3-D Secure (3DS) 2.0 is coming! This new version of the 3DS authentication protocol will shortly be available, and includes several key changes to the handling of eCommerce and mobile payments. AllSecure Payment Gateway plans to launch 3-D Secure 2.0 in production by April 2019. Customers in Europe should migrate to 3DS 2.0 before September 14, 2019, when the PSD2 strong customer authentication (SCA) requirements take effect.

The second European Payment Services Directive (PSD2) is a European directive which came into force across the European Economic Area (EEA) on January 13, 2018. The establishment of PSD2 aimed to drive payments innovation and enhance data security by reducing competitive barriers, mandating new security processes, and encouraging standardized technology to protect the confidentiality and integrity of payment service users’ personalized security credentials.

PSD2 requires banks to support Open APIs to enable consumers to make payments directly from their bank accounts via newly-regulated third-party payment service providers. The primary focus of this document is the introduction of the Regulatory Technical Standards (RTS) around strong customer authentication (SCA). These standards will come into effect on September 14, 2019.

What is 3-D Secure 2.0?

EMVCo and leading card schemes introduced 3-D Secure as a customer authentication protocol to reduce fraud rates and provide security for both merchants and shoppers. The current 3-D Secure version (1.0) does not enforce modern secure authentication methods and frequently relies on archaic authentication methods such as static passwords.

3-D Secure 2.0 is the latest version of the 3DS protocol. 3DS 2.0 includes several key changes to the handling of eCommerce and mobile payments. Critically, these changes ensure the protocol is fully in line with the PSD2 regulatory technical standards on strong customer authentication (SCA), which come into effect on September 14, 2019. The updated protocol also aims to streamline the customer journey by reducing or eliminating points of friction, ultimately boosting checkout conversion rates while reducing fraud.

What are the benefits of 3-D Secure 2.0 compared to 1.0?

There are several benefits to merchants, issuers and shoppers as a result of 3DS 2.0. Broadly, the changes ensure a streamlined customer journey with fewer friction points to reduce the high rate of shopping cart abandonment from 3-D Secure 1.0. These enhancements include:

  • Risk-based authentication. 3-D Secure 2.0 will support the transmission of rich data during transactions, making authentication assessments and decisions more accurate. The issuer will be able to evaluate the fraud risk and bypass full authentication if the risk is low enough, resulting in a smoother customer journey for low-risk shoppers. This risk-based approach to authentication is entirely aligned with PSD2 guidance on SCA. More information on the risk-based authentication workflow is available below.
  • Biometric or two-factor authentication. If the issuer (after performing an initial assessment) determines that authentication is required, either biometric or two-factor authentication will be performed to validate the shopper. The biometric authentication methods available will depend on what is supported
  • Eliminates initial enrollment. The removal of this one-time step in the 3-D Secure flow eliminates a major point of friction in the customer journey upon first-time use.
  • Support for in-app purchases. Unlike 3DS 1.0, which required a browser call-out to complete authentication, 3DS 2.0 can handle in-app purchases natively. This avoids compatibility issues experienced within some apps for browser authentication callouts.
  • Allows for bespoke checkout integration. Should they wish, merchants can now integrate the 3-D Secure authentication process into their own checkout process, resulting in a much smoother experience for shoppers.
  • Support for non-payment authentications. The latest 3DS version offers support for no-value authorizations, such as tokens for card-on-file. Note that it is mandatory to use strong customer authentication such as 3-D Secure to add a new card as a card-on-file. Subsequent transactions do not have to go through 3DS 2.0, but need to reference the original transaction and the amount cannot differ by more than 15%.

Risk-based authentication

As mentioned previously, risk-based authentication based on rich data is a key feature of 3-D Secure 2.0. If the issuer determines the transaction is low-risk, they can bypass full authentication, which is called the “frictionless flow.” If the issuer opts for full authentication, it triggers the “challenge flow,” which closely resembles the 3DS 1.0 workflow.

The main difference between 3DS 1.0 and the 3DS 2.0 challenge flow is in how the cardholder interacts with the issuer. Firstly, redirecting the shopper away from the merchant’s web page is no longer necessary, as the interaction can be handled in an iFrame on the merchant’s website. Secondly, as detailed above, the authentication itself offers more options, such as in-app, biometric, two-factor via SMS, knowledge-based or more. This mechanism is controlled by the issuer.

Under 3DS 2.0, shoppers will also be able to allowlist their most trusted merchants – as long as the issuer has also allowlisted those merchants. While this results in increased friction on the first visit to that merchant, subsequent visits will use “frictionless flow” while ensuring that shoppers remain fully protected.
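The merchant-side decisions described above, as an added example that is not AllSecure's code: whether a card-on-file payment may skip 3DS under the 15% rule, and how to branch on the issuer's frictionless or challenge decision. The `transStatus`, `authenticationValue` and `acsURL` field names are taken from the EMV 3DS specification rather than this page; the function names and dict layout are hypothetical, and the gateway's own API may expose these values differently.

```python
from decimal import Decimal

# transStatus codes from the EMV 3DS authentication response (ARes).
# These names come from the EMV 3DS specification, not from this page.
AUTHENTICATED = {"Y", "A"}   # Y = verified, A = attempt processed
CHALLENGE = "C"              # issuer requires cardholder interaction
MAX_DRIFT = Decimal("0.15")  # card-on-file limit stated on this page


def can_skip_3ds(amount, original):
    """Card-on-file rule from the page: a subsequent payment may skip 3DS
    only if it references an authenticated original transaction and the
    amount differs from it by no more than 15%."""
    if not original or not original.get("id") or not original.get("authenticated"):
        return False
    base = Decimal(original["amount"])
    if base <= 0:
        return False  # assumption: no reference amount to compare, fail closed
    return abs(Decimal(amount) - base) / base <= MAX_DRIFT


def next_step(ares):
    """Map an issuer response (payment, browser channel) to the merchant's
    next action. Anything that is not provably successful fails closed."""
    status = ares.get("transStatus")
    if status in AUTHENTICATED:
        # Frictionless flow: no challenge, but the cryptogram must be
        # present so it can be sent with the authorization request.
        return "authorize" if ares.get("authenticationValue") else "decline"
    if status == CHALLENGE:
        # Challenge flow: render the issuer's page in an iframe.
        return "challenge" if ares.get("acsURL") else "decline"
    return "decline"  # N, R, U, missing or unknown status


# Constructed sample responses, not real gateway output.
SAMPLES = [
    {"transStatus": "Y", "authenticationValue": "AAAA-constructed"},
    {"transStatus": "C", "acsURL": "https://acs.example/challenge"},
    {"transStatus": "Y"},  # claims success without a cryptogram
    {"transStatus": "N"},
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s["transStatus"], "->", next_step(s))
    first = {"id": "txn-1", "authenticated": True, "amount": "100.00"}
    print(can_skip_3ds("114.99", first), can_skip_3ds("115.01", first))
```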

How will AllSecure support 3-D Secure 2.0?

The AllSecure Payments Gateway will support 3DS 2.0 for customers integrated via both Server to Server and SECUREPAY. Note that the protocol for go-live will in fact be 3DS 2.1 rather than 2.0. AllSecure will support the following brands for 3DS 2.0:

  • Visa
  • Mastercard
  • American Express
  • Diners
  • JCB
  • Carte Bancaire
  • Bancontact – Mistercash

We will ensure that our top-performing acquirers are ready for 3DS 2.0 processing by the service launch, and we will continue updating the remaining connected acquirers throughout 2019. AllSecure will request, import and maintain all certificates required for 3-D Secure processing.

AllSecure will continue to support 3DS 1.0 alongside 2.0, until further notice from card schemes on timings for deprecation of the older version. The cost for a 3DS 2.0 transaction will remain in line with the current cost for a 3DS 1.0 transaction, as stipulated in AllSecure commercial contracts.

Full integration details on migrating to 3-D Secure 2.0 are available on the developer portal at the link below: https://allsecure.docs.oppwa.com/support/3d-secure-2.0-guide
