How 3D Secure 2 (3DS2) will redefine customer experience

3-D Secure 2 (3DS2) is an updated version that represents a new approach to security – one that reflects the realities of today’s online and mobile world and the need to balance customer experience with fraud prevention. As such, 3DS2 is a natural fit for PSD2, the regulatory framework that is reshaping European payments. Under the terms of PSD2, companies doing business in Europe must comply with the regulatory technical standards (RTS) for strong customer authentication (SCA).

Apart from supporting the new security standards and providing a firm foundation for compliance, 3DS2 eliminates many of the shortcomings of 3DS1. It is a security platform that is appropriate for today’s world of multichannel payments – a world where authentication is more complex and challenging, and fraudsters are never slow to exploit vulnerabilities. 

Clumsy to negotiate, vulnerable to phishing, and unsuitable for mobile commerce, 3DS1 when actively deployed does not make for a happy customer experience – which, of course, contributes to cart abandonment and poor conversion rates. 3DS2 will help to limit these concerns with card-not-present transactions handled smoothly and efficiently whether online, mobile, in-app, or via digital wallets.

With 3DS2, customers don’t need to remember passwords or negotiate cumbersome pop-up windows. Instead, 3DS2 relies on multi-factor authentication, which will mean a more fortified defence from fraud while maintaining a smooth checkout experience. 

The increased use of biometrics opens up new ways of authentication, such as fingerprint and iris recognition, addressing the increasing needs to adapt to mobile and in-app shopping environments. Not only will biometrics reduce the risk of fraud, if deployed seamlessly it can also make cart abandonment less likely.

A significant advantage of 3DS2 is that it promotes risk-based authentication. This is achieved through context-rich information that helps to assess risks. Key data can be gleaned from the transaction itself and the merchant’s and the cardholder’s risk profiles. Examples include the card holder’s email and postal addresses, the transaction amount, the number of transactions within a specified period, as well as browser, country details, behavioural profiles and many more.

Together, these datasets provide a detailed profile picture that can lead to more informed decisions, with low-risk and non-suspicious transactions being allowed to go unchallenged. For example, if a consumer initiates a low-value transaction from a device that has previously been used to authorise payments, in the country where the card is registered, it could be deemed low risk and require no authentication. 

On the other hand, if the same card was used for a high-value transaction from a different device in a different country, it would be considered high risk and so trigger authentication. 

The more data is shared, and the better the quality of that data, the more it will help to streamline the payment process while reducing fraud. Whereas 3DS1 was based on as few as 10 data points, 3DS2 generates over 100 to determine the validity of a transaction. When everyone in the payments chain provides more data to support a transaction, the result will be swifter checkout times, enhanced security, improved sales and a better customer experience. 

One of the benefits for merchants is that when 3DS2 is applied, they will not be liable for fraudulent transactions unless an acquirer exemption was applied. Currently, when the cardholder or issuer disputes an online transaction (on the basis that it is fraudulent), merchants will refund the loss in most cases. With 3DS2, liability will shift to the card issuer/cardholder.