3-D Secure version 2
3-D Secure version 2 is an evolution of the existing 3-D Secure version 1 programs: Verified by Visa, Mastercard SecureCode, American Express SafeKey, Diners/Discover ProtectBuy and JCB J/Secure. It is based on a specification drafted by EMVCo. EMVCo exists to facilitate worldwide interoperability and acceptance of secure payment transactions. It is overseen by EMVCo's six member organizations (American Express, Discover, JCB, Mastercard, UnionPay, and Visa) and supported by dozens of banks, merchants, processors, vendors and other industry stakeholders who participate as EMVCo Associates.
To reflect current and future market requirements, EMVCo recognized the need to create a new 3-D Secure specification that would support app-based authentication and integration with digital wallets, as well as traditional browser-based e-commerce transactions. This led to the development and publication of the EMV® 3-D Secure – Protocol and Core Functions Specification. The specification takes these new payment channels into account and supports the delivery of industry-leading security, performance and user experience.
Besides the major global card brands, some local card brands are also looking to adopt similar or identical means of authentication as defined in the 3-D Secure version 2 specifications.
Why a new version
Version 1 of 3-D Secure results in redirects for consumers to pages that aren't always optimized for the device the consumer is using. This increases the drop-off rate of consumers during your checkout. In addition, the way the consumer has to authenticate isn't always the best from a usability point of view, increasing the drop-off even further. Due to the drop-off impact, not all merchants have adopted 3-D Secure, so consumers aren't always familiar with the flow, and this again leads to increased drop-off. In short, the user experience leaves a lot to be desired and you are faced with a loss of revenue due to reduced conversion on your checkout. The map below shows the drop-off percentages for 3-D Secure version 1 we observed on Ingenico's Global Collect Payment Platform in the first half of 2018.
The implementation of 3-D Secure version 1 has historically introduced more friction than necessary. As more and more transactions are app-based and new ways to make payments are developing rapidly, there was a need for an updated version of 3-D Secure that could deal with this: 3-D Secure version 2.
What will change
One of the core differences is that the issuer can use many data points from the transaction to determine the risk of the transaction (risk-based analysis). For low-risk transactions, issuers will authenticate the transaction without challenging the cardholder (e.g. without sending an SMS); this is the frictionless flow, and it doesn't require the consumer to be redirected. Conversely, for high-risk transactions, issuers will require the cardholder to authenticate with an SMS or biometric means (challenge). The same applies when the consumer is using an app: if the issuer requires a challenge, it can be handled inside the app. This greatly improves the user experience and will increase conversion.
Separately, the Strong Customer Authentication (SCA) required in Europe by September 14th, 2019, as specified in PSD2, will result in a substantial increase in the number of transactions requiring the use of 3-D Secure authentication. The use of 3-D Secure version 2 should limit the potential negative impact on conversion as much as possible.
In short 3-D Secure version 2 means:
- You will need to implement 3-D Secure before September 14th, 2019 if your transactions fall within the EU PSD2 SCA guidelines (in case you don't already support 3-D Secure).
- You are advised (and in some cases required) to submit additional data points to support the risk assessment performed by the issuer in case of 3-D Secure version 2.
- A much better user experience for your consumers.
The expectation in the market is that a substantial percentage of transactions using 3-D Secure version 2 will follow the frictionless flow, which doesn't require anything additional from the consumer compared to current non-3-D Secure checkout flows. This means that you benefit from the increased security and liability shift that is provided by the 3-D Secure programs, while the conversion in your checkout process shouldn't be negatively impacted. Current data shows that this is indeed true for about 75% of our volume.
According to card network projections, with 3-D Secure version 2 merchants will be able to achieve the same performance levels as physical store merchants (using Chip & PIN):
- Up to 10 percentage points higher approval rates
- Up to 50% reduced fraud rates
- Around 50% lower abandonment rates
A couple of dates are important:
- April 2020: Several issuers across Europe will start to soft decline transactions, indicating that Strong Customer Authentication is required. This is sometimes also referred to as a step-up. These issuers will start doing this for transactions that they would have declined due to suspected fraud, allowing you to 'recover' these transactions. Later on they will also start doing this based on other criteria, like the amount of the transaction. In this second phase, which is expected to start in the second half of 2020, they will start soft declining some transactions for which Strong Customer Authentication was not performed. These transactions would have been approved in the past; you might lose transactions if you are unable to perform 3-D Secure authentication. The aim is to get everybody in the ecosystem ready before the deadline at the end of 2020. As long as you submit the data points required to perform 3-D Secure, our system will automatically perform such an authentication when the issuer requests it through such a soft decline.
- September 2020: Issuers should be ready to support exemptions, like Low Value and Transaction Risk Analysis.
- January 1st, 2021: PSD2 SCA goes into effect in the European markets, requiring Strong Customer Authentication for each online transaction that matches the criteria set forth in the PSD2 SCA guidelines.
For each of the above activations the following applies: If the issuer supports 3-D Secure version 2 for the card, you should use 3-D Secure version 2. If you do not support 3-D Secure version 2, falling back to 3-D Secure version 1 remains a possibility without any impact on the liability shift.