Last updated on July 18, 2019
The 3D Secure standard—often known by its branded names like Visa Secure, Mastercard Identity Check, or American Express SafeKey—aims to reduce fraud and provide added security to online payments. Beginning in late 2019, banks are expected to gradually start supporting a new version of 3D Secure.
3D Secure 2 (3DS2) introduces “frictionless authentication” and improves the purchase experience compared to 3D Secure 1. It’s expected to be the main card authentication method used to meet the upcoming Strong Customer Authentication (SCA) requirements in Europe and a key mechanism for businesses to request exemptions to SCA.
A quick history of 3D Secure 1
Despite additional security measures such as the Address Verification System (AVS) or the CVC verification used in some markets, credit and debit card payments can still be at a high risk of fraud. (In fact, it is because of this risk that customers have the ability to dispute fraudulent payments made with their card.)
To address this problem, card networks implemented the first version of 3D Secure in 2001. If you regularly buy items online, you may be familiar with the 3D Secure flow: you enter your card details to confirm a payment, and are then redirected to another page where your bank asks you for a code or password to approve the purchase. Because the authentication page is co-branded by the card network, most customers are often more familiar with branded names for 3D Secure, such as Visa Secure, Mastercard Identity Check, or American Express SafeKey.
For businesses, the benefit of 3D Secure is clear: requesting additional information lets you build in an extra layer of fraud protection and ensure that you only accept card payments from legitimate customers. As an added incentive, authenticating a payment with 3D Secure shifts the liability for chargebacks due to fraud from your business to your customer’s bank. This added protection is why 3D Secure is often applied to large purchases like airline tickets.
Unfortunately, the use of 3D Secure 1 also has some drawbacks: the additional step required to complete the payment adds friction to the checkout flow and can lead customers to abandon the purchase. Additionally, a number of banks still force their cardholders to create and remember their own static passwords to complete 3D Secure verification. These passwords are easy to forget, which can lead to higher rates of cart abandonment.
What’s new with 3D Secure 2
EMVCo, an organization made up of six major card networks, recently released a new version of 3D Secure. 3D Secure 2 (also called EMV 3-D Secure, 3D Secure 2.0 or 3DS2) aims to address many of the shortcomings of 3D Secure 1 by introducing less disruptive authentication and a better user experience.
3D Secure 2 allows businesses and their payment provider to send more data elements on each transaction to the cardholder’s bank. This includes payment-specific data like the shipping address, as well as contextual data, such as the customer’s device ID or previous transaction history.
The cardholder’s bank can use this information to assess the risk level of the transaction and select an appropriate response:
If the data is enough for the bank to trust that the real cardholder is making the purchase, the transaction goes through the “frictionless” flow and the authentication is completed without any additional input from the cardholder.
If the bank decides it needs further proof, the transaction is sent through the “challenge” flow and the customer is asked to provide additional input to authenticate the payment.
Although a limited form of risk-based authentication was already supported with 3D Secure 1, the ability to share more data using 3D Secure 2 aims to increase the number of transactions that can be authenticated without further customer input.
Even if a transaction follows the frictionless flow, your business will benefit from the same liability shift as for transactions that pass through the challenge flow.
Better user experience
Unlike 3D Secure 1, 3D Secure 2 was designed after the rise of smartphones and makes it easier for banks to offer innovative authentication experiences through their mobile banking apps (sometimes referred to as “out-of-band authentication”). Instead of entering a password or just receiving a text message, the cardholder can authenticate a payment through the banking app by just using their fingerprint, or even facial recognition. We expect many banks to support these smoother authentication experiences with 3D Secure 2.
The second improvement in user experience is that 3D Secure 2 is designed to embed the challenge flow directly within web and mobile checkout flows—without requiring full page redirects. If a customer authenticates on your site or webpage, the 3D Secure prompt now by default appears in a modal on the checkout page (browser flow).
Illustration of the embedded challenge flow, using biometric authentication in a mobile banking app
If you’re building an app, mobile SDKs built for 3D Secure 2 let you build an “in-app” authentication flow and avoid browser-redirects altogether.
3D Secure 2 and Strong Customer Authentication
The enforcement of Strong Customer Authentication (SCA) in September 2019 makes 3D Secure 2 all the more important if you are doing business in Europe. As this new regulation will require you to apply more authentication on European payments, the improved user experience of 3D Secure 2 can help reduce the negative impact on conversion.
The 3D Secure 2 protocol itself will also allow payment providers like Stripe to request exemptions to SCA and skip authentication for low-risk payments altogether. Payments that require SCA will need to go through the “challenge” flow, whereas transactions that can be exempted from SCA can be sent through the “frictionless” flow. However, it’s worth noting that if the payment provider requests an exemption for payments requiring SCA and the transaction passes through the “frictionless” flow, it doesn’t benefit from the liability shift.
When will 3D Secure 2 be supported by banks?
The widespread adoption of 3D Secure 2 hinges on individual card issuers supporting the new standard. Although the first banks have started supporting 3D Secure 2 for their cardholders, it’s likely that wider implementation will take time and will vary by country and region.
In Europe, we expect many banks to upgrade to 3D Secure 2 between April and September 2019, to be ready for the enforcement of Strong Customer Authentication. We expect banks in other regions to gradually start supporting 3D Secure 2 in late 2019. While we anticipate that 3D Secure 1 and 3D Secure 2 will coexist until at least 2020, we’re excited for the improvements in customer experience introduced by this new version.
How Stripe is supporting these changes?
Stripe supports the 3D Secure 2 browser flow on the new payments APIs and Checkout, letting you dynamically apply 3D Secure to high-risk payments to protect your business from fraud. We will apply 3D Secure 2 when it’s supported by the cardholder’s bank, and fall back on 3D Secure 1 when the new version isn’t supported yet.
If you’re building a mobile application, our updated iOS and Android SDKs let you build an in-app authentication flow to offer a “native” authentication experience and avoid redirecting your customers outside of your application. Even if the cardholder’s bank doesn’t yet support 3D Secure 2, our mobile SDKs will dynamically fall back to showing 3D Secure 1 in a webview embedded within your application.