What is 3D Secure and why do you need it?
3D Secure, also known as payer authentication, was designed as an additional security step in payment card transactions during online shopping. This authentication tool was initially developed by Visa and is now branded as “Visa Secure”, formerly “Verified by Visa”. Other card networks have developed their own authentication tools: Mastercard brands it as “Mastercard Identity Check” (formerly “Mastercard SecureCode”), American Express as “SafeKey”, Discover as “Discover ProtectBuy”, and JCB Global as “J/Secure”.
How does 3D Secure work?
The 3D Secure authentication process consists of three parts, in which three parties are engaged: the issuer, the acquirer, and the card network. The process is controlled by a piece of software installed on the merchant’s website, known as the Merchant Plug-In (MPI), which communicates directly with the card networks. The entire purchase transaction with 3D Secure enabled looks as follows:
- The customer confirms the order and enters the payment card details at the checkout.
- The merchant website queries the directory server of the card network via its MPI.
- When a new payment request arrives at the payment gateway, the MPI is activated. The MPI then contacts the card network to verify whether the card is enrolled in 3D Secure. If the card is not enrolled, either the financial institution that issued the card does not support 3D Secure or the cardholder has not registered for the service. If 3D Secure is enabled, the MPI redirects the cardholder to the authentication pop-up window, where the cardholder identifies himself/herself.
- The buyer is redirected to the website of the issuer and identifies him/herself.
- After the authentication, the buyer is redirected to the merchant website.
- The MPI of the payment gateway verifies the information:
  - If the buyer has not authenticated him/herself, the payment is refused.
  - If the buyer has authenticated him/herself, the payment gateway proceeds to the authorization request.
- The payment gateway returns the result to the merchant website.
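The verification step at the end of this flow, as an added example (not code from PSP Lab or any card network): the gateway refuses unless the issuer's result is intact, belongs to this order and reports a successful authentication. The names `AuthResult`, `issuer_sign` and `mpi_decide` are hypothetical, and an HMAC with a constructed key stands in for the issuer's digital signature.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed demo key. HMAC stands in for the issuer's digital signature
# so that the example runs offline.
ISSUER_DEMO_KEY = b"constructed-demo-key"


@dataclass(frozen=True)
class AuthResult:
    """Issuer's answer, carried back to the merchant by the buyer's browser."""
    order_id: str
    amount_minor: int    # amount in minor units, e.g. cents
    authenticated: bool
    tag: str             # integrity tag over the three fields above


def _tag(order_id: str, amount_minor: int, authenticated: bool) -> str:
    msg = f"{order_id}|{amount_minor}|{int(authenticated)}".encode()
    return hmac.new(ISSUER_DEMO_KEY, msg, hashlib.sha256).hexdigest()


def issuer_sign(order_id: str, amount_minor: int, authenticated: bool) -> AuthResult:
    """Simulates the issuer producing a result after the buyer identifies."""
    tag = _tag(order_id, amount_minor, authenticated)
    return AuthResult(order_id, amount_minor, authenticated, tag)


def mpi_decide(order_id: str, amount_minor: int, enrolled: bool,
               result: Optional[AuthResult]) -> str:
    """Gateway decision at the 'MPI verifies the information' step."""
    if not enrolled:
        # No authentication is possible; the next step is merchant policy,
        # which the page does not prescribe.
        return "not_enrolled"
    if result is None:
        return "refuse"      # buyer never returned from the issuer
    expected = _tag(result.order_id, result.amount_minor, result.authenticated)
    if not hmac.compare_digest(expected, result.tag):
        return "refuse"      # fields were altered in transit
    if (result.order_id, result.amount_minor) != (order_id, amount_minor):
        return "refuse"      # valid result, but for a different order
    return "authorize" if result.authenticated else "refuse"
```

Because the result travels through the buyer's browser, the gateway treats it as untrusted input until the integrity check and the order binding both pass.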
What is 3D Secure 2.0?
In April 2019, Visa and Mastercard deployed 3D Secure 2.0 (3DS2), which was developed by EMVCo. The main goal of the new 3D Secure protocol is to address many of the weaknesses of the previous version by offering less disruptive authentication and a better overall experience. The updated version introduces “frictionless authentication”. It is expected to be the primary card authentication method to meet the Strong Customer Authentication (SCA) rules in Europe and a key mechanism for businesses to request exemptions to SCA. 3DS2 allows merchants and their payment provider to send more information on each transaction to the cardholder’s issuer. This includes contextual data, such as the customer’s device ID or previous transaction history, as well as payment-specific data like the shipping address.
This information can be used to assess the risk level of the transaction and select an appropriate response:
- The transaction will be sent through the “frictionless” flow if the issuer decides that the data provided is enough to trust that the real cardholder is making the purchase; the transaction is then completed without any additional authentication.
- The transaction will be sent through the “challenge” flow if the financial institution decides it needs further proof. The customer is then asked to go through additional authentication.
The perspective of 3D Secure 2.0
3D Secure 2.0 was designed following advances in mobile technologies, which make it much easier for financial institutions to offer authentication methods through mobile banking apps. 3DS2 allows authentication to take place within the app while looking and feeling like a part of it. 3DS2 also makes it possible to authenticate a transaction with biometric data, which is now often stored on the phone, using either the fingerprint scanner or facial recognition software.
3D Secure 2.0 will become mandatory by 31 December 2020 following the new deadlines established by the European Banking Authority.
Why do you need payer authentication?
3D Secure allows merchants to protect their business and customers to protect themselves against potential payment card fraud in online transactions. It establishes additional steps that guarantee, to a greater extent, that the transaction was authorized, and therefore adds certainty to online payments. Not only does 3D Secure reduce fraud, but it also makes shopping and e-commerce safer, sustains brand loyalty, improves overall customer confidence, and increases spending online.
However, 3D Secure has some limitations: (a) not all cards currently participate in the payer authentication scheme, and (b) it does not prevent chargebacks from occurring. Even though payments that have been successfully authenticated via 3D Secure cannot be disputed as fraudulent with an immediate chargeback, issuers may initiate a retrieval request, which is essentially a request for information. Issuers are allowed to process a financial chargeback, known as a no-reply chargeback, if the merchant does not respond to the retrieval request. Therefore, it is vital that the merchant provides a timely and comprehensive response to retrieval requests and includes information about what exactly was ordered, how it was shipped or supplied, and to whom it was delivered (whether goods or services).
How can PSP Lab help you?
If you wish to learn more about 3D Secure and how to properly implement it within your processes, you can reach out to us. At PSP Lab we know how to streamline the processes in order to remain compliant while reducing hassle and easing the customer journey.