3-D Secure 2.0Here’s Why the Upgrade to 3DS2 was Necessary

How Does 3D Secure 2.0 Work? How Did it Improve on Earlier Versions of the Technology?

3-D Secure (often shortened to just 3DS) is a security protocol designed to protect consumers from online payment card fraud.

The technology was been somewhat effective at fighting fraud in two two-plus decades since it was first introduced. However, early versions of the technology were plagued by complaints about lower conversion rates and customer frustration.

This is all against the backdrop of a fast-growing global fraud problem. Mastercard data shows that global chargeback volume hit 615 million in 2021.

These concerns led to the rollout of 3-D Secure 2.0, beginning in 2016. The newer product addressed many of the issues with the original 3DS, while also offering new features, too. In this post, we’ll look at how 3DS2 works, how it improved on 3DS version 1.0, and why for some merchants, upgrading is an absolute necessity.

What is 3D Secure 2.0?

3D Secure 2.0

[noun]/THrē • dē • sə • kur • to͞o • point • ō/

3D Secure 2.0 is an advanced security protocol designed to enhance the authentication process for online card transactions. It is similar to an online PIN at checkout, helping reduce fraud and improve the user experience.

In simple terms, 3D Secure 2.0 is designed to provide an additional layer of security for online credit and debit card transactions.

What sets 3DS2 apart from its predecessor is how it enhances the user experience. 3DS2 leverages biometric authentication tools, like fingerprint and facial recognition, to help identify buyers. It also offers more seamless integration across devices, including smartphones and tablets.

By collecting and sharing more data points between the merchant, card issuer, and payment gateway, 3DS2 allows for more accurate and efficient risk assessment. This reduces friction during the checkout process, leading to higher conversion rates and improved customer satisfaction.

Ultimately, 3DS2 aims to strike a balance between fortifying security and enhancing the consumer’s purchasing experience.

Learn more about 3DS technology

How 3D Secure 2.0 Differs From 3DS 1.0

Like we mentioned, 3-D Secure 2.0 was introduced in 2016. The newer version is less of an upgrade, and more like an entirely new product, developed with input from other major credit card brands.

This side-by-side comparison shows some of the key differences you’ll see in 3DS2:

Compared to earlier versions of 3DS, the newer 3D Secure 2.0 collects roughly 10 times more data during the authentication process. It looks at a combination of indicators from the merchant’s site or app, plus input from the customer’s device.

The potential risk level of the transaction is assessed, automatically and in real time. Some users will be instructed to enter a passcode for additional identification. However, an estimated 90-95% of transactions pass into a “frictionless flow,” which allows the transaction to progress unchallenged. In other words, the result of the risk-based assessment provides enough authentication to approve most purchases with no additional input from the buyer.

In other words: 3DS2 provides a smoother, faster, and much more accurate checkout experience, letting you get 3DS responses while benefitting from more conversions and less churn.

3D Secure 2.0 & SCA Requirements

If we’re talking about 3DS2, we also need to talk a little about Strong Customer Authentication, or SCA.

SCA is an online payment security requirement mandated by the Payment Services Directive (PSD2). This regulation affects everyone doing business in the European Economic Area (EEA).

Under SCA, many payment transactions now require two-factor authentication. In simple terms, customers must be able to supply two out of three secure elements:

Deploying 3DS2 lets merchants meet SCA requirements, while minimizing the amount of friction faced by customers. There are also several exemptions to SCA. For example, transactions below a certain dollar value, or in which transaction risk analysis is deployed, are not required to meet SCA standards. 3DS1 did not support any of these exemptions, but 3DS2 works with any SCA exemptions that may apply. 

Learn more about Strong Customer Authentication

How Does 3D Secure 2.0 Work?

The static passcodes used by 3SD1 are better than no authentication at all. However, they offered minimal security. Consumers often forget passwords, or may use ones that are easily circumvented.

When a transaction is initiated using 3DS2 technology, however, 3DS2 will first conduct risk analysis. As mentioned above, most buyers can be verified with no additional input needed. 3SD2 lets the merchant share a lot more data than the original protocol. This can include:

• Shopper’s established buying patterns
• Shopper’s geo-location
• Device ID and IP address
• Previous history with merchant
• Shipping, billing, & email addresses

If the buyer needs to provide more information to validate a purchase, then the merchant's website or app sends a request to the issuer. The bank then triggers the authentication process.

The cardholder may receive a single-use password or SMS code, be asked to use a biometric identifier such as a fingerprint or facial recognition, or confirm the transaction through a secure app on their mobile device. This multi-layered security approach ensures that only the legitimate cardholder can authorize the transaction, significantly reducing the risk of fraud. Once the authentication is successful, the transaction proceeds as usual, providing a seamless yet secure shopping experience for the customer.

The Value of 3DS2

3D Secure 2.0 helps detect and decline fraudulent transactions. But, another feature of 3-D Secure 2.0 is the increased amount of data that it collects and shares, and how issuers can leverage that information to fine-tune the authentication process.

The more data shared between merchants and issuers, the better the fraud assessments, and the lower the rate of false declines.

The collected data has value beyond just a one-time authentication. 3DS2 allows customer profiles to evolve with the cardholder, changing dynamically over time. New information feeds machine learning, creating a more complete picture of the cardholder. Banks can better-identify deviations from previous purchase patterns.

The information is standardized, and the customer’s profile is updated, as new patterns are incorporated into the profile. This could potentially allow the cardholder to skip the secondary authentication step in future transactions.

Native Mobile Integration and Payment Options

The original 3DS only supported browser-based transactions. It was never designed to work with mobile commerce. When 3DS protocols were attempted on mobile devices, there were issues with the pop-up window, page load speeds, and more. Some users found they were unable to access the 3DS authentication page at all.

3D Secure 2.0 lets merchants integrate the 3DS interface seamlessly into pre-existing mobile apps. Native authentication screens help maintain the look and feel of the user experience across the entire process. This, in turn, assures the cardholder that identification requests are a valid security measure.

3DS 2.0 also works with mobile wallet payment tools like Apple Pay or Google Pay. These work in addition to accepting standard payment cards.

Fraud Liability Shift Parameters

Merchants also benefit from a liability shift on qualifying 3D Secure transactions. Under normal circumstances, the liability for fraudulent transactions lies with the merchant. After all, you accepted the purchase, so you are responsible for it.

Things change when the cardholder is enrolled with 3DS2, though. If the issuer successfully authenticates the customer, liability transfers (or “shifts”) to the issuer.

Even if the customer claims the merchant charged them for an unauthorized transaction, the issuer will almost always be liable for the fraud. This does not mean, however, that merchants are off the hook: if the customer disputes a transaction using a non-fraud-related reason code, liability will remain with the seller.

3DS2 also allows sellers to activate a “non-challenge” mode. In situations where one prefers to use their own risk assessment mechanism, they can opt out of the authentication system. Here again, liability will remain with the merchant if the transaction involved ends up being fraudulent.

A More Complete Strategy

If there’s a disadvantage to 3D Secure, it’s the fact that the program does nothing to prevent friendly fraud.

Friendly fraud attacks make up the bulk of most merchants’ chargebacks. And, friendly fraud happens post-transaction; authenticating the customer prior to purchase doesn’t help if the fraud doesn’t occur until after the fact.

The 3D Secure authentication method does offer valuable protection against fraud. For true chargeback prevention, however, most merchants need a customized, end-to-end solution. They need to be able to separate chargebacks by source — criminal fraud, friendly fraud, and merchant error — then deploy the most effective tools where they will do the most good.

Chargebacks911® can help merchants prevent up to 90% of chargebacks before they happen. Ready to get started? Click below to speak with one of our experts today.