Introduction
What is 3-D Secure?
3-D Secure (often also referred to as EMV 3DS) is a security protocol that provides an additional layer of authentication for online card transactions. It is designed to help prevent unauthorized transactions and reduce fraud for card-not-present (CNP) transactions. At its core it is a way how merchants and card issuers can authenticate the cardholder seamlessly during an online transaction.
Each card scheme has its own service that implements the EMV 3DS protocol. For example, Visa has "VISA Secure", Mastercard has "Mastercard Identity Check", and American Express "Safekey".
As of today there is one relevant version in the markets, which is 3-D Secure 2 (3DS2). This version is designed to address the shortcomings of the original EMV 3DS protocol (3DS1) and to improve the user experience for cardholders and merchants.
The benefits of 3DS2 include:
-
Regulatory compliance: 3DS2 is designed to meet the requirements of the Payment Services Directive 2 (PSD2) in Europe and the Strong Customer Authentication (SCA) requirements.
-
Acceptance rates: 3DS2 is designed to reduce friction in the checkout process and improve the user experience, which can lead to higher conversion rates.
-
Enhanced trust: 3DS2 provides additional data points that can be used to authenticate the cardholder, which can help reduce fraud and build trust with customers.
-
Liability shift: 3DS2 supports the liability shift for transactions that are authenticated using the protocol, which can help protect merchants from fraud-related chargebacks.
Hellgate® provides a simple and convenient but also secure way to integrate 3DS2 into your payment flows. Our services are designed to make it easy to authenticate cardholders and reduce fraud across all your acquirers, while still providing a seamless user experience for your customers.
One of the key aspects why 3DS2 is so convient is that it is designed to work based on data collected from the merchant, the customer and the device. This allows the card issuer to selectively challenge transactions based on the risk profile of the transaction. This means that in many cases the cardholder will not be challenged at all, which can help reduce friction in the checkout process and improve the user experience.
Challenge Flows
In case the card issuer decides to challenge the transaction, the cardholder will be redirected to the card issuer's authentication page to complete the challenge. The challenges typically include entering a one-time password (OTP) or accepting a push notification on their mobile device. This process effectively implements a two-factor authentication (2FA) mechanism to verify the cardholder's identity.
Frictionless Flows
In some cases, the card issuer may be able to authenticate the cardholder without requiring any action on their part. This is known as a "frictionless flow" and is designed to provide a seamless user experience for the cardholder. The card issuer may use data collected from the merchant, the customer, and the device to authenticate the cardholder without requiring any additional input.
Authentication Results
At the end of the 3DS2 authentication a so-called electronic commerce indicator (ECI) is returned. This ECI indicates the result of the authentication and can be used by the merchant to determine the next steps in the payment flow. The ECI can have different values, such as "authenticated", "attempted", or "not authenticated", depending on the outcome of the authentication.
- VISA, American Express, and others
- Mastercard
ECI Value | Description | Liability Shift |
---|---|---|
05 | Cardholder authentication was successfully completed. | Yes |
06 | Authentication was attempted but was not available at the issuer's end. | Sometimes |
07 | Authentication was rejected or could not be attempted. | No |
ECI Value | Description | Liability Shift |
---|---|---|
00 | Authentication was rejected or could not be attempted. | No |
01 | Authentication was attempted but was not available at the issuer's end. | Sometimes |
02 | Cardholder authentication was successfully completed. | Yes |