Results for

icon-search-large No search results yet
Enter your search query above

3-D Secure version 2

3-D Secure version 2 is an evolution of the existing 3-D Secure version 1 programs: Verified by Visa, Mastercard SecureCode, AmericanExpress SafeKey, Diners/Discover ProtectBuy and JCB J/Secure. It is based on a specification that has been drafted by EMVco. EMVCo exists to facilitate worldwide interoperability and acceptance of secure payment transactions. It is overseen by EMVCo’s six member organizations—American Express, Discover, JCB, Mastercard, UnionPay, and Visa—and supported by dozens of banks, merchants, processors, vendors and other industry stakeholders who participate as EMVCo Associates.

To reflect current and future market requirements, EMVco recognized the need to create a new 3-D Secure specification that would support app-based authentication and integration with digital wallets, as well as traditional browser-based e-commerce transactions. This led to the development and publication of the EMV® 3-D Secure – Protocol and Core Functions Specification. The specification takes into account these new payment channels and supports the delivery of industry leading security, performance and user experience.

Besides the major global card brands we also see that some local card brands are also looking to adopt similar/identical means of authentication as defined in the 3-D Secure version 2 specifications.

Why a new version

Version 1 of 3-D Secure results in redirects for consumers, to pages that aren't always optimized for the device that the consumer is using. This increases the drop-off rate of the consumers during your checkout. Next to this, the way the consumer has to authenticate isn't always the best way from a usability point of view, again increasing the drop-off even further. Due to the drop-off impact not all merchants have adopted 3-D Secure, so consumers aren't always familiar with the flow and this again leads to increased drop-off. In short the user experience leaves a lot to desire and you are faced with a loss of revenue due to a reduction of conversion on your checkout. Below map shows the drop-off percentages for 3-D Secure version 1 we observed on Ingenico's Global Collect Payment Platform in the first half of 2018.

GlobalCollect 3-D Secure version 1 drop-off per region in 2018

The implementation of 3-D Secure version 1 historically has introduced more friction than necessary. As more and more transactions are app based and we see rapid development of new ways to make payments there was a need for an updated version of 3-D Secure that could deal with this, which is 3-D Secure version 2.

What will change

One of the core differences is that the issuer can use a lot of data-points from the transaction to determine the risk of the transaction (risk-based analysis). For low-risk transactions, issuers will not challenge the transaction (e.g. not sending an SMS to the cardholder) although authenticating the transaction (frictionless). Inversely, for high risk transaction, issuers will require the cardholder to authenticate with an SMS or biometric means (challenge). This can then result in a frictionless authentication, which doesn't involve the consumer to be redirected. In case the consumer is using an app this also applies. In case a challenge is required by the issuer this can be handled inside the app. This greatly improves the user experience and will increase conversion.

Separately the Strong Customer Authentication (SCA) required in Europe by September 14th, 2019 as specified in PSD2 will result in a substantial increase in the number of transactions requiring the use of 3-D Secure authentication. The use of 3-D Secure version 2 should limit the potential negative impact on conversion as much as possible.

In short 3-D Secure version 2 means:

  • You will need to implement 3-D Secure before September 14th, 2019 if your transactions fall within the EU PSD2 SCA guidelines (in case you don't already support 3-D Secure).
  • You are advised (and for some are required) to submit additional data points to support the risk assessment performed by the issuer in case of 3-D Secure version 2
  • You might need to update your privacy policy with regards to GDPR as you might be sharing additional data-points with 3rd parties
  • A much better user experience for your consumers

Benefits

The expectation in the market is that a substantial percentage of transactions using 3-D Secure version 2 will follow the frictionless flow, which doesn't require anything additional from the consumer compared to current non-3-D Secure checkout flows. This means that you benefit from the increased security and liability shift that is provided by the 3-D Secure programs, while the conversion in your checkout process shouldn't be negatively impacted.

According to card networks projections, with 3-D Secure version 2, merchants will be able to achieve the same performance levels as physical store merchants (using Chip & PIN):

  • Up to 10 percentage points higher approval rates
  • Up to 50% reduced fraud rates
  • Around 50% lower abandonment rates.

Timeline

3Dv2 Timeline

A couple of dates are important:

  1. April 2019: Mastercard issuers globally and Visa issuers from Europe can support 3-D Secure version 2 in their production environments, so you might be impacted as well as you can only benefit if you provide the right data points.
  2. August 2019: Visa issuers In North and South America can support 3-D Secure version 2.
  3. September 14th, 2019: PSD2 SCA goes into effect in the European markets requiring Strong Customer Authentication for each online transaction that match the criteria as set forth in the PSD2 SCA guidelines.
  4. April 2020: Issuers from the rest of the world can support 3-D Secure version 2.

For each of the above activations the following applies: If the issuer supports 3-D Secure version 2 for the card, you should use 3-D Secure version 2. If you do not support 3-D Secure version 2, falling back to 3-D Secure version 1 remains a possibility without any impact on the liability shift.

Additional information

  1. Introduction
  2. Highlevel implementation
  3. Consumer user experience
  4. MyCheckout hosted payment pages implementation
  5. Create Payment API implementation
  6. Test cases
  7. Special use cases
  8. Webhooks

3-D Secure version 2

3-D Secure version 2 is an evolution of the existing 3-D Secure version 1 programs: Verified by Visa, Mastercard SecureCode, AmericanExpress SafeKey, Diners/Discover ProtectBuy and JCB J/Secure. It is based on a specification that has been drafted by EMVco. EMVCo exists to facilitate worldwide interoperability and acceptance of secure payment transactions. It is overseen by EMVCo’s six member organizations—American Express, Discover, JCB, Mastercard, UnionPay, and Visa—and supported by dozens of banks, merchants, processors, vendors and other industry stakeholders who participate as EMVCo Associates.

To reflect current and future market requirements, EMVco recognized the need to create a new 3-D Secure specification that would support app-based authentication and integration with digital wallets, as well as traditional browser-based e-commerce transactions. This led to the development and publication of the EMV® 3-D Secure – Protocol and Core Functions Specification. The specification takes into account these new payment channels and supports the delivery of industry leading security, performance and user experience.

Besides the major global card brands we also see that some local card brands are also looking to adopt similar/identical means of authentication as defined in the 3-D Secure version 2 specifications.

Why a new version

Version 1 of 3-D Secure results in redirects for consumers, to pages that aren't always optimized for the device that the consumer is using. This increases the drop-off rate of the consumers during your checkout. Next to this, the way the consumer has to authenticate isn't always the best way from a usability point of view, again increasing the drop-off even further. Due to the drop-off impact not all merchants have adopted 3-D Secure, so consumers aren't always familiar with the flow and this again leads to increased drop-off. In short the user experience leaves a lot to desire and you are faced with a loss of revenue due to a reduction of conversion on your checkout. Below map shows the drop-off percentages for 3-D Secure version 1 we observed on Ingenico's Global Collect Payment Platform in the first half of 2018.

GlobalCollect 3-D Secure version 1 drop-off per region in 2018

The implementation of 3-D Secure version 1 historically has introduced more friction than necessary. As more and more transactions are app based and we see rapid development of new ways to make payments there was a need for an updated version of 3-D Secure that could deal with this, which is 3-D Secure version 2.

What will change

One of the core differences is that the issuer can use a lot of data-points from the transaction to determine the risk of the transaction (risk-based analysis). For low-risk transactions, issuers will not challenge the transaction (e.g. not sending an SMS to the cardholder) although authenticating the transaction (frictionless). Inversely, for high risk transaction, issuers will require the cardholder to authenticate with an SMS or biometric means (challenge). This can then result in a frictionless authentication, which doesn't involve the consumer to be redirected. In case the consumer is using an app this also applies. In case a challenge is required by the issuer this can be handled inside the app. This greatly improves the user experience and will increase conversion.

Separately the Strong Customer Authentication (SCA) required in Europe by September 14th, 2019 as specified in PSD2 will result in a substantial increase in the number of transactions requiring the use of 3-D Secure authentication. The use of 3-D Secure version 2 should limit the potential negative impact on conversion as much as possible.

In short 3-D Secure version 2 means:

  • You will need to implement 3-D Secure before September 14th, 2019 if your transactions fall within the EU PSD2 SCA guidelines (in case you don't already support 3-D Secure).
  • You are advised (and for some are required) to submit additional data points to support the risk assessment performed by the issuer in case of 3-D Secure version 2
  • You might need to update your privacy policy with regards to GDPR as you might be sharing additional data-points with 3rd parties
  • A much better user experience for your consumers

Benefits

The expectation in the market is that a substantial percentage of transactions using 3-D Secure version 2 will follow the frictionless flow, which doesn't require anything additional from the consumer compared to current non-3-D Secure checkout flows. This means that you benefit from the increased security and liability shift that is provided by the 3-D Secure programs, while the conversion in your checkout process shouldn't be negatively impacted.

According to card networks projections, with 3-D Secure version 2, merchants will be able to achieve the same performance levels as physical store merchants (using Chip & PIN):

  • Up to 10 percentage points higher approval rates
  • Up to 50% reduced fraud rates
  • Around 50% lower abandonment rates.

Timeline

3Dv2 Timeline

A couple of dates are important:

  1. April 2019: Mastercard issuers globally and Visa issuers from Europe can support 3-D Secure version 2 in their production environments, so you might be impacted as well as you can only benefit if you provide the right data points.
  2. August 2019: Visa issuers In North and South America can support 3-D Secure version 2.
  3. September 14th, 2019: PSD2 SCA goes into effect in the European markets requiring Strong Customer Authentication for each online transaction that match the criteria as set forth in the PSD2 SCA guidelines.
  4. April 2020: Issuers from the rest of the world can support 3-D Secure version 2.

For each of the above activations the following applies: If the issuer supports 3-D Secure version 2 for the card, you should use 3-D Secure version 2. If you do not support 3-D Secure version 2, falling back to 3-D Secure version 1 remains a possibility without any impact on the liability shift.

Additional information

  1. Introduction
  2. Highlevel implementation
  3. Consumer user experience
  4. MyCheckout hosted payment pages implementation
  5. Create Payment API implementation
  6. Test cases
  7. Special use cases
  8. Webhooks