3D Secure
eCommerce popularity has increased constantly over the last ten years. 3D Secure is a protocol designed to increase the security of online payments made with credit and debit cards (Card-Not-Present transactions). Its main purpose is to authenticate the cardholder during an online or mobile purchase. In-store, the cardholder is authenticated by signature or PIN; neither is available during an online payment, and 3D Secure fills that gap.
The concept of 3D Secure is based on the 'Three-Domain' model, which includes all participants involved in the financial transaction. All three domains take part in the authentication process, and when all three comply, the transaction is fully covered by 3D Secure authentication and its liability rules. Non-compliance in any domain moves the liability to the non-compliant (weaker) party. The three domains are: the Acquirer domain (where 3D Secure transactions are initiated by the merchant), the Interoperability domain (where transactions are switched between the Acquirer and Issuer domains), and the Issuer domain (where transactions are authenticated).
For Issuers, the most relevant component is the Access Control Server (ACS). Additionally, depending on the chosen authentication method, the Issuer should have an authentication solution integrated with ACS, and the solution needs to be certified by card schemes. For Acquirers, the most relevant component is the Merchant Plug-In (MPI). In 3D Secure 2.0, instead of MPI, a 3DS Server is introduced, along with SDK components for mobile purchase applications.
The 3D Secure 2 specifications by EMVCo, as well as the card scheme 3D Secure 2 programs (Mastercard Identity Check, Visa Secure (formerly Verified by Visa), etc.), are aligned with PSD2 requirements. By deploying 3D Secure 2, Issuers and Acquirers meet PSD2 for Card-Not-Present online payments. Note that this covers only Card-Not-Present card payments, not account-to-account payments or other scopes regulated by PSD2.
Instead of purchasing ACS products to be implemented on bank premises, Issuing banks can use third-party service providers to outsource the 3D Secure process. Card schemes certify and approve the service providers that may offer this service to Issuing banks. ASEE has been certified as a MasterCard and VerifiedByVisa ACS service provider. By using this service, Issuing institutions minimize time to market, reduce investment and operational costs, and provide their customers with strong fraud protection during online payment.
3D Secure 2.0 contains two authentication flows: Frictionless flow and Challenge flow. Frictionless flow lets cardholders complete an online payment without any manual input to authenticate the transaction. This is possible because of Risk-Based Authentication, a mechanism that assesses the risk of a particular transaction from historical data, including transaction history and the cardholder information provided with the request. If the transaction is deemed low risk, the frictionless flow is applied and no additional authentication step is required from the cardholder.
Challenge flow is applied when the Issuer's ACS deems a transaction risky. In such cases, the cardholder is required to verify their identity using an appropriate authentication method (e.g., OTP, fingerprint, face recognition).
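To make the frictionless and challenge flows concrete, the following added example (not ASEE, Trides or EMVCo code) simulates one purchase crossing the three domains: the 3DS Server in the Acquirer domain builds an AReq, the Directory Server routes it to the ACS that owns the card range, and the ACS answers with an ARes whose transStatus is "Y" (frictionless) or "C" (challenge); in the challenge case the CReq/CRes and RReq messages follow. Message and field names follow the EMV 3DS specification, but the card-range table, the issuer keys, the "deviceKnown" risk rule, the OTP delivery and the shape of the authentication value are all constructed for this illustration.

```python
"""Simplified EMV 3-D Secure 2.x exchange across the three domains.

Added illustration, not ASEE or EMVCo code. Message and field names
(AReq/ARes, CReq/CRes, RReq, transStatus, acsTransID, ...) follow the
EMV 3DS specification; the card ranges, keys, risk rule and OTP
delivery are constructed for the example.
"""
import base64
import hashlib
import hmac
import secrets
import uuid

# Constructed card-range table: BIN prefix -> issuer ACS name (a real DS holds enrolled ranges per issuer).
CARD_RANGES = {"411111": "acs-bank-a", "555555": "acs-bank-b"}
# Constructed per-issuer keys used to derive the authentication value (AAV/CAVV).
ACS_KEYS = {"acs-bank-a": b"bank-a-demo-key", "acs-bank-b": b"bank-b-demo-key"}


def authentication_value(acs_name, ds_trans_id, amount):
    """Proof of authentication handed back to the merchant. Real schemes define the CAVV/AAV
    layout; here it is an issuer-keyed HMAC over the transaction, base64 encoded."""
    mac = hmac.new(ACS_KEYS[acs_name], f"{ds_trans_id}:{amount}".encode(), hashlib.sha256).digest()
    return base64.b64encode(mac[:20]).decode()


class ACS:
    """Issuer domain: decides frictionless vs. challenge and verifies the challenge response."""

    def __init__(self, name, challenge_over):
        self.name = name
        self.url = f"https://{name}.example/challenge"
        self.challenge_over = challenge_over      # minor units; constructed risk threshold
        self.pending = {}                         # acsTransID -> (dsTransID, amount, expected OTP)

    def handle_areq(self, areq):
        acs_trans_id = str(uuid.uuid4())
        ares = {"messageType": "ARes", "acsTransID": acs_trans_id,
                "threeDSServerTransID": areq["threeDSServerTransID"]}
        # "deviceKnown" stands in for the device/browser data a real AReq carries.
        if areq["purchaseAmount"] <= self.challenge_over and areq["deviceKnown"]:
            # Frictionless flow: low risk, authenticated without cardholder input.
            ares.update(transStatus="Y", eci="05",
                        authenticationValue=authentication_value(self.name, areq["dsTransID"], areq["purchaseAmount"]))
            return ares
        # Challenge flow: generate a one-time code delivered out of band (SMS or app) and wait for the CReq.
        otp = f"{secrets.randbelow(10**6):06d}"
        self.pending[acs_trans_id] = (areq["dsTransID"], areq["purchaseAmount"], otp)
        ares.update(transStatus="C", acsChallengeMandated="Y", acsURL=self.url)
        return ares

    def handle_creq(self, creq):
        ds_trans_id, amount, otp = self.pending.pop(creq["acsTransID"])
        ok = hmac.compare_digest(creq["challengeDataEntry"], otp)
        cres = {"messageType": "CRes", "acsTransID": creq["acsTransID"], "transStatus": "Y" if ok else "N"}
        rreq = {"messageType": "RReq", "acsTransID": creq["acsTransID"], "transStatus": cres["transStatus"]}
        if ok:  # the result message (ACS -> DS -> 3DS Server) carries the authentication value, not the CRes
            rreq.update(eci="05", authenticationValue=authentication_value(self.name, ds_trans_id, amount))
        return cres, rreq


class DirectoryServer:
    """Interoperability domain: routes the AReq to the ACS owning the card range and stamps a dsTransID."""

    def __init__(self, acs_list):
        self.acs = {a.name: a for a in acs_list}

    def route_areq(self, areq):
        acs_name = CARD_RANGES.get(areq["acctNumber"][:6])
        if acs_name is None:  # card range not enrolled with any ACS: authentication unavailable
            return {"messageType": "ARes", "threeDSServerTransID": areq["threeDSServerTransID"], "transStatus": "U"}
        return self.acs[acs_name].handle_areq(dict(areq, dsTransID=str(uuid.uuid4())))

    def acs_for_url(self, url):
        return next(a for a in self.acs.values() if a.url == url)


class ThreeDSServer:
    """Acquirer domain (merchant side): builds the AReq and drives the challenge if the ACS asks for one."""

    def __init__(self, ds):
        self.ds = ds

    def authenticate(self, pan, amount, device_known, cardholder=None):
        areq = {"messageType": "AReq", "threeDSServerTransID": str(uuid.uuid4()),
                "acctNumber": pan, "purchaseAmount": amount, "deviceKnown": device_known}
        ares = self.ds.route_areq(areq)
        if ares["transStatus"] != "C":
            return {"flow": "frictionless", "transStatus": ares["transStatus"],
                    "authenticationValue": ares.get("authenticationValue")}
        # Browser/SDK posts a CReq to acsURL; `cardholder` simulates the person typing the OTP.
        acs = self.ds.acs_for_url(ares["acsURL"])
        creq = {"messageType": "CReq", "acsTransID": ares["acsTransID"],
                "challengeDataEntry": cardholder(ares["acsTransID"])}
        _cres, rreq = acs.handle_creq(creq)
        return {"flow": "challenge", "transStatus": rreq["transStatus"],
                "authenticationValue": rreq.get("authenticationValue")}
```

Two details are worth noticing: the authentication value the merchant needs for the liability shift is only produced by the Issuer's ACS, and after a challenge it travels in the RReq through the Directory Server rather than in the CRes shown to the browser, so a merchant must never trust a "Y" that arrives only from the cardholder's device.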
Trides ACS enables Issuers to provide 3D Secure processing with MasterCard, VISA, Amex, JCB, and Mir cards with two-factor strong authentication in compliance with 3D Secure v1.0.2 and the new 3D Secure v2.1 protocol. Trides MPI v1.0.2 and Trides 3DS Server v2.1.0 with Android and iOS SDK enable Acquirers and Merchants to integrate web and mobile purchase applications with multiple interoperability domains and initiate online payments within 3D Secure scheme. ASEE also offers 3DS Mobile SDK implementation.
With 3D Secure mobile SDK, the merchants are able to build in all 3D Secure screens into their mobile purchase application to provide a faster and smoother checkout experience. Without it, the cardholders need to switch to the web browser during 3D Secure authentication, which disturbs the checkout process.
If you have any additional questions regarding 3D Secure solutions or hosting services, need advice or support related to 3D Secure online fraud protection for your customers, contact your ASEE Key Account Manager, Sales Representative or send an email at trides@asseco-see.hr.
Deadlines vary by card scheme. Visa announced October 2022 as the worldwide deadline for card issuers and merchants to migrate to 3DS 2.x, and Mastercard shared the same expected date. Both schemes plan to shut down 3DS 1.0 in October 2022; after that the 3DS 1.0 service will no longer be available, so all participants should switch to 3DS 2.x.
This is a transition period, and Issuers are able to time their implementation. However, since regulations are defined, all market participants will pursue implementation of 3D Secure solutions, narrowing down the window for fraudulent transactions. Non-ACS Issuers will be even more vulnerable to fraud during the transition period, as they will be targeted by criminals due to lack of security. In short, the sooner the implementation, the lower the risk.
Issuers who have 3D Secure 1.0.2 deployed should apply the following guidelines from EMVCo: (1) Abandon user self-enrolment and activation-during-shopping by activating all cards enrolled in the 3D Secure scheme up front. (2) Deploy two-factor strong authentication methods instead of static passwords. (3) Deploy simplified risk assessment and Risk-Based Authentication so that low-risk transactions are processed without cardholder authentication.
When banks implement 3D Secure 2, if they already supported 3D Secure 1.0.2, they should continue to support 3D Secure 1.0.2 until October 2022. That means that in this period, two schemes will coexist. MasterCard requires running both versions in the transition period.
The most convenient method to migrate from 3D Secure 1.0.2 to 3D Secure 2.0/2.1 is by outsourcing 3D Secure infrastructure and service. Issuers who use ACS hosting services do not have any technical impacts when upgrading to the latest version/platform. There is only paperwork related to enrolling 3D Secure 2.x and integration certification (PIT), mostly done by the hosting provider.
The strategy for deploying 3D Secure is mainly driven by the fact that it reduces fraud, and consequently reduces the Issuer's potential chargeback liability. At the time this answer was written, milestones for 3DS v2.x were not clearly announced, and test cases and certifications for vendors were not finalized, so vendors could not yet provide certified 3DS 2.0/2.1 solutions. In order to protect cardholders from fraudulent online transactions, Issuers can deploy proven 3D Secure v1.0.2 solutions now and follow the EMVCo guidelines on deploying or upgrading the existing 3D Secure process to ensure a smooth transition.
The choice of authentication method is left to each Issuer. In the previous version, 3D Secure v1.0.2, static passwords were allowed. In 2015, the EBA guidelines on the security of internet payments required strong authentication for eCommerce transactions. Since January 2016, when PSD2 entered into force, such requirements became mandatory, with up to two years allowed for adjustment. The new specification for 3D Secure 2.1 strongly recommends two-factor strong authentication methods such as One Time Passwords, biometric authentication (fingerprint, face or voice recognition), etc.
3D Secure allows methods aligned with PSD2 requirements, i.e., all methods that are Strong Customer Authentication (SCA) or two-factor authentication methods. Most common methods include One Time Passwords generated by HW or SW tokens, fingerprint or face recognition biometry methods, and push notifications.
Yes. During the challenge, the ACS presents a screen on which the cardholder selects the authentication method via radio buttons.
The SCA requirements officially came into effect on 14 September 2019. However, on 16 October 2019, the European Banking Authority (EBA) published an Opinion allowing national regulators to delay enforcement of SCA until 31 December 2020. Most European regulators aligned with this roadmap, though timelines vary by country.
Issuing banks should check national regulations, national bank guidelines, and the national transposition of PSD2. Some national regulators do not accept OTP by SMS on its own as a two-factor SCA method. To meet such requirements, an additional password or PIN can be combined with the SMS OTP, which makes it an SCA method. Card schemes recommend stronger methods such as fingerprint.
No. Card scheme 3D Secure programs encourage banks to apply frictionless authentication in as many cases as possible, up to 90% of transactions. Transactions should be analyzed in order to apply the SCA exemptions defined in the PSD2 regulatory technical standards. Exemptions can be based on the Issuer's transaction risk analysis, on low transaction value (subject to cumulative count and amount limits since the last SCA), or on recurring transactions with the same amount and payee.
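The risk-based decision described above (frictionless for low-risk transactions, challenge otherwise) together with the three exemption families named here can be expressed as a small decision engine. The following is an added example for this page, not ASEE's Trides ACS logic: the exemption limits follow the PSD2 RTS on SCA (Art. 14 recurring, Art. 16 low value, Art. 18 transaction risk analysis), while the risk features, weights, the 60-point cut-off and the sample card states are constructed and would in practice come from the Issuer's own fraud models and transaction history.

```python
"""Issuer-side risk-based authentication with PSD2 SCA exemptions.

Added illustration, not ASEE code. Exemption limits follow the PSD2 RTS
on SCA (Art. 14 recurring, Art. 16 low value, Art. 18 transaction risk
analysis); the risk-score features, weights and the 60-point cut-off are
constructed for the example.
"""
from dataclasses import dataclass, field

# Art. 18 TRA: (max amount in cents, max issuer fraud rate in basis points), checked in ascending order.
TRA_THRESHOLDS = [(100_00, 13), (250_00, 6), (500_00, 1)]
LOW_VALUE_MAX = 30_00       # Art. 16: single transaction up to EUR 30 ...
LOW_VALUE_COUNT = 5         # ... and at most 5 consecutive exempted transactions ...
LOW_VALUE_SUM = 100_00      # ... or EUR 100 cumulative since the last SCA


@dataclass
class Transaction:
    card: str
    merchant: str
    amount: int                        # minor units, EUR
    recurring: bool = False
    device_known: bool = False         # constructed feature: device/browser seen before for this card
    country_matches: bool = True       # constructed feature: IP geolocation matches billing country


@dataclass
class CardState:
    low_value_count: int = 0
    low_value_sum: int = 0
    recurring_series: set = field(default_factory=set)   # (merchant, amount) pairs already SCA'd


class RiskEngine:
    def __init__(self, issuer_fraud_rate_bps: float):
        self.fraud_bps = issuer_fraud_rate_bps   # issuer's reported remote-card fraud rate
        self.cards = {}                          # card -> CardState

    def risk_score(self, tx: Transaction) -> int:
        """Constructed scoring rule standing in for the issuer's risk model."""
        score = 0
        if not tx.device_known:
            score += 40
        if not tx.country_matches:
            score += 30
        if tx.amount > 500_00:
            score += 20
        return score

    def decide(self, tx: Transaction):
        """Returns ("frictionless", reason) or ("challenge", reason)."""
        state = self.cards.setdefault(tx.card, CardState())
        score = self.risk_score(tx)
        if score >= 60:   # issuer risk assessment overrides every exemption
            return self._sca(state, tx, "high risk score, exemptions not applied")
        if tx.recurring:
            if (tx.merchant, tx.amount) in state.recurring_series:
                return "frictionless", "recurring exemption (Art. 14)"
            return self._sca(state, tx, "first transaction of a recurring series")
        if (tx.amount <= LOW_VALUE_MAX and state.low_value_count < LOW_VALUE_COUNT
                and state.low_value_sum + tx.amount <= LOW_VALUE_SUM):
            state.low_value_count += 1
            state.low_value_sum += tx.amount
            return "frictionless", "low-value exemption (Art. 16)"
        for max_amount, max_bps in TRA_THRESHOLDS:
            if tx.amount <= max_amount and self.fraud_bps <= max_bps and score < 40:
                return "frictionless", f"TRA exemption (Art. 18, up to EUR {max_amount // 100})"
        return self._sca(state, tx, "no exemption applies")

    def _sca(self, state: CardState, tx: Transaction, reason: str):
        # SCA is applied: low-value counters reset and a recurring series becomes eligible.
        # A production ACS would update this state only after the challenge succeeds.
        state.low_value_count = 0
        state.low_value_sum = 0
        if tx.recurring:
            state.recurring_series.add((tx.merchant, tx.amount))
        return "challenge", reason
```

The ordering is deliberate: the Issuer's own risk assessment comes first, because an exemption is a permission not an obligation, and an Issuer that applies exemptions to transactions its own model flags as risky keeps the chargeback liability for them.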
When choosing the most suitable authentication method, the issuing bank should consider: whether cardholders are familiar with the method, necessary resources available to their cardholders, customer segment and willingness to download mobile applications, and applicable regulations including PSD2 and local regulations. The best approach is to offer a minimum of two authentication methods and allow cardholders to select their preferred one. The best authentication rate is achieved when 3D Secure and digital channels use the same authentication methods.
(1) 3DS Requestor Initiated (3RI) payments – enabling a merchant to initiate a transaction even if the cardholder is offline. (2) Decoupled authentication – allowing cardholder authentication to occur even if the cardholder is offline. (3) Expansion of existing data elements to promote communication of pre-checkout authentication events and associated data as part of the EMV 3DS transaction from systems such as those supporting the FIDO Alliance standards.
3D Secure 2.0, released in October 2016, is designed to create a frictionless online payment experience by facilitating richer data exchange and allowing Risk-Based Authentication for low-risk transactions. It supports authentication of App-based transactions on mobile and other consumer devices, and introduces state-of-the-art authentication methods such as fingerprint, face recognition, and voice recognition. Key benefits include: mobile device web browser purchasing, integration with mobile apps, simplified user experience, elimination of sign-up process during shopping, modern biometric authentication, Risk Scoring and Risk-Based Authentication, frictionless/silent authentication, and increased conversion rate.
By using the ASEE Trides solution, Issuers are able to provide added value to their cardholders such as a user portal or mobile application which enables the cardholder to monitor their 3D Secure online transactions, maintain risk parameters such as online purchase limits, geographical restrictions, setup of SMS/push warnings in cases of unexpected purchase, lock/unlock card, define preferred authentication method, change language, etc.
First, the buyer will feel more confident knowing that additional fraud prevention was deployed. Secondly, even in case of fraud, card schemes (VISA, MasterCard) granted the so-called Liability shift for the merchant. This means that the issuing bank is liable for fraud and dispute costs, and the merchant won't suffer any losses.
In order to have efficient protection with 3D Secure, it must be implemented on the Issuer and on the Acquirer domain. Therefore, Issuers (financial institutions who issue payment cards), Acquirers, and Merchants who accept cards have to deploy the protocol.
This depends on the card scheme (VISA, MC, AMEX, Diners, etc.). Each can have different requirements and milestone deadlines, also considering geo-location. VISA does not mandate the VerifiedByVISA program, but MasterCard mandates MasterCard IdentityCheck in the EU region. However, in the EU region, PSD2 requires SCA authentication for mCommerce and eCommerce payments. By applying 3D Secure, this mandatory requirement is met.
Yes. After the transition period, by October 2022 at the latest, 3D Secure v1.0.2 will no longer be supported by the card schemes. Therefore, banks need to migrate to the new version.
Within the 3D Secure environment, even if two-factor strong authentication is applied (as required by PSD2 and 3D Secure 2.1), the Issuer is liable for chargebacks for fraudulent transactions. However, if a cardholder has to pass through another layer of authentication, it is less likely that the card is being used in a fraudulent manner. 3D Secure reduces the number of fraudulent online transactions and potential chargebacks.
Issuers must be aware that the card schemes (VISA, MasterCard, etc.) are stakeholders in 3D Secure and promote its acceptance. Through 3D Secure, card schemes introduce the liability shift as the main benefit for Merchants and Acquirers. This means that when a 3D Secure-authenticated transaction is later disputed as fraudulent, and the Issuer is enrolled in 3D Secure (or that particular type of card is enrolled), the Issuer is liable for the chargeback.
If you are part of any of the three domains, yes, you should implement a solution covering 3D Secure authentication. Cards from Issuers that do not use an ACS are more often used in fraudulent card-not-present transactions, simply because fraudsters target the weakest part of the chain.