What Is 3-D Secure?

3-D Secure (3DS) is a payment protocol designed to provide an additional layer of protection against fraud by enabling consumers to authenticate themselves with their payment card issuers when making purchases in digital channels. The “3D” stands for the three parties, or “domains”: the acquirer bank, the issuer bank, and the infrastructure supporting the protocol, whether it’s the Internet or software providers.

Arcot Systems and VISA first developed the protocol to improve the security of online payments and reduce fraud. Merchants used the first version of the 3DS protocol in 1999 to stop fraudulent purchases online and enhance the security of digital payments.

This version, along with 3DS 1.0 (or 3DS1), helped reduce fraud, but also introduced numerous problems for e-commerce. Among other things, it required credit card users to enroll in the system using static passwords that many would promptly forget. When making a purchase, 3DS assessed 15 rudimentary data elements to verify identity. And because 3DS shifted liability for fraudulent purchases to card issuers, they often took a “better safe than sorry” approach that meant friction was all but guaranteed.

What’s more, a lot changed over the next 15 years—including the adoption of mobile as the go-to channel for Web browsing and purchases. With 3DS1, mobile users who couldn’t remember their passwords were redirected to a bank page that, more times than not, wasn’t optimized for mobile. SMS was used as an alternative, but presented issues of its own.

These extra steps caused a spike in cart abandonment and online conversion rates cratered. With card issuers responsible for fraudulent transactions, removing this secondary form of authentication wasn’t going to happen. It would be another 15 years before a solution would emerge.

3-D Secure 2.0 Improvements

In 2016, 3DS2 was developed to overcome the limitations found in early versions of the protocol. The second version was completely redesigned to improve security and provide a frictionless flow experience for legitimate customers. 3DS2 represented a significant improvement because it:

  • Supports mobile phones and other consumer-connected devices
  • Sends data to the issuing bank first at purchase, to see if additional verification is needed
  • Requires challenges only for risky transactions; otherwise, a “frictionless flow” process is initiated

This enables merchants to integrate the authentication process into their checkout experiences. Issuing banks can authorize payments using risk-based authentication, with no additional steps required by consumers.

The Rise of 3DS 2.1 and 2.2

One of the latest improvements to 3-D Secure was published in 2019 as 3DS 2.1. It increases the number of data elements merchants send to issuers at the point of transaction to 100, with 20 required and the rest optional but recommended by EMVCo, the consortium behind the standards.

A richer dataset that includes information such as email and IP address, shipping address, and device status is shared with the issuer, allowing issuers to authenticate transactions faster and enabling far more transactions to be handled without friction.

3DS 2.2 not only builds on the foundation of the previous version but also adds the ability to authenticate through their acquirer or digital wallet provider. For these reasons and more, 3-D Secure has become the cornerstone of online payment authentication.

How 3-D Secure Works

With the advent of 3DS2, card issuers and payments processors no longer have to lower fraud at the cost of conversions. But how does 3-D Secure fraud prevention work?

Authentication Request

At checkout, the customer enters their card details. Behind the scenes, the merchant’s 3-D Secure provider sends an authentication request to the issuer. This request contains over 100 data points about the cardholder, their device, and previous transactions they have made.

Risk Assessment

The issuer’s 3-D Secure provider receives the data-rich request and assigns that transaction a risk score. These data points are compared against threat models using machine learning and statistical analysis. This method of fraud detection happens in mere seconds.

Authentication or Challenge

If there is enough data to authenticate the user, the transaction proceeds through a frictionless flow, with no other input required from the customer. If the transaction is suspicious, the customer is sent through a challenge flow to provide additional information.

Challenges may include a One Time Password (OTP) sent via text, a biometric fingerprint scan, or some other measure. Advancements in risk-based authentication have dramatically reduced transaction fraud while preserving the customer’s online experience.
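The frictionless-or-challenge decision described above, seen from the merchant side, as an added example that is not from the original article or from Outseer: a handler that validates the issuer's response and fails closed on anything unexpected. The field names (`messageType`, `messageVersion`, `transStatus`, `threeDSServerTransID`, `authenticationValue`, `acsURL`) follow the EMV 3-D Secure message format; the sample messages, the `ares` and `next_step` helpers, and the three return labels are constructed for illustration.

```python
import json

SUPPORTED_VERSIONS = {"2.1.0", "2.2.0"}
FRICTIONLESS = {"Y", "A"}   # authenticated, or attempt processed
CHALLENGE = {"C"}           # issuer asks for step-up authentication
CRYPTOGRAM = "Y29uc3RydWN0ZWQ="  # constructed placeholder, not a real value

# Constructed sample request; the transaction ID is made up.
AREQ = {"messageType": "AReq", "messageVersion": "2.2.0",
        "threeDSServerTransID": "11111111-2222-4333-8444-555555555555"}

def ares(**fields) -> str:
    """Build a constructed ARes JSON string answering AREQ."""
    base = {"messageType": "ARes", "messageVersion": "2.2.0",
            "threeDSServerTransID": AREQ["threeDSServerTransID"]}
    base.update(fields)
    return json.dumps(base)

def next_step(areq: dict, ares_json: str) -> str:
    """Return 'authorize', 'challenge' or 'stop' for a response to areq."""
    try:
        msg = json.loads(ares_json)
    except json.JSONDecodeError:
        return "stop"
    if not isinstance(msg, dict) or msg.get("messageType") != "ARes":
        return "stop"
    if msg.get("messageVersion") not in SUPPORTED_VERSIONS:
        return "stop"
    # The response must belong to the request that was actually sent.
    if msg.get("threeDSServerTransID") != areq["threeDSServerTransID"]:
        return "stop"
    status = msg.get("transStatus")
    if status in FRICTIONLESS:
        # Assumption: authorization needs the issuer's authentication value.
        return "authorize" if msg.get("authenticationValue") else "stop"
    if status in CHALLENGE:
        url = msg.get("acsURL")
        ok = isinstance(url, str) and url.startswith("https://")
        return "challenge" if ok else "stop"
    return "stop"  # N, U, R, missing or unknown status: fail closed

SAMPLES = {
    "frictionless": ares(transStatus="Y", authenticationValue=CRYPTOGRAM),
    "challenge": ares(transStatus="C", acsURL="https://acs.example/challenge"),
    "rejected": ares(transStatus="R"),
    "no_cryptogram": ares(transStatus="Y"),
    "wrong_txn": ares(transStatus="Y", authenticationValue=CRYPTOGRAM,
                      threeDSServerTransID="00000000-0000-4000-8000-000000000000"),
    "unknown_status": ares(transStatus="Z"),
}
```

Only the first two samples move the checkout forward; every other response, including a "Y" with no authentication value or with a transaction ID that does not match the request, stops before authorization.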

The Importance Of 3-D Secure 2.x

Organizations that have migrated to Outseer 3-D Secure reap cost savings from fewer chargebacks and related losses. But there are also numerous other benefits.

Higher Online Conversion Rates

Experts state that 3DS2 has reduced checkout times by 85% and cart abandonment by 70%. Thanks to mobile compatibility and larger data sets in 3DS2, customers experience fewer interruptions and a better experience across their devices. This translates to revenue increases for banks and card networks, and more interchange fees for issuers.

Rock Solid Security

Because of its use of two-factor authentication (including biometrics and token-based models, instead of static passwords), 3DS2 is central to the secure customer authentication (SCA) rules in the EU’s second Payment Services Directive (PSD2). As part of that version, merchants hitting low fraud thresholds can request exemption from SCA requirements from the issuer, providing for even faster transactions.

While the United States doesn’t currently enforce SCA, it’s still catching on for a number of reasons.

While merchants and issuers doing business in the EU’s $300 billion ecommerce market are exempt from PSD2’s SCA requirements, that could change. What’s more, regulatory fervor is spreading everywhere: Australia, Mexico and others have started to enact SCA requirements. It’s simply a matter of time before state and federal regulators begin mandating such standards as well, which means implementing the latest version of 3-D Secure will help keep organizations ahead of the curve.

Merchant-friendly Features

Many merchants have resisted the EMV 3-D Secure protocol over concerns about it interfering with the consumer check-out experience. Admittedly, the first version of the protocol was cumbersome for consumers and led to increased cart abandonment rates. Thankfully, the second version provides for a completely frictionless experience. It also introduced a number of features to make the protocol more appealing to merchants than ever.

  • An extension of the shift in liability, whereby merchants are no longer responsible for covering the cost of fraudulent transactions
  • Automatic enrollment of consumers in the program so they no longer need to sign up themselves
  • Additional data elements that can yield more accurate assessments of fraud transaction risk in real time
  • The ability for merchants to make the final call on whether or not to challenge a user for step-up authentication
  • Support for multiple payment channels, including mobile devices, digital wallets, and gaming consoles as transaction volumes, values (and fraud) keep climbing

The Outseer Solution

Adopting 3DS is just smart business. And in North America, issuers, merchants, and others can leverage fully hosted solutions such as our own. Outseer 3-D Secure is an Access Control Server (ACS) for credit and debit card issuers and processors. With the Outseer Risk Engine at its core and enriched by intelligence from our global data network partners, Outseer 3-D Secure transparently evaluates each transaction in real time to prevent 95% of all fraud. Only 5% of transactions ever require intervention, leaving the vast majority of transactions to go through unimpeded. That’s the best performance in the industry.

By seeing what others can’t, we stop fraud long before a transaction ever occurs. To learn how you can protect your customers through the power of frictionless fraud prevention, request a free demo today.

Armen Najarian

CMO + Chief Identity Officer

Armen is a 15-year Silicon Valley veteran with deep experience leading the marketing function for fast-growing fraud prevention, predictive analytics, and cybersecurity companies. His most recent leadership roles include CMO positions at Agari and ThreatMetrix, the latter of which he established as the definitive category leader for digital identity solutions.