How 3D Secure 2.0 can help you make better risk decisions, create online experiences customers will love and increase conversions.
Updated May 2019
Poor security negatively impacts your business and customers, so keeping customers secure when they’re paying online is a must. With many new ways to pay and new regulations such as PSD2 coming to light, it’s time to get to know customer authentication beyond the regulatory standards.
So, let’s cut through the noise on 3D Secure 2.0 (3DS 2.0) and explore the opportunities it can create.
The first edition: 3D Secure 1.0
If you’ve shopped online in the last decade then chances are you’ve experienced 3DS 1.0. It’s that moment you get sent to an often clunky page from your bank to confirm who you are. In completing this step, issuing banks, not the business you’re buying from, become liable for fraudulent chargebacks. It’s a consistent security step, but not great for your customers.
It’s this point of friction, combined with confusing web redirect experiences, that made 3DS 1.0 fail customers and businesses. Not only did 3DS 1.0 lack native in-app and web flows, but it also introduced confusing and difficult-to-remember authentication prompts. This resulted in legitimate customers dropping out of the payment flow.
International businesses also faced many challenges with 3DS 1.0. This is mainly due to the way payments are processed in different markets. Every region has different security requirements and legislation, and adoption of the 3DS 1.0 protocol in general was inconsistent from bank to bank and country to country.
To handle these problems, we released tools like Dynamic 3D Secure to use 3D Secure where it made sense and avoid it where it didn’t. This helped businesses use 3DS 1.0 where it could be trusted, but it didn’t address the underlying issues of the protocol itself.
That’s enough about the problems, though. Let’s explore the opportunity now that the next generation of 3D Secure is here: version 2.0.
The second edition: 3D Secure 2.0
3DS 2.0 is a new standard introduced by EMVCo and the major credit card schemes. It brings a new approach to authentication through a wider range of data, biometric authentication and an improved online experience. This new protocol addresses many of 1.0’s issues, while bringing benefits across a wider set of use cases for businesses all over the world.
Increasing authorization rates with data sharing
3DS 2.0 is much more than a redirect. The combination of certified SDKs in the checkout flow, paired with data sharing APIs, means that 3DS 2.0 can be used as a tool to share rich data between businesses and banks. Over 100 potential data points are shared with issuing banks, meaning that the information you and card issuers know about your mutual customers can be used to make better risk decisions. The more information you have to support authentication cases, the higher the chances of authorization.
With 3DS 2.0 it is possible to share data between banks and merchants silently in the background. Authorization rates can be increased with no perceivable change to the checkout flow by customers. Our Dynamic 3DS service will help businesses decide when to send additional data to banks, automatically targeting transactions that are likely to see an uplift if data is shared.
This is interesting for businesses that don’t need to use 3DS 2.0 for fraud prevention. A business that has low fraud rates but wants the authorization uplift benefits of 3DS 2.0 can implement data sharing without changing the seamless checkout flow its customers currently enjoy.
Superior authentication experiences for customers
In many cases device information is enough to authenticate without an extra step for the customer. However, some transactions that have higher risk or regulations such as PSD2 require active approval. Our 3D Secure SDKs help you build these flows and there are three primary types to consider:
Passive - The SDK and servers exchange all necessary information in the background. The customer sees nothing.
Two-Factor - The user is asked to provide a two-factor authentication code sent via email or SMS.
Biometric - An app-switch to an issuing-bank app is facilitated by the SDK. The user can use their fingerprint or face in the issuing bank app.
By offering more authentication flows, customers will be able to choose the authentication method they prefer. This means increasing security while reducing the drop-off rates seen in older solutions that were based on static passwords. What’s more, our 3DS 2.0 SDK will help you easily build these authentication flows natively into your apps and websites.
The different authentication flows with 3DS 2.0 offer more flexibility so banks can continue to innovate in the future, continuing to make authentication simple and more secure. This is good news for businesses who are more vulnerable to fraud, and who already use 3D Secure. It's also a plus for businesses operating in regions that are introducing authentication requirements, an example of this being PSD2 in Europe.
Managed compliance with Dynamic 3D Secure
We’ll be the first to admit that the EU PSD2/SCA regulatory frameworks can be confusing, and global enterprise businesses will be looking for solutions to identify which transactions require authentication and which don’t.
3D Secure 2.0 is the main way that businesses can prepare for PSD2. Most regions that already have authentication mandates are expected to adopt the protocol quickly.
In addition, businesses will need tools to know where and when authentication is required, where it isn’t required but can increase authorization rates, or where it isn’t required and may harm performance if used.
Adyen’s Dynamic 3D Secure solution can play a key role in managing PSD2 compliance on your behalf. We will take care of triggering the PSD2 and SCA exceptions when applicable so you can focus on your core business. These compliance rules will work in tandem with other Dynamic 3DS rules targeting fraud-prevention and performance optimization to ensure that you are always using 3DS when it makes sense and avoiding it when it doesn’t. Below is the flow:
A unified authentication solution
Integration with our 3DS 2.0 authentication platform works with any partner that follows the 3DS 2.0 specifications. This way, businesses can have their authentication solution in one place, while keeping the flexibility and freedom around which partners they choose.
Read on for the technical and implementation information of our 3DS 2.0 solution.
The technical details
When setting up 3DS 2.0, there are two core components of the integration to consider: the front-end libraries and the 3D Secure server.
The job of the libraries is to securely collect and transmit device information, as well as to display authentication flows. As a result, there is a strict certification process on these libraries with EMVCo and the Schemes, which Adyen takes care of. Libraries were not a component of 3DS 1.0, so businesses migrating from 1.0 to 2.0 will need to introduce them into their front-end payment flows.
The 3DS libraries work together with our 3D Secure server to exchange information and request authentication. You can see more information on how these calls work in our documentation.
See our libraries on GitHub.
Prepare for Strong Customer Authentication with 3DS 2.0
The biggest driver for businesses and issuing banks to implement 3DS 2.0 is the upcoming enforcement of Strong Customer Authentication (SCA) requirements under PSD2. This law goes live in Europe on September 14, 2019.
As for the rest of the world, both Brazil and Australia have mandates in place which will encourage the adoption of 3D Secure 2.0 from mid 2019.
We’re starting to say goodbye to 3D Secure 1.0, so be the first to take this opportunity to use the additional information available with version 2.0. Take advantage now to increase your authorization rates, improve authentication and create a better experience for your customers.