Visa and Mastercard are discontinuing support for 3DS1, the legacy authentication protocol, and all related technology from 15 October 2022.
Card issuers, acquirers and payment service providers are being encouraged to move to the latest version, 3DS2.x. This means merchants who remain on the 3DS1 protocol may be liable for fraud, even on 3DS-protected transactions, after the October 2022 sunset date.
So, how can businesses prepare, and what should they expect in the coming months?
In this article, we consider:
- The main differences between 3DS1 and 3DS2
- How the card schemes are facilitating the transition
- How the sunsetting of 3DS1 will impact businesses
- How Checkout.com is supporting customers to prepare for 3DS2
What is the difference between 3DS1 and 3DS2?
3DS1 was originally released in the browser-based era of the 1990s. Since then, changes in lifestyle, shopping habits and technology have driven more and more mobile sales. The new EMV 3DS2 standard supports a more seamless checkout experience, as well as more secure transactions based on intelligent risk-based decisioning.
3DS2 is optimized for mobile and in-app payment. It addresses today’s omnichannel experience on mobile, PC and even digital television, and also anticipates support for future channels and form factors.
3DS2 also enables the passing of more than 100 data elements between merchants and issuers to enhance approvals. That’s up from the eight data points typically exchanged as part of a 3DS1 authentication. This improves risk-based authentication, meaning a frictionless flow for most low-risk transactions from trusted customers.
Moreover, 3DS2.2 enables ‘soft declines’, which 3DS1 does not support. If the issuer receives an authorization request and wants to authenticate the cardholder before approving the payment, 3DS2.2 lets it do so. With 3DS1, issuers would have to ‘hard decline’ the transaction.
How are the schemes encouraging the transition?
The card schemes are taking different approaches to encourage the shift from 3DS1 to 3DS2.
Visa is taking the approach of removing fraud liability protection on transactions that are authenticated with 3DS1. Thus merchants are encouraged to authenticate using 3DS2 and avoid chargebacks. Issuers are also incentivized to implement 3DS2 promptly to avoid risk, as merchants will have fraud liability protection on 3DS2 transactions even if European issuers are not live on 3DS2.
Mastercard, on the other hand, has sought to penalize acquirers when 3DS2-ready merchants authenticate with 3DS1. Additionally, issuers that have BINs not enrolled with 3DS2 will be penalized. Mastercard will also double 3DS1 authentication fees so that 3DS2 transactions are more cost-effective.
How will the sunsetting of 3DS1 impact Checkout.com merchants?
The overwhelming majority of Checkout.com customers, who deploy strong customer authentication (SCA), already use the newest version of the protocol. Checkout.com is automatically upgrading customers who use our authentication solution. So, customers do not need to undertake these changes themselves.
There are a couple of scenarios where businesses should engage with their providers now to prepare for the sunsetting of 3DS1.
These are businesses that:
- Use third-party merchant plug-in providers — when a company other than Checkout.com handles authentication
- Use acquirers and payment service providers in addition to Checkout.com
In these cases, businesses should engage with their providers to ask how they’re preparing.
Any transaction submitted with 3DS1 after 15 October 2022 will fail. The buyer will see an error message, and the merchant will likely lose the sale, as their customer will assume the checkout is broken.
How is Checkout.com supporting customers to prepare for 3DS2?
Checkout.com has proactively engaged with affected merchants in good time to prepare for the sunsetting of 3DS1. Plus, merchants that are using Checkout.com’s authentication solution have been automatically upgraded to the new version of the 3DS protocol. This upgrade will not require any developer changes.
Checkout.com is also implementing a ‘soft’ retirement of 3DS1 to identify and remediate any issues ahead of the 15 October 2022 card scheme deadline.
Take a look at the Checkout.com Authentication Solution and ensure that your business is ready to sunset 3DS1 and any other changing regulations.