AllSecure Payments Gateway and 3-D Secure 2.0

3-D Secure (3DS) 2.0 is coming! This new version of the 3DS authentication protocol will shortly be available, and includes several key changes to the handling of eCommerce and mobile payments. 3-D Secure 2.0 is expected to be available on the AllSecure Payment Gateway in production in April 2019. Customers in Europe are strongly recommended to migrate to 3DS 2.0 in advance of September 14, 2019, when the PSD2 requirements on strong customer authentication (SCA) come into effect.

The second European Payment Services Directive (PSD2) is a European directive which came into force across the European Economic Area (EEA) on January 13, 2018. PSD2 was established to drive payments innovation and data security by reducing competitive barriers, mandating new security processes and encouraging standardized technology to protect the confidentiality and integrity of payment service users’ personalized security credentials. PSD2 requires banks to support Open APIs to enable consumers to make payments directly from their bank accounts via newly-regulated third-party payment service providers. The primary focus of this document is the introduction of the Regulatory Technical Standards (RTS) around strong customer authentication (SCA). These standards will come into effect on September 14, 2019.

What is 3-D Secure 2.0?

3-D Secure is a customer authentication protocol introduced by EMVCo and leading card schemes, designed to reduce fraud rates and provide security to merchants and shoppers. The current 3-D Secure version (1.0) does not enforce modern secure authentication methods and frequently relies on archaic authentication methods such as static passwords.

3-D Secure 2.0 is the latest version of the 3DS protocol. 3DS 2.0 includes several key changes to the handling of eCommerce and mobile payments. Critically, these changes ensure the protocol is fully in line with the PSD2 regulatory technical standards on secure customer authentication (SCA), which come into effect on September 14, 2019. Furthermore, the updated protocol is designed to help streamline the customer journey by reducing or removing points of friction, ultimately improving checkout conversion rates as well as reducing fraud.

What are the benefits of 3-D Secure 2.0 compared to 1.0?

There are several benefits to merchants, issuers and shoppers as a result of 3DS 2.0. Broadly, the changes ensure a streamlined customer journey with fewer friction points to reduce the high rate of shopping cart abandonment from 3-D Secure 1.0. These enhancements include:

• Risk-based authentication. 3-D Secure 2.0 will support the transmission of rich data during transactions, making authentication assessments and decisions more accurate. The issuer will be able to evaluate the fraud risk and bypass full authentication if the risk is low enough, resulting in a smoother customer journey for low-risk shoppers. This risk-based approach to authentication is entirely aligned with PSD2 guidance on SCA. More information on the risk-based authentication workflow is available below.
• Biometric or two-factor authentication. If the issuer (after performing an initial assessment) determines that authentication is required, either biometric or two-factor authentication will be performed to validate the shopper. The biometric authentication methods available will depend on what is supported
• Eliminates initial enrollment. The removal of this one-time step in the 3-D Secure flow eliminates a major point of friction in the customer journey upon first-time use.
• Support for in-app purchases. Unlike 3DS 1.0, which required a browser call-out to complete authentication, 3DS 2.0 can handle in-app purchases natively. This avoids compatibility issues experienced within some apps for browser authentication callouts.
• Allows for bespoke checkout integration. Should they wish, merchants can now integrate the 3-D Secure authentication process into their own checkout process, resulting in a much smoother experience for shoppers.
• Support for non-payment authentications. The latest 3DS version offers support for no-value authorizations, such as tokens for card-on file. Note that it is mandatory to use secure customer authentication such as 3-D Secure to add a new card as a card-on-file. Subsequent transactions do not have to go through 3DS 2.0, but need to reference the original transaction and the amount cannot differ by more than 15%.

Risk-based authentication

As mentioned previously, risk-based authentication based on rich data is a key feature of 3-D Secure 2.0. If the issuer determines the transaction is low-risk, they can bypass full authentication altogether – this is referred to as “frictionless flow”. If the issuer decides to go ahead with full authentication, this triggers what is known as the “challenge flow”, which more closely mirrors the 3DS 1.0 workflow.

The main difference between 3DS 1.0 and the 3DS 2.0 challenge flow is in how the cardholder interacts with the issuer. Firstly, redirecting the shopper from the merchant’s web page is not necessary any more as the interaction can be handled in an iFrame on the merchant’s website. Secondly, as detailed above the authentication itself offers more options, such as in-app, biometric, two-factor via SMS, knowledgebased or more. This mechanism is controlled by the issuer.

Under 3DS 2.0, shoppers will also be able to whitelist their most trusted merchants – as long as the issuer has also whitelisted those merchants. While this results in increased friction on the first visit to that merchant, subsequent visits will use “frictionless flow” while ensuring that shoppers remain fully protected.

How will AllSecure support 3-D Secure 2.0?

The AllSecure Payments Gateway will support 3DS 2.0 for customers integrated via both Server to Server and SECUREPAY. Note that the protocol for go-live will in fact be 3DS 2.1 rather than 2.0. AllSecure will support the following brands for 3DS 2.0:

• Visa
• Mastercard
• American Express
• Diners
• JCB
• Carte Bancaire
• Bancontact – Mistercash

AllSecure will be working to ensure our top-performing acquirers are available for 3DS 2.0 processing by the time the service is launched, and we will continue to update the remaining connected acquirers throughout 2019. AllSecure will request, import and maintain all certificates required for 3D Secure processing.

AllSecure will continue to support 3DS 1.0 alongside 2.0, until further notice from card schemes on timings for deprecation of the older version. The cost for a 3DS 2.0 transaction will remain in line with the current cost for a 3DS 1.0 transaction, as stipulated in AllSecure commercial contracts.

Full integration details on migrating to 3-D Secure 2.0 are available on the developer portal at the below
link: https://allsecure.docs.oppwa.com/support/3d-secure-2.0-guide .