The evolution of the 3D-Secure protocol: from 3DS to 3DS 2.2
New rules for Strong Customer Authentication (SCA) came into effect in most European countries during 2021. Part of this mandate has been to use 3DS to authenticate payments. Since the first version of the protocol was created it has been improved continuously, and those improvements increasingly balance security against customer friction.
The major card schemes have announced that in October 2022 issuers and acquirers in Europe will be required to support the enhanced standard for securing online payments (EMV 3DS 2.2). Businesses that want to stay ahead of the curve should start considering now how it will impact their SCA strategy.
How will the new standard allow businesses to secure more successful sales, with fewer declines and disputed payments? We explain the background to strong customer authentication and why the new, enhanced 3DS 2.2 version of the standard is a game-changer.
What is strong customer authentication?
Authentication is the process of confirming whether someone is who they say they are. There are different ways to do this for remote shopping or banking transactions.
Typically, authentication factors rely on:
- Something a customer knows (e.g. a PIN or password)
- Something a customer has (e.g. a token or device)
- Something a customer is (e.g. fingerprint)
To increase the security of remote payments, the revised Payment Services Directive (PSD2) in Europe requires two or more factors for so-called strong customer authentication (SCA).
Since 31 December 2020, all electronic transactions processed in the European Economic Area (EEA) have been subject to SCA with only a few exceptions set out below. The UK has an SCA enforcement date of 14 March 2022 with UK banks already starting to soft-decline non-SCA compliant transactions.
Changes in lifestyle, shopping habits and technology are driving more and more remote sales. As such, the 3DS standard, originally released in the late 1990s, has understandably evolved to keep up. 3DS 2.1 extended the protocol to mobile payments and alternative authentication methods, and collects ten times more data to give a more accurate risk analysis.
The technology has evolved again with EMV 3DS 2.2, which now supports a more seamless checkout experience, as well as more intelligent risk-based decisioning and exemption handling.
What is EMV 3DS 2.2?
EMV 3DS 2.2 is the new, enhanced version of the existing 3DS standard, owned by EMVCo, the global technical body for secure payment transactions.
By connecting the issuer, acquirer and card scheme (the three domains in the 3 Domain Secure protocol), 3DS gives consumers a way to authenticate themselves directly with their card issuer when shopping online. This additional layer of security helps prevent unauthorized use of cards, and protects ecommerce businesses from exposure to certain types of disputed transactions.
What are the main differences in 3DS 2.2?
Firstly, the new specification is optimized for many more types of device (mobile, PC, consoles and even digital television) as well as for in-app payment. So, say goodbye to clunky pop-up windows, particularly on the smaller screen of a mobile device, and hello to a more frictionless checkout flow.
Secondly, it’s now possible for merchants to pass more than 100 data elements to card issuers for more intelligent risk scoring. That’s up from the eight data points typically exchanged as part of a 3DS 1.0 authentication. This improves risk-based authentication, meaning that checkout is friction-free for most low-risk transactions from trusted customers.
CKO Explains: Hard declines vs Soft declines
Hard declines happen when the customer’s issuer rejects the payment. Examples include when the card is expired or reported as stolen. Hard declines are permanent, so the payment should not be retried.
Soft declines account for 80-90% of all declines. Usually, they occur when the issuer wants to authenticate their cardholder before authorizing payment.
Which transactions require strong customer authentication?
All electronic transactions require SCA unless the transaction is out of scope or there’s an exemption applied.
The main out-of-scope scenarios for remote transactions include:
- Merchant initiated transactions (MITs): This is a large group of transactions, including recurring, installment or prepaid payments, credential on file, delayed charges and reauthorizations, among others. SCA may be required to set up such arrangements, mainly if they are initiated through a remote channel. However, once an arrangement is in place, merchants may initiate subsequent payments without applying SCA requirements.
- Mail order/telephone order: Payments made by mail order or over the phone fall outside the scope of SCA.
- One leg out: When either the card issuer or the acquirer is outside the EEA. For example, when a card issued in Japan is used at the website of a German merchant. Authentication should be applied on a best-effort basis, but issuers must not decline one-leg-out authorization requests if they are out of scope.
- Anonymous transactions: For example, prepaid gift cards issued without an identifiable cardholder name.
The four main exemptions to the SCA requirement for those selling online are:
- Transaction Risk Analysis (TRA): This depends on the transaction value and fraud rate of the acquirer.
- Low value transactions: Remote payments less than €30 up to a maximum of five transactions or a cumulative limit of €100.
- Trusted beneficiaries: When customers add merchants to a list of trusted beneficiaries held by their issuers, sometimes known as ‘white listing’. This is useful if customers often shop with particular merchants. A cardholder can list a merchant via the authentication flow after a challenge is completed or via a bank app if that's provided by the issuer.
- Secure corporate payments: Those initiated through secure corporate systems and processes, such as centralized travel management systems, lodge and virtual cards.
To reiterate: SCA is not required for transactions that are out of scope or exempt. But these transactions must be correctly flagged in the authorization message to reduce the chance of issuers soft declining them.
3DS 2.2 supports this frictionless flow, so businesses accepting online payments are advised to work with their acquirers to develop an exemption strategy that fits their circumstances.
Also, keep in mind that issuers have the final say about whether to apply SCA. There are things that only they can know or do. For example, understanding the customer’s typical spending patterns or which merchants are listed as trusted beneficiaries.
If issuers are suspicious about a transaction, they can always request a step-up or challenge authentication via 3DS, even if it’s been flagged as out of scope or exempt from SCA.
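The scope and exemption rules above, and the issuer's final say, can be worked through as a small decision routine. This is an added example, not code from the original post or from any acquirer's platform: the country list, the field names and the low-value counters (which in practice only the issuer holds) are constructed assumptions, and the returned flag stands in for whatever indicator your acquirer uses in the authorization message.

```python
from dataclasses import dataclass

EEA = {"AT", "BE", "DE", "ES", "FI", "FR", "IE", "IT", "NL", "PL", "PT", "SE"}  # constructed subset

@dataclass
class Txn:
    amount_eur: float
    issuer_country: str
    acquirer_country: str
    merchant_initiated: bool = False   # MIT: recurring, installment, delayed charge, ...
    moto: bool = False                 # mail order / telephone order
    anonymous_prepaid: bool = False    # prepaid card with no identifiable cardholder
    trusted_beneficiary: bool = False  # merchant on the issuer's 'white list'
    secure_corporate: bool = False     # initiated via a secure corporate process
    tra_eligible: bool = False         # acquirer's fraud rate permits TRA at this value
    count_since_sca: int = 0           # issuer-held low-value counters (constructed here)
    total_since_sca: float = 0.0

def classify(t: Txn):
    """Return (category, flag); the flag is what the acquirer sets in authorization."""
    # Out-of-scope scenarios come first: nothing needs to be requested for them.
    out_of_scope = [
        (t.merchant_initiated, "mit"),
        (t.moto, "moto"),
        ((t.issuer_country in EEA) != (t.acquirer_country in EEA), "one_leg_out"),
        (t.anonymous_prepaid, "anonymous"),
    ]
    for applies, flag in out_of_scope:
        if applies:
            return "out_of_scope", flag
    # Exemptions the acquirer may flag; the issuer still has the final say.
    low_value = t.amount_eur < 30 and (
        t.count_since_sca < 5 or t.total_since_sca + t.amount_eur <= 100)
    exemptions = [
        (t.trusted_beneficiary, "trusted_beneficiary"),
        (t.secure_corporate, "secure_corporate"),
        (low_value, "low_value"),
        (t.tra_eligible, "tra"),
    ]
    for applies, flag in exemptions:
        if applies:
            return "exempt", flag
    return "sca_required", "challenge"

def issuer_flow(t: Txn, issuer_suspicious: bool = False) -> str:
    # Issuer side: a suspicious transaction is stepped up even when flagged exempt.
    category, _ = classify(t)
    if issuer_suspicious or category == "sca_required":
        return "challenge"
    return "frictionless"
```

Note that the low-value branch models the page's "five transactions or €100" wording literally; the merchant cannot see those counters, so in production the acquirer requests the exemption and the issuer applies it.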
How do online businesses make SCA regulations work for them?
Turn SCA regulations into a competitive advantage by:
- identifying when you can apply exemptions
- determining any out-of-scope transactions, which do not require SCA and
- keeping up to date with all the latest developments to 3DS.
Similarly, assess the impact of SCA on customer journeys and processes to maximize the use of exemptions for a frictionless checkout flow. If you’re uncertain whether any of your use cases qualify for exemptions, please contact our payment experts.
Lastly, determine a fraud strategy that reflects your business model. You’ve probably invested heavily in fraud detection and risk management tools over the years. 3DS 2.2 enables your business to leverage that investment.
There’s a balance to be struck between minimizing fraud losses and operational costs, optimizing the customer experience and maximizing revenue. No one says this is easy. But the good news is there is no one right way to balance these factors or devise an exemption strategy. Each business can tailor and tweak their approach depending on their own circumstances for competitive advantage.
Download our guide to find out more.