Designed to prevent card fraud during online transactions, 3D Secure is a security protocol that authenticates cardholders during Card-Not-Present (CNP) transactions. The “3D” refers to the three operational domains of the protocol: the issuer, the acquirer, and the interoperability domain. EMVCo, an organisation jointly owned by Visa, Mastercard, American Express, Discover, JCB, and UnionPay, provides updates to the protocol to help mitigate fraud.
After the introduction of 3D Secure around 17 years ago, this authentication method was adopted by the payments industries in most countries, although uptake varied from region to region. However, it was recognised that a new version of 3D Secure was required to keep up with changing trends in the marketplace and to support payment authentication using mobile devices and digital wallets. The 3D Secure 2 (3DS2) specification was developed to account for these new payment channels, to provide enhanced security and performance, and to offer a more frictionless payment process that improves the user experience and reduces the higher cart abandonment rates seen with 3D Secure 1.
3D Secure 2 employs dynamic authentication methods such as biometrics and token-based authentication instead of static passwords.
Supporting authentication based on enriched data elements shared through the protocol makes the risk-based analysis credible for determining whether to authenticate a transaction. The user experience can be refined and enhanced by eliminating the initial sign-up procedure and the requirement for cardholders to use static passwords. As a result, merchants can anticipate less cart abandonment from customers.
Additionally, the message interface and challenge flows have been optimised for mobile platforms (i.e. in-app, mobile, and digital wallet).
3D Secure 2 can provide a faster, more unified, and less intrusive authentication solution by eliminating 3D Secure 1's previous shortcomings.
For merchants, cart abandonment rates will decrease. Previously, 3D Secure 1 always required a manual password entry from cardholders. Since many cardholders forget their static password, it was felt that the additional effort was not worth it, causing many cardholders to abandon the purchase altogether. By eliminating this additional manual step, Frictionless Flow increases the likelihood that cardholders will complete their transactions.
From the perspective of the issuer, it is their responsibility to determine whether a transaction is likely to be fraudulent. With 3D Secure 2, a comprehensive set of cardholder and transaction information is collected and sent to the issuer. This means issuers can make better-informed risk decisions than they were previously able to. By enabling issuers to make informed decisions, the incidence of chargebacks from cardholders will fall, thereby reducing the time and resources required to resolve such disputes.
For the end consumer (or "cardholder"), 3D Secure provides assurance that their credit card is not being used for fraudulent purposes. Compared to 3D Secure 1, 3D Secure 2 offers a much faster, more accurate, and more natural method of authentication in order to achieve frictionless authentication.
Frictionless Flow is one of 3D Secure 2's two authentication flows. The alternative is a Challenge Flow.
Frictionless Flow enables issuers to authorise a transaction without requiring the cardholder's manual input. This is accomplished through Risk Based Authentication (RBA). RBA works by collecting a set of cardholder data during the transaction and transmitting it to the issuing bank and its Access Control Server (ACS), which then compares the data collected with the cardholder's historical transaction data to generate a fraud risk value for the new transaction. If the fraud risk value is less than a specified threshold, Frictionless Flow applies. In other words, if the risk of fraud is low enough, the issuing bank will not request additional verification from the cardholder and will treat the cardholder as genuine for that transaction. This eliminates the manual verification step that 3D Secure 1 required of cardholders.
Challenge Flow applies if the fraud risk value of a transaction exceeds the predetermined threshold. For further information about Challenge Flow, including how it functions and how this has changed between 3DS1 and 3DS2, please contact us.
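The threshold decision described above can be sketched as follows. This is an added example, not GPayments or EMVCo code: the features, weights, threshold and sample transactions are all constructed assumptions, and real ACS risk models are issuer-specific.

```python
from dataclasses import dataclass
from statistics import mean, pstdev

THRESHOLD = 0.5  # hypothetical value; each issuer sets its own

@dataclass
class Txn:
    amount: float
    device_id: str
    ship_country: str

# Constructed cardholder history, standing in for the ACS's stored data.
HISTORY = [Txn(40.0, "dev-a", "AU"), Txn(60.0, "dev-a", "AU"),
           Txn(50.0, "dev-a", "AU")]

def risk_score(txn, history):
    """Compare a new transaction with the cardholder's history; 0.0 to 1.0."""
    if not history:
        return 1.0  # nothing to compare against: treat as maximum risk
    amounts = [h.amount for h in history]
    mu, sigma = mean(amounts), pstdev(amounts)
    # Amount anomaly: distance from the historical mean in standard
    # deviations, capped at 3 and scaled to 0..1.
    if sigma:
        z = abs(txn.amount - mu) / sigma
    else:
        z = 0.0 if txn.amount == mu else 3.0
    amount_risk = min(z, 3.0) / 3.0
    # Unseen device or shipping country each add risk.
    device_risk = 0.0 if txn.device_id in {h.device_id for h in history} else 1.0
    country_risk = 0.0 if txn.ship_country in {h.ship_country for h in history} else 1.0
    # Hypothetical weights summing to 1.0.
    return 0.4 * amount_risk + 0.35 * device_risk + 0.25 * country_risk

def choose_flow(txn, history, threshold=THRESHOLD):
    """Return (flow, score): frictionless below the threshold, else challenge.

    The text only covers 'less than' and 'exceeds'; a score equal to the
    threshold is sent to challenge here as the conservative assumption.
    """
    score = risk_score(txn, history)
    flow = "frictionless" if score < threshold else "challenge"
    return flow, round(score, 3)

if __name__ == "__main__":
    for t in (Txn(55.0, "dev-a", "AU"), Txn(900.0, "dev-x", "BR")):
        print(t, choose_flow(t, HISTORY))
```

A cardholder with no history is always challenged in this sketch, since there is nothing for the comparison to run against.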
No, it is the responsibility of each merchant to implement 3D Secure. However, in nations such as India and South Africa, 3D Secure is mandatory.
Currently, liability shift is given to all merchants who attempt 3D Secure 1 authentication. This is true even if the card's issuing bank does not endorse 3D Secure 1 or if the cardholder has not registered in the protocol. This is a major advantage of 3D Secure 1, as merchants who merely attempt authentication can rid themselves of chargeback liability.
3D Secure 2 supports liability shift. As the updated protocol is gradually implemented, different card schemes determine their own liability shift implementation rules. Mastercard began supporting liability shift as of October 2018, whereas Visa activates liability shift based on the merchant's location. Various regions have had dates ranging from April 2019 through April 2020. Contact us via the form for more information on liability shift and how GPayments can help merchants benefit from liability shift.
You may have encountered 3D Secure without realising it. If you have been prompted to enter the password for your credit card when shopping online, it is likely that the site uses 3D Secure. All major card brands implement 3D Secure and market their 3D Secure services under different brand names. Visa refers to it as "Verified by Visa," Mastercard refers to it as "Mastercard Identity Check," and American Express brands it as "American Express SafeKey". In the end, however, they all serve the same purpose: 3D Secure authentication.
As of 17 October 2021, Visa will no longer guarantee merchants for transactions authorised with the 3D Secure v1 protocol, and as of October 21, 2022, secure payments must use the 3D Secure V2 protocol. As of October 14, 2022, Mastercard will no longer accept new 3D Secure v1 enrolments. As of October 18, 2022, Mastercard will no longer process any 3D Secure V1 transactions for cardholder authentication. At GPayments we are committed to supporting the industry's transition from 3DS 1.0.2 to EMV 3DS 2.0. EMV 3DS 2.0 delivers improved authentication that makes online payments more secure and lowers fraudulent transactions. It is mobile-friendly and has a more robust data flow and better flexibility. This enhances the user experience, stimulates higher sales with less friction, and provides a better platform. If you have any questions or concerns about the transition, please get in touch with our team.
GPayments supports all major global card schemes including Visa, Mastercard, American Express, Discover/Diners, JCB, eftpos and UPI, with more to come on our roadmap. Stay tuned or ask the GPayments team if you have questions about specific networks or regions.
Outside of Europe (and other regulated jurisdictions), retailers may opt to use the liability protection features of 3-D Secure. This implies that when an issuer authenticates a digital transaction, they are certain that the transaction is valid, and if the transaction turns out to be fraudulent, they will assume responsibility for the fraud. This is a tremendous advantage for the merchant and a tremendous risk reduction tool. The issuer has a wealth of information on its cardholders, so if they validate a transaction, they are quite certain that the cardholder in question is their own.
In Europe, with SCA implemented from December 2020 for most of the EEA (and from September 2021 for the UK), if SCA is needed, 3DS isn't used, and an exemption isn't applied, a soft decline signalling that the transaction needs to be authenticated is expected. If the merchant resubmits the transaction without validating it, the transaction may be automatically denied, resulting in the loss of the sale.
As regulatory agencies begin enforcing the SCA requirements, our recommendation is to implement EMV 3DS immediately, as we expect the consequences of not having it to become more severe. Planning and implementing in advance allows businesses to get it up and running and maximise their 3DS performance without the pressure of a deadline. Contact our team for more information and to find out how we can help you implement EMV 3DS.
In regulated regions, such as the European Economic Area (EEA), where PSD2's Strong Customer Authentication (SCA) requirement is in place (albeit not implemented in most nations until late 2020 or early 2021), EMV 3DS facilitates the two-factor authentication needed to address SCA.
This is a crucial factor for retailers. When implementing 3DS, merchants should ensure that just one core implementation is required. Merchants that use GPayments today are approved for EMV 3DS versions 2.2 and 2.1 (the most recent versions in production) as well as 3DS version 1.0. If you are considering deploying now, ensure that your supplier is able to handle all current versions, including version 1.0, which will be utilised throughout the transition period.
When the next version of EMV 3DS is published, the merchant may need to make use of additional data points and fields for new functionality, but it is not necessary to replace the complete implementation every time the specification is updated.