Raising the Bar for Passwordless, Frictionless Commerce

3DS 1, 3DS 2.1, 3DS 2.2.

These acronyms should be crowding merchants’ minds as fines loom this fall for those who are not in compliance with the latest version of the 3D Secure protocol for authenticating eCommerce card transactions. But the state of readiness for the latest wave of authentication protocols remains uneven at best, Jonathan Van der Merwe, product manager at Entersekt, told PYMNTS.



At a high level, 3D Secure (3DS) 2.1 and 3DS 2.2 have the advantage of sending richer data to issuing banks than previous iterations — in part through advanced technologies such as biometrics.

Risk-based authentication can leverage artificial intelligence (AI) for insight into behavioral biometrics, understanding how consumers shop normally and what outlier behaviors are — then assigning a risk score to any given transaction.

But thus far, Van der Merwe said, uptake of 3DS is dependent on a variety of factors: Different countries have different mandates — and a slew of differing regulations.

Looking at Merchant Behaviors

In addition, he said, “Merchant behaviors and expectations in how they perceive their markets to operate will drive different uptake and engagements on the 3DS protocol.” The good news is that thus far, there’s been a higher uptake of 3DS 2.0 than was seen with version one.

“There was a lot to be desired from 3DS version one,” he told PYMNTS, “especially from a perspective of user experience and from an ease of authentication perspective” — which in turn resulted in high abandonment rates.

With the first iteration being eliminated entirely beginning next month, 3DS 2.1 and 2.2 will be the only protocols merchants and issuers will be able to use to authenticate eCommerce transactions. Payment services providers have been a boon to merchants, Van der Merwe added, in that they have been handling the technical heavy lifting with no-code integrations as enterprises migrate to the newer versions.

Getting everyone on board, however, is no easy task.

“The first thing to realize is that 3DS is an ecosystem of players,” Van der Merwe said. “There are issuers, and there are acquirers, directories and card associations, PSP and vendors.”

The goal is to have the 3DS protocol in the middle so that these stakeholders can talk to one another.

Merchants still worry about injecting so much friction into the mix that customers will abandon their carts when it’s time to authenticate before a purchase. Some of that caution comes from the fact that 3DS1 was a security-first experience, rather than a user-first one.

But once the ecosystem comes around to the understanding that ACS (access control server) vendors are committed to better user experiences, there’ll be greater success rates across eCommerce as a whole.

“The level of trust will improve,” he said, “as the merchants and the issuers that have been lagging move over to the newer versions of 3DS.”

That enthusiasm will mount as passwordless authentication gains momentum through the FIDO Alliance, and authentication can be done in-app, too, which will render static passwords obsolete. Looking ahead, he said that there’s roughly a 9% monthly migration of traffic from 3DS1 to 3DS2.

“That’s quite a strong migration, from the merchant’s perspective,” he told PYMNTS. And in November, when “one” is switched off, the ability to authenticate using that earlier protocol will disappear (and liability stays with the merchant).

“It’s definitely a good idea to move to 3DS2 as soon as possible,” Van der Merwe said, noting the added benefit of lower interchange fees. “There’s really no risk for cart abandonment based on the user experience of authentication.”