3D Secure 2

A new authentication standard

Last updated on November 15, 2018

Summary

The 3D Secure standard, often known by its branded names like “Verified by Visa” or “Mastercard SecureCode” aims to reduce fraud and provide added security to online payments. Beginning in 2019, banks are expected to gradually start supporting a new version of 3D Secure.

3D Secure 2 (3DS2) adds “frictionless authentication” and improves the purchase experience compared to 3D Secure 1. It is expected to be the main method to comply with the upcoming Strong Customer Authentication regulation in Europe. If you use 3D Secure on our PaymentIntents API, we’ll seamlessly transition you to 3D Secure 2 as card issuers gradually begin to support it in spring of 2019.

A quick history of 3D Secure 1

Though credit cards have become the preferred method for online payments in many countries, they’re also a prime target for fraudsters. Despite additional security measures such as the Address Verification System (AVS) or the CVC verification used in some markets, credit card payments can still be at a high risk of fraud. (In fact, it is because of this risk that customers have the ability to dispute fraudulent payments made with their card.)

To address this problem, card networks implemented the first version of 3D Secure in 2001. If you regularly buy items online, you may be familiar with the 3D Secure flow: you enter your card details to confirm a payment, and are then redirected to another page where your bank asks you for a code or password to approve the purchase. Because the authentication page is often co-branded by the card network, most customers are more familiar with branded names for 3D Secure, such as “Verified by Visa” or “Mastercard SecureCode.”

For businesses, the benefit of 3D Secure is clear: requesting additional information lets you build in an extra layer of fraud protection—ensuring that you only accept card payments from legitimate customers. As an added incentive, authenticating a payment with 3D Secure shifts the liability for chargebacks due to fraud from your business to your customer’s bank. This added protection is why 3D Secure is often applied to large purchases like airline tickets.

Unfortunately, the use of 3D Secure 1 also has some drawbacks: the additional step required to complete the payment adds friction to the checkout flow and can lead customers to abandon the purchase. Additionally, a number of banks still force their cardholders to create and remember their own static passwords to complete the 3D Secure verification. These passwords are easy to forget which can lead to higher rates of cart abandonment. The user experience impact is especially pronounced in mobile apps, where applying 3D Secure may redirect customers out of the native app and onto a bank’s website that isn’t optimized for mobile devices.

What’s new with 3D Secure 2

EMVCo, an organization made up of six major card networks recently released a new version of 3D Secure. EMV 3-D Secure (3D Secure 2 or 3DS2) aims to address many of the shortcomings of 3D Secure 1 by introducing less disruptive authentication and a better user experience.

Frictionless authentication

3D Secure 2 will allow businesses and their payment provider to securely send over 100 data elements on each transaction to the cardholder’s bank. This includes payment-specific data like the shipping address, as well as contextual data, such as the customer’s device ID or previous transaction history.

The cardholder’s bank can use this information to assess the risk level of the transaction and select an appropriate response:

  • If the data is sufficient for the bank to trust that the real cardholder is making the purchase, the transaction qualifies for a “frictionless” flow and the authentication is completed without impacting the user experience—the cardholder never sees any sign of 3D Secure being applied.

  • If the bank decides it needs further proof, the transaction follows the “challenge” flow and the customer is asked to provide additional input to authenticate the payment.

Although a limited form of risk-based authentication is already supported with 3D Secure 1, the ability to share much more data is likely to increase the number of transactions that can be authenticated without further customer input.

Example flow of authenticating a payment using 3D Secure 2 with fallback support for 3D Secure 1

Even if a transaction follows the frictionless flow, the business will benefit from the same liability shift as for transactions that pass through the challenge flow.

Many businesses choose to not use 3D Secure today because of the added steps for customers. With 3D Secure 2, they could choose to only complete the 3D Secure flow when the frictionless flow is available. It would remain invisible to customers but shift the liability burden to card issuers and potentially improve the acceptance rate for a meaningful fraction of their transactions.

Better user experience

Unlike 3D Secure 1, 3D Secure 2 will let businesses embed the challenge flow directly within their web and mobile checkout flows—without requiring redirects. Using new mobile SDKs, businesses will be able to introduce native flows within their apps, which will no longer require their customers to switch to a browser-based flow to complete the transaction.

Comparison

3D Secure 1: Mobile authentication flow with browser-redirect
3D Secure 1: Mobile authentication flow with browser-redirect
3D Secure 2: Mobile authentication flow within the app
3D Secure 2: Mobile authentication flow within the app

We’re particularly excited that the new mobile SDKs will also make it easier for customers to authenticate a payment using their mobile banking apps (sometimes referred to as out-of-band authentication). The SDK will be able to detect whether the bank’s app has been installed on the customer’s device and automatically open the banking app during the 3D Secure flow without any customer interaction. Then, the customer can authenticate the payment using a password, fingerprint, or even facial recognition.

3D Secure 2 and Strong Customer Authentication

The enforcement of Strong Customer Authentication (SCA) in September 2019 makes 3D Secure 2 all the more important if you are doing business in Europe. As this new regulation will require you to apply more authentication on European payments, 3D Secure 2 will offer a better user experience to minimize the impact on conversion.

Although 3D Secure 2 will be the primary method to comply with SCA requirements for card payments, we expect that the “frictionless” flow will not qualify as a form of Strong Customer Authentication. This would mean that after the enforcement of SCA in Europe, the frictionless flow could only be used for payments that qualify for an exemption (whereas all payments that require SCA would need to be authenticated using the “challenge” flow).

How Stripe is supporting these changes?

The widespread adoption of 3D Secure 2 will hinge on individual card issuers supporting the new standard. Although we expect the first banks to start supporting 3D Secure 2 for their cardholders in early 2019, it’s likely that the wider implementation will be incremental and take several months. While we anticipate that 3D Secure 1 and 3D Secure 2 will coexist until at least 2020, we’re excited for the major improvements in customer experience that 3D Secure 2 will bring.

We have released a beta of a new payments API—PaymentIntents, which lets you dynamically apply 3D Secure to high-risk payments and prepares you for Strong Customer Authentication. We will automatically add support for 3D Secure 2 on this API, before April 2019 to be ready for the expected rollout among most banks. If you integrate 3D Secure on our new PaymentIntents API today, we’ll seamlessly transition you to 3D Secure 2 once supported (without any required change to your integration).

If you currently use 3D Secure on our Sources integration, you’ll need to update to the new PaymentIntents API to support 3D Secure 2 along with dynamic authentication.

You can learn more about this new payments API, here.