With the surge in eCommerce and online shopping comes a disturbing trend of rising fraud. Shockingly, payment fraud on eCommerce platforms cost USD 41 billion in 2022 and is projected to increase to USD 48 billion by 2023. The gravity of such losses necessitates high-security features for merchants to provide a secure payment experience for their esteemed customers. Web Technology Expert is here to shed light on 3DS or 3D Secure, one notable security measure that enables merchants to achieve this objective.
In this blog, we’ll delve into the world of 3DS (3D Secure) and explore its evolution over the years. We’ll explain how it enhances online payment security, and what benefits it offers to online merchants. If you’re interested in a deep dive into 3DS and related terms like SCA and PSD2, read on.
What Is 3D Secure?
3D Secure, or 3DS, is a security protocol developed by CA Technologies (formerly Arcot Systems) in 1999, during the early days of eCommerce. Its primary purpose is to add an extra layer of security and reduce the risk of fraud during card-not-present (CNP) transactions.
3DS is built on a 3-domain model, hence the name “3D Secure.” These three domains represent the parties involved in the authentication process:
Acquirer Domain: This is the merchant’s bank account.
Issuer Domain: This entity issues the card to the customer.
Interoperability Domain: This domain represents systems that support 3DS.
3DS1 (or 3DS version 1) was adopted in 2001 by card brands such as Mastercard (Identity Check) and Visa (Verified). Over the years, 3DS gained popularity for helping merchants process transactions securely and comply with PSD2 guidelines. However, it also had its downsides, such as transaction declines, limited transaction data access, and poor mobile compatibility.
Enter 3D Secure Authentication 2.0.
What is 3D Secure Authentication 2.0?
3DS 2.0, or 3D Secure authentication 2.0, was the much-needed upgrade of 3DS launched back in 2018. This version addresses the limitations of 3DS1:
Users can authenticate using biometrics and OTPs, reducing unnecessary steps.
It offers a consistent experience across all types of devices, improving the overall customer experience.
For merchants, 3DS 2.0 shifts the liability for chargebacks to the issuer. The further updated version, 3DS 2.1, provides merchants access to over 100 elements that they can send to the issuer to assess potential risks.
3DS2 has several advantages over its predecessor:
Seamless customer experience across all devices.
Less friction in transactions, with 95% being frictionless.
Access to a wealth of data elements (over 100) for enhanced security.
Suitable for both domestic and international transactions.
Better compliance with PSD2 SCA requirements.
Why Should Merchants Care About 3D Secure Payments?
Implementing 3D Secure payments offers a range of benefits for both customers and merchants:
An Additional Layer of Security: 3DS authentication adds an extra layer of security to payments, ensuring that merchants process payments only from legitimate sources.
Consistent Customer Experience: Unlike 3DS 1.0, 3DS 2.0 works well across all devices and offers a seamless, faster, and more consistent customer experience.
Increased Brand Loyalty: Secure payments reduce the risk of data theft or fraud, leading to more confident customers who are loyal to your brand.
Chargeback Liability Shift: With 3DS 2.0, the liability for chargebacks in fraud cases shifts to the issuer, saving merchants hassle and fees.
Enhanced Compliance: 3DS ensures compliance with PSD2 SCA regulations, keeping your business compliant.
Increased Authorization Rates: 3DS 2.0 allows merchants to access and share more data points with the issuer, leading to better authorization rates.
Faster Transaction Time: Transactions can be up to 85% faster with 3DS 2.0.
Fewer Abandoned Carts: A seamless payment process with less friction leads to fewer cart abandonments, boosting sales.
What’s Up With the 3DS Update?
The 3DS protocol has seen several updates over time, each making the protocol more robust and secure:
3DS 1.0: The initial version of the 3DS protocol aimed to facilitate secure online purchases via computers. Users had to enroll in 3DS 1.0 and use a static password to authenticate themselves.
3DS 2.0: This version introduced an SDK for mobile integration, a seamless user experience, and better authentication methods like biometrics and OTPs.
3DS 2.1: With this update, merchants can access about 100 data elements, a significant increase from the 15 available in previous versions. This allows merchants to send more data to issuers for a risk-based approach to authentication.
3DS 2.2: This update further extends merchants’ capabilities by allowing them to request exemptions and perform authentication outside the payment flow.
What Is the Revised Payment Services Directive (PSD2)?
The Revised Payment Services Directive (PSD2) is a European regulation designed to enhance online payments and create an integrated payments market in Europe. It’s the updated version of PSD (PSD1) adopted in 2007 by the European Union (EU).
PSD2 requires multi-factor authentication (MFA) for electronic payments and aims to make cross-border or international payments as efficient, easy, and secure as domestic payments.
What Is Strong Customer Authentication (SCA)?
SCA is a regulatory requirement under PSD2 that mandates multi-factor authentication (MFA) for all electronic payments. SCA requires verifying customers using at least two of the following components:
- Compromised authentication elements
- Transaction amount
- Any fraud scenario during payment
- Signs of a malware attack during authentication
- Use of software or device provided to the PSP
SCA is mandatory within the UK and the European Economic Area (EEA) and optional elsewhere.
Here are some Strong Customer Authentication (SCA) FAQs:
Is SCA Required Everywhere?
SCA is mandatory in the UK and EEA and optional in other regions. Non-compliance can lead to lower authorization rates, more declines, cart abandonments, and potential penalties.
What Are the Risks of SCA/PSD2 Non-Compliance?
Non-compliance can result in lower authorization rates, cart abandonments, penalties, and the liability staying with the merchant in case of chargebacks.
Are There Any Other Types of SCA Besides 3DS 2.0?
While 3DS 2.0 is a popular method for authenticating online payments, several digital wallets like Google Pay and Apple Pay offer built-in authentication layers.
Which Transactions Require Strong Customer Authentication (SCA)?
SCA applies to all transactions initiated by the customer. Recurring transactions are exempt from SCA.
What Transactions Don’t Require SCA Authentication?
Merchants can avoid SCA in certain scenarios like contactless payments, unattended parking or transport terminals, trusted beneficiaries, recurring payments, low-value transactions, and secure corporate payments.
Unfolding the Relationship between SCA, PSD2, and 3DS 2.0
PSD2 requires SCA, and 3DS 2.0 is a security protocol that satisfies PSD2’s SCA requirements. Implementing 3DS 2.0 ensures compliance with PSD2 regulations and enhances payment security.
How Can Merchants Address 3DS Drop-off?
To address issues related to 3DS drop-offs, merchants can implement 3DS2, a more flexible and user-friendly protocol. 3DS2 allows merchants to decide whether to perform authentication, offers seamless cross-device support, and significantly reduces declines.
How Can Web Technology Expert Help with Compliance and Payment Optimization?
Web Technology Expert is a payment aggregator that offers end-to-end payment management, connecting you with various payment gateways and methods to expand your business and improve customer experience. Here’s how we can help:
Delegated Authentication: We enable merchants to integrate with payment gateways supporting 3rd party authentication, offering a friction-free authentication experience to customers and helping you stay compliant with SCA.
Optimization of Exemption Rules: We help you analyze transaction data and identify high and low-risk customers, allowing you to whitelist low-risk customers and process their transactions without authentication.
Switching Acquirers and 3rd Party Vendors: You gain the flexibility to choose reliable acquirers for every transaction and leverage 3rd party 3DS vendors to enhance payment security and fraud prevention.
Managing Retries: We provide a reliable retry mechanism based on response messages and error codes, ensuring better authorization rates.
Payment Routing: Our intelligent payment routing feature allows you to route transactions based on parameters such as success rate, transaction fee, and 3DS support, ensuring 24/7 uptime for customers.
What’s Next?
Now that you understand what 3DS is and the benefits of its upgraded version, 3DS2, consider implementing it in your business. Even if you’re not in the European Economic Area or the UK, integrating 3DS2 can enhance your online payment security, reduce cart abandonment, create a seamless payment flow, and deliver a better customer experience.