3-D Secure 2.0 Explained

In response to the rapid evolution of consumer behavior, the surge in payments made through digital channels like tablets, mobile phones and the Internet of Things in recent years, and the increased fraud rates observed, the European Payment Service Directive (PSD) has been updated. The new version is known as PSD2.

The new directive requires banks to open their customer data assets to third parties and also includes new safety requirements. It also led to the development of an enhanced security protocol known as 3-D Secure 2.0. PSD2 also introduces new transaction security measures such as Strong Customer Authentication (SCA), Risk Based Authentication (RBA) and Transaction Risk Analysis (TRA). Our research found that 73% of consumers say that multi-factor authentication makes their payment feel safer and more secure.

What is 3D Secure?

3D Secure (3DS) is a security protocol that requires customers to complete an additional authentication step when attempting an online card payment. 3D refers to “three domains”: the card issuer, the merchant, and the infrastructure that mediates between the consumer and the merchant.

In Europe, 3DS is required by the Strong Customer Authentication (SCA) regulation for all card payments, though it is optional in other regions.

What is 3D Secure 2.0?

In October 2022, all major card brands made the switch from 3DS 1 to 3D Secure 2.0 (3DS2), an updated version of the protocol that improved upon some of the limitations of its predecessor. In essence, 3DS2 enables faster, more secure, more accurate fraud detection.

How does 3D Secure work?

3DS verification is triggered whenever an attempted online card payment meets certain conditions. Those conditions are either that the customer lives in an SCA-mandated region or that the transaction or user falls within the parameters of the rules you’ve created in your payments or fraud prevention system.

For example, you might set 3DS to be presented to the customer if the transaction value exceeds $500 or is deemed especially risky. Your payments system will probably come with default rules for 3DS, though you can create custom rules to meet your own requirements.

If the transaction requires 3DS, your customer will be asked to complete an additional authentication step. Most commonly they will be redirected to the authentication page of their bank’s website or app and then have to use a one-time password (OTP) or biometric information to approve their purchase. Once authenticated, they’ll be returned to your website to receive confirmation of payment.  
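The trigger logic described above can be written as a small merchant-side policy check. This is an added example, not code from the original page or from any payment provider: the names `Payment`, `Rule` and `requires_3ds`, the 0.8 risk cut-off and the region subset are assumptions made for illustration.

```python
import math
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Illustrative subset of SCA-mandated markets (assumption, not a complete list).
SCA_REGIONS = {"DE", "FR", "ES", "IT", "NL", "IE"}


@dataclass(frozen=True)
class Payment:
    amount_usd: Optional[float]      # order value converted to USD
    billing_country: Optional[str]   # ISO 3166-1 alpha-2 code
    risk_score: Optional[float]      # 0.0 (safe) to 1.0 (risky), from a fraud tool


@dataclass(frozen=True)
class Rule:
    name: str
    matches: Callable[[Payment], bool]


# Rules mirror the conditions in the text; the 0.8 cut-off is an assumption.
RULES = [
    Rule("sca_region", lambda p: p.billing_country.upper() in SCA_REGIONS),
    Rule("amount_over_500", lambda p: p.amount_usd > 500),
    Rule("high_risk", lambda p: p.risk_score >= 0.8),
]


def requires_3ds(payment: Payment) -> Tuple[bool, List[str]]:
    """Return (decision, reasons); the reasons are kept for audit logging."""
    # Fail closed: incomplete input must never let a payment skip authentication.
    missing = [f for f in ("amount_usd", "billing_country", "risk_score")
               if getattr(payment, f) is None]
    if missing:
        return True, ["missing:" + f for f in missing]
    # Malformed values (NaN, negative amounts, out-of-range scores) also fail closed.
    if (not isinstance(payment.billing_country, str)
            or not math.isfinite(payment.amount_usd)
            or payment.amount_usd < 0
            or not 0.0 <= payment.risk_score <= 1.0):
        return True, ["invalid_input"]
    reasons = [rule.name for rule in RULES if rule.matches(payment)]
    return bool(reasons), reasons


if __name__ == "__main__":
    # Constructed sample payments.
    for p in (Payment(120.0, "US", 0.10), Payment(120.0, "de", 0.10),
              Payment(750.0, "US", 0.92), Payment(None, "US", 0.10)):
        print(p, "->", requires_3ds(p))
```

Logging the matched rule names alongside the decision makes it possible to review later why a given payment was or was not sent through 3DS.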

Advantages of 3D Secure v2

3DS 2.0 represents a marked improvement on 3DS1, which had a reputation for being slow, non-user-friendly, and sometimes even damaging to customer trust.

The main advantages of 3D Secure are:

  • Improved risk assessment – 3DS2 has significantly increased the quantity of data sent to issuers. This gives the system far more contextual information about the customer and the transaction, leading to more accurate risk assessments, optimized outcomes for the shopper and the merchant, and higher acceptance rates.
  • Improved user experience – as a result of improved risk assessments, customers deemed low risk by 3DS2 can continue with their purchase without any disruption (frictionless flow), with the whole process taking place ‘behind the scenes’. Higher risk customers can now be presented with a user-friendly authentication procedure such as biometrics or an OTP (challenge flow) that can take place entirely within the merchant’s website or app. This improved user experience boosts customer trust and confidence.
  • Reduces fraud and chargebacks – more accuracy results in a higher acceptance of legitimate transactions and better fraud prevention. Additionally, 3DS2 protects merchants by shifting the liability for fraud-related chargebacks onto the card issuer.
  • Reduces cart abandonment – integrating the 3DS experience into the user’s shopping journey minimizes disruption and reduces the chance that they’ll abandon their purchase in frustration.

Difference between 3DS 1.0 vs. 3DS 2.0

Most shoppers have experienced, at least once, the limitations of the 3DS 1.0 protocol through non-browser e-commerce transactions; paying on mobile devices or in-app can sometimes be a frustrating experience and not quite user-friendly.

The 3DS 2.0 protocol – created, owned and managed by EMVCo and its six member organizations, which include American Express, Discover, JCB, Mastercard, UnionPay and Visa – has been developed with the goal of improving the overall performance of the 3DS program, and it supports the payments industry in delivering a global, interoperable and consistent user experience across all e-commerce channels and connected devices.

The biggest differences in PSD2 and the new protocol include merchant liability shift in case of fraud, reduced interchange fees and authentication upgrades – all of which can result in benefits like higher approval rates and reduced friction due to improved risk-based authentications and a richer exchange of data.

Understandably, businesses may initially be concerned that more authentication elements will inevitably mean more friction points, thus affecting the overall customer experience which will have a negative impact on conversion rates – but in fact, it will likely have the opposite effect.

While drafting the PSD2, regulators kept these as central considerations and included a number of provisions that will allow merchants to maintain, and even improve, speed and user-friendliness.

With increased usage and popularity of these types of transactions, the new version of the 3DS specifications is designed to deliver better integration with the merchant – addressing the limitations of 3DS 1.0, curbing cart abandonment rates and improving the user experience, all without compromising security. Let’s break down some of the key changes in 3DS 2.0 and what they’ll mean for your business.

What is Risk-Based Authentication (RBA)?

An important advantage of 3DS 2.0 is that it facilitates a richer exchange of data between the cardholder’s device and the issuer – essentially, enabling the issuer to perform Risk-Based Authentication (RBA). 3DS 2.0 will allow for an exchange of over 100 data elements on each transaction, factoring data points like a shipping address, device ID, and previous transaction history, in order to assess the risk level of each transaction. Depending on the issuer’s decision, the authentication will then either go through a frictionless flow, when the transaction is perceived as secure or through a challenge flow, where the user may be prompted to provide further verification.

According to Mastercard, through this data validation measure, it is expected that 90% of all transactions will not require a challenge to authenticate the user, thus reducing overall friction and cart abandonment rates. Even better, users will not need to provide a password or SMS in order for the merchants to benefit from the liability shift.

With 3DS 1.0, there is a security protocol in which a bank page appears and confirms that there is no need to authenticate for this transaction – this can be an unnecessary friction point. However, with 3DS 2.0, the redirect or bank page will no longer be displayed to the user which will create a smoother, faster flow toward checkout completion.
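How a merchant back end might act on the issuer's decision in the frictionless and challenge flows is sketched below. This is an added example, not code from the original page: the one-letter status codes are the `transStatus` values of the EMV 3-D Secure specification (they do not appear on this page), and `next_action`, `Outcome` and the `proceed_unverified` policy flag are hypothetical names.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Action(Enum):
    AUTHORIZE = "authorize"   # continue to payment authorization
    CHALLENGE = "challenge"   # hand the shopper to the issuer's OTP/biometric step
    DECLINE = "decline"       # stop the payment


@dataclass(frozen=True)
class Outcome:
    action: Action
    flow: str                 # "frictionless" or "challenge", as in the text


def _norm(status: Optional[str]) -> str:
    # Anything that is not a string is treated as an empty (unknown) status.
    return status.strip().upper() if isinstance(status, str) else ""


def next_action(trans_status: Optional[str],
                challenge_result: Optional[str] = None,
                proceed_unverified: bool = False) -> Outcome:
    """Map the issuer's status (and the challenge result, if any) to an action."""
    status = _norm(trans_status)
    flow = "frictionless"
    if status in {"C", "D"}:                 # issuer asks for a challenge
        flow = "challenge"
        if challenge_result is None:         # challenge not completed yet
            return Outcome(Action.CHALLENGE, flow)
        status = _norm(challenge_result)
        if status in {"C", "D"}:             # a finished challenge must be terminal
            return Outcome(Action.DECLINE, flow)
    if status == "Y":                        # issuer authenticated the cardholder
        return Outcome(Action.AUTHORIZE, flow)
    if status in {"A", "U"} and proceed_unverified:
        # Attempted/unavailable authentication: proceeding is a merchant
        # policy choice (assumption), so it is off by default.
        return Outcome(Action.AUTHORIZE, flow)
    # N, R, I, empty or unrecognised values: fail closed.
    return Outcome(Action.DECLINE, flow)


if __name__ == "__main__":
    # Constructed sample responses.
    for args in (("Y",), ("C",), ("C", "Y"), ("C", "N"), ("U",), ("??",)):
        print(args, "->", next_action(*args))
```

The default branch declines, so a status value the code does not recognise can never be read as a successful authentication.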

What is Transaction Risk Analysis (TRA)?

The new protocol also introduces Transaction Risk Analysis (TRA), which is the proprietary fraud risk analysis that issuers and acquirers will apply to each transaction. It is based on an algorithm built to detect the cardholder’s spending or behavioral patterns. Other risk factors analyzed include cardholder location, merchant location, monetary threshold, and real-time fraud rates for e-commerce transactions.

imorney-global.com receives 3DS 2.3.1 certification

In May 2023, imorney-global.com received its 3DS 2.3.1 certification from EMVCo, the technical body composed of the six largest payment networks that manages and promotes secure payments.

The certification authorizes us to use proprietary AI to enhance our payment solutions while reducing fraud, giving our clients more power to tackle online threats and improve their payment performance.

The latest 3DS 2.3.1 protocol further improves on the limitations of its predecessors, specifically in reducing cart abandonment and customer friction, and improving payment performance.

It has also introduced a process that means, rather than switching manually from the merchant’s checkout to their banking app or website, your customers will be automatically redirected to their bank app for verification. Additionally, 3DS 2.3.1’s new integrated authentication methods, including Secure Payment Confirmation (SPC) and WebAuthn, help to combat fraud while improving customer experience.

These tools and more are available as part of our flexible Fraud Detection Pro and Integrated Platforms solutions, which allow merchants to customize their fraud prevention and payments strategies to their exact needs.

What do real-time payments mean for merchants?

As new payment technology emerges, the way consumers, businesses, and individuals are moving money around is evolving fast.

In fact, the only thing that’s moving quicker than the industry is the speed of the payments themselves – and here’s where real-time payments come in.

Below, we’re breaking down what real-time payments are and how they differ from ACH and wire transfers. We’ll explain how real-time payments work, where they’re used, and – most importantly – how they stand to change the game for merchants going forward.

What are real-time payments?

Real-time payments (also known as immediate payments or instant payments) are any transfer of funds between two parties that makes the money received immediately available to the recipient. The funds will show up instantly in the payee’s balance; and, likewise, be instantly deducted from the payer’s bank account.

Real-time payments are available 24/7, 365 days a year – enabling in-the-moment transactions regardless of holidays, weekends, or periods of bank inactivity.

So – do ACH transfers, wire transfers, and mobile payments all count as real-time payments?

No. While these all remain popular and effective ways for businesses, consumers, and private individuals to pay, the networks they’re processed through, the parties involved, and the length of time they all take to process mean they aren’t the same as real-time payments.

  • ACH transfers, for instance, are not instant: they can take up to five business days to process, and even same-day ACH payments (provided they’re sent before the cut-off date) still take several hours to reflect in the payee’s bank balance.
  • Wire transfers occur between two banks rather than through an RTP network – and because banks operate at a slower pace, payments made through wire transfers can take up to 48 hours to arrive in their recipient’s account.
  • Mobile payments still require a settlement period, and funds received by a merchant through a customer’s digital wallet – such as using Google Pay, Apple Pay, or Samsung Pay from their mobile phone – don’t appear immediately in the business’s account.

Crucial to remember is that, because real-time payments go through instantly, they’re irreversible. Both parties – the payer and payee – will be unable to deauthorize the transfer once it’s gone through.


How do real-time payments work?

A real-time payment involves five different parties:

  • The payer
  • The payer’s financial institution
  • The payee
  • The payee’s financial institution
  • The RTP network

When a merchant initiates a payment, a unique identifier – which contains the transaction details and the amount to be paid – is sent to the customer’s device.

Then, the customer simply confirms those details to finalize the payment on their end from the app or service they’re using to make the real-time payment. From there, the app works with both the merchant’s and the customer’s bank to shore up the final details – and authorize the payment.

The RTP network acts as a kind of mediator – a crucial ‘middleman’ that validates the transaction and verifies there are sufficient funds in the payer’s bank account before accepting (or rejecting) the payment. It’s this network, which is much faster than traditional banks working directly together, that enables real-time payments to actually be in real-time – and neatly sidestep the hours, and days, ACH and wire transfers require.

Where are real-time payments used?

There are so many payment situations that can benefit from real-time payments. These could include:

  • Business to business (B2B): making refunds, offering adjustments, and paying suppliers.
  • Consumer to business (C2B): paying bills and for goods and services at the POS (point of sale).
  • Person to person (P2P): sending money to friends or family.
  • Business to government (B2G): paying rates, taxes, and business registration fees.

In the financial services and retail sectors, real-time payments stand to make a particularly big splash. Challenger banks will be able to use real-time payments to continue to set themselves apart from the clunky, inflexible approaches of some of the big, traditional banks – and appeal, in particular, to Gen Z buyers craving speed and convenience. In the retail sector, meanwhile, real-time payments can transform the way goods are bought, sold, and returned.

Benefits of using real-time payments

Whether it’s seamlessly repaying a friend for dinner or paying instantly for goods or services at the point of sale, the benefits of real-time payments for consumers are clear.

So how do real-time payments make merchants’ lives easier, too?

Speed

Real-time payments – as the name suggests – are fast.

For merchants, this allows you to banish inefficiencies in your back office: reducing processing delays and cutting out the time and financial costs of having to manually intervene when a (non-RTP) transaction fails to clear.

Cash flow

When you receive payments for goods and services instantly – not several working days later – you’ll naturally have a clearer picture of your business’s cash flow situation. This enables you to accurately forecast for the future, and make better decisions – ones informed not by hunches, but by your business’s actual financial circumstances.

Cut costs

By harnessing real-time payments, you’ll benefit from lower operational costs, too.

Because real-time payments don’t involve a card intermediary (such as Visa and Mastercard), you won’t pay any interchange fees as a merchant. Interchange fees can be up to 4% of each credit card transaction you accept – so, cumulatively, avoiding them represents big savings.

Open up a new world of business

With many emerging consumers ‘frozen out’ by the infrastructure of traditional banking – unable to apply for a debit or credit card due to age or credit score, for example – concerns around financial inclusion are as rife as ever.

This, of course, is a dilemma real-time payments can solve: and it’s good news for merchants, too. By enabling access to cashless payments to a whole new generation of shoppers, real-time payments can bring more consumers – hungry for the products and services you provide – to your business’s door.

A frictionless returns experience

According to Shopify, 20% of all items bought online are returned (compared to 9% for brick-and-mortar stores). So, for e-commerce businesses in particular, a solid returns policy – and process – is a must.

Real-time payments offer just that. You can refund a customer for unwanted or damaged goods in an instant – and seeing their funds returned to their bank account alleviates any anxiety or uncertainty on their end. Ultimately, this will boost their trust in and loyalty towards your brand – making it more likely they’ll buy from you again.

Payment options with iMorney-global.com

Real-time payments are an exciting, expanding new element of the payments space.

That said, they may not be the right fit for all merchants. Because of their irrevocable nature, you may, for example, still opt for ACH instead when it comes to paying staff or making supplier payments.

What is the best approach? Setting your business up to accept multiple payment methods.

This allows you to remain flexible and modular and offer your customers (across different regions, countries, and markets) the ability to pay in the way they’re most comfortable with.

Here at imorney-global.com, we empower you to accept payments through the methods and currencies your customers know and love. That includes ACH, American Express, Apple Pay, Google Pay, PayPal, Trustly, WeChat Pay – and plenty more options to suit the needs of your business, and customers, to a tee.

Explore the full range of digital wallets, international card schemes, and alternative payment methods imorney-global.com supports – and browse our complete payment methods directory.

And get in touch with our sales team to find out how imorney-global.com can work for you.
