3-D Secure 2.0: what it is and how to introduce it the easy way

If you accept or make payments online, you probably have heard of 3DS. It is an additional authentication protocol for card payments that checks the user’s identity before making the payment.

An updated version of the protocol was rolled out several years ago. 3-D Secure 2.0 or 3DS2 has become the only version of the protocol in use. As for 3DS1, it was discontinued by the payment networks on the following dates:

  • October 15, 2022 (Visa);
  • October 18, 2022 (Mastercard);
  • October 13, 2022 (American Express).

This means that if your online business has not switched to 3DS2, it will face a serious increase in rejected payments. What’s more, the transition period is bound to be rocky.

What is 3DS2, anyway?

The update boils down to changes to the codes, automatic notifications and request settings that the card issuer uses to check and verify the payment. The protocol prescribes two payment scenarios: frictionless flow and challenge flow.

  • Frictionless flow — the system recognises and verifies the user’s device, and data are exchanged in the background. There are no additional requests from the site to the payment platform. With the frictionless flow, the issuer can confirm the transaction without the user entering any data manually.
  • Challenge flow — the system doubts the identity of the user and requires an additional one-time password or biometric verification. The user is redirected to the card issuer’s ACS page to enter the necessary information.

ACS or Access Control Server is a platform used to control and manage access to the banking system. Among other things, it is used to receive and process the 3D Secure queries.

What does the 3DS2 protocol mean for business?

The updated standard ensures strong security, seamless operation, and a high conversion rate for online businesses. The increased security does not make the user experience more complicated: most payments can be completed with the frictionless flow.

One important feature for businesses is that 3DS2, much like 3DS1, shifts the responsibility for detecting fraudulent payments from the online merchant to the card issuer. Another major benefit is the fact that 3DS2 payments are easily integrated in mobile apps.

How 3DS 2.0 works: different scenarios

If the cardholder’s card issuer supports the 3-D Secure 2.0 protocol, the platform will form its response to a query in the usual 3-D Secure 1 format. The URL address, however, will redirect the user to our Proxy 3DS service, rather than the ACS.

The Access Control Server manages the authentication processes between the shopper and the card issuer, ensuring successful completion of the payment transactions. To evaluate the fraud risk, the system compares the collected data with the historic data showing the previous cardholder transactions.

When the user is transferred to Proxy 3DS, either frictionless or challenge flow is possible, as described above. The card issuer may choose either one of these scenarios or both scenarios consecutively. If the issuer only supports the old 3DS1 protocol, the platform will imitate one of its queries so that the system recognises the usual authentication scenario.

How to move to 3-D Secure 2 in one step?

Proxy 3DS uses the basic authentication scenario. The service supports the 3-D Secure 2 protocol based on the previous version with few adjustments, but it does require additional user redirection.

The extended scenario is optimised for 3-D Secure 2.0 and excludes any intermediary redirections. However, it assumes that the merchant’s site can already use the frictionless and challenge flow scenarios.

To make moving to the extended version as simple as possible, our team has made the authentication scenarios compatible with each other. The site’s admin only needs to change one parameter in the query. Check our documentation for details.

Global adoption of 3DS2 will happen in the near future. At this time, however, the new protocol hasn’t been fully implemented even within the European Union. This means that any online business can experience unexpected drops in conversion or frequently declined payments coming from a certain card issuer. Proxy 3DS is an optimal tool for this transition period.

3-D Secure 2 through Proxy 3DS is already enabled for Ecommpay clients who integrate the payment gateway through an API and use direct acquiring. This saves them the trouble of integrating the new protocol on their own.

Get in touch with us to learn more about how you can move to the new protocol the easy way!
