3D Secure (3DS) is a security protocol that was created to help reduce the risk of fraud in online card transactions. The latest version of the protocol, 3D Secure 2 (3DS2), was released in 2016 and offers several improvements over the previous version, 3D Secure 1 (3DS1).
3DS2 is designed to make online card transactions more secure by adding an additional layer of authentication to the process. When a customer makes a purchase online using a credit or debit card, the card issuer will use the 3DS2 protocol to verify the customer’s identity before the transaction is approved. This helps to prevent fraud by ensuring that the person making the purchase is the actual cardholder.
One of the main differences between 3DS1 and 3DS2 is that 3DS2 uses more advanced authentication methods. This includes the use of biometric data, such as fingerprints or facial recognition, as well as out-of-band (OOB) authentication, which uses a separate channel, such as SMS or email, to verify the customer’s identity. This makes it more difficult for fraudsters to impersonate the cardholder and helps to reduce the risk of fraud.
Another improvement in 3DS2 is that it allows for a more seamless customer experience. In 3DS1, customers are often redirected to the card issuer’s ACS (Access Control Server) to enter their authentication information. 3DS2 allows for decoupled authentication, which means that the authentication can be performed by a different entity than the issuer, providing a more flexible and efficient way of authenticating the cardholder.
Also, the directory servers in 3DS2 provide more detailed information than in 3DS1. In 3DS1, the directory servers provide a list of all the available ACS for a given card scheme; in 3DS2, they provide a list of all the available 3DS2 protocols and the corresponding ACS for a given card scheme.
In 3DS2, the directory servers also provide key information such as the version of the protocol, the type of the ACS, and the supported message types, which the merchant can use to redirect the cardholder to the appropriate ACS for authentication.
In addition, 3DS2 also includes a risk-based authentication (RBA) feature that allows for a more tailored approach to authentication. This means that the level of authentication required will depend on the level of risk associated with the transaction. For example, a low-risk transaction may only require a one-time passcode sent via SMS, while a high-risk transaction may require biometric authentication.
It also includes a fraud detection feature that helps merchants to detect suspicious transactions in real-time. This allows them to take appropriate action, such as halting the transaction or requesting additional authentication, to prevent fraud.
The main steps of 3DS2
The main steps in a 3D Secure 2 (3DS2) authentication process are as follows:
- Initial Request: The customer initiates a purchase on the merchant’s website. The merchant then sends an initial request to the card issuer, which includes information about the customer and the transaction.
- Risk Assessment: The issuer performs a risk assessment on the transaction, evaluating factors such as the customer’s account history and the transaction’s amount and location. Based on this assessment, the issuer will determine the level of authentication required for the transaction.
- Authentication Request: The issuer sends an authentication request to the customer, which may include a request for additional information or for the customer to complete an authentication step, such as entering a one-time passcode sent via SMS, or providing biometric data.
- Authentication Response: The customer provides the requested information or completes the authentication step. This information is then sent back to the issuer for verification.
- Authentication Result: The issuer verifies the customer’s identity and sends the authentication result back to the merchant. If the customer’s identity is successfully verified, the transaction is approved and the payment is processed. If the customer’s identity is not successfully verified, the transaction is declined.
- Fraud Detection: The issuer, the merchant or both use a fraud detection feature that helps detect suspicious transactions in real-time. This allows them to take appropriate action, such as halting the transaction or requesting additional authentication, to prevent fraud.
Note that some of the steps may be optional or skipped depending on the merchant’s and issuer’s policies, risk assessment and the frictionless flow.
Frictionless flow
Frictionless flow is a feature of 3D Secure 2 (3DS2) that allows customers to complete transactions without having to go through the full authentication process, under certain conditions.
It works by allowing merchants and issuers to make a risk assessment on the transaction and the customer; if the risk is deemed low, the customer will not be prompted for additional authentication. This can happen in real-time as the customer is making the purchase, or it can happen later, as part of the issuer’s fraud monitoring process.
The key component of the 3DS2 protocol that allows for the assessment of the risk associated with a transaction is the TRA (Transaction Risk Assessment).
The goal of the TRA is to determine the level of authentication required for a given transaction, based on the risk associated with it. The risk assessment is performed by the issuer and is based on a combination of factors such as the customer’s account history, the transaction’s amount and location, the device being used, and other information that the merchant and issuer may have about the customer.
Once the risk assessment is complete, the issuer will send a message to the merchant indicating whether the transaction is eligible for a frictionless flow (low risk) or if the customer needs to complete additional authentication steps (high risk).
TRA is an essential component of the 3DS2 protocol, as it allows the protocol to balance security and customer experience and also to comply with the PSD2 and SCA requirements of multi-factor authentication.
The frictionless flow feature is designed to improve the customer experience by reducing the number of steps required to complete a transaction, while still maintaining a high level of security. It also allows the merchants to increase their conversion rate, as some customers may abandon a purchase if they are prompted for additional authentication.
It’s important to note that frictionless flow is not mandatory, and merchants and issuers can choose to always use the full authentication process, or to use it only under certain conditions.
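The steps above and the TRA decision can be modelled as a small simulation. This is an added example and not code from the article or from any 3DS2 implementation: the transStatus values "Y", "C" and "N" are the ones carried in the 3DS2 ARes/RRes messages, while the risk factors, weights and thresholds are constructed here to illustrate how an issuer might route a transaction to the frictionless flow, to a challenge, or to a decline.

```python
from dataclasses import dataclass
import hmac

# 3DS2 transStatus values: "Y" authenticated, "C" challenge required,
# "N" not authenticated. Weights and thresholds below are constructed.
FRICTIONLESS_THRESHOLD = 30  # below this the issuer skips the challenge
DECLINE_THRESHOLD = 80       # at or above this the issuer rejects outright

@dataclass(frozen=True)
class Transaction:
    amount: float           # purchase amount
    merchant_country: str
    card_country: str
    account_age_days: int   # proxy for the cardholder's account history
    device_known: bool      # device seen before on this account

def risk_score(tx: Transaction) -> int:
    """Issuer-side Transaction Risk Assessment: sum the weighted risk factors."""
    score = 0
    if tx.amount > 250:
        score += 30  # high-value purchase
    if tx.merchant_country != tx.card_country:
        score += 25  # cross-border
    if tx.account_age_days < 30:
        score += 20  # young account, little history
    if not tx.device_known:
        score += 20  # unrecognised device
    return score

def ares_trans_status(tx: Transaction) -> str:
    """Authentication Response (ARes): map the risk score to a transStatus."""
    score = risk_score(tx)
    if score >= DECLINE_THRESHOLD:
        return "N"
    return "Y" if score < FRICTIONLESS_THRESHOLD else "C"

def challenge_result(expected_otp: str, supplied_otp: str) -> str:
    """Challenge step: verify the SMS one-time passcode in constant time."""
    return "Y" if hmac.compare_digest(expected_otp, supplied_otp) else "N"

def run_flow(tx: Transaction, supplied_otp: str = "",
             expected_otp: str = "493021") -> tuple:
    """Return (path, final transStatus); the merchant approves only on 'Y'."""
    status = ares_trans_status(tx)
    if status != "C":
        return ("frictionless", status)
    if not supplied_otp:
        return ("challenge-abandoned", "N")  # cardholder never completed the step
    return ("challenge", challenge_result(expected_otp, supplied_otp))
```

A transaction that scores just at the threshold shows the false-decline trade-off the article raises later: a legitimate cardholder who abandons the challenge ends with "N" even though the purchase was genuine.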
Benefits for merchants
There are several benefits of 3D Secure 2 (3DS2) for merchants in comparison with 3D Secure 1 (3DS1):
- Reduced friction: 3DS2 allows for the authentication process to take place within the merchant’s website, making the process quicker and more convenient for the customer. This can help to reduce the number of abandoned transactions, which can be caused by customers being redirected to the card issuer’s website.
- Increased conversion rates: 3DS2 includes a frictionless flow that allows customers to complete transactions without having to go through the full authentication process, under certain conditions. This can help to increase conversion rates by reducing the number of steps required to complete a transaction.
- Improved customer experience: 3DS2 offers more advanced authentication methods, such as biometric data, and out-of-band (OOB) authentication, which can provide a more seamless customer experience. This can help to increase customer satisfaction and loyalty.
- Better fraud detection: 3DS2 includes a fraud detection feature that helps merchants to detect suspicious transactions in real-time. This allows them to take appropriate action, such as halting the transaction or requesting additional authentication, to prevent fraud.
- Compliance with regulations: 3DS2 is compliant with the European Union’s Payment Services Directive 2 (PSD2) and the Strong Customer Authentication (SCA) requirements, which mandate the use of multi-factor authentication for certain types of transactions. This can help merchants to comply with regulations and avoid penalties.
- Risk-based authentication: 3DS2 includes a risk-based authentication (RBA) feature that allows for a more tailored approach to authentication. This means that the level of authentication required will depend on the level of risk associated with the transaction, reducing the friction for low-risk transactions.
Overall, 3DS2 provides a more efficient, secure and compliant way for merchants to process online payments, while improving the customer’s experience, reducing the risk of fraud and complying with regulatory requirements.
Implementation challenges
While 3D Secure 2 (3DS2) offers several benefits over 3D Secure 1 (3DS1), there are also some challenges that merchants and issuers may face when implementing and using it:
- Implementation: Implementing 3DS2 can be complex and may require significant changes to a merchant’s or issuer’s existing systems and processes. This can be time-consuming and costly.
- Authentication methods: Some customers may not have access to or be comfortable using the advanced authentication methods offered by 3DS2, such as biometric data or out-of-band (OOB) authentication. This can make it difficult for these customers to complete transactions using 3DS2.
- False declines: 3DS2 includes a risk-based authentication (RBA) feature that allows for a more tailored approach to authentication. However, if the risk assessment is not accurate, it may lead to false declines, when a legitimate transaction is declined due to a perceived high risk.
- Complexity: 3DS2 involves multiple protocols, data sharing, and different actors to authenticate a transaction, which can be complex to manage and implement.
- Limited acceptance: Some merchants may not be able to use 3DS2 because it is not yet available in their region or because they are not able to meet the requirements for its implementation, such as PCI DSS compliance.
These challenges can be mitigated by proper planning, implementation, and testing before going live with 3DS2 and also with the support of specialists.
Growth potential
3DS2 is an important step forward in the evolution of online payment security and it’s expected to play a key role in the future of online payments.
The global market for 3D Secure payment authentication is forecast to experience significant growth, with a projected CAGR of 12.0% from 2022 to 2028. The market was valued at USD 1.12 billion in 2022.
The popularity of 3D Secure payment authentication is on the rise, driven by its ability to offer a range of benefits for customers, such as reducing the risk of card payment fraud and providing a secure authentication step before online shopping. This is a key factor driving the growth of the global market.
The latest versions add further capabilities that support this adoption: biometric data, out-of-band (OOB) authentication, risk-based authentication (RBA), frictionless flow, and real-time fraud detection.
3DS2 also complies with the EU’s PSD2 and SCA requirements, which can help merchants to comply with regulations and avoid penalties.
These are key factors driving the growth of the adoption of 3D Secure in its latest versions.
In addition, the COVID-19 pandemic has had a significant impact on the growth of the 3D Secure payment authentication market. The rapid emergence of the virus led to an exponential increase in the e-commerce share of retail across the globe, which in turn led to a spike in online fraud scams, impacting both consumers and businesses. According to the Federal Trade Commission, consumers in the United States lost around USD 246 million in 2020 due to online shopping frauds.
The future of online payment security is likely to see continued innovation and development in security protocols, with the adoption of emerging technologies such as biometrics, artificial intelligence, and blockchain. These technologies can help to improve the user experience, increase security, and reduce fraud.
As payment methods evolve, e-commerce usage rises, and access to internet and new technologies increases, especially in emerging nations, the demand for online payments is on the rise, driving the need for advanced 3DS authentication systems worldwide.
Although SCA and 3DS2 have significantly improved authentication, they can still lead to friction and abandoned purchases. To address this, merchants, payment providers, and issuers need to collaborate to implement a multi-layered approach to authentication that balances security, user experience, and risk, which will open up new opportunities for merchants to increase customer loyalty and revenue.