How 3DS Secure 2.0 will reshape card payment acceptance

Watch our new panel discussion: Implementing 3D Secure 2: What happens next? to find out more about how to approach SCA compliance before the extended deadline.

From April 2019 new rules are being introduced by the card schemes that mandate the adoption of 3D Secure 2.0, the new EMVCo security standard that is VISA and Mastercard’s solution for compliance with the new Strong Customer Authentication (SCA) technical standards mandated by PSD2. We recently wrote about PSD2 and highlighted the impact of new rules for Strong Customer Authentication for eCommerce transactions in September 2019.  Implementing 3DSv2.0 will enable you to comply with these new laws.

But with 3DSv1.0 viewed so negatively by much of the online retail community, and with 3DSv2.0 being mandatory rather than optional for merchants, there are understandable concerns about how the new security standard might affect online businesses.

Here is our all you need to know guide for what 3DSv2.0 will mean for online merchants.

The need for reform

It will come as no surprise to anyone that online merchants have struggled to operate under the current 3D Secure system. The original online payments security solution mandating greater authentication processes at the checkout is accused of being a hindrance to optimal customer experience, and therefore has always been considered a principle reason for cart abandonment and a fall in conversion rates.

This struggle is exacerbated by the proliferation of new technology since 1999 – the year that 3DSv1.0 launched – that has fundamentally changed the way that people shop online. The growth in mCommerce – shopping on mobile phones – has redefined consumer preference and experience when it comes to online purchasing; 3DSv1.0 is of a different time and therefore doesn’t tailor to these buying platforms effectively.

And ultimately, there is a need for a new security protocol which utilises the evolution in technology to better protect consumers and merchants. The introduction of new solutions such as EMV has resulted in dramatic reduction of card present payment fraud, but the same is not true for card no present fraud.

In our 2018 Lost in Transaction research reports, 55% of businesses we surveyed told us that online card fraud was an increasing problem for them as a business, and 74% agreed that fraudsters are targeting online channels more than they were a year ago.

These figures are supported by our consumer research. 33% of British consumers and 34% of US consumers said that they had been victims of fraud. 29% of Canadians also said they had been victims of fraud, a 32% increase on the number of fraud victims in 2017.

When assessing these two factors, namely poor customer experience and security weaknesses, in tandem, it is clear that an upgrade to card payment authentication is overdue.

How is 3DSv2.0 different?

3DSv2.0 will make a visible difference for consumers at the checkout when it comes to the experience of verifying payments. Principally the antiquated (and insecure) static password system of verification that is the source of consumer frustration (and merchant frustration due to its role in driving up cart abandonment rates) will be shelved and replaced with authentication systems that are not only stronger but also are implemented with ultimate user experience in mind.

When a cardholder makes an online payment under 3DSv2.0 protocol it generates over 100 data points, which are shared between the merchant and issuer which will provide the issuer with a much greater picture as to the validity of the transaction. This data is used by the issuer to generate a more accurate risk profile of the payment than a simple password authentication, making the payment more secure, but also in the background rather than the preventing repetitive and arduous input from the consumer. The lack of friction that results from this change in procedure vastly improves the consumer experience.

Only if the transaction is deemed of the highest risk by the issuer is the consumer challenged to further authentication checks..

Under PSD2 Strong Customer Authentication this type of enhanced payment authentication must replace a static password with ‘two of three factor’ authentication; ‘what you know’, ‘who you are’, or ‘what you have’. By placing biometrics (‘who you are’) at the centre of the verification process this authentication is immediately better equipped to manage the authentication process more seamlessly for mCommerce which is key to online retail customer experience, and by giving consumers the choice as to how they verify their identity, even the process of verifying high risk transactions is a huge upgrade on the current system. 

However, whilst all transactions must go via 3DSv2.0, Visa believes that Strong Customer Authentication will only be required for 5% of all transactions. Given the volume of data generated by a payment that is available for analysis, low value (transactions under €30, up to the value of €100 in a 24 hour period), and transactions considered to be low risk will be exempt from these two factor authentication rules.

Other payment types that are exempt from Strong Customer Authentication include subscription or recurring transactions (although it is believed that recurring transactions of a variable amount will need to be authenticated each time), payments to merchants identified as ‘trusted beneficiaries’ by consumers to their bank, and inter-regional transactions where the issuer and acquirer are not based in Europe.

What happens next?

With the impending April deadline now on the horizon, now is the time for businesses that accept online payments to begin discussions with their payment service provider, in order to better understand how 3DSv2.0 will affect them.

At Paysafe we’re already beginning these conversations, and will be sharing specific details of our 3DSv2.0 solution in January. For more information on 3DSv2.0 or any for any other enquiries on how we cab enhance your business through smoother payments contact your Paysafe account manager or contact us online.