided for 3DS 2.0 Authentication is substantially larger than that of 3DS1. Data pertaining to cardholder key information and browser details will enable much more accurate risk-based fraud screening by Issuers, allowing for a higher approval rate and protecting merchants from chargebacks
- Multiple channel support: 3DS2 can be processed across a variety of form factors, including in-app purchases and mobile wallet payments, providing cardholders with the possibility to interact across multiple device types
- PSD 2 Strong Customer Authentication Support: The PSD2 Regulatory Technical Standards (RTS) will be fully supported by 3DS2
PSD 2 and 3DS 2.0
The role of the European Union (EU) Payment Services Directive (PSD) is to ensure consumers' security and rights are protected when paying online. The new PSD2 regulation will introduce Strong Customer Authentication (SCA) to the online payment world and will be in force for the entire European Economic Area (EEA) payment eco-system.
Merchants in the EEA should expect authentication to be a default part of the payment experience. The good news is, 3DS2 is built to conform to the PSD 2 SCA requirements, and take benefit of exemptions that can be applied in certain cases to bypass SCA. In order to fully take advantage of the available exemptions, merchants should integrate 3DS2 as soon as possible.
The following exemptions apply to payments which are in-scope for PSD 2 RTS:
- Low value transactions
- Low risk transactions/Transaction Risk Analysis
- Recurring transactions
- Whitelisted benficiaries
- Corporate payments
The following types of payments are out of scope of PSD 2:
- Mail Order and Telephone order (MOTO) transactions
- Inter-regional transactions
- Anonymous prepaid cards
- Merchant-initiated transactions
Please refer to the PSD 2 Information Hub for more information on how PXP Financial is supporting our merchants with the directive.
3DS 2.0 Authentication Flows
3DS2 enhances the original 3DS1 protocol by using a wider range of data and a better cardholder experience than its predecessor. Before a payment is authorised, the 3DS2 authentication must take place.
This 3DS2 authentication can take place through either a cardholder-less, "invisible", frictionless flow, or a challenge flow which requires cardholder interaction for identification purposes.
Chargeback liability shift applies to those transactions which are subsequently classified as fully 3DS2-authenticated.
Frictionless Flow
The new Risk Based Authentication model applied for 3DS2 works by collecting a set of cardholder data during the transaction, and via the card issuer, using that data combined with other cardholder data (historical for example) and computing a fraud risk value for the transaction. If this value is sufficiently low, the Frictionless Flow will apply.
Challenge Flow
Where the computed risk value for a transaction is deemed to be high, a challenge flow will be triggered. This means an additional verification step is required by the Issuer in order to fully authenticate the transaction. This necessitates an additional step by the merchant in order to complete the payment.
3DS 1 Fallback
In flows where 3DS 2.0 is not supported by an Issuer, a 3DS 1.0 flow will automatically be triggered.
Use Cases
PXP Financial's 3DS Server can be used as part of the authorisation flow in a number of different integration scenarios. These are highlighted below in this section.
Please take note of the following:
- For a normal payment, a 3DS2 authentication takes place before authorisation. Authorisation is automatic for a fully authenticated transaction.
- An end-to-end implementation of the 3DS2 flow will need to take into account both the frictionless and challenge flows.
- A back-end to back-end merchant integration will require specific enhancements to the standard Initiate Payment request, as well as specific follow-on actions to be performed, and the implementation of two listeners, in order to have a full 3DS2 integration with PXP Financial.
3DS 2.0 App-based integrations
Please note that the App-based flows are currently not integrated by PXP Financial. If you are currently operating a native (Android or iOS) based application please contact our customer support.
Full 3DS 2.0 Authentication (Browser-based)
For instructions on how to make full use of the PXP Financial 3DS Server for an existing backend-to-backend integration, where you host your own customers in a browser environment and invoke the backend-to-backend InitiatePayment Request refer to Browser-based flow for 3DS 2.0.
Authentication only transaction
PXP Financial will extend its system to allow also for an authentication only transaction to take place. These will cover scenarios where only the 3DS 2.0 check is required from PXP Financial, for instance, where the authorisation will take place with a third-party Acquirer or Gateway, or a Card Verification payment. Refer to Browser-based flow for 3DS 2.0 - Authentication-Only payments.
Pass through 3DS payment
In cases where a payment has already been authenticated through a third-party 3DS Server and you wish to send an authorisation with the 3DS verification data, this is also supported. Please refer to the 3DS 2.0 Pass through payments page.
Checkout
The PXP Financial Checkout will support 3DS 2.0 out of the box. Please refer to the 3DS 2.0 in Checkout page.
Updated 9 months ago
Review our Browser-based flow documentation for the technical requirements on performing SCA.