The 3D Secure (3DS) security protocols for the protection of online purchases are a payment protection system conceived and developed by the major international card circuits, such as Visa and Mastercard, to raise the level of security of online transactions made with credit and debit cards.
The protocols are applied by activating Verified by Visa or Mastercard Identity Check (the 2020 evolution of Mastercard SecureCode) on payment cards; such cards require the purchaser to authenticate in order to complete an online payment, minimising the risk that the instrument is used by third parties.
Thanks to the introduction of 3D Secure protocols, which dates back to the start of the 2000s¹, the Ecommerce ecosystem has witnessed an increase in the level of security of online payments and, as a direct result, consumer confidence has also gradually grown in a world that was still the preserve of a few first movers.
These services introduced authentication into the payment process: to complete a payment it was no longer enough to enter the card details (typically name and surname, PAN, expiry date and CVV); the purchaser also had to type a password chosen when activating the service, or a one-time code received via SMS or generated by a device provided by the bank.
Developments over the following years were minimal and mostly concerned the authentication method, which converged on SMS codes thanks to the steady growth in mobile phone use. In 2018, however, the European PSD2 regulation on payments introduced the concept of Strong Customer Authentication (SCA) and important changes to the 3DS protocols, with the aim of making online payments even more secure, partly through a more structured authentication process.
With the new protocol, a username and password are no longer considered sufficient: the purchaser must authenticate with at least two of the following types of element:
Information that only the customer knows (KNOWLEDGE)
Something held only by the customer (POSSESSION)
Something that distinguishes the customer (INHERENCE), for example voice recognition or an iris scan
The most significant change is the introduction of biometrics to identify the buyer, a technology now widely available on most smartphones sold, which has improved both the security of access to the device and that of many actions performed on it, such as purchases from app stores.
The introduction of 3DS authentication drastically reduced the risk of fraudulent card use by third parties by adding an element known only to the cardholder. The new European regulation, together with the second version of the protocols to be implemented by the end of 2020, will further reduce the risk of fraud by making the protocols mandatory; until today their adoption by merchants has in fact been optional.
Activating the 3DS services of the card circuits on credit and debit cards is the responsibility of the issuers, which enable the functionality on purchasers' cards; the merchant's point of contact is instead the acquirer which, before PSD2, could allow the merchant to deactivate protocols that enhance security but may reduce the conversion rate.
Until now the merchant has always been able to ask the acquirer to disable the protocols, thereby accepting payments from its customers without the authentication code: worse for security, but with a higher probability of the payment succeeding, since the customer has one step fewer to complete. The new 3DS2 protocols instead move the decision on whether to require two-factor (or stronger) authentication on each transaction to the issuer of the payment card; the acquirer and the merchant thus become "passive" parties in the application of authentication, which becomes an integral part of the customer journey during the payment phase.
In particular, the new protocols require more data about the transaction and the acquirer to be included in the payment request. This allows the issuer to perform a more accurate fraud-risk analysis and, consequently, lowers the probability that authentication is requested for transactions genuinely made by the holder of the payment instrument.
Although there are exceptions and exemptions to the application of Strong Customer Authentication, supporting the new 3DS2 protocols becomes essential for the merchant: without implementing them, the merchant would not be compliant with the regulation and would see its payment requests rejected.
The 2.0 protocols also let the merchant populate additional optional fields, providing the issuer with extra data that helps reduce the likelihood of SCA being applied to its transactions. Doing so may require reviewing the site's customer journey to add data-collection fields, and therefore may increase the complexity of the integration.
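The following is an added illustration of two points made above, the SCA rule that two elements of different types are needed and the shift of the authenticate-or-not decision to the issuer on the basis of the extra 3DS2 data. It is example code written for this page, not Axerve's gateway code and not the EMVCo 3DS message format: the attribute names of the request, the issuer's scoring rule and the sample requests are assumptions constructed for the example.

```python
"""Toy model of the 3DS2 / SCA flow described in the text.

Illustrative code only: the request attribute names, the issuer-side scoring
rule and the sample data below are assumptions made for this example, not
EMVCo field names and not any real issuer's rules.
"""
from dataclasses import dataclass, fields
from enum import Enum
from typing import List, Optional, Sequence


class Factor(Enum):
    """The three SCA element types listed in the text."""
    KNOWLEDGE = "knowledge"      # password, PIN
    POSSESSION = "possession"    # phone that receives a one-time code, bank token device
    INHERENCE = "inherence"      # fingerprint, face, voice or iris


def satisfies_sca(factors_used: Sequence[Factor]) -> bool:
    """Strong Customer Authentication needs at least two elements of *different*
    types; two knowledge elements (password plus PIN) are still one factor."""
    return len(set(factors_used)) >= 2


@dataclass
class AuthRequest:
    """Data the merchant/acquirer side sends with a 3DS2 authentication request.

    The first four attributes stand in for the mandatory transaction data; the
    Optional ones model the extra fields the text describes. Names are assumptions."""
    amount: float
    currency: str
    card_last4: str
    merchant_id: str
    billing_address: Optional[str] = None
    email: Optional[str] = None
    phone: Optional[str] = None
    account_age_days: Optional[int] = None
    prior_purchases: Optional[int] = None
    device_fingerprint: Optional[str] = None

    def missing_optional_fields(self) -> List[str]:
        """Names of the enrichment fields the merchant did not collect."""
        return [f.name for f in fields(self)
                if f.default is None and getattr(self, f.name) is None]


def issuer_decision(req: AuthRequest, challenge_threshold: int = 3) -> str:
    """Assumed issuer-side risk analysis (real issuers apply their own rules).

    Each missing enrichment field adds uncertainty; a very new customer account or
    a large amount adds more. Below the threshold the issuer authenticates the
    transaction frictionlessly, otherwise it challenges and SCA must be performed."""
    risk = len(req.missing_optional_fields())
    if req.account_age_days is not None and req.account_age_days < 30:
        risk += 1
    if req.amount >= 500:
        risk += 2
    return "frictionless" if risk < challenge_threshold else "challenge"


def complete_payment(req: AuthRequest, factors_presented: Sequence[Factor]) -> str:
    """Outcome of the flow: the issuer, not the merchant, decides whether the
    cardholder must authenticate; when challenged, two distinct factors are needed."""
    if issuer_decision(req) == "frictionless":
        return "authorised (frictionless)"
    if satisfies_sca(factors_presented):
        return "authorised (challenge passed)"
    return "declined (SCA not satisfied)"


# Constructed sample requests for the same 49.90 EUR purchase: one with only the
# mandatory data, one enriched with the optional fields.
SPARSE = AuthRequest(49.90, "EUR", "4242", "MERCHANT-EXAMPLE")
ENRICHED = AuthRequest(49.90, "EUR", "4242", "MERCHANT-EXAMPLE",
                       billing_address="Via Esempio 1, Milano",
                       email="customer@example.com", phone="+39000000000",
                       account_age_days=420, prior_purchases=12,
                       device_fingerprint="dev-abc123")

if __name__ == "__main__":
    print("sparse   ->", issuer_decision(SPARSE))    # challenge
    print("enriched ->", issuer_decision(ENRICHED))  # frictionless
    print(complete_payment(SPARSE, [Factor.KNOWLEDGE, Factor.KNOWLEDGE]))
    print(complete_payment(SPARSE, [Factor.KNOWLEDGE, Factor.POSSESSION]))
```

The point the model makes is the one in the text: the same purchase is challenged when the merchant sends only the mandatory data and goes through frictionlessly when the optional fields are filled in, and when a challenge does occur, a second element of the same type (two passwords) does not satisfy SCA.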
To clarify PSD2 and the protocols, this infographic analyses in depth the changes introduced by the regulation and how Strong Customer Authentication works; it also contains a table comparing the old and new 3DS protocols for the protection of online purchases, giving an overview of the main changes.
To best manage the new authentication rules on the Axerve Ecommerce Solutions gateway, see the section of the documentation dedicated to the 3DS2 protocols, which details the steps needed to handle their imminent introduction.
¹May 2001: announcement of the collaboration between VISA and Arcot Systems, which developed one of the first 3D Secure solutions.