Everything you always wanted to know about 3D Secure 2.0

The changes brought on by PSD2 and the 3DS 2.0 protocol have left businesses with many unanswered questions. Our team answers some of the most important questions that businesses ask.

1. What is 3DS, PSD2 and SCA?

The strong customer authentication requirements under the Second Payment Service Directive (PSD2) come into effect by September 2019 for online payment transactions. This is to ensure the security of online transactions across all devices, including mobile payments. Our blogpost, “3DSecure 2: Make it work to your advantage”, explains it in detail.

2. How is 3DS2 different from 3DS1?

3DS2 is the updated protocol by EMVCo for stronger security of online transactions. The main enhancements of EMV 3DS 2.0 compared to 3DS 1.0 are:

  • Supports in-app purchases on mobile phones and other customer devices with a better user experience.
  • Businesses¹ can now integrate the authentication process into their checkout experiences, for both app and browser checkouts.
  • 3DS2 allows for improved data sets: more detailed data is collected under the 3DS2 protocol, helping issuers to make risk-based decisions on transactions (RBA, risk-based authentication). Based on RBA, the user can be sent through the frictionless flow when additional authentication is not required.
  • Enables non-payment customer authentication, which allows services like Identification & Verification (ID&V) for mobile wallets and secure requests for tokens for card-on-file transactions (e.g. returning customers and recurring payments).
  • New requirements regarding the subscription payments flow.
  • Improved messaging in the flow, with information for better decisions on authentication.
  • Faster technical communication between the entities for the authentication process.
  • Reduces the risk of unauthenticated payment, even if a cardholder’s card number is stolen or cloned.

As with the earlier version, with 3D Secure 2.0 authentication, the liability for chargebacks due to fraud reasons shifts to the card issuer. However, note that chargebacks due to service or technical reasons are excluded from any liability shift, and merchants remain liable for those.

3. How would the changes affect merchants?

Businesses¹ and their payment partners need to comply with PSD2 and the required changes. EMVCo’s 3DSecure is a solution that can manage the SCA requirements for electronic payments including contactless, remote and mobile payments within the European Economic Area (EEA)². The strong customer authentication mandate is complemented by some limited exemptions that aim to support a frictionless customer experience for low risk transactions.

3D Secure 2.0 supports the transfer of rich data for transactions enabling risk-based decisions regarding whether to authenticate or not. That is, based on certain criteria the end user may or may not be asked to perform a ‘challenge’ to ensure their authenticity. The consumer experience has also been simplified and enhanced, thanks to the elimination of the preliminary enrolment process and by not requiring the end user to remember as many passwords.


Challenge flow is when a customer is asked for extra authentication to complete the transaction.
Frictionless flow is where the transaction goes on for authorisation without the user’s authentication input.


The payment landscape in Europe is shifting and these are the two sides of the upcoming changes.

Pros:

  • More security and better risk management with 3DS2.
  • Better UX, especially on mobile and in-app payments.
  • Improved authorisation rates as a result of improved datasets.
  • Exemptions to allow for frictionless authentication.

Cons:

  • Not all issuers are ready with 3DS2 and it seems that many issuers won’t be ready by the given deadline, raising concerns around transaction authorisations.
  • Uncertainty in the payment industry until everyone in the payment chain is compliant.

4. Will the conversions take a big hit? What can SafeCharge do about it?

Though there is still uncertainty about how things will evolve, SafeCharge Smart 3DS Service will put merchants ahead of the curve. To support businesses in maximizing their conversions after the enforcement of strong customer authentication, SafeCharge will enable a dynamic implementation of 3D Secure 2. SafeCharge Smart 3DS Service will make real-time intelligent decisions about whether or not to take advantage of exemptions and push for higher conversion. What merchants can do is arm themselves with all the information and work towards implementation of solutions such as SafeCharge Smart 3DS Service.

5. What are exemptions? How can a merchant avail them?

Exemptions are at the core of the 3DS 2.2 version. They allow acquirers such as SafeCharge certain flexibility with regard to requesting a frictionless flow when applicable. Yet the issuer has the final say on whether a transaction should go through a frictionless, exemption or challenge flow. The list of exemptions is as below:

Exemptions / Out of scope:

  • Issuer / Acquirer is out of the EEA: In a case when one of the entities is out of the EEA, this is called a “one leg transaction” and it is descoped from a strong customer authentication.
  • MOTO (mail orders and telephone orders): These are not classified as electronic payments.
  • Secure Corporate payments: This is for B2B businesses that have a dedicated network, e.g. Online Travel Agents.
  • Trusted beneficiaries: They are chosen by customers and placed on a special list overseen by their issuer bank. A cardholder can whitelist a specific merchant via his issuer bank, and from that moment onwards the issuer will not require SCA when the cardholder performs transactions with this specific merchant.
  • Inter-regional transactions: Where the card’s acquirer or issuer is not based in EEA.
  • Recurring transactions and subscriptions worth a set amount for a fixed interval will be exempt after the first payment is made according to SCA regulations. However, if the amount or the interval changes, 3D Secure 2.0 must be used.
  • MIT: Subscription payments and other recurring charges that qualify as ‘merchant-initiated transactions’, meaning they are initiated by the business, and not the cardholder.

A merchant can benefit from the SafeCharge Smart 3DS exemptions engine, which can maximize the exemption request whenever possible based on the acquirer and the merchant fraud levels. In order to increase the probability of an exemption, a merchant can share more data points including its own fraud score. SafeCharge’s robust fraud engine will utilize the new data elements as part of the risk-based decision engine and pass them on to the issuer bank for the authentication request.

What merchants can also do is relook at their fraud setting because exemptions can be influenced by the merchant’s risk appetite. Going forward, we will use machine learning to recognize the issuers that offer a high percentage of exemptions so as to enable a frictionless payment flow for users whenever possible.


Merchant Tip: In the light of upcoming changes, it is a good idea to relook at your risk profile and modify it to work in sync with the new updates and especially with new technology such as SafeCharge Smart 3DS Service.


6. Why don’t all merchants use 3D Secure?

So far 3D Secure was not mandatory for making a payment and was adopted by merchants who wanted an additional layer of security for their transactions or as a measure to reduce chargebacks. The card schemes are now making it a mandate for EEA² transactions. The rest of the world is supposed to join and adopt this standard by 2020.

7. What is chargeback liability shift?

When a transaction has been successfully authenticated by the end user via 3DS protocols in version 1.0 or 2.0 and above, the merchant automatically receives chargeback protection if the chargeback falls in the fraud category. In such cases, the liability is shifted to the issuer that authorized the transaction.

8. With 3DS, can a merchant expect to never have a chargeback again?

Just like in 3DS 1.0, merchants who process fully authenticated transactions in 3DS 2.0 or 2.2 will get a liability shift for fraud-related chargebacks. Other chargeback reasons (service failure, technical reasons, etc.) are not covered by the authentication flow, and merchants are still liable for those transactions. This means merchants can get chargebacks even when using 3D Secure with its newer version.

9. What is Transaction Risk Analysis (TRA)?

Under the 3DS2 protocol, more data will be shared during a transaction. This data forms the basis of Transaction Risk Analysis (TRA), which is the fraud analysis that issuers and acquirers can apply for each transaction. It is based on an algorithm built to detect the cardholder’s spending behavioural patterns. Other risk factors analysed include cardholder location, merchant location, monetary threshold, and real-time fraud rates for Card Not Present transactions.

10. How will SafeCharge manage 3DS complexity for merchants?

SafeCharge’s Smart 3DS Service is designed to do just that: reduce the 3DS complexity for merchants. The service dynamically routes transactions via the appropriate 3DS flow. Its online exemption submission engine takes decisions in real time and, based on merchant preferences, passes on all the relevant data to the issuer to facilitate a frictionless flow when possible. With SafeCharge Smart 3DS Service, various parameters are analysed in a fraction of a second and decisions are made to ensure that the transaction is routed in the most efficient way to maximise conversions.

Our customisable risk engine also works behind the scenes to assess the risk of each transaction based on parameters set by the merchants. Every transaction is scored and goes through our risk engine to maximise the security of transactions, even if the transaction is exempt. To learn more about our solution download our brochure or speak to our team.

11. How is SafeCharge’s solution for supporting the new 3DS protocol different?

We believe there are two main points that bring SafeCharge Smart 3DS Service under the spotlight as a great solution to handle the 3DS complexity. First, the fact that our solution is acquirer agnostic and secondly, our easy integration options.

Acquirer Agnostic: An acquirer agnostic solution gives merchants (through its payments partner) control and the flexibility to authenticate transactions across any acquirer or various acquirers in parallel. Merchants using SafeCharge acquiring benefit from the added accuracy thanks to SafeCharge transaction risk scoring.

Ease of Integration: With SafeCharge Smart 3DS Service, businesses can choose from our varied integration solutions such as SafeCharge’s Merchant Plug In (MPI) and our Web SDK (more details in the next question), as per their requirements and implementation plan. All our integration solutions offer better control over the UX and UI of the payments journey.

Lastly, the transaction data history can provide insightful details that businesses can analyse to their benefit. Businesses have a clear view and better control over their transaction check statuses in the SafeCharge Control Panel. While the broader benefit of SafeCharge Smart 3DS Service is managing the new 3DS protocol complexity, 3DS2 itself provides important benefits for businesses such as:

  • Better security: Enabled by Strong Customer Authentication
  • Better user experience: Fills the UX gaps left by 3DS1, particularly for mobile payments leading to higher checkout conversions and reduced abandonments.
  • Sales boost: 3DS2 provides diverse data points enabling the issuer to get more information for transaction authentication, leading to higher approval rates.

12. What are the integration options for Smart 3DS Service?

SafeCharge offers various ways to implement Smart 3DS Service including SafeCharge Merchant Plug In, Web SDK, Direct API, Hosted Checkout Page, Direct Gateway, and is planning a mobile SDK for in-app payments. The Web SDK is the easiest integration, but a business can choose any of the above based on their requirements.

In all the above options, a merchant can comply with the PSD2 SCA requirements and offer a smooth and seamless checkout experience to their customers.

Here’s a quick comparison of all the integration options and their benefits:

[Figure: SafeCharge 3DS integration options]

13. Will the integration require extensive development or reorganisation of the existing payment infrastructure?

The amount of time required for integration would depend on the type of existing integration and the merchant strategy on implementation. SafeCharge solutions enable easy integration by providing SDKs to simplify the implementations as well as clear documentation. The best way to gauge this would be to connect with our team.

14. What can merchants do to be prepared?

One of the best things a merchant can do is review SafeCharge’s integration documentation and start preparing for the implementation of the new 3DS flow and user journeys. Read all about the PSD2 directive and aim to understand its key elements and business logic. You can start by reading our blogpost here.

15. What are merchants required to do, and when?

All businesses¹ need to comply with the 3DS mandate requiring Strong Customer Authentication, ensuring that all the payments on their business platform go through the proper 3DS flow. There has been some talk about extensions on the dates, but it is still unclear how this situation will evolve. The best advice for all merchants is to prepare for the September deadline.

Regulation Timelines

Europe:

  • 3DS 2.0: MasterCard – April 2019; Visa – September 14, 2019
  • 3DS 2.2: MasterCard – September 2019; Visa – September 14, 2019; Amex – September 14, 2019

Rest of the world:

  • 3DS 2.0: End of 2020
  • 3DS 2.2: End of 2020

16. How will the changes help merchants?

The 3DSecure 2 protocol and the changes around it should be seen as growing pains for the payment industry. The evolution of the 3DS protocol was long overdue and the changes will bring better fraud management, better security and improved user experience for businesses and their highly mobile-friendly customers.

17. What will happen if merchants are not ready?

Merchants who are not ready, and whose transactions are mandated for strong customer authentication, might have transactions declined due to non-compliance with the PSD2 regulations. Merchants should prepare for 3DS2 to avoid the risk that some 3DS 1.0 transactions will be declined. 3DS 1.0 is scheduled to be decommissioned in 2020, so not moving to 3DS 2 is not sustainable, even if you ignore the risk of declined transactions.

 

Regulations and new changes are complex, and we know that there may be many more questions that you have around 3DS. Please feel free to contact your account manager or get in touch with us. We’ll be happy to help you.


1 – Businesses/merchants: The word businesses/merchants also implies all the third-party providers, such as Payment Service Providers, that merchants work with.
2 – Payments in the EEA refer to payments processed by acquirers or issuers based in the EEA.

SafeCharge Limited is an Electronic Money Institution authorised and regulated by the Central Bank of Cyprus and is a principal member of MasterCard, Visa and Unionpay International (CUP). SafeCharge Financial Services Limited is authorised and regulated by the Financial Conduct Authority as a Payment Institution. Both SafeCharge companies are wholly owned by SafeCharge International Group Limited.