What is 3DS2 and how will it impact online payments?

The 3D Secure standard (3DS) aims to reduce fraud by providing an extra layer of security when shoppers make an online payment using a debit or credit card.

People who shop online regularly will probably be familiar with the pop-up that appears after they have entered their card details. It is commonly known by one of its brand terms, which include Mastercard Secure Code, Visa Secure and American Express SafeKey.

An updated version of the standard, known as 3D Secure 2 (3DS2), was rolled out in response to the need for enhanced security and the introduction of the EU Payments Services Directive (PSD2). The new model takes into account the prevalence of m-commerce and delivers a more frictionless experience for shoppers. It’s expected to be the main method of card authentication to meet the new Strong Customer Authentication (SCA) requirements under PSD2.

What is 3D Secure?

The original version of 3D Secure was introduced by the major card networks in 1999 to provide an extra layer of security for merchants taking online card payments. It asks the shopper for additional information before the payment is accepted – for example, the customer might have to enter a password or pin code that only they know.

What are the limitations with 3DS1?

3DS1 was introduced when ecommerce was still relatively new, and before smartphones had become ubiquitous. This means that 3DS1 no longer provides a good user experience in today’s mobile-enabled world.

For example, 3DS1 relies on pop-up windows that were designed for desktop internet browsers, so they can be difficult to use on a smartphone screen. Furthermore, banks often require customers to remember a static password to complete 3DS1 verification. These passwords can be easy to forget at the checkout and can potentially lead to basket abandonment.

What’s new with 3DS2?

The updated version of the protocol represents a new approach to payment security – one that’s in keeping with today’s online and mobile world. It also anticipates future ways for shoppers to authenticate themselves.

The main benefits are:

1. Improved use of data

3DS2 gives card issuers access to more data on each online payment, which should lead to a more targeted selection of which transactions need to be ‘stepped up’ for further authentication.

Compared to 3DS2, 3DS1 limits the fraud assessment ability due to rudimentary data. 3DS2 uses more than 100 data points to analyse whether a transaction is likely to be fraudulent, including information such as the shopper’s shipping address and device ID.

If the card issuer is satisfied that the payment data proves that the cardholder is genuine, then the transaction goes through frictionless flow and the payment is completed without the need to ask for any additional information from the cardholder.

2. Better user experience

3DS2 has been designed with mobile commerce in mind, so it will provide a better customer experience and could reduce the likelihood of basket abandonment when shoppers are asked for additional information at the checkout. For example, 3DS2 doesn’t use pop-up windows, which can distract from the website’s checkout journey and are not always properly supported on mobile.

Merchants will now be able to embed the authentication process within their existing checkout flow to create a more seamless payment experience for customers. The updated standard relies on multi-factor authentication, which will mean a more fortified defence from fraud while maintaining a smooth checkout experience. 

The likes of fingerprint and facial recognition will carry on as some of the most commonly-used biometric authentication methods for SCA. 3DSv2 can provide the technical backdrop to allow for Issuers to capture these verifications in the payment journey. However, while biometrics can help to provide a more seamless payment journey, SCA still requires that transactions must meet two-factor authentication – and so biometrics alone is not enough.

Under SCA, in order to make a payment, customers will be required to provide two of three of the following forms of ID:

• Something the customer knows, such as a PIN or password
• Something the customer has, such as a mobile phone or payment card
• Something the customer is, such as their fingerprint or voice pattern

The improved user experience and data capabilities of 3DS2 mean that it is widely seen as the best solution for merchants to satisfy the SCA requirements while also minimising impact on customers. These improvements to the user experience should have a positive impact for merchants, as customers are less likely to become frustrated and abandon their purchase.

How can Barclaycard help?

While biometrics will play a key role in allowing customers to authenticate transactions under 3DS2, it’s inevitable that there will be additional friction in the customer journey as a result of SCA.

Barclaycard recommends that merchants:

• Get 3DS-ready as soon as possible. We recommend the updated 3DS2.
• Take a balanced view to imposing authentications on transactions by leveraging SCA exemptions. Learn how Barclaycard Transact could help.