Spiderman’s Peter Parker Principle states that ‘with great power, comes great responsibility’. The triarchy of payment systems, American Express, Mastercard, and Visa, certainly holds a lot of power, and they take their responsibilities seriously. In 1999 (led by Visa) they decided to improve the security of internet payments with 3D Secure.
This article will walk you through everything you need to know about 3D Secure and explain why you need to care. You’ll learn:
What 3D Secure is
Why 3D Secure matters
The difference between 3DS1 and 3DS2
The benefits of Dynamic 3D Secure
How to implement 3D Secure 2
What is 3D Secure?
Traditionally, 3D Secure was that additional authentication step where a customer is directed to a page hosted by their bank. They’d enter a code or trigger an SMS to complete the purchase and were then redirected back to the merchant’s site. Things have moved on since then, which we’ll explore below.
Which card schemes support 3D Secure?
3D Secure is supported by most of the major schemes including Visa, Mastercard, Amex, Discover, JCB, and UnionPay.
Why is 3D Secure important?
3D Secure has always been a powerful means of helping prevent fraud. But now, with PSD2 ramping up the authentication standards enforced by issuers in the EU, 3D Secure is essential. Note: There are some exemption categories.
The first iteration of 3D Secure was the redirect to Verified-by-Visa or Mastercard SecureCode. Over the years, it’s helped make online shopping much safer and reduced fraudulent chargebacks. But, like any new protocol, it’s had a mixed reception.
Before 3D Secure, an online payment process looked like this:
Issuers could still run a check on the card’s three-digit CVC and the shopper’s address, but those checks were weak, and the data involved was often already in fraudsters’ hands. So, if a card was stolen, fraudsters could run riot. 3D Secure brought the issuer into the process by hosting the authorisation on their domain. So, as well as keeping fraudsters in check, 3D Secure has the added benefit of shifting liability from the seller to the card issuer.
Cardholders hated it. The extra step in the process was clunky, and no one could ever remember their 3D Secure code. Consequently, 3D Secure was quickly dubbed the ‘conversion-killer’. Plus, the simplistic web pages were easy to copy, and customers couldn’t tell the difference between a legitimate 3D Secure authorisation page and a phishing site.
Enter 3D Secure 2.0
3D Secure 2 (3DS2) brings a new approach to authentication with a wider range of data points, biometric authentication, and an improved experience (optimised for mobile). It not only addresses the many issues of 3D Secure 1, it brings a whole host of new benefits.
With 3DS2, device information is enough to authenticate a customer and in most cases authentication is ‘passive’ with all necessary information exchanged in the background.
Example of passive authentication
However, some transactions are higher risk, or are subject to regulations like PSD2. In this case, the issuer may choose to ramp up the authentication with one of the following methods, for example:
Two-Factor - The user is asked to provide a two-factor authentication code sent via email or SMS.
Biometric - An app-switch to an issuing-bank app is facilitated by the SDK. The user can use their fingerprint or face in the issuing bank app.
Better authorisation rates
As well as authentication, 3DS2 can also be used as a tool to share up to 100 data points with the issuer. This can be used alongside your risk engine to make better risk decisions and boost authorisation rates.
Managing compliance with Dynamic 3D Secure
Regulatory frameworks like PSD2 can be confusing, especially when different countries have different deadlines. And, if you're operating across several regions, you’ll need to know which transactions fall within regulated areas and which don’t. You’ll also need to know in which regions 3DS2 will help boost your authorisation rates and in which it will damage your conversions.
The best approach is to apply Dynamic 3D Secure. This works in real-time to apply or avoid 3D Secure based on conditions like: payment method, transaction value, and location of the shopper. Below is the flow:
Adyen's Dynamic 3D Secure flow
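As an added illustration (not Adyen's code or its Dynamic 3D Secure engine), here is a minimal first-match rule table in Python for the kind of real-time decision described above, keyed on payment method, transaction value, and shopper/issuer location. The country sets, amount thresholds, and scheme list are constructed assumptions for the example, not PSD2 or Adyen values.

```python
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class Transaction:
    amount_minor: int     # amount in minor units (e.g. 1999 == 19.99)
    currency: str         # ISO 4217 code
    payment_method: str   # scheme identifier, e.g. "visa", "mc", "amex"
    shopper_country: str  # ISO 3166-1 alpha-2 of the shopper
    issuer_country: str   # ISO 3166-1 alpha-2 of the card issuer


@dataclass(frozen=True)
class Decision:
    apply_3ds: bool  # True: route through 3DS2 authentication; False: skip it
    rule: str        # name of the rule that fired, kept for audit logging


# Everything below is constructed for illustration, not Adyen's or PSD2's figures.
THREEDS_SCHEMES = {"visa", "mc", "amex", "discover", "jcb", "cup"}
REGULATED_COUNTRIES = {"NL", "DE", "FR", "ES", "IT", "BE", "IE", "AT"}  # assumed SCA scope
LOW_VALUE_MINOR = 3000     # assumed merchant-configured low-value threshold
HIGH_VALUE_MINOR = 50000   # assumed threshold above which 3DS is always requested
HIGH_RISK_COUNTRIES = {"XX"}  # placeholder for a merchant's own high-risk list

Rule = Tuple[str, Callable[[Transaction], bool], bool]


def in_scope(tx: Transaction) -> bool:
    """Both legs (issuer and shopper) inside the regulated region."""
    return tx.issuer_country in REGULATED_COUNTRIES and tx.shopper_country in REGULATED_COUNTRIES


# Ordered rule table: the first predicate that matches decides. Order matters:
# the low-value exemption must be evaluated before the general in-scope rule.
# Note that skipping 3DS on an in-scope transaction also forgoes the liability shift.
DEFAULT_RULES: List[Rule] = [
    ("unsupported_scheme", lambda tx: tx.payment_method not in THREEDS_SCHEMES, False),
    ("high_value", lambda tx: tx.amount_minor >= HIGH_VALUE_MINOR, True),
    ("high_risk_country", lambda tx: tx.shopper_country in HIGH_RISK_COUNTRIES, True),
    ("low_value_exemption", lambda tx: in_scope(tx) and tx.amount_minor < LOW_VALUE_MINOR, False),
    ("psd2_in_scope", in_scope, True),
]


def decide(tx: Transaction, rules: List[Rule] = DEFAULT_RULES) -> Decision:
    """Return the first matching rule's decision; outside regulated regions default to skip."""
    for name, predicate, apply_3ds in rules:
        if predicate(tx):
            return Decision(apply_3ds, name)
    return Decision(False, "default_skip")  # protect conversion where 3DS is not required
```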
How to implement 3D Secure 2 with Adyen
Our Authentication Engine can help you build authentication flows natively into your apps and will automatically apply the correct authentication to comply with regulations such as PSD2.
The technical bit
When setting up 3DS2, there are two core components of the integration to consider: The front-end SDK and the 3D Secure server.
The job of the SDK is to securely collect and transmit device information and to display authentication flows. As a result, there is a strict certification process for these libraries with EMVCo and the schemes, which we’ll take care of. The SDKs weren’t a component of 3DS1, so if you’re migrating from 1 to 2, you’ll need to introduce them into your frontend payment flows.
The 3DS2 SDK works together with our 3D Secure server (3DSS) to exchange information and request authentication. You can see more information on how these calls work in our documentation.