3D Secure 2.0 Explained

6 min readJun 22, 2017

What is 3D-Secure?

3D-Secure is a fraud prevention system designed for e-commerce sites to facilitate secure online transactions by authenticating a cardholder’s identity at the time of purchase. Verified by Visa, MasterCard SecureCode and American Express SafeKey are three of the most widely used 3D-Secure protocols and each one relies on a three-domain — hence the name — communication process. This process consists of the ‘issuer domain’ (the bank/company of the card being used), the ‘acquirer domain’ (the bank of the merchant to which payment is to be made), and the ‘interoperability domain’ (3D-Secure infrastructure) provided by the credit card organisation. More details, including info on 3D-Secure 2.0, can be found here.

The only difference the customer will be aware of is the ‘interoperability domain’ process because this requires direct input from them. What usually happens is an additional dialogue box, hosted by one the 3-D Secure protocols, either pops up or is embedded in the merchant site and asks for a pin and password of the customer’s choosing. Upon first-use, the customer will be prompted to create these. This provides an extra layer of security and is fast becoming an industry standard due to ever-increasing instances of cybercrime, along with the eagerness of online merchants to alleviate themselves of liability in cases of chargebacks and fraud.

A Merchant plug-in (MPI) is also required to facilitate authentication (if the ‘payment gateway’ wants to utilise 3D-Secure), identifying the account number in question and querying the card issuer servers to determine whether the card is enrolled in a 3D-Secure program or not; if it is, the MPI fetches the URL of the issuer’s access control server (ACS) to enable authentication. To protect both the online merchant and the customer, 3D Secure protocols require authentication — a password, usually, tied to a specific card or, alternatively, a one-time code can be sent to a user’s mobile device — from the customer at the time of purchase. 3D-Secure shifts liability from the merchant to the ‘acquiring bank’, protecting merchants against fraudulent payments and, in some cases, even chargebacks.

Need for improvement

There are a few problems with the 3D-Secure system which can discourage merchants from enrolling, despite the clear security benefits detailed above.

Many customers are either unaware of or brush aside the fact that rates of cybercrime are increasing at a worrying rate with each passing year; this is likely because they themselves have never been affected by online fraud and, as a result, underestimate the threat.

Unfortunately, 3D-Secure can cause customers to become confused and irritated — especially if they haven’t encountered the process before — and, as we all know, the longer the payment process lasts, the more likely the customer is to abandon the transaction altogether.

Obviously, conversation rates are everybody’s number one priority, so a security protocol which scares customers away is, for good reason, likely to be shunned by merchants as well as customers.

Indeed, many merchants reported higher cart abandonment rates after enrolling in 3D-Secure for this very reason, so this is a serious issue. It’s no good having a secure payment system if you aren’t receiving any payments.

Without wanting to sound ageist, it is possible that older customers, who were perhaps late adopters of modern technology and, as such, are relatively new to online shopping, may be thrown off by anything strange or unfamiliar during the payment process.

Moreover, even if the customer, having struggled with the authentication process, eventually manages to complete the transaction, it is likely their experience will have been tarnished by the presence of 3D-Secure, which will, in turn, reduce the probability of them recommending or even reusing the merchant in question.

Online fraud statistics

However, the fact remains: online fraud is a growing problem which will get worse, not better, so e-commerce sites will eventually be forced to address this problem, sooner or later, if they want to retain the trust of their customers. Here are just a few online fraud statistics from 2016, to help convey the scope of the problem:

There were 27 attacks for every 1,000 transactions conducted in 2015 Q4; that’s 11% more than were reported in 2015 Q3, and a 215% increase from 2015 Q1
The attack rate more than quadrupled for digital goods, and nearly doubled for luxury goods, between Q4 of 2015 and Q1 of 2016
$4.79 out of every $100 of sales are at risk, up $2.90 (150%) out of $100 from 2015 Q1
Online fraud rates have increased every year and show no sign of letting up with 2017 on track to be the worst year yet

SOURCE: PYMNTS.com

3D-Secure 2.0

The good news is the 3D-Secure protocol has been vastly improved and updated in its second iteration. 3D-Secure 2.0 aims to facilitate ‘frictionless shopping’ which incorporates the ease and speed of ‘old school’ transactions with the security of 3D-Secure by offering multi-factor authentication which, once set up, means transactions (even card-not-present transactions) are ‘a walk in the park’ for consumers. Additionally, merchants have the peace of mind of knowing they are not at risk. So, the customer is happy because the authentication process is straightforward and the merchant is happy because, if there are any issues with security/payment, it’s the acquiring bank, not them, that is liable: everybody wins.

MPI or 3DS Server

There are a handful of MPIs that are helping to bring cross-platform 3D secure authentication to the table: cross-platform meaning they’ll merge with numerous payment gateways with ease, giving merchants and customers a stress-free, secure, and cost-efficient solution to the growing problem of online fraud. 3D Secure 2.0 introduces 3DS Server as the replacement for Merchant Plug-ins which allows for in-app & API enabled authentication requests. The following is a simple diagram which depicts the basic 3D Secure 2.0 authentication flow through 3DS Server.

ACS

Additionally, new Access Control Servers (ACSs) will support multi-factor authentication, 3D Secure authentication and non-3DS authentication so everybody’s covered. Issuers will need to implement an ACS that will support 3D Secure 2.0 protocol.

The following diagram depicts the flow of 3D Secure 2.0 enabled authentication:

Key benefits of 3D Secure 2.0:

Merchants will be able to offer a consistent, easy-to-use service across multiple payment gateway platforms and digital media during transaction authentication. This will help improve the consumer experience for cardholders and address the 3D-Secure issue of high cart abandonment rates.
Issuers can improve ‘frictionless authentication’ by way of richer data exchanges enabling smarter decisions for risk assessment to challenge the cardholder or not. Additionally, cardholders will be able to choose their preferred medium for making purchases — thanks to multi-factor authentication functionality — without compromising on security.
Consumers want a convenient and secure service regardless of the device on which they are making e-commerce payments. 3D-Secure 2.0, along with the corresponding 3DS Server and ACS technology, will provide these benefits, adding efficiency with little to no impact on applications and payment gateways that customers are already familiar with.

Act now!

With rising online fraud, cybercrime, and bots to contend with, 3DS and 3DS 2.0 will very soon become the standard for e-commerce fraud prevention. Consumers will expect it, payment gateways must facilitate it and, as such, merchants are wise to address the problem sooner rather than later because, as the statistics demonstrate, online fraud certainly isn’t going away. So, for merchants who want the highest conversion rates, along with protection from fraud and chargebacks, the time to act is now!