How? When? Why? All You Need To Know About 3DS2.0
In the era of e-commerce and online payments, security issues do not become outdated. Hacking schemes progress along with security systems. All the participants of online transactions are interested in multilayer protection, which, however, does not complicate the payment process.
In the circumstances, 3D secure authentication comes as a win-win solution. It provides enhanced security and relieves users of red tape with identity authentication. To back up this reaffirmation with supporting evidence, let’s look at the distinctive features of 3D Secure 2.0 and analyze the impact it may have on your business.
What Are 3DS2.0, SCA, PSD2?
Let’s start from the beginning. PSD stands for the Payment Services Directive in the domestic market of the EU. PSD2 2015/2366 replaced the first edition, continuing the course towards improving the security of user transactions and expanding the ecosystem of financial services in the EU financial market.
Strong Customer Authentication (SCA) is a means of implementing PSD. It provides a new set of rules to regulate payer authentication during a transaction. Among other things, the rules oblige merchants and PSP providers to include one more user verification during the online purchase.
3D Secure2.0 is a second version of the EMV 3DS protocol for the practical implementation of SCA rules. 3D secure verification aims to prevent fraudulent use of credit cards by checking the authenticity of cardholders in transactions that do not require the physical presence of a card.
Key Revamps In 3DS2.0
The first version of the protocol served faithfully for more than ten years, yet, some points no longer fit the modern picture of online transactions. The chief shortcomings of 3DS1.0 are the long authorization process and maladaptation to mobile devices, which led to a large number of intervened transactions.
According to the Baymard research, 68.53% of online shopping baskets remain abandoned, that is, unpaid. One of the main reasons for this situation is the difficulties in the payment process. 3DS2.0 solved this problem. Buyers got the opportunity to make purchases in one click, and sellers relieved themselves of responsibility for fraudulent operations.
Let’s take a closer look at major improvements in 3DS2.0.
3DS2.0 authorizes vendors and their payment providers to send comprehensive transaction data to a card-issuing bank. For comparison, 3DS1.0 allowed sending no more than 15 data points, 3DS2.0 allows 150. Among others, the data includes:
- billing and shipping address
- buyer and seller location
- payment history
- spending pattern
- device ID
Having received the data, the bank estimates the risk.
The transactions with minor risks go under the “frictionless” authentication. It means that the bank does not ask for additional information to verify user identity. The transactions with high risk go under the “challenging” authentication. It means that the bank requests more details to verify user identity. If 3DS2.0 is not supported, the transactions go under the 3DS1.0 protocol.
Effortless User Experience
New 3D identification excludes static passwords and full-page redirects. It uses biometrics and tokens to establish identity. The user makes payment without leaving the company website. It is achieved by embedding the request stream directly into the web and mobile checkout flows. Let’s see the main improvements for users in 3DS2.0 compared to 3DS1.0.
Liability And Special Cases
Even though the acquirers have some freedom in deciding on frictionless or challenging authentication, the last word belongs to the issuer. Unlike 3DS1.0, when the seller had direct responsibility for the transaction, with 3DS 2.0, the card-issuing bank is subject to refund in case of fraud. Yet, some operations go beyond SCA:
- Payments up to 30 euros. But if the system detects a series of small amount payments, it blocks them.
- Subscriptions. You will be asked to verify your identity upon the first payment only.
- Deals with trusted merchants. You can whitelist some companies by contacting the bank.
- Seller-initiated operations. For example, when you add your card to Uber or Lyft.
- Transactions beyond the EEA. When both parties or one of them is not located in the EEA.
When Is The Deadline?
September 14, 2019, is the official date of entry into force of the Revised Payment Services Directive. As you may have noticed, it has already come. Taking into account the fact that most of the merchants appeared not ready for migration, European Bank Authority decided to extend the adaptation period and not impose sanctions on the merchants if they take active steps to implement the new 3DS protocol.
December 31, 2020, is announced the final date for the transition. By that time, all vendors and acquirers have to set up their transactions to go under the 3DS2.0 standard. This decision is made at the legislative level and requires strict adherence to the rules prescribed in the Payment Services Directive.
What If Vendors Are Not Ready?
Marchants fall under the risk of bearing losses if they ignore the Strong Customer Authentication. Most likely, transactions under 3D Secure1.0 will be rejected after the rules become absolute. Moreover, the old protocol will cease to exist shortly. So, you’d better seriously approach the revised Payment Services Directive.
How To Implement 3DS2.0?
To set up online payments that go through the 3DS2.0 protocol, it is necessary to implement the 3DS SDK compatible with the EMV standard. EMV provides well-structured documentation for the web and mobile platforms. If you don’t want to do this on your own, you can delegate the task to a pro team. With rich experience, they will implement the necessary changes in a few days.