3DS2: the new authentication standard

In order to fight against the increase in fraud with e-commerce transactions, a new version of the 3D Secure protocol has been released: 3D Secure 2 (3DS2).

This new version increases the security of payments and improves the user experience: based on intelligent and dynamic risk analysis, it allows to reduce the number of abandoned transactions that came with 3DS1 by minimizing the amount of communication with the buyer.

To do this, more information (almost 10 times more compared to the previous version, 3DS1) will be used by the issuer in order to evaluate the transaction risks.

If the issuer determines that the level of risk for the transaction is low, buyer authentication will be performed without interacting with him or her. In this case, the authentication is “Frictionless”.

If the issuer estimates that the risk for the transaction is high, interaction with the buyer is necessary. In this case, it is a “Challenge”.

During this challenge, the buyer will have to pass at least two authentication factors. This authentication method is called SCA (Strong Customer Authentication).

SCA requires for two out of three different authentication factors to be provided:
  • Possession: information known only to the client (such as a single-use code),
  • Knowledge: information known only to the client (such as a password),
  • Inherence: biometric element that identifies the client (such as a device fingerprint, vocal or facial recognition).

SCA is required only if the issuer and the acquirer are both located in the European Economic Area (EEA).

SCA is not applied to transactions made with cards issued outside the EEA, or if the merchant has signed a contract with an acquirer outside the EEA, even if the card was issued in the EEA.

Other features:
  • This new version supports new payment channels, such as in-app payments and mobile payments.
  • Authentication in pop-in mode replaces redirection to the ACS page.

More information exchanged between the different interlocutors

With 3DS1, only the following information was used to allow cardholder authentication:

  • Merchant contract number (MID)

  • Acquirer’s BIN

  • URL of the authentication server

  • Messages (VEReq, VERes, PAReq, PARes)

  • Card number

  • User Agent of the buyer’s browser

With 3DS2, there is 10 times more information shared, falling into 4 categories:
  • Transaction & client details

    Contains mandatory or optional information retrieved during the customer journey on the merchant website and using the transaction details:

    • Card number and expiry date
    • Billing address
    • Shipping address
    • Merchant name
    • URL of the merchant website
    • Country
    • MCC code
    • Acquirer BIN
    • MID
    • Amount
    • Devise
    • Transaction type
  • Authentication details

    1. Authentication on the merchant website
      Concerns buyer authentication (not 3DS) for access to the merchant website:
      • Authentication method
      • Date and time of the connection
      • Authentication details

    2. Previous strong authentication
      3DS authentication details issued from a previous transaction made by the same cardholder with the same payment method:
      • Authentication method (frictionless or challenge)
      • Date and time of 3DS authentication
      • Authentication details (ACS transaction number)
  • Merchant details

    1. Information about the merchant risk

      Details that can only be verified by the merchant using the order details and used for risk analysis:

      • Shipping to the billing address
      • Store delivery
      • Shipping e-mail address
      • Shipping delay
      • Purchase of gift cards
      • Available products or pre-order
      • First purchase or not
      • Result of the risk analysis made by the merchant
    2. Information about the cardholder’s user account

      Information relative to the details or the history of the user account on the merchant website:

      • Date of creation
      • Date of update
      • Date of last password change
      • Number of transactions
      • Suspicious activity
      • etc.
  • Information about the equipment

    Information about the equipment (browser / native iOS application/ native Android application):
    • IP address
    • Language
    • Screen size
    • Time zone
    • User-Agent
    • HTTP headers
    • Equipment model
    • Name of the OS
    • Version of the OS
    • Date and time
    • Screen resolution
    • GPS coordinates

    Depending on the OS, dozens of details can be exploited (IMEI, fonts, Subscriber ID etc.)

Exemptions and merchant preferences

The second Payment Services Directive (or PSD2) provides for cases where interaction with the buyer (the challenge) will not be necessary:

  • Transactions of low amounts (< €30),
  • Low risk transactions,
  • Installment payments*,
  • Recurring payments that are limited in time, with fixed installment amounts*.

*Strong authentication will be required upon the first installment and will cover the total amount of installments.

However, the issuer can request a strong authentication if 5 or more transactions were made with the same payment amount over the period of 24 hours, or if the total of exempt transactions reaches the amount of €100.

With 3DS2, it will no longer be possible to disable 3DS. However, the merchant can request an exemption in his or her payment request (this is referred to as “merchant preferences”).

In this case, if the request is accepted by the issuer, the buyer will not need to authenticate him or herself (no challenge) but the merchant will assume responsibility in case of an outstanding payment (no liability shift to the issuer).

In any case, the issuing bank is the one to determine whether the transaction will be subject to exemption.