Posts

Explained: 3D Secure 2 (3DS2)

The more you sell online, the more opportunities there are for fraudsters. Luckily, there are measures you can take to protect your customers and secure your revenue. One of these measures is 3DS2. 

3DS

First introduced in 2001 by EMV, 3D Secure, known by its acronym 3DS quickly became the standard anti-fraud measure in the industry. So how does 3DS work? Whenever customers initiate a purchase on the web, they are redirected to a secure page on their card provider’s website. Here, they are prompted to either enter a password or an authentication code that is sent to their mobile phone. Once the information is verified, the payment is approved and customers are redirected to the merchant’s website.

By adding a security layer to online transactions, 3D Secure made it a lot harder for fraudsters to steal, it lowered transaction costs, increased trust among online customers shifted liability away from merchants. And yet, it also had various drawbacks that only became worse in time.

For the average consumer, being redirected to a separate website and asked for a code turned out to be less straightforward than expected. This leads to abandoned carts and lost revenue. Moreover, when it was introduced in 2001, mobile commerce was non-existent.

3DS2

The follow-up to the original 3D Secure brings much-needed improvements to security and user-friendliness. To grasp these changes, we need to understand what 3DS2 is meant to accomplish. The new standard, 3DS2, has been developed in line with the regulations outlined in the European Union’s Revised Payment Services Directive (PSD2).

PSD2 outlines the rules and regulations by which all players within the European payments industry must abide by in order to protect consumers, secure payments and foster healthy competition within the market.

One of the practical results of the Revised Payment Services Directive is the development of Secure Customer Authentication (SCA) as a European regulatory requirement. For transactions to comply with SCA, customers are required to identify themselves using multi-factor authentication. In other words, they must present two out of three of the following identifiers: Knowledge (Something they know, e.g. password/PIN), Possession (Something they own, e.g. mobile phone, token), Inherence (Something they are, e.g. biometrics, voice/facial recognition).

In other words, 3DS2, the new version of 3D Secure, is meant to be SCA compliant. Being SCA compliant has many benefits that go beyond fraud prevention. With 3DS2, issuing banks are provided with over 100 data points that help them identify users and authenticate payments.

 

For a more thorough explanation of 3DS2, check out the following resource:
https://3dsecure2.com/

Explained: Strong Customer Authentication (SCA)

Strong Customer Authentication is part of the revised Payment Services Directive (PSD2) that came into force in 2018. PSD2 outlines that payments are to be made more secure and that platforms need to be open for integration with third parties. SCA specifically, refers to the way in which payments are made more secure. 

By the end of 2020, online shoppers will be required to verify their identity by sharing two out of three of the following elements:

  • Something they know (password, pin, secret fact)
  • Something they own (phone, wearable, hardware token)
  • Something they are (fingerprint ID, facial ID, voice ID, retina scan)

SCA adds friction 

So what does SCA mean for business? SCA makes payments secure and gives businesses a leg up in the battle to eradicate fraud. However, SCA also adds friction to the shopping experience. For some users, learning new tricks like using biometrics at checkout can prove challenging.

SCA is not always necessary

Luckily, there are various exceptions to the rule. The following are the most common:

  • Transactions (partly) outside the EEA
  • Low transaction value
  • Low transaction risk
  • Trusted beneficiaries

The following transactions are excluded from SCA as they fall outside the scope of the regulation:

  • MOTO: Transactions completed over the telephone or via mail order.
  • MIT: Merchant initiated transactions (MIT) like recurring payments or subscriptions.

Frictionless flow and chargeback liability shift

PSD2 also includes provisions that allow merchants to minimize the blow of SCA to the consumer experience. One such provision is ‘frictionless flow.’ Frictionless flow allows SCA measures to be bypassed. In other words, eligible merchants will be able to offer their consumers a checkout experience without any added friction. Frictionless flow can only be applied to transactions that meet certain criteria; e.g. the size of the purchase in relation to the fraud rate of the merchant (acquirer).

 

For a more thorough explanation of SCA, check out the following resource:

https://www.jpmorgan.com/jpmpdf/1320747214117.pdf

Explained: Revised Payment Services Directive (PSD2)

The European Union’s Revised Payments Services Directive (PSD2) has many purposes. PSD2 aims to improve the European payments industry by promoting healthy competition and increasing the participation of non-banks. The directive provides protections by facilitating the harmonization of rights and obligations of consumers and payment providers across the European Union. It also aims to empower consumers, by giving them more control over their data, and improve security for online payments.

A practical example

As of the launch of PSD2, banks are now required to provide third parties with access consumer’s banking data once the consumer has given explicit approval. Because of PSD2, fintech developers are able to create apps that directly interface with the consumer’s banking data and pull information from various bank accounts.

In other words, somebody with bank accounts at three different banks can now download a third-party app, provide the necessary permissions and thus gain never-before-seen insights into his or her financial situation through a unified dashboard.

Consumers can now also authorize payments via these third parties. PSD2 allows registered service providers to act as acquirers and deal directly with the banks on behalf of the consumer, completing transactions without the need for an intermediary.

Fintech companies are increasingly handling more banking duties on behalf of consumers. PSD2 makes sure that these third parties play by the rules and that consumers have the final say on how their banking data is managed.

Learn more about PSD2 at the following resource:
Payment services (PSD 2) – Directive (EU) 2015/2366

 

Other articles in this series:

  • Explained: SCA
  • Explained: 3DS2