If an unauthorized individual obtains sensitive payment card data, including the CVV code, they can pay online without the card owner’s permission.
Banks, payment processors, and merchants must work together and introduce new verification tools to prevent fraudulent transactions.
Find out how 3D Secure works and how it ties in with strong customer authentication.
What Is 3D Secure 2?
3D Secure is a verification method used to confirm that an online card transaction is being initiated by the cardholder.
Three domains (3D) exchange, cross-reference, and verify the payment data before authorizing the transaction. These include:
- The card issuer (customer’s bank).
- Payment acquirers such as banks receiving the payment, payment gateways, and merchant plugins.
- Interoperability solutions like directory servers and authentication history servers.
A typical 3DS payment flow requires customers to verify their identity by entering a one-time password (OTP) or submitting biometric data, like a fingerprint scan. For example:
- A customer enters payment card details on the payment form.
- An OTP is delivered to the phone number connected with the customer’s bank account. Alternatively, if a bank stores client biometric data, customers are asked to provide a fingerprint scan in their banking app.
- A pop-up screen appears and asks the customer to enter the OTP.
- After submitting the OTP, the customer’s bank approves or declines the transaction based on the authentication results.
3D Secure 2 is a newer 3DS version designed to be less intrusive than earlier protocols. It enables merchants, card issuers, and payment service providers to share contextual information like the customer’s payment history, behavioral patterns, and mailing addresses.
Participants in the payment process can use this data to calculate risk factors and require customer input only for specific transactions, for example, unusually large payments or other high-risk transactions.
3D Secure 2 has several clear benefits:
- Payments that include 3DS verification are more secure, which is invaluable for merchants with a high-risk business model.
- 3DS2 can substantially reduce account takeover fraud and friendly fraud attempts.
- Payment flows no longer need to redirect customers to third-party pages or pop-up windows. Banks can verify transactions via customer banking apps or by using biometric authentication.
- Merchants do not need to store customer passwords or other personally identifiable data in the long term.
- Customers need to provide card details and have access to their mobile phone to complete the payment, making 3D Secure a strong authentication method.
- Many customers are used to this type of authentication and even expect and appreciate the added layer of security.
Merchants need to consider a few additional factors before implementing 3DS2:
- Using 3DS2 to verify payments may disrupt the payment flow and increase abandonment rates. This is especially true in markets where customers are not accustomed to this type of verification.
- Several verification systems working in conjunction increase the chance of technical failures. An undelivered SMS or an unresponsive server can prevent the customer from completing a payment.
- A customer might consider the process too complicated or fail to complete the transaction in the predefined timeframe.
- Some customers may be suspicious of redirections or third-party pop-up windows and consider them potentially fraudulent.
Here are the answers to the most common questions related to 3D Secure 2.
Is 3D Secure 2 Mandatory?
The 3D Secure protocol is not a prerequisite for accepting online payments. However, it is a cost-effective and easy-to-implement strong customer authentication (SCA) method.
Many countries are introducing legislation that makes SCA mandatory for card-not-present transactions. The most prominent example is the Revised Payment Services Directive (PSD2) in the European Economic Area.
Is 3DS2 a Strong Customer Authentication method?
3DS2 is a strong customer authentication method because:
- Customers must enter their card details (knowledge).
- The card owner needs access to the SIM card associated with their phone number (possession).
- Customers can also verify their identity by providing biometric data (inherence).
Does 3DS Meet PSD2 Requirements?
3D Secure 2 is compliant with PSD2 strong customer authentication mandates. Merchants who accept card payments from EU customers can implement 3DS as their SCA solution.
How To Implement 3DS2?
Merchants who want to implement 3DS2 verification on their websites need to integrate their system with a third-party 3DS vendor. It is vital to research vendors and ensure they are certified by major payment card brands.
Established payment service providers (PSP) often integrate 3DS solutions into their payment platforms. When choosing a payment gateway, check what type of authentication and verification services they offer and if 3DS is included.
How Much Does It Cost?
The cost of implementing and using the services of a third-party 3DS solution varies and can include monthly fees, setup fees, and per-transaction charges.
If your PSP (Payment Service Provider) offers payment forms with built-in 3DS authentication or advanced payment API solutions as part of their service, this helps reduce 3DS implementation and management costs.
Does Every Customer Undergo 3DS Verification?
3DS2 allows banks, PSPs, and card networks to share contextual information about the customer’s payment and card usage history. In many cases, transactions are verified without requesting manual input from the customer.
Depending on the 3DS solution, merchants can set the preconditions for the verification process. These parameters can include:
- The country of the customer’s bank (card issuer).
- The country where the payment is being made.
- The transaction amount. Merchants can request manual verification for transactions above a certain threshold.
- The type of card being used (debit or credit card).
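A merchant-side check built from the four parameters listed above, as an added example that is not part of the original article or of any 3DS vendor's API. The class, field and reason names and the sample values are assumptions; missing transaction data is treated as untrusted, so the check fails closed.

```python
from dataclasses import dataclass
from decimal import Decimal
from typing import Optional

# Hypothetical policy object: names are assumptions for this example only.
@dataclass(frozen=True)
class ChallengePolicy:
    amount_threshold: Decimal                         # challenge above this amount
    trusted_issuer_countries: frozenset = frozenset()  # ISO 3166-1 alpha-2 codes
    trusted_payment_countries: frozenset = frozenset()
    challenge_card_types: frozenset = frozenset()      # e.g. {"credit"}

@dataclass(frozen=True)
class Transaction:
    amount: Decimal
    issuer_country: Optional[str]    # None when the lookup failed
    payment_country: Optional[str]
    card_type: Optional[str]         # "debit" or "credit"

def challenge_reasons(txn: Transaction, policy: ChallengePolicy) -> list:
    """Return the preconditions that call for manual verification.

    An empty list means the merchant does not request a challenge.
    """
    reasons = []
    if txn.amount > policy.amount_threshold:
        reasons.append("amount_above_threshold")
    # Unknown values (None) are never in the trusted sets, so they fail closed.
    if txn.issuer_country not in policy.trusted_issuer_countries:
        reasons.append("issuer_country_not_trusted")
    if txn.payment_country not in policy.trusted_payment_countries:
        reasons.append("payment_country_not_trusted")
    if txn.card_type is None or txn.card_type in policy.challenge_card_types:
        reasons.append("card_type_requires_challenge")
    return reasons

# Constructed sample policy and transactions.
POLICY = ChallengePolicy(
    amount_threshold=Decimal("250.00"),
    trusted_issuer_countries=frozenset({"DE", "FR"}),
    trusted_payment_countries=frozenset({"DE", "FR"}),
    challenge_card_types=frozenset({"credit"}),
)
LOW_RISK = Transaction(Decimal("40.00"), "DE", "DE", "debit")
LARGE = Transaction(Decimal("900.00"), "DE", "FR", "debit")
UNKNOWN_ISSUER = Transaction(Decimal("40.00"), None, "DE", "credit")

if __name__ == "__main__":
    for txn in (LOW_RISK, LARGE, UNKNOWN_ISSUER):
        print(txn, "->", challenge_reasons(txn, POLICY) or "no challenge requested")
```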
Does 3DS2 Reduce Chargeback Rates?
3DS2 does not prevent chargeback requests, but if the card issuer approves an SCA transaction, they may accept liability in case of a dispute, such as a fraud-related chargeback.
You now know how 3D Secure 2 works and why it is an important advance in the payments industry.
Many merchants fear that excessive verification is going to ruin the customer’s experience and negatively impact KPIs. However, 3DS2 has also jumpstarted innovation and encouraged third-party providers to automate and streamline the verification process.