What is EMV 3D Secure?

A little bit of history...

In 2001 major card networks implemented the first version of 3D Secure as a standard to reduce fraud and provide added security to online credit card payments. The standard requires the end user to further authenticate with the issuer before proceeding with the payment authorization. The authentication process involves a full redirect to a web page where, usually, login credentials must be provided. Each card scheme has its own branded name for it.

The clear benefits of adopting 3D Secure are:

  • effective extra layer of fraud protection
  • liability shift from merchant to the issuer
On the other hand, the clear disadvantages are:
  • the additional step required to complete the checkout adds friction (e.g. customers abandon the purchase)
  • bad 3D Secure experience on mobile devices

A new version

A new version of 3D Secure was defined by EMVCo in order to address many of the drawbacks of version 1.

This is achieved by:
  • standardizing user interfaces for better user experience
  • introducing new workflows: Frictionless vs Challenge
  • maintaining the same Liability Shift for the merchant

Better user experience

With the introduction of responsive design guidelines and native mobile integration via SDK, the user experience of a 3D Secure challenge will look and feel better. The issuer page must render properly on all types of devices and, when applicable, support an inline redirect via iFrame. This avoids the unpopular redirect to another page.

Better user experience doesn't only mean better user interface. Strong customer authentication also improves the overall process, and the new standard introduces the following three ways to authenticate a shopper.

  • One Time Password (OTP)
  • Knowledge-Based Authentication (KBA)
  • Out of band (OOB)

Frictionless vs Challenge

The EMV 3D Secure standard defines two distinct scenarios that can happen when purchasing online. The decision is based on the additional data that is provided together with the payment transaction and used for further risk analysis by the issuer.

Frictionless

Customer and additional data submitted with the payment can be sufficient for the issuer to trust that the real cardholder is making the purchase. In this case the transaction qualifies for a “frictionless” flow and the authentication is completed without impacting the user experience. The cardholder never sees any sign of 3D Secure being applied in the background.

Even if a transaction follows the frictionless flow, the merchant will benefit from the same liability shift as for transactions that pass through the challenge flow.

Challenge

After analyzing the data, the issuer might decide that it needs further proof of who the actual buyer is. In this case the transaction will follow the "challenge" flow and the customer will be asked to provide additional authentication for the payment.

Decision flow with 3DS1 fallback

An important consideration is that, especially in the early stages of adoption, 3D Secure version 1 and EMV 3D Secure will coexist. For this reason the standard also introduces a "lookup request" whose purpose is to indicate which 3DS version is applicable for that specific card/issuer. Due to the imminent PSD2 regulation in Europe from September 2019, fallback logic is essential to ensure Strong Customer Authentication.
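The decision flow described above, sketched as an added example (it is not code from the original page or from any payment gateway). All type, field and step names are assumptions, and declining when no authentication is possible is a policy choice made here so that no path reaches authorization without an authentication result.

```python
from dataclasses import dataclass
from typing import Optional

# Every name and label below is an assumption made for this example; none of
# them is a field of the EMV 3D Secure specification or of a gateway API.

@dataclass(frozen=True)
class LookupResult:
    supports_emv_3ds: bool   # lookup request says EMV 3D Secure applies
    supports_3ds1: bool      # lookup request says 3D Secure version 1 applies


def route_payment(lookup: Optional[LookupResult],
                  issuer_decision: Optional[str] = None,
                  challenge_passed: Optional[bool] = None) -> str:
    """Return the next checkout step for one payment.

    issuer_decision:  "frictionless" or "challenge" (constructed labels).
    challenge_passed: outcome of the challenge once the shopper completed it.
    """
    if lookup is None:
        return "decline"                      # lookup failed: fail closed
    if lookup.supports_emv_3ds:
        if issuer_decision is None:
            return "send_authentication_request"
        if issuer_decision == "frictionless":
            return "authorize"                # authenticated in the background
        if issuer_decision == "challenge":
            if challenge_passed is None:
                return "show_challenge"       # OTP, KBA or OOB
            return "authorize" if challenge_passed else "decline"
        return "decline"                      # unknown outcome: never authorize
    if lookup.supports_3ds1:
        return "redirect_3ds1"                # fallback to the version 1 redirect
    return "decline"                          # assumed policy: SCA always required


if __name__ == "__main__":
    # Constructed sample payments: (lookup, issuer decision, challenge result)
    samples = [
        (LookupResult(True, True), "frictionless", None),
        (LookupResult(True, True), "challenge", None),
        (LookupResult(True, True), "challenge", False),
        (LookupResult(False, True), None, None),
        (LookupResult(False, False), None, None),
    ]
    for lookup, decision, passed in samples:
        print(lookup, decision, passed, "->", route_payment(lookup, decision, passed))
```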

To learn more about why EMV 3D Secure is essential for the future of online payments, check our article.