3DS2: the new authentication standard

In order to fight against the increase in fraud with e-commerce transactions, a new version of the 3D Secure protocol has been released: 3D Secure 2 (3DS2).

This new version increases the security of payments and improves the user experience: based on intelligent and dynamic risk analysis, it allows to reduce the number of abandoned transactions that came with 3DS1 by minimizing the amount of communication with the buyer.

To do this, more information (almost 10 times more compared to the previous version, 3DS1) will be used by the issuer in order to evaluate the transaction risks.

If the issuer determines that the level of risk for the transaction is low, buyer authentication will be performed without interacting with him or her. In this case, the authentication is “Frictionless”.

If the issuer estimates that the risk for the transaction is high, interaction with the buyer is necessary. In this case, it is a “Challenge”.

During this challenge, the buyer will have to pass at least two authentication factors. This authentication method is called SCA (Strong Customer Authentication).

SCA requires for two out of three different authentication factors to be provided:
  • Possession: an object that the customer owns (such as a phone for e-commerce payment or a bank card for payment in the shop).
  • Knowledge: information known only to the client (such as a password).
  • Inherence: biometric element that identifies the client (such as a device fingerprint, vocal or facial recognition).

SCA is required only if the issuer and the acquirer are both located in the European Economic Area (EEA).

SCA is not mandatory for transactions made with a card issued outside the EEA, nor if the merchant has a contract with an acquirer outside the EEA, even if the card is issued in the EEA (case referred to as “one-leg”).

The implementation of the so-called strong two-factor authentication method is gradually being deployed by card-issuing institutions around the world.

Other features:
  • Authentication in pop-in mode replaces redirection to the ACS page.
  • This new version is better suited for new payment channels like in-app payments and mobile payments.

More information exchanged between the different interlocutors

With 3DS1, only the following information was used to allow cardholder authentication:

  • Merchant contract number (MID)

  • Acquirer’s BIN

  • URL of the authentication server

  • Messages (VEReq, VERes, PAReq, PARes)

  • Card number

  • User Agent of the buyer’s browser

With 3DS2, there is 10 times more information shared, falling into 4 categories:
  • Transaction & client details

    Contains mandatory or optional information retrieved during the customer journey on the merchant website and using the transaction details:

    • Card number and expiry date
    • Billing address
    • Shipping address
    • Merchant name
    • URL of the merchant website
    • Country
    • MCC code
    • Acquirer BIN
    • MID
    • Amount
    • Currency
    • Transaction type
  • Merchant details

    1. Information about the merchant risk

      Details that can only be verified by the merchant using the order details and used for risk analysis:

      • Shipping to the billing address
      • Store delivery
      • Shipping e-mail address
      • Shipping delay
      • Purchase of gift cards
      • Available products or pre-order
      • First purchase or not
      • Result of the risk analysis made by the merchant
    2. Information about the cardholder’s user account

      Information relative to the details or the history of the user account on the merchant website:

      • Date of creation
      • Date of update
      • Date of last password change
      • Number of transactions
      • Suspicious activity
      • etc.
  • Information about the equipment

    Information about the equipment (browser / native iOS application/ native Android application):
    • IP address
    • Language
    • Screen size
    • Time zone
    • User-Agent
    • HTTP headers
    • Equipment model
    • Name of the OS
    • Version of the OS
    • Date and time
    • Screen resolution
    • GPS coordinates

    Depending on the OS, dozens of details can be exploited (IMEI, fonts, Subscriber ID etc.).

  • Authentication details

    1. Authentication on the merchant website
      Concerns buyer authentication (not 3DS) for access to the merchant website:
      • Authentication method
      • Date and time of the connection
      • Authentication details

    2. Previous strong authentication
      3DS authentication details issued from a previous transaction made by the same cardholder with the same payment method:
      • Authentication method (frictionless or challenge)
      • Date and time of 3DS authentication
      • Authentication details (ACS transaction number)