3D Secure 2 Frequently Asked Questions

Table of Content

What is 3D Secure?

3D Secure is a security protocol that aims to prevent fraudulent use of credit cards by authenticating cardholders in card-not-present (CNP) transactions. “3D” stands for “3 Domain”, which includes the issuer domain, acquirer domain, and interoperability domain. These are the 3 domains in which the protocol operates in. The protocol is developed and managed by EMVCo, an organization jointly owned by major card brands Visa, Mastercard, American Express, Discover, JCB, and UnionPay.

Why create a new specification even though 3D Secure is already adopted in the industry?

It has been 17 years since 3D secure 1 has been deployed. Although the payments industry in most countries adopted this authentication method quite well, it recognized the need to create the new protocol in regards to the current and future market requirements including adding the support of mobile-based authentication and digital wallets integration. The aim of creating 3D secure 2 specification is to take account of new payment channels and deliver top-notch security and performance to improve the user experience.

What are the main changes in 3D Secure 2?

Rather than static passwords, 3D Secure 2 uses dynamic authentication methods such as biometrics and token-based authentication.

The risk-based analysis can be plausible in establishing the decision of whether to authenticate a transaction, by supporting authentication based on enriched data elements shared through the protocol. Because of removing the original sign-up process and the requirement for cardholders to use static passwords, the user experience can be simplified and improved. Merchants will expect less shopping cart abandonment by customers as a result.

Furthermore, the message interface and challenge flows are made to amenable to mobile platforms (i.e. in-app, mobile, and digital wallet).

Read more about ACS in 3DS1 and 3DS2.

What are the benefits of 3D secure 2?

By removing old pain points from 3D Secure 1, 3D Secure 2 is able to present a faster, more coherent, and unobtrusive authentication solution.

For merchants, cart abandonment rates will improve. 3D Secure 1 always required cardholders to manually enter a password. Many cardholders forget their static password, and others felt it was too tedious a step, and not worth the extra effort. As a result, many cardholders simply give up buying the goods. Through the introduction of Frictionless Flow, this extra manual step is removed, and means more cardholders are more likely to complete their transactions.

From an issuer’s perspective, they are in charge of deciding whether a transaction is likely to be fraudulent or not. And starting in 3D Secure 2, a rich set of data is collected about the cardholder and transaction, and sent to the issuer. This means issuers can use this rich dataset to make better risk decisions than what they could previously do. By empowering issuers to make better decisions, they are less likely to be presented with chargeback cases from cardholders, which then reduces the time and costs associated with resolving such disputes.

And for the end consumer (or “cardholder”), 3D Secure gives them peace of mind that their credit card is not being misused by fraudsters. And in achieving this, 3D Secure 2 presents a much faster, more accurate, and natural way of authentication, as compared to 3D Secure 1.

What is frictionless flow, and how is it achieved?

Frictionless Flow is one of the two authentication flows in 3D Secure 2. The other being Challenge Flow.

Frictionless Flow allows issuers to approve a transaction without requiring any manual input from the cardholder. This is achieved through what’s called “risk-based authentication (RBA)”. RBA works by collecting a set of cardholder data during the transaction, and passing it on to the issuing bank and their ACS, which then compares the collected data with the cardholder’s historical transaction data to output a fraud risk value corresponding to the new transaction. If this fraud risk value is below a predetermined threshold, Frictionless Flow applies. In other words, if fraud risk is sufficiently low, then the issuing bank would not seek additional verification from the cardholder, and deem the cardholder to be authenticated. This cuts out the manual verification step that was always required from cardholders in 3D Secure 1.

If the other case where the fraud risk value is above the predetermined threshold, Challenge Flow applies. For more information about Challenge Flow, like how it works, and how it has improved from 3D Secure 1, please contact us at the bottom of this page.

Do all e-commerce sites use 3D Secure?

No, it is up to each merchant to decide whether to implement 3D Secure or not. However, 3D Secure is mandated in some countries like India and South Africa.

What is the liability shift rule in 3D Secure 2?

Currently, all merchants who attempt 3D Secure 1 authentication may receive liability shift. This applies even if the issuing bank does not support 3D Secure 1, or if the cardholder is not enrolled in the protocol. This is a major benefit of 3D Secure 1, as merchants who simply attempt authentication may relieve themselves of any responsibility if chargebacks are lodged.

3D Secure 2 will also support liability shift. But, as the updated protocol gradually rolls out, different card schemes decide their own rules as to when to implement liability shift. Mastercard will support liability shift starting in October 2018, while Visa will activate liability shift depending on the region the merchant is in. Dates range from April 2019 to April 2020 for various regions. For more information about liability shift, get in touch with us at the bottom of this page.

Have I used 3D Secure before?

You may have seen 3D Secure before without even noticing. If you have been asked to enter a password for your credit card when shopping online, chances are it’s 3D Secure. 3D Secure is implemented by all major card brands, each of whom markets their 3D Secure services with different brand names. Visa market it as “Verified by Visa”, Mastercard brand theirs as “Mastercard Identity Check”, while American Express refer to their 3D Secure services as “American Express SafeKey”. But at the end of the day, they are all achieving the same purpose through the same 3D Secure protocol.