3-D Secure 2.0: what it is and how to introduce it the easy way

April 20, 2021

Vadim Pronin
Team Leader of the Key Services Analytics Group

A new version of the 3DS authentication protocol is being rolled out. It will soon be mandatory in the EU, and the transition period will get bumpy. Here’s an easy way for your business to introduce 3DS2 and avoid any disruptions to your payment system.

If you accept or make payments online, you probably have heard of 3DS. It is an additional authentication protocol for card payments that checks the user’s identity before making the payment.

There is a new and updated version of the protocol that is already being rolled out: 3-D Secure 2.0 or 3DS2, and it is about to become mandatory for many transactions.

By the end of 2021, all banks within the EU must apply the new standard to all online payments within the Eurozone. Mastercard is planning to phase out 3DS1 in October 2022, and Visa will discontinue 3DS1 in Europe in October 2021.

This means that if your online business does not switch to 3DS2, it will face a serious increase in rejected payments. What’s more, the transition period is bound to be rocky. Even though the protocol is to be introduced soon, there are still banks that have not done so.

To help you make it through this transition period, there’s Proxy 3DS, the optimal solution for the switch.

What is 3DS2, anyway?

The new version boils down to changes in the codes and in the automatic notification and request settings that the card issuer uses to check and verify the payment. The new protocol prescribes two payment scenarios: frictionless flow and challenge flow.

3DS challenge flow vs frictionless flow

  • Frictionless flow — the system recognises and verifies the user’s device, and data are exchanged in the background. There are no additional requests from the site to the payment platform. Using the frictionless flow, the issuer can confirm the transaction without the user entering any data manually.
  • Challenge flow — the system doubts the identity of the user and requires an additional one-time password or biometric verification. The user is redirected to the card issuer’s ACS page to enter the necessary information.

[Figure: frictionless flow and challenge flow scheme]

ACS, or Access Control Server, is a platform used to control and manage access to the banking system. Among other things, it is used to receive and process 3-D Secure queries.

What does the new 3DS2 protocol mean for business?

The new standard ensures strong security, seamless operation, and a high conversion rate for online businesses. The increased security does not make the user experience more complicated: most payments can be completed with the frictionless flow.

One important feature for businesses is that 3DS2, much like 3DS1, shifts the responsibility for detecting fraudulent payments from the online merchant to the card issuer. Another major benefit is that 3DS2 payments are easily integrated into mobile apps.

How to migrate to 3DS 2.0: the hard way and the easy way

Moving to 3DS2 on your own is a complicated endeavour: you will need a dedicated IT team and several weeks of work, depending on the payment system you already use.

There is a simpler solution. Some payment providers have integrated 3-D Secure 2.0 support into their own payment systems, which means businesses do not need to make any additional changes. The payment scenario for sellers and customers remains the same as it was with 3-D Secure 1.

ECOMMPAY calls this service Proxy 3DS; it is classified as the basic authentication scenario. It serves as a kind of “adapter” between the core of our platform and the Access Control Server (ACS) or the payment server.

Proxy 3DS is a free service. ECOMMPAY clients can already use it, and it is enabled by default in host2host integrations through an API. When integrating through the payment page, the entire payment processing, including 3DS authentication, is handled by the payment provider.

How 3DS 2.0 works: different scenarios

If the cardholder’s card issuer supports the 3-D Secure 2.0 protocol, the platform will form its response to a query in the usual 3-D Secure 1 format. The URL address, however, will redirect the user to our Proxy 3DS service, rather than the ACS.

The Access Control Server manages the authentication processes between the shopper and the card issuer, ensuring successful completion of the payment transactions. To evaluate the fraud risk, the system compares the collected data with historical data on the cardholder’s previous transactions.

When the user is transferred to Proxy 3DS, either frictionless or challenge flow is possible, as described above. The card issuer may choose either one of these scenarios or both scenarios consecutively. If the issuer only supports the old 3DS1 protocol, the platform will imitate one of its queries so that the system recognises the usual authentication scenario.
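The merchant-side handling of the 3-D Secure 1-format response described above, as an added example that is not ECOMMPAY's code: it checks the redirect URL against an allowlist before building the auto-submitting form. PaReq, MD and TermUrl are the standard 3DS1 browser POST fields; the hostnames and the gateway response key names are hypothetical.

```python
from html import escape
from urllib.parse import urlsplit

# Hypothetical allowlist: hosts the merchant expects the 3DS redirect URL to
# point at. The real Proxy 3DS / ACS hostnames are not given on this page.
ALLOWED_REDIRECT_HOSTS = {"proxy-3ds.example", "acs.issuer-bank.example"}


def check_redirect_url(url, allowed_hosts=ALLOWED_REDIRECT_HOSTS):
    """Return the URL unchanged if it is HTTPS and on the allowlist, else raise."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("3DS redirect URL must use https")
    if parts.username or parts.password:
        raise ValueError("credentials in 3DS redirect URL")
    if parts.hostname not in allowed_hosts:
        raise ValueError(f"unexpected 3DS redirect host: {parts.hostname!r}")
    return url


def build_3ds1_form(acs_url, pa_req, md, term_url):
    """Build the auto-submitting 3DS1 POST form (PaReq, MD, TermUrl fields)."""
    action = escape(check_redirect_url(acs_url), quote=True)
    fields = {"PaReq": pa_req, "MD": md, "TermUrl": term_url}
    # Every gateway-supplied value is HTML-escaped before it reaches the page.
    inputs = "\n".join(
        f'  <input type="hidden" name="{name}" value="{escape(value, quote=True)}">'
        for name, value in fields.items()
    )
    return (
        f'<form id="threeds" method="post" action="{action}">\n{inputs}\n</form>\n'
        '<script>document.getElementById("threeds").submit();</script>'
    )


# Constructed sample gateway response (not real data; key names are assumed).
SAMPLE = {
    "acs_url": "https://proxy-3ds.example/auth?session=abc",
    "pa_req": "eJxVUk1v&constructed==",
    "md": 'order-1001"><script>',
    "term_url": "https://shop.example/3ds/return",
}

if __name__ == "__main__":
    print(build_3ds1_form(**SAMPLE))
```

Because the merchant code only ever sees a 3DS1-style response, the same check applies whether the URL points to the proxy or directly to an issuer's ACS.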

How to move to 3-D Secure 2 in one step?

Proxy 3DS uses the basic authentication scenario. The service supports the 3-D Secure 2 protocol based on the previous version with few adjustments, but it does require additional user redirection.

The extended scenario is optimised for 3-D Secure 2.0 and excludes any intermediary redirections. However, it assumes that the merchant’s site can already use the frictionless and challenge flow scenarios.

To make moving to the extended version as simple as possible, our team has made the authentication scenarios compatible with each other. The site’s admin only needs to change one parameter in the query. Check our documentation for details.

[Figure: authentication workflows, extended workflow]

Global adoption of 3DS2 will happen in the near future. At this time, however, the new protocol hasn’t been fully implemented even within the European Union. This means that any online business can experience unexpected drops in conversion or frequently declined payments coming from a certain card issuer. Proxy 3DS is an optimal tool for this transition period.

3-D Secure 2 through Proxy 3DS is already enabled for ECOMMPAY clients who integrate the payment gateway through an API and use direct acquiring. This saves them the trouble of integrating the new protocol on their own.

Get in touch with us to learn more about how you can move to the new protocol the easy way!
