Acquire natively supports 3D Secure 2.
The 3D Secure standard—often known by its branded names like Visa Secure, Mastercard Identity Check, or American Express SafeKey—aims to reduce fraud and provide added security to online payments.
3D Secure 2 (3DS2) introduces “frictionless authentication” and improves the purchase experience compared to 3D Secure 1. It’s expected to be the main card authentication method used to meet the upcoming Strong Customer Authentication (SCA) requirements in Europe and a key mechanism for businesses to request exemptions to SCA.
3D Secure 2 allows businesses and their payment provider to send more data elements on each transaction to the cardholder’s bank. This includes payment-specific data like the shipping address, as well as contextual data, such as the customer’s device ID or previous transaction history.
The cardholder’s bank can use this information to assess the risk level of the transaction and select an appropriate response:
If the data is enough for the bank to trust that the real cardholder is making the purchase, the transaction goes through the “frictionless” flow and the authentication is completed without any additional input from the cardholder.
If the bank decides it needs further proof, the transaction is sent through the “challenge” flow and the customer is asked to provide additional input to authenticate the payment.
Although a limited form of risk-based authentication was already supported with 3D Secure 1, the ability to share more data using 3D Secure 2 aims to increase the number of transactions that can be authenticated without further customer input.
Better user experience
Unlike 3D Secure 1, 3D Secure 2 was designed after the rise of smartphones and makes it easier for banks to offer innovative authentication experiences through their mobile banking apps (sometimes referred to as “out-of-band authentication”). Instead of entering a password or just receiving a text message, the cardholder can authenticate a payment through the banking app by just using their fingerprint, or even facial recognition. We expect many banks to support these smoother authentication experiences with 3D Secure 2.
The second improvement in user experience is that 3D Secure 2 is designed to embed the challenge flow directly within web and mobile checkout flows—without requiring full page redirects. If a customer authenticates on your site or webpage, the 3D Secure prompt now by default appears in a modal on the checkout page (browser flow).
3D Secure 2 and Strong Customer Authentication
The enforcement of Strong Customer Authentication (SCA) in September 2019 makes 3D Secure 2 all the more important if you are doing business in Europe. As this new regulation will require you to apply more authentication on European payments, the improved user experience of 3D Secure 2 can help reduce the negative impact on conversion.
The 3D Secure 2 protocol itself will also allow payment providers to request exemptions to SCA and skip authentication for low-risk payments altogether. Payments that require SCA will need to go through the “challenge” flow, whereas transactions that can be exempted from SCA can be sent through the “frictionless” flow. However, it’s worth noting that if the payment provider requests an exemption for payments requiring SCA and the transaction passes through the “frictionless” flow, it doesn’t benefit from the liability shift.
When will 3D Secure 2 be supported by banks?
The widespread adoption of 3D Secure 2 hinges on individual card issuers supporting the new standard. Although the first banks have started supporting 3D Secure 2 for their cardholders, it’s likely that wider implementation will take time and will vary by country and region.
In Europe, we expect many banks to upgrade to 3D Secure 2 between April and September 2019, to be ready for the enforcement of Strong Customer Authentication. We expect banks in other regions to gradually start supporting 3D Secure 2 in late 2019. While we anticipate that 3D Secure 1 and 3D Secure 2 will coexist until at least 2020, we’re excited for the improvements in customer experience introduced by this new version.
How Acquire is supporting these changes?
Acquire supports the 3D Secure 2 browser flow letting you dynamically activate 3D Secure to high-risk payments to protect your business from fraud. We will apply 3D Secure 2 when it’s supported by the cardholder’s bank, and fall back on 3D Secure 1 when the new version isn’t supported yet