3DS 2.0: What you need to know

The 3D secure protocol behind Verified by Visa and Mastercard SecureCode is being updated. At the same time, PSD2 regulations in Europe around strong customer authentication come into force on 14 September 2019. We explain the implications for those who accept card payments. In this article we answer some of the most frequently asked questions about 3DS 2.0.

What is strong customer authentication?

Strong customer authentication is part of a package of measures included in the revised Payment Services Directive (or PSD2). This EU legislation applies across countries in the European Economic Area, including the UK irrespective of Brexit negotiations. Its broad aims are to make payments safer, increase consumer confidence to transact electronically, foster innovation and competition, and create a level playing field for all players, including new ones.

This wouldn’t be an explainer about payments without some acronyms. There are a couple more in this paragraph. The European Banking Authority (EBA) had the delegated authority to determine how the general provisions included in the PSD2 would work in practice. It did this in a regulatory technical standard (or RTS).

This defined strong customer authentication as two or more of the following: something a customer knows (e.g. PIN or passcode), something they have (e.g. card or phone) and something they are (e.g. fingerprint).

There are exemptions but generally every electronic transaction is subject to strong customer authentication. This is a significant change. Up until now major card schemes had strong customer authentication protocols for online payments under 3D secure, yet participation was optional. Acquirers and merchants were able to decide whether or not they used Verified by Visa or Mastercard SecureCode during the checkout process.

From 14 September 2019, all payment service providers are required to undertake strong customer authentication when a customer accesses their payment account online or makes an online payment, unless one of the permitted exemptions applies.

What are the exemptions to strong customer authentication?

Contactless payments up to €50 with a cumulative limit of €150 or five consecutive transactions are exempt from strong customer authentication. As are low-value payments up to €30, with a cumulative limit of €100 or five consecutive transactions.

Transport fares or parking payments at unattended devices are exempt.

Recurring payments and those to trusted beneficiaries already white-listed by the payer do not require strong customer authentication, under certain circumstances. One of these is when the payer initiates a series of payment transactions of the same amount to the same business.

Low-risk transactions are also allowed as an exemption within certain limits (e.g. fraud rates by transaction value bands), subject to strict monitoring requirements.

So-called ‘one leg out’ transactions when either the card issuer or card acquirer are outside the European Union are also exempt from strong customer authentication.

What is driving the change in authentication requirements?

A combination of changing customer habits, technology and regulation is driving change.

Consumers are not only purchasing more online, they are also researching more online before purchasing offline. Research firm Forrester predicts that 55% of European retail sales will either be online or digitally influenced by 2021. Mobile plays a significant role as there are around 3.6 billion mobile internet users worldwide, according to 2019 figures from the GSMA.

Technology has also evolved since the first version of the 3D secure online authentication protocol from the late 1990s. Biometrics is increasingly being used outside law enforcement, border and access control. Data analytics and device ID have also changed what is possible since the days of dial-up connections and browser-based authentication.

Regulation is also driving change. As commerce has migrated online, so have the fraudsters. Regulators are keen to protect consumers, ensure they have the confidence to transact online, and drive market efficiencies and competition. The PSD2 is driving the regulatory agenda in Europe, yet its themes are common to regulators worldwide.

What are the main changes between 3DS 1.0 and 3DS 2.0?

The 3DS protocol is managed by EMVCo and underpins Verified by Visa, Mastercard SecureCode and other authentication solutions. The changes between versions 1.0 and 2.0 of the protocol are best summarised as more devices, more data, more service.

3DS 2.0:

• Addresses the need for omni-channel by optimising the customer experience on mobile devices, PC, digital television as well as in-app.
• Allows the passing of more data with each transaction message to enable issuers to better assess risk.
• Supports current and future innovations for more frictionless authentication, e.g. biometric or ‘behaviometrics’ if the issuer supports Apple TouchID or facial recognition.

While 3DS 2.0 is the new, enhanced version of the existing protocol, it still connects the acquirer, issuer and card scheme (the three domains in the 3DS protocol). This remains unchanged.

What timelines do merchants need to be aware of?

The EBA requires strong customer authentication on every electronic transaction from 14 September 2019, unless one of the permitted exemptions applies.

How can CashFlows help you prepare for strong customer authentication?

3DS 1.0 is PSD2-compliant. It is already in widespread use and offered by CashFlows today.

CashFlows is already able to accept 3DS 2.0-enhanced data to and from gateways as an acquirer. We are also able to support merchants using hosted payment pages to take advantage of the extra 3DS 2.0 functionality. No changes are required to the current merchant and gateway integrations to support 3DS 2.0.

CashFlows is currently working with customers and partners to support them with 3DS 2.0 planning in advance of the 14 September 2019 EBA deadline. For further information, get in touch today.