3D Secure 2.0’s Six Pillars

Like Web 2.0, Mobile 2.0, and Vegetables 2.0 (And, yes, that’s a thing. Have you ever had fried brussels sprouts?), 3D-Secure 2.0 is also taking something in need of an upgrade and making it better. In this case, though, that upgrade comes to a security protocol designed to strengthen security around online credit card transactions, but which has seen little change since its inception 17 years ago.

While much of Europe has embraced the use of the original 3DS protocol for the majority of virtual transactions, the protocol’s reputation for a clunky user experience in the online checkout flow has kept it from seeing the same adoption in the U.S. In fact, only 18 percent of U.S.-based transactions leverage it today.

The concern from merchants over cart abandonment due to friction in the process, compounded with a shift to mobile commerce and a general hunger for data, has finally driven EMVCo and CA Technologies to give it an overhaul. And by “overhaul,” we mean “tear-it-down-and-create-something-new.”

“This is not just an upgrade,” said Ankur Karer, director of global solution strategy at CA Technologies, which developed the 3DS 1.0 protocol in the early 2000s. “It’s a redo from the core messaging perspective.”

Karer said issuers won’t have to change much to implement 3DS 2.0 — it’s the underlying protocol that has been transformed. A key part of development, he said, was getting input from merchants to give them a voice in how the protocol should work. Now that they’ve had an equal say, Karer expects to see much less resistance to adoption compared to the original 3DS.

Of course, a streamlined user experience and mobile-first approach will encourage adoption, as well. Karer said a primary goal with 3DS 2.0 was to reduce the number of shopping cart abandonments driven by friction at the checkout. Furthermore, tailoring the protocol to address not only mobile browser shopping but also in-app purchases was an exercise in foresight and meeting consumers wherever they are using their credit cards.

Karer outlined six highlights of the 3DS overhaul in a recent webinar with PYMNTS’ Karen Webster.

1. Rich Data

Under the old protocol, data gathered on secure transactions contained only six or seven relevant fields, including the currency used in the transaction and some merchant information. That didn’t give issuers much to work with in the analytics realm, and it gave the merchants virtually nothing, since data was captured directly from the cardholder’s browser and never even passed through the merchant’s system.

“It was a complete black box with 3DS,” Karer said. “It’s not good. Merchants capture a wealth of data. The goal was for merchants to be able to provide this wealth of data to the issuing site to use in risk assessment.”

Under the new protocol, the process has become much more transparent. Merchants will provide 40 to 50 relevant fields to issuers, including elements like an address match indicator and a merchant category code. In return, issuers will reciprocate by sharing the data they have with merchants.

2. Early Risk Evaluation

Sharing all that data will help merchants and issuers identify and mitigate risks earlier. In addition, a simplified message flow for authentication request processing will pull all necessary data into one place at one time so a decision can be made immediately to allow or challenge the transaction.

Karer emphasized all of this happens behind the scenes, so it appears frictionless on the cardholder side. The system only bothers them for extra information when something doesn’t seem right. Ideally, he said, that will only happen 10 percent of the time.

3. Frictionless/Dynamic Customer Challenge Technologies

If something does seem off, then a customer challenge will be issued. That challenge used to be a static password. Today, banks know a static password is not enough to protect an account. The minimum standard today is a one-time password, which is sent to the cardholder by SMS using the mobile number associated with the account.

Better yet, a cardholder may be redirected to their bank’s mobile app to accept or decline the transaction in question. Choosing “accept” submits a message to the merchant and the cardholder is then redirected, mostly seamlessly, back to the point of sale to finish checking out.

But newer methods have been unlocked with the advent of biometric verification. Touch ID thumbprint recognition, selfie pay facial recognition and voice recognition have all emerged as new ways to confirm consumer identities. These strategies have a native feel in the growing mobile environment, though they can apply to desktop shopping as well.
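As an added illustration of the flow described in the three sections above (rich merchant data, one-pass risk evaluation, then a challenge only when needed), here is a toy issuer-side decision step. It is example code written for this page, not the article's or CA Technologies' SDK; the field names, weights, thresholds and merchant category codes are constructed assumptions, not values from the 3DS 2.0 specification.

```python
"""Toy issuer-side risk-based authentication of the kind 3DS 2.0 enables.
All merchant-supplied data arrives in one request, the issuer scores it at once,
and only a risky (or data-starved) transaction is escalated to a challenge.
Field names, weights, thresholds and MCC values are constructed for illustration."""
from dataclasses import dataclass, field

# Constructed risk weights; a real issuer tunes these from its own fraud data.
WEIGHTS = {"address_mismatch": 40, "currency_mismatch": 25,
           "high_risk_mcc": 30, "unknown_device": 20}
HIGH_RISK_MCCS = {"7995", "6051"}  # illustrative merchant category codes
CHALLENGE_THRESHOLD = 50           # score at or above this triggers a challenge
MIN_FIELDS = 4                     # too few fields (old-protocol style) -> challenge

@dataclass
class Decision:
    outcome: str                   # "frictionless" or "challenge"
    score: int
    reasons: list = field(default_factory=list)
    challenge_method: str = ""     # empty when no challenge is needed

def choose_challenge(capabilities: dict) -> str:
    """Pick the least intrusive challenge the cardholder's enrolment supports:
    biometric in the bank app, then app accept/decline, then SMS one-time password."""
    if capabilities.get("bank_app") and capabilities.get("biometric"):
        return "in_app_biometric"
    if capabilities.get("bank_app"):
        return "in_app_accept_decline"
    return "sms_otp"               # the article's stated minimum standard

def assess(areq: dict, card_currency: str, capabilities: dict) -> Decision:
    """Score the merchant's authentication request data and decide in one pass."""
    if len(areq) < MIN_FIELDS:     # a 3DS 1.0-style black box cannot be scored
        return Decision("challenge", 0, ["too little data to evaluate risk"],
                        choose_challenge(capabilities))
    score, reasons = 0, []
    checks = [
        (areq.get("address_match") == "N", "address_mismatch"),
        (areq.get("currency") != card_currency, "currency_mismatch"),
        (areq.get("mcc") in HIGH_RISK_MCCS, "high_risk_mcc"),
        (not areq.get("device_known", False), "unknown_device"),
    ]
    for triggered, name in checks:
        if triggered:
            score += WEIGHTS[name]
            reasons.append(name)
    if score >= CHALLENGE_THRESHOLD:
        return Decision("challenge", score, reasons, choose_challenge(capabilities))
    return Decision("frictionless", score, reasons)
```

Tuning `CHALLENGE_THRESHOLD` against historical traffic is how an issuer would aim for the roughly 10 percent challenge rate the article mentions.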

4. In-App Purchases

They’re the way of the future, says Karer. Therefore, it’s not enough to improve security and user experience in mobile browsers, because before long, mobile apps will outstrip them in terms of transaction volume.

Today, however, there is no 3DS in apps. In some locales, online merchants have had to find ways to navigate the cardholder away from the app, authenticate and bring them back — something Uber and Amazon do in India.

Karer said users should not be navigated away from the app because it creates the feeling something isn’t right, and the process becomes cluttered and cumbersome. By comparison, an in-app challenge such as a request for a thumbprint or facial scan will simply feel like a security measure from the app itself and will not generate the same uneasiness that something has gone wrong.

In all of this, standardization is going to be important, said Karer, as brands must maintain a consistent experience across channels or risk confusing their users.

5. New Browser Specs

On a desktop, a payment screen is often displayed as an in-line window within a merchant website. Scroll bars may be visible, and the site may not appear correctly across devices. New browser specs will display that same information in a new way — for example, by popping up the authentication box front and center, while blurring the merchant info in the background.

If authentication is required, which should, again, only happen 10 percent of the time, the exact same methods can be used. The site can direct users to “Click yes or no in your mobile app” or take another verifying action.

6. Identity and Verification

Karer could offer little insight on this area, since the specifications are not yet available. Other areas are still shaping up, including dual authentications, as in a peer-to-peer money transfer, and the application of this protocol to Internet of Things (IoT)-enabled devices like wearables. Karer expects the protocol to be certified and begin rolling out by October, with large-scale enablement not on the docket until mid-2018. So, there’s still time to iron out these elements.
Even though 3DS 2.0 hasn’t rolled out yet, Karer said there’s no reason for issuers to wait on implementing tools that are already available, such as risk-based authentication. Older portfolios and legacy issuers especially should update now rather than waiting, he said, and anyone who’s still requiring a static password for identity verification needs to get with the times.

3DS 2.0 incorporation is designed to be a straightforward process. The protocol is delivered to merchants as a software development kit (SDK) that they can incorporate within their apps by copying and pasting a simple snippet of code. Better yet, said Karer, companies on the acquiring side could — and maybe should — manage that upgrade for their merchants.

Although Karer doubts 3DS 2.0 will become globally mandated by the networks, he said anyone who has implemented version 1.0 will be mandated to convert to 2.0 within the next few years. A mandate, of course, is different from a liability shift. Visa has set a date of April 12, 2019, for liability shift globally for 3DS 2.0 Merchant-Attempted transactions.