The introduction of new Strong Customer Authentication (SCA) regulations requiring 3D Secure 2 (3DS 2) has been described as ‘the biggest change to card payments since chip and pin was rolled out 16 years ago’ [1].
These new regulations were brought in due to rising fraud and cyberattacks, which were affecting consumers’ trust in the ability of banks to keep their assets safe, making them increasingly reluctant to carry out card-not-present transactions. The changes have been enforced since March 2022 and are already having a huge impact on transaction declines, with 14% of shoppers noticing an increase in declined payments [2].
At Cashflows we decided to do things a little differently. Rather than build 3DS 2, we went a few steps further and built 3DS 2.2 and here’s why:
What is 3DS 2 and what are the benefits over 3DS 1?
To understand 3DS 2.2, first you have to understand 3DS 2. 3DS 2 is an upgraded version of 3DS 1, which was a security protocol used to authenticate users, enabling businesses to comply with SCA regulations. The primary difference between the earlier version and version 2 is that version 2 requires 2-factor authentication to enable a transaction, asking users for 2 out of 3 pieces of information to complete their transaction:
- something the user is, for example their fingerprint
- something the user has, for example their phone
- something the user knows, for example a password
As well as being necessary to remain compliant, 3DS 2 provides:
- Smoother experience
- More mobile-friendly
- More data
- Faster authentication
- Decreased fraud
- Increased transaction approval rate
- Secure transactions across multiple devices
- New ways to authenticate, including banking app
How is 3DS 2.2 different from 3DS 2?
The main way that 3DS 2.2 differs is that it allows customers to request exemptions through their acquirer, rather than this being set by the card schemes. This means that we can tailor exemptions to the risk profile of businesses on an individual basis.
Why did we decide to build a 3DS MPI?
Most payment providers used third parties to build the necessary systems to enable 3DS 2, but we believe in the value of owning as much of our tech stack as possible, so that we can adapt fast and be flexible to our customers’ needs. At the time that discussions about 3DS 2 were in their initial stages, we realised that we already had a lot of the components needed to create our own 3DS MPI. This fitted into our approach of owning as much of the payments journey as possible in order to create the best possible payment experiences.
Why did we choose to build 2.2 instead of 2.1?
The eventual upgrade of requirements to 3DS 2.2 is inevitable, so we were just ahead of the curve. We wanted to ensure the least amount of ongoing disruption to our customers, and by bypassing 3DS 2 we can now avoid the need for re-certification. We also don’t need to commit as much developer resource to this, enabling us to focus on building out our capabilities for the businesses we support.
What were the challenges we faced in building it?
Building 3DS 2.2 wasn’t easy, which is why many payments providers choose to outsource, but we knew our customers would benefit if we built our own.
We faced tight deadlines from the card schemes and the government, which were made more difficult to meet by limited SME availability, due to their increased workload as a result of Covid-19.
We also faced difficulties in terms of upgrading legacy tech. Whilst our tech is all cloud native, some of the systems surrounding 3DS are not, complicating the build.
How has it positively impacted our customers?
3DS 2.2 has meant that our customers no longer need to choose between having a seamless checkout experience across channels for their customers and having stringent fraud and chargeback prevention measures; 3DS 2.2 does both.
The new build complements other technological developments, such as Apple and Google Pay, that aim to reduce risk, increase authorisation levels, and deliver the best possible experience to cardholders, meaning that we can continue to improve our customer offering without too much disruption to their systems.
[1] The Guardian, https://www.theguardian.com/money/2022/mar/14/uk-shoppers-face-more-identity-checks-when-buying-online