3D Secure 2 Glossary

What is 3-D Secure 1.0

An XML protocol, designed by Visa, that builds an additional security layer for online credit card transactions. The service is provided to customers as Verified by Visa. This protocol has also been used by Mastercard, JCB, American Express and Diners Club International with the services named SecureCode, J/Secure, SafeKey, and ProtectBuy. 3-D Secure 1.0 is commonly referred to as 3DS1.

What is 3-D Secure 2.0

The system supports the transmission of rich data during transactions, making risk-based decisions possible. Consumer experience will also be enhanced compared to 3-D Secure 1.0 by eliminating the initial enrolment process and removing the need for cardholders to remember static passwords. This version of the protocol will also include non-payment authentication and native mobile support.

Often abbreviated as 3DS2, the protocol allows the site owner to customize the page and offers authentication methods that suit the customer, such as biometrics, SMS messages, or passwords. 3DS2 is more customer-oriented than 3DS1 and is designed with mobile devices in mind.

What is 3DS Requestor

The party initiating the 3-D Secure 2.0 authentication request, for the purposes of confirming that an account is still available or for cardholder authentication. For example, the requestor may be a merchant or a digital wallet requesting authentication within a purchase flow.

What is 3DS SDK / Mobile SDK

Software embedded in a merchant mobile app to facilitate cardholder authentication. When an in-app (mobile) transaction is initiated by the cardholder, the 3DS SDK signals the 3DS Core Components to authenticate the cardholder.

What is 3DS Server

Provides the functional interface between the DS and the 3DS Requestor Environment flows. The 3DS Server is responsible for gathering the necessary data elements for 3-D Secure messages, authenticating the DS, validating the DS, the 3DS SDK, and the 3DS Requestor, and safeguarding the message contents.

What is Access Control Server

Access Control Server (ACS) is in the issuer domain (banks) of 3-D Secure protocols. Each card issuer is required to maintain an ACS, which is used to support cardholder authentication. By providing their username and password, a customer is able to authenticate to the ACS, which then signs the result as either a success or a failure. This signature is passed through the customer’s browser to the Merchant Plug-in (MPI). The MPI verifies the ACS signature and decides whether to proceed with the transaction.

Because the confidentiality of the transaction has to be maintained, the cardholder is redirected to the website of the original bank during the 3-D Secure process. When the information is supplied to the bank, the verification is returned to the MPI, which then rejects or accepts the authenticity of the user. The MPI essentially connects the card servers with the merchant servers for authentication.

What is Biometric Authentication

A security process that relies on unique biological characteristics, such as facial recognition or voice identification, to verify an individual’s identity. Biometric authentication systems compare the captured biometric data with the confirmed authentic data in a database. For authentication to be confirmed, both samples of the biometric data have to match.

What is Card-Not-Present Fraud

Card-not-present (CNP) fraud occurs when the customer manually enters credit card information without physically presenting the card to the merchant during a transaction. This type of fraud typically takes place online when the fraudulent party acquires the cardholder’s information, for example, their three-digit security code, without the cardholder’s consent. CNP fraud is commonly committed through phishing.

What is Card Scheme

Payment networks that set regulations and provide infrastructure to issue cards and process payments made with cards, for example, debit or credit cards. For a payment to be made, both an issuer (bank or financial institution) and an acquirer (merchant or customer) must be members of the same network as the card.

What is Chargeback

The return of funds used to make a purchase to the buyer, initiated by the issuing bank or financial institution. One of the benefits of 3-D Secure 1.0 was that it reduced the possibility of chargebacks. If a chargeback occurs, the liability will then lie with the cardholder’s bank.

What is Directory Server

A central archive for storing and managing information such as identity profiles. Information kept in Directory Server can be used for the authentication and authorization of users to ensure secure access to an enterprise, internet services, and applications. Directory Server is expandable: it can be integrated with existing systems and enables the consolidation of employee, customer, supplier, and partner information.

What is EMVCo

Initially named EMV, a global standard for credit and debit payment built on chip card technology. It took its name from the card schemes that established it, Europay, MasterCard, and Visa. The standard is now regulated by EMVCo, a combination of financial institutions including Visa, Mastercard, American Express, China Union Pay, JCB, Discover/Diners Club International, and Rupay. They are also the developers of EMV Three-Domain Secure (3DS). The aim of EMVCo is to facilitate worldwide interoperability and make all online payment transactions as secure as possible.

What is Frictionless Flow

Enables issuers to approve a payment without the requirement to interact with the cardholder, implemented through risk-based authentication performed in the ACS. During an online purchase, as the customer proceeds to confirm the purchase, all their shopping details, including device data, item purchased and value, are submitted to the ACS, which examines the authenticity of the cardholder using risk-based elements. This process is frictionless as it occurs behind the scenes. Customers are directed to the purchase confirmation page without realizing their transaction was screened.

What is Liability Shift

When the liability from chargeback loss is shifted from the merchant back to the bank. This occurs during eCommerce transactions where the cardholder denies making a transaction, or for fraudulent transactions.

What is Non-Payment User Authentication

A category of 3DS messaging that can be utilised to verify identity outside the payment ecosystem, enabling wallet providers and issuers to streamline a secure provisioning and activation process for cardholders.

What is One Time Passwords

The system provides a mechanism for logging on to a network or service using a unique password which is valid for only one login session or transaction. This prevents certain forms of identity theft by ensuring that a stored user name/password pair cannot be used more than once, providing better protection to online bank accounts, corporate networks, and other systems containing sensitive data.

What is Out Of Band Authentication

Out of band (OOB) authentication is an authentication mechanism that requires two different signals from two distinct channels or networks. In an enterprise environment, an out of band channel meets security objectives by generating a request to conduct a secondary verification.

What is Payment Gateway

An eCommerce service that authorizes the transfer of funds between buyers and sellers. It facilitates transactions by transferring information between payment portals, for example, from a website to the bank.

What is Payment Service Directive 2 (PSD2)

A payment service directive. Banks are no longer the only party with control over their customers’ data. PSD2 allows bank customers to give third parties permission to acquire their account information from the bank and manage the customers’ finances. For example, Facebook could be used to make payments for the customers directly from their bank accounts.

What is Risk-Based Authentication

An identity and access technology which uses a range of factors from the user, including their behaviour, the devices they use and other variables, to evaluate whether the user is a potential threat. If the user is unable to meet a predetermined standard, they will be prompted to supply supplementary information, such as a security question answer or a biometric element, for verification.

What is Strong Customer Authentication (SCA)

A new European regulatory requirement created to make online payments more secure by using biometrics to validate card-not-present digital transactions. With the PSD2 (Revised Payment Service Directive) regulations, more information will be needed from the user at the time of payment than just the card number and a CVC verification code. SCA utilizes three types of independent information to verify user identities: 1) Information the user knows: password, PIN; 2) Something the user possesses: card, mobile phone; or 3) Something the user is: fingerprints, facial recognition.

What is Transaction/Cart Abandonment

When a potential eCommerce customer abandons the purchase/shopping cart at the checkout process before completing the payment phase. This can often happen when a customer forgets the added verification requirement from the 3-D Secure process or when the page does not display correctly on mobile devices.

What is Two Factor Authentication (2FA)

A type of multi-factor authentication, which offers a way to verify users’ claimed identities. The method uses two of the three factors to authenticate the transaction: 1) Information the user knows: password, PIN; 2) Something the user possesses: card, mobile phone; or 3) Something the user is: fingerprints, facial recognition.