3-D Secure version 2

3-D Secure version 2 is an evolution of the existing 3-D Secure version 1 programs: Verified by Visa, Mastercard SecureCode, American Express SafeKey, Diners/Discover ProtectBuy and JCB J/Secure. It is based on a specification that has been drafted by EMVCo. EMVCo exists to facilitate worldwide interoperability and acceptance of secure payment transactions. It is overseen by EMVCo's six member organizations (American Express, Discover, JCB, Mastercard, UnionPay, and Visa) and supported by dozens of banks, merchants, processors, vendors and other industry stakeholders who participate as EMVCo Associates.

To reflect current and future market requirements, EMVCo recognized the need to create a new 3-D Secure specification that would support app-based authentication and integration with digital wallets, as well as traditional browser-based e-commerce transactions. This led to the development and publication of the EMV® 3-D Secure – Protocol and Core Functions Specification. The specification takes into account these new payment channels and supports the delivery of industry-leading security, performance and user experience.

Besides the major global card brands, we see that some local card brands are also looking to adopt similar or identical means of authentication as defined in the 3-D Secure version 2 specifications.

Why a new version

Version 1 of 3-D Secure redirects consumers to pages that aren't always optimized for the device they are using. This increases the drop-off rate during your checkout. In addition, the way the consumer has to authenticate isn't always the best from a usability point of view, which increases drop-off even further. Because of this impact, not all merchants have adopted 3-D Secure, so consumers aren't always familiar with the flow, which again leads to increased drop-off. In short, the user experience leaves a lot to be desired and you are faced with a loss of revenue due to reduced conversion on your checkout. The map below shows the drop-off percentages for 3-D Secure version 1 that we observed on Ingenico's Global Collect Payment Platform in the first half of 2018.

GlobalCollect 3-D Secure version 1 drop-off per region in 2018

The implementation of 3-D Secure version 1 has historically introduced more friction than necessary. As more and more transactions are app-based and new ways to make payments are being developed rapidly, there was a need for an updated version of 3-D Secure that could deal with this: 3-D Secure version 2.

What will change

One of the core differences is that the issuer can use many data points from the transaction to determine its risk (risk-based analysis). For low-risk transactions, the issuer authenticates the transaction without challenging the cardholder, for example without sending an SMS (frictionless). Conversely, for high-risk transactions, the issuer requires the cardholder to authenticate with an SMS or by biometric means (challenge). Risk-based analysis can therefore result in a frictionless authentication, in which the consumer does not have to be redirected. This also applies when the consumer is using an app, and if the issuer does require a challenge, it can be handled inside the app. This greatly improves the user experience and will increase conversion.

Separately, the Strong Customer Authentication (SCA) required in Europe by September 14th, 2019, as specified in PSD2, will result in a substantial increase in the number of transactions requiring the use of 3-D Secure authentication. The use of 3-D Secure version 2 should limit the potential negative impact on conversion as much as possible.

In short 3-D Secure version 2 means:

  • You will need to implement 3-D Secure before September 14th, 2019 if your transactions fall within the EU PSD2 SCA guidelines (in case you don't already support 3-D Secure).
  • You are advised (and for some are required) to submit additional data points to support the risk assessment performed by the issuer in case of 3-D Secure version 2.
  • You might need to update your privacy policy with regard to GDPR, as you might be sharing additional data points with third parties.
  • A much better user experience for your consumers

Benefits

The expectation in the market is that a substantial percentage of transactions using 3-D Secure version 2 will follow the frictionless flow, which doesn't require anything additional from the consumer compared to current non-3-D Secure checkout flows. This means that you benefit from the increased security and liability shift that is provided by the 3-D Secure programs, while the conversion in your checkout process shouldn't be negatively impacted.

According to card network projections, with 3-D Secure version 2, merchants will be able to achieve the same performance levels as physical store merchants (using Chip & PIN):

  • Up to 10 percentage points higher approval rates
  • Up to 50% reduced fraud rates
  • Around 50% lower abandonment rates.

Timeline

3Dv2 Timeline

A couple of dates are important:

  1. April 2019: Mastercard issuers globally and Visa issuers from Europe can support 3-D Secure version 2 in their production environments, so you might be impacted as well; you can only benefit if you provide the right data points.
  2. August 2019: Visa issuers in North and South America can support 3-D Secure version 2.
  3. September 14th, 2019: PSD2 SCA goes into effect in the European markets, requiring Strong Customer Authentication for each online transaction that matches the criteria set forth in the PSD2 SCA guidelines.
  4. April 2020: Issuers from the rest of the world can support 3-D Secure version 2.

For each of the above activations the following applies: If the issuer supports 3-D Secure version 2 for the card, you should use 3-D Secure version 2. If you do not support 3-D Secure version 2, falling back to 3-D Secure version 1 remains a possibility without any impact on the liability shift.

Technical implementation

We have done our best to limit the impact of 3-D Secure version 2 for you. This means that we have kept the existing 3-D Secure flow and statuses the same. The impact has been reduced to API changes that introduce the additional new properties that you can (and in some cases should) provide to increase the likelihood of your transactions being authenticated using the frictionless flow.

Flow

The diagram below shows the high-level flow of both version 1 and version 2 of 3-D Secure. Please note that we show the browser flow specifically for 3-D Secure version 2, as version 1 doesn't support any flow other than the browser flow. The functional flow between the two versions is the same from your point of view. After the initial payment creation two flows are possible:

  • One flow requiring the redirection of the consumer
  • One flow not requiring the redirection of the consumer

3Dv2 flow v1.1

The flow with the redirection for 3-D Secure version 2 could potentially involve only a page that allows the issuer to collect data from the consumer's device without any user interaction. This is called a MethodURL flow in the 3-D Secure version 2 documentation. We have chosen to handle this flow on our hosted payment pages to reduce the implementation impact on you. This means that redirection will not always result in a so-called Challenge towards the consumer and could still be considered frictionless in the 3-D Secure version 2 terminology. The statuses for each of the flows are identical: REDIRECTED for the flow that involves redirection, and all the other possible statuses, like REJECTED, PENDING_APPROVAL, CAPTURE_REQUESTED, etc., for the non-redirect flow. The image below shows the 3-D Secure specific status flow for the most common implementation (not using the 2-step 3-D setup that requires explicit approval from your side to continue with the authorization).

Payment Flow Credit Cards 3Dv2

Additional data elements

The key aspect of 3-D Secure version 2 is the ability of the issuing bank to better assess the risk involved in the transaction. The 3-D Secure version 2 specification contains a lot of data elements. Some of them were already commonly used in fraud screening, but some are new and specific to 3-D Secure. In general, the data elements fall into the following categories:

  • Card details
  • 3-D Secure specific information
    • Previous 3-D Secure results
    • Specific 'settings' for this transaction
  • Transaction information
    • Billing address data
    • Shipping details
    • Meta information on what the transaction is for
  • Consumer
    • Device/browser data
    • Account of the consumer with you
      • Authentication used
      • Account on file
      • Payment history

Our existing APIs already capture a lot of the data elements, but we are adding a lot of new ones. The reason is that we believe that everybody in the payments ecosystem benefits from increased security, with the least amount of negative impact on the experience of the consumer. Payments are based on trust, and by providing more data it becomes easier for parties to trust one another without requiring additional challenges to authenticate the consumer. Almost all of the newly added data elements are optional, but we advise you to supply as many of them as possible. This increases the likelihood of your transactions following the frictionless flow, while you benefit from liability shift. In case you use the MyCheckout hosted payment pages, we will capture the device/browser related data automatically.

Webhooks

The additional properties that have been added to the Create Payment response have also been added to the webhook payment events, in case a 3-D Secure version 2 authentication was completed.
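
An added example (not code from this page or from the platform) of merchant-side handling for the statuses described under Flow and the payment events described under Webhooks: the order is fulfilled only on an authorised status, REDIRECTED is never treated as success, and unknown statuses fail closed. The event shape (status, redirect_url), the order states, and the reading of PENDING_APPROVAL and CAPTURE_REQUESTED as authorised are assumptions; events are assumed to have already been authenticated as coming from the platform.

```python
# Added example: status names come from the page; the event shape
# ({"status": ..., "redirect_url": ...}) is simplified and hypothetical.
from urllib.parse import urlparse

# Assumption: both statuses mean the authorisation went through.
AUTHORISED = {"PENDING_APPROVAL", "CAPTURE_REQUESTED"}
FAILED = {"REJECTED"}
FINAL_ORDER_STATES = {"FULFIL", "CANCEL"}


def decide(order_state, event):
    """Return (new_order_state, action) for one Create Payment response
    or webhook payment event.

    order_state is one of: NEW, AWAITING_CONSUMER, REVIEW, FULFIL, CANCEL.
    """
    status = event.get("status")
    if order_state in FINAL_ORDER_STATES:
        # Late or replayed events never reopen a finished order.
        return order_state, "ignore"
    if status in AUTHORISED:
        return "FULFIL", "fulfil_order"
    if status in FAILED:
        return "CANCEL", "show_payment_failed"
    if status == "REDIRECTED":
        url = urlparse(event.get("redirect_url") or "")
        if url.scheme != "https" or not url.netloc:
            # Never send the consumer to a missing or non-HTTPS target.
            return "REVIEW", "hold_for_review"
        # The redirect may be a silent MethodURL data collection or a real
        # challenge; either way the consumer is not authenticated yet.
        return "AWAITING_CONSUMER", "redirect_consumer"
    # Unknown or missing status: fail closed, never ship goods.
    return "REVIEW", "hold_for_review"


def run(events):
    """Feed events in arrival order; return (final_state, actions)."""
    state, actions = "NEW", []
    for event in events:
        state, action = decide(state, event)
        actions.append(action)
    return state, actions


# Constructed sample: a create-payment response followed by webhook events.
SAMPLE = [
    {"status": "REDIRECTED", "redirect_url": "https://pay.example.test/3ds/abc"},
    {"status": "PENDING_APPROVAL"},
    {"status": "REDIRECTED", "redirect_url": "https://pay.example.test/3ds/abc"},  # late duplicate
]

if __name__ == "__main__":
    print(run(SAMPLE))
```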
