3DS 2 – understand the basics of the new authentication protocol


3D Secure 2 is an authentication protocol that aims to reduce fraud and improve security in online card payments.

3D Secure 2 provides a seamless process to authenticate customers while addressing the shortcomings of the existing 3DS 1. The most significant improvements are support for mobile applications and a less intrusive biometric authentication option.

A brief history of 3DS1

3D Secure 1 was the first version of 3D Secure protocol. Visa created the protocol and introduced it in 1999 in order to provide more secure card-not-present transactions. During this time, consumers could only use computers for their online shopping. 3D Secure 1 was designed for desktop browser authentication, as smartphones were not prevalent at that time.

Cardholders would enrol in the card issuer’s 3D Secure programme. Each card scheme has its own branded 3D Secure programme: Verified by Visa, Mastercard SecureCode or American Express SafeKey, for example. Each user associated their payment card with a static password.

After enrolment, any subsequent online transaction would redirect the cardholder to a bank-branded page and prompt them to authenticate by entering their 3D Secure password.

The key benefit is the liability shift towards the customer’s issuing bank. However, this key selling point came with major pain points. Consumers consistently abandoned their carts because 3DS1 lacked native mobile and in-app flows. This was understandable, given that at the time it was developed the prevalent device for eCommerce was the desktop computer. Additionally, static 3DS1 passwords were hard to remember, causing more friction and higher cart abandonment rates, as well as extra operational costs for issuers because customers called the support centre to reset their passwords.

3DS 2, a new seamless way to authenticate online payments

3D Secure 2 is the updated version of 3D Secure 1. In a nutshell, 3D Secure 2 has addressed these issues by introducing new ways of frictionless authentication and a better user experience across devices. In other words, most authentication activity happens in the background, being invisible to the cardholder.

3D Secure 2 enables merchants and issuing banks to share rich contextual cardholder data to quickly authenticate transactions behind the scenes. The updated protocol eliminates the additional consumer verification steps that used to cause friction during checkout (such as authentication redirects and entering static passwords that could be forgotten).

Over 100 data points are now shared with the issuing bank and processed during the authentication request. This richer data allows issuing banks to better determine the risk level of the transaction. With 3D Secure 2, the majority of low-risk transactions can be authenticated without requiring additional verification from the consumer, paving the way to a safe, efficient, and frictionless checkout experience.

Major card schemes such as Visa recommend that issuers and merchants support both 3DS1 and 3DS2 so that stakeholders can respond to each message version and increase successful transactions for customers.

3DS2 and SCA

Is 3D Secure 2 mandatory as part of PSD2? PSD2 is an EU mandate that regulates the payments market in the EEA. It introduces SCA (Strong Customer Authentication), an updated security measure for authenticating online payments. At least two of the following authentication factors are required for a successful transaction:

  • Something only the consumer knows: OTP, SMS code, PIN, password, security question, etc.
  • Something only the consumer owns: credit or debit card, key fob, mobile device, wearable device, etc.
  • Something only the consumer is: biometric data such as a fingerprint, iris scan, or facial or voice recognition.

With that being said, merchants who apply 3D Secure 2 to authenticate online payments satisfy all of the above SCA requirements, unless the transaction falls under an exemption rule.
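To make the "at least two factors" rule concrete, here is a small added example (not code from the article, the 3DS2 specification or any payment provider) of the check an issuer-side service would apply before treating a challenge as strong authentication. The factor names and the `exempt` flag are assumptions for a hypothetical checkout back end; the factor-to-category mapping follows the three bullet points above, and the example shows the edge case that two factors from the same category (e.g. password plus PIN) do not satisfy SCA.

```python
"""Toy SCA factor check: added illustration, not code from any 3DS2
implementation. Factor names are constructed labels for a hypothetical
checkout back end; categories follow the article's three bullet points."""
from enum import Enum


class Category(Enum):
    KNOWLEDGE = "something only the consumer knows"
    POSSESSION = "something only the consumer owns"
    INHERENCE = "something only the consumer is"


# Mapping taken from the article's list (assumption: these free-form
# names are what the hypothetical back end records per verified factor).
FACTOR_CATEGORIES = {
    "otp": Category.KNOWLEDGE,
    "sms_code": Category.KNOWLEDGE,
    "pin": Category.KNOWLEDGE,
    "password": Category.KNOWLEDGE,
    "security_question": Category.KNOWLEDGE,
    "card": Category.POSSESSION,
    "key_fob": Category.POSSESSION,
    "mobile_device": Category.POSSESSION,
    "wearable": Category.POSSESSION,
    "fingerprint": Category.INHERENCE,
    "iris_scan": Category.INHERENCE,
    "face": Category.INHERENCE,
    "voice": Category.INHERENCE,
}


def categories_covered(factors):
    """Return the set of distinct SCA categories covered by the verified
    factors. An unknown factor name raises, so a typo or an unmapped
    method can never silently count towards the two-factor requirement."""
    covered = set()
    for factor in factors:
        try:
            covered.add(FACTOR_CATEGORIES[factor])
        except KeyError:
            raise ValueError(f"unknown authentication factor: {factor!r}")
    return covered


def sca_satisfied(factors, exempt=False):
    """True when the transaction is exempt from SCA (assumed flag standing in
    for the exemption rules the article mentions) or when the verified
    factors span at least two distinct categories. Two factors from the
    same category, such as password + PIN, count as one."""
    if exempt:
        return True
    return len(categories_covered(factors)) >= 2


if __name__ == "__main__":
    # Constructed sample challenges for a quick demonstration.
    print(sca_satisfied(["password", "mobile_device"]))  # two categories
    print(sca_satisfied(["password", "pin"]))            # one category only
    print(sca_satisfied([], exempt=True))                # exemption applies
```

The important design choice is counting categories rather than factors: a challenge that collects a password and then a PIN has asked the customer twice but has only proved one thing, so `sca_satisfied` rejects it, while any pairing across knowledge, possession and inherence passes.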

Key takeaways

3D Secure 2 is an up-to-date authentication protocol that provides seamless checkout experiences and shifts liability to the consumer’s bank. The enforcement of SCA requirements under PSD2 is a big driver for merchants and issuing banks to implement 3DS2.