Fraud, data tampering, and identity theft have been linked to the internet since its inception. Because making credit card payments online automatically places consumers at greater risk of cybercrime, the card industry continues to take steps to thwart digital attacks. The most recent of these is a protocol known as 3-D Secure 2.

An important historical note.

Before we dive into the new approach of 3DS2, it is necessary to understand the environment within which it was created. Even back in 1999 when online shopping was done solely from a desktop internet browser, it was obvious that customers’ sensitive payment details were ripe for the picking by cybercriminals. Something had to be done to safeguard this information; otherwise, the card companies would be held liable, purchases would decrease, customers would be unhappy, and everyone would lose.

In response, EMVCo, an organization of officials from the six leading card companies, created the 3-D Secure protocol. The “3-D” in 3-D Secure refers to the three distinct domains that interact using this protocol: the merchant, the customer’s issuing bank, and the interoperability domain consisting of the underlying infrastructure that makes the communications possible.

Here is how 3-D Secure payments work.

• The customer proceeds to your checkout page to make an online purchase.
• They enter their credit card details in a secure payment gateway.
• The 3-D Secure protocol uses as many as 15 data points to test whether the rightful card owner is making the payment.
• If any concerns warrant further investigation, the consumer is redirected to a 3-D Secure page and prompted to supply additional information, such as a password or PIN.

Buyers who have already set up a password or PIN will not be required to re-enter that information for every purchase. In addition, most card providers use the protocol, greatly enhancing the overall security of the purchasing process.

Downsides of 3-D Secure.

Although the wide adoption of 3-D Secure in the early 2000s made the digital marketplace much safer, it became apparent that the system was far from perfect. For one thing, consumers tend to forget their passwords, requiring great expenditures of time and money on the part of the card issuing companies to help them restore their service. Furthermore, because the system only used a few data points to check the authenticity of consumers’ identities, many false declines led to frustration and shopping cart abandonment. Finally, the dawn of the iPhone and other mobile technology spawned a whole new way to shop that quickly began to replace desktop computers and browsers.

The birth of 3-D Secure 2.

In 2019, EMVCo rolled out its new and improved 3-D Secure suite known as 3-D Secure 2.0, also known as EMV 3-D Secure, 3-D Secure 2, and 3DS2. The new protocol is designed to take mobile ecommerce into consideration, as well as to make the user experience flow more smoothly. Although 3DS2 has not been implemented for all that long relative to its predecessor, some of its benefits are already becoming clear.

For one thing, the protocol allows for a frictionless yet more robust authentication experience. This is because businesses and their payment providers are now able to send significantly more data elements to the cardholder’s bank during each transaction. No longer limited to 15 or fewer facts, the customer’s bank can now receive more than 100 unique details such as the customer’s device ID, previous shopping history, and IP address. Armed with these facts, the bank can do the following.

• Determine that there is sufficient information to deem the payment authentic. If this occurs, the transaction is completed without the need for additional data from the customer.
• Conclude that further investigation is warranted. In this case, the customer is “challenged” to produce additional unique details to authenticate their identity.

Another 3-D Secure 2 benefit is that it is designed with the mobile user in mind. For example, many banking apps allow cardholders to authenticate their identity via easy biometric methods such as fingerprints or facial IDs. This eliminates the need to submit passwords that are easily forgotten while continuing to provide strong security precautions before payments can be approved. In addition, 3DS2 allows the customer to enter any requested information right on your checkout page, with no need to be redirected to the bank’s 3-D Secure site. This drastically reduces much of the shopping cart abandonment that once resulted from being involuntarily shuffled from one page to another.

Companies doing business in the European Union also benefit greatly from 3-D Secure 2. That’s because the passage of the Payment Services Directive (PSD2) legislation in the EU now requires that this protocol be used as the standard authentication method for online transactions taking place in the EU. PSD introduces the concept of Strong Customer Authentication (SCA) to authenticate electronic payments. This will mandate that consumers provide at least two of the following for a transaction to be successful.

• Something they know (one-time password, PIN, the answer to a security question, etc.).
• Something they own (credit or debit card, mobile or wearable device).
• Something they are (biometric data such as a fingerprint or face ID).

Because enabling 3-D Secure 2 satisfies all SCA requirements, it is a must for EU-facing businesses.

Is 3-D Secure 2 the last and final word on robust and frictionless user authentication for online transactions? It’s safe to say that innovations in technology, as well as ever-evolving cyber threats, will eventually require yet another update from EMVCo. 

However, at least at this moment, the 3DS2 protocol represents a marked improvement for both merchants and customers alike. If you think it might be time to update your digital checkout process, talk to your payment services provider about updating to 3-D Secure 2 to ensure enhanced and more secure transactions for everyone involved.