How Does 3D Secure 2.0 Work? How Did it Improve on Earlier Versions of the Technology?
3-D Secure (often shortened to just 3DS) is a security protocol designed to protect consumers from online payment card fraud.
The technology was been somewhat effective at fighting fraud in two two-plus decades since it was first introduced. However, early versions of the technology were plagued by complaints about lower conversion rates and customer frustration.
This is all against the backdrop of a fast-growing global fraud problem. Mastercard data shows that global chargeback volume hit 615 million in 2021.
These concerns led to the rollout of 3-D Secure 2.0, beginning in 2016. The newer product addressed many of the issues with the original 3DS, while also offering new features, too. In this post, we’ll look at how 3DS2 works, how it improved on 3DS version 1.0, and why for some merchants, upgrading is an absolute necessity.
Recommended reading
- What is Geolocation? A Key Anti-Fraud Tool for 2024
- What are Velocity Checks? How Do They Stop Fraud Attacks?
- ECI Indicators: How to Understand 3DS Response Codes
- Proxy Piercing: How Merchants Can Use it to Prevent Fraud
- The Top 10 Fraud Detection Tools You Need to Have in 2024
- Card Verification Values: What Are CVVs & How Do They Work?
What is 3D Secure 2.0?
- 3D Secure 2.0
3D Secure 2.0 is an advanced security protocol designed to enhance the authentication process for online card transactions. It is similar to an online PIN at checkout, helping reduce fraud and improve the user experience.
[noun]/THrē • dē • sə • kur • to͞o • point • ō/
In simple terms, 3D Secure 2.0 is designed to provide an additional layer of security for online credit and debit card transactions.
What sets 3DS2 apart from its predecessor is how it enhances the user experience. 3DS2 leverages biometric authentication tools, like fingerprint and facial recognition, to help identify buyers. It also offers more seamless integration across devices, including smartphones and tablets.
By collecting and sharing more data points between the merchant, card issuer, and payment gateway, 3DS2 allows for more accurate and efficient risk assessment. This reduces friction during the checkout process, leading to higher conversion rates and improved customer satisfaction.
Ultimately, 3DS2 aims to strike a balance between fortifying security and enhancing the consumer’s purchasing experience.
Learn more about 3DS technologyHow 3D Secure 2.0 Differs From 3DS 1.0
Like we mentioned, 3-D Secure 2.0 was introduced in 2016. The newer version is less of an upgrade, and more like an entirely new product, developed with input from other major credit card brands.
This side-by-side comparison shows some of the key differences you’ll see in 3DS2:
Compared to earlier versions of 3DS, the newer 3D Secure 2.0 collects roughly 10 times more data during the authentication process. It looks at a combination of indicators from the merchant’s site or app, plus input from the customer’s device.
The potential risk level of the transaction is assessed, automatically and in real time. Some users will be instructed to enter a passcode for additional identification. However, an estimated 90-95% of transactions pass into a “frictionless flow,” which allows the transaction to progress unchallenged. In other words, the result of the risk-based assessment provides enough authentication to approve most purchases with no additional input from the buyer.
In other words: 3DS2 provides a smoother, faster, and much more accurate checkout experience, letting you get 3DS responses while benefitting from more conversions and less churn.
3D Secure 2.0 & SCA Requirements
If we’re talking about 3DS2, we also need to talk a little about Strong Customer Authentication, or SCA.
SCA is an online payment security requirement mandated by the Payment Services Directive (PSD2). This regulation affects everyone doing business in the European Economic Area (EEA).
Under SCA, many payment transactions now require two-factor authentication. In simple terms, customers must be able to supply two out of three secure elements:
Deploying 3DS2 lets merchants meet SCA requirements, while minimizing the amount of friction faced by customers. There are also several exemptions to SCA. For example, transactions below a certain dollar value, or in which transaction risk analysis is deployed, are not required to meet SCA standards. 3DS1 did not support any of these exemptions, but 3DS2 works with any SCA exemptions that may apply.
Learn more about Strong Customer AuthenticationHow Does 3D Secure 2.0 Work?
The static passcodes used by 3SD1 are better than no authentication at all. However, they offered minimal security. Consumers often forget passwords, or may use ones that are easily circumvented.
When a transaction is initiated using 3DS2 technology, however, 3DS2 will first conduct risk analysis. As mentioned above, most buyers can be verified with no additional input needed. 3SD2 lets the merchant share a lot more data than the original protocol. This can include:
- Shopper’s established buying patterns
- Shopper’s geo-location
- Device ID and IP address
- Previous history with merchant
- Shipping, billing, & email addresses
If the buyer needs to provide more information to validate a purchase, then the merchant's website or app sends a request to the issuer. The bank then triggers the authentication process.
The cardholder may receive a single-use password or SMS code, be asked to use a biometric identifier such as a fingerprint or facial recognition, or confirm the transaction through a secure app on their mobile device. This multi-layered security approach ensures that only the legitimate cardholder can authorize the transaction, significantly reducing the risk of fraud. Once the authentication is successful, the transaction proceeds as usual, providing a seamless yet secure shopping experience for the customer.
The Value of 3DS2
3D Secure 2.0 helps detect and decline fraudulent transactions. But, another feature of 3-D Secure 2.0 is the increased amount of data that it collects and shares, and how issuers can leverage that information to fine-tune the authentication process.
The more data shared between merchants and issuers, the better the fraud assessments, and the lower the rate of false declines.
The collected data has value beyond just a one-time authentication. 3DS2 allows customer profiles to evolve with the cardholder, changing dynamically over time. New information feeds machine learning, creating a more complete picture of the cardholder. Banks can better-identify deviations from previous purchase patterns.
The information is standardized, and the customer’s profile is updated, as new patterns are incorporated into the profile. This could potentially allow the cardholder to skip the secondary authentication step in future transactions.
Visa discontinued support for 3D Secure 1.0 back in October 2022. All merchants using 3DS technology must now use 3D Secure 2.0 or later.
Native Mobile Integration and Payment Options
The original 3DS only supported browser-based transactions. It was never designed to work with mobile commerce. When 3DS protocols were attempted on mobile devices, there were issues with the pop-up window, page load speeds, and more. Some users found they were unable to access the 3DS authentication page at all.
3D Secure 2.0 lets merchants integrate the 3DS interface seamlessly into pre-existing mobile apps. Native authentication screens help maintain the look and feel of the user experience across the entire process. This, in turn, assures the cardholder that identification requests are a valid security measure.
3DS 2.0 also works with mobile wallet payment tools like Apple Pay or Google Pay. These work in addition to accepting standard payment cards.
Fraud Liability Shift Parameters
Merchants also benefit from a liability shift on qualifying 3D Secure transactions. Under normal circumstances, the liability for fraudulent transactions lies with the merchant. After all, you accepted the purchase, so you are responsible for it.
Things change when the cardholder is enrolled with 3DS2, though. If the issuer successfully authenticates the customer, liability transfers (or “shifts”) to the issuer.
Even if the customer claims the merchant charged them for an unauthorized transaction, the issuer will almost always be liable for the fraud. This does not mean, however, that merchants are off the hook: if the customer disputes a transaction using a non-fraud-related reason code, liability will remain with the seller.
3DS2 also allows sellers to activate a “non-challenge” mode. In situations where one prefers to use their own risk assessment mechanism, they can opt out of the authentication system. Here again, liability will remain with the merchant if the transaction involved ends up being fraudulent.
A More Complete Strategy
If there’s a disadvantage to 3D Secure, it’s the fact that the program does nothing to prevent friendly fraud.
Friendly fraud attacks make up the bulk of most merchants’ chargebacks. And, friendly fraud happens post-transaction; authenticating the customer prior to purchase doesn’t help if the fraud doesn’t occur until after the fact.
The 3D Secure authentication method does offer valuable protection against fraud. For true chargeback prevention, however, most merchants need a customized, end-to-end solution. They need to be able to separate chargebacks by source — criminal fraud, friendly fraud, and merchant error — then deploy the most effective tools where they will do the most good.
Chargebacks911® can help merchants prevent up to 90% of chargebacks before they happen. Ready to get started? Click below to speak with one of our experts today.
FAQs
Is 3D Secure 2.0 mandatory?
No, 3D Secure 2.0 is not mandatory for all merchants, but many payment processors and credit card networks strongly encourage its adoption to enhance security. Implementing 3DS2 can significantly reduce fraud risk and shift liability to issuers under specific circumstances, making it a valuable tool for many businesses.
What is the latest version of 3D Secure?
The latest version of 3D Secure is 3D Secure 2.0 (3DS2). It offers enhanced security features and a more seamless user experience compared to the original 3D Secure technology.
Is 3D Secure outdated?
3D Secure is not outdated; it has evolved into 3D Secure 2.0, which offers enhanced security features and a more user-friendly experience. Implementing 3DS2 can help reduce fraud and improve transaction safety, making it a relevant and valuable tool for modern merchants.
Which US banks use 3D Secure?
The majority of major US banks, including Bank of America, Chase, and Wells Fargo, support the use of 3D Secure technology to enhance transaction security. Adoption of 3D Secure by these banks helps protect consumers against fraud and provides additional layers of authentication for online purchases.
Do all cards support 3D Secure?
Not all cards support 3D Secure technology, as its availability depends on the specific card issuer and network. However, many major credit card networks and issuers are increasingly adopting 3DS2 to enhance transaction security and provide a more seamless user experience.