Card Networks are Sunsetting Older Versions of 3-D Secure. Here’s Why.
As we explained in our main article on the topic, 3-D Secure technology (often shortened to just 3DS) is an XML-based protocol, designed to help block fraudulent card use online. Introduced nearly 20 years ago, 3DS exists under many different brands that are proprietary to different card networks, including Verified by Visa, Mastercard SecureCode, and more.
The tool basically works like a PIN code for card-not-present transactions. To illustrate, let’s say a cardholder signs up for 3DS technology with their bank. The cardholder either creates a unique personal identification number or provides a phone number to receive one-time passcodes. From then on, the customer would be prompted to enter their code during the checkout process of an eCommerce purchase.
The goal is to protect consumers against fraud by adding an additional layer of verification at checkout. While this means more friction, it offers advantages for you as a merchant, too. Liability for transactions protected by 3DS technology falls on the issuer's side. In other words, if you properly deploy 3DS during checkout, you will not be held liable for fraud on a transaction.
The End of Support for 3DS Version 1.0?
It’s important to remember that fraud protection is never a guarantee. Everything depends on the proper deployment of 3-D Secure technology. Using the correct version of 3-D Secure is an important part of this.
There are numerous different versions of 3DS technology available. Using out-of-date technology could mean transactions are not as protected as they should be. To encourage merchants to update, elements of the older technology are deprecated.
The term “deprecate,” in this scenario, refers to the discouragement of the use of some process or technology. Deprecated technology is out of date or is no longer considered efficient or safe. Often, these products are no longer supported by the developers.
On October 15, 2021, Visa will deprecate the attempt server used as part of 3DS version 1.0.2. This will effectively “sunset” the original version of 3-D Secure technology. The company scheduled this move in advance of a matching industrywide deprecation set to take place in October 2022. Mastercard is going to take similar steps effective October 2021 as well.
New Liability Standards for 3DS
The deprecation will be accomplished through a liability shift. In short, both Visa and Mastercard will shift the fraud liability for any transactions processed using the older, 3-D Secure protocol version 1.0.2. That means you could be held liable for fraud that occurs, even on 3DS-protected transactions, if you’re still using 3DS 1.0.2 for Visa or Mastercard transactions after October 2021.
Visa explained the liability change in a press release announcing the decision back in February. Basically, if an issuer still supports 3DS version 1.0.2 after October 16, 2021, and responds positively to a merchant’s authentication request, then the merchant will have fraud liability protection. Liability for fraud in this scenario would fall to the issuer.
What if the issuer uses a more up-to-date version of 3DS technology, though? In this case, the liability shift applies. So, if you (as a merchant) submit a 3DS 1.0.2 request with a non-participating issuer, and the transaction turns out to be fraudulent, the liability “shifts” to you.
|Scenario||Liability Goes to…|
|The merchant attempts 3DS 1.0.2 verification, and the issuer fully supports 3DS 1.0.2||
|The merchant attempts 3DS 1.0.2 verification, but the issuer supports 3DS 2.1 or later||
|The merchant attempts verification using 3DS 2.1 or later||
Why are Visa and Mastercard doing this?
The main reason is to encourage faster adoption of EMV-enabled 3-D Secure transactions. As Visa explains, newer versions of 3DS offer:
- A more seamless user experience
- Better data exchange for enhanced fraud management and authorization decision making
- Support across multiple payment channels and devices
The bottom line: it’s in your best interest to ensure you’re using the most recent version of 3DS. Using an outdated version of 3-D Secure after the deadline could result in you facing liability for more fraudulent charges.
We strongly recommend staying current with upgrades to 3-D Secure technology. It will protect you against liability for fraud in certain circumstances. Plus, newer versions of 3DS technology offer additional benefits to you as a merchant.
Other Advantages of Upgrading
The card networks offer conditional chargeback protection for merchants who deploy 3-D Secure 2.1 technology. Merchants can also offer 3DS 2.1 on app-based, mobile purchases. This is the preferred shopping channel for a fast-growing number of consumers.
Other merchant-facing benefits of the 3DS upgrade include:
- More intelligent, informed, and faster risk-based decisioning
- More options for authentication beyond passcode
- Seamless checkout integration
3DS 2.1 also addresses one of the key complaints about earlier versions of the technology: avoidable friction. With 3-D Secure 2.1 and later, the customer doesn’t need to enter a passcode upfront. The tool uses risk-based decisioning to classify a transaction as high- or low-risk. With a high-risk sale, the transaction bounces back, prompting the customer to enter their code for authorization.
Upgrading to the latest version of 3DS technology is in your best interest. It will protect you against greater risk exposure, save time, and allow you to deliver a better customer experience.
The 2021 Chargeback Field Report
The 2021 Chargeback Field Report is now available. Based on a survey of over 400 US and UK merchants, the report presents a comprehensive, cross-vertical look at the current state of chargebacks and chargeback management.Free Download
Just One Part of a Dynamic Strategy
Remember, though: while 3-D Secure 2.1 is vastly improved compared to the original version, it’s still just one part of a larger strategy.
Guarding against chargeback liability is contingent on whether you abide by best practices. This calls for the use of a multilayer solution to defend against fraud and abuse, incorporating:
- CVV Verification
- Proxy Piercing
- Device Fingerprinting
- Address Verification Service (AVS)
- Velocity Limits
- Fraud Blacklists
…among others. You should complement these with intelligent fraud scoring, a tool that calculates the probabilities of potential fraud. For each transaction, scores of fraud indicators are examined through machine-learning technology to deliver simplified, up-or-down decisioning.
Of course, there are some threats that none of these tools—3DS technology included—can successfully address. Friendly fraud, for instance, doesn’t appear to be fraud until the moment the cardholder files a chargeback. That’s why we also recommend professional chargeback management as a part of any dynamic strategy. Click here to learn more.
Staying up to date on technological developments, as well as changes to industry rules, needs to be part of your ongoing business strategy. In the fight against fraud, you can’t afford to fall behind.
What is 3-D Secure Protocol?
3-D Secure technology (often shortened to just 3DS) is an XML-based protocol, designed to help block fraudulent card use online. The tool basically works like a PIN code for card-not-present transactions, offering a second layer of verification.
What is 3D Secure 2.0 authentication?
3-D Secure 2.0, as well as later versions, are the updated version of 3-D Secure technology. 3DS 2.0 offers advantages including more dynamic, informed, and faster risk-based decisioning, more options for authentication beyond passcode, and integration for seamless checkout.
Am I required to upgrade 3-D Secure?
No, you’re not required to upgrade to the most recent version of 3DS. However, failing to do so means you’ll face more liability for fraud, even on transactions deploying 3DS technology.