Achieving Frictionless Payments with 3D Secure: Part 2

In our previous post, we explored the world of 3D Secure (3DS) protocols, a significant advancement in securing digital transactions. While 3DS 1 marked a revolution, it had its shortcomings, notably in user experience, mobile optimization, and structural rigidity, with very little scope for customization based on different transaction types. Addressing these challenges led to the evolution of 3DS 2, an essential upgrade in online payment security and experience.

What is 3DS 2?

3DS 2 is the enhanced version of the 3DS protocol, managed by EMVCo, designed to streamline the authentication process for online transactions. Unlike its predecessor, 3DS 2 offers a more seamless user experience, is optimized for mobile devices, and provides greater flexibility for online transactions done via mobile apps or the web.

Key differences between 3DS 1 and 2

• • Wider device support: 3DS 2 is designed with multiple device form factors in mind, with mobile and app transactions given high importance. It builds on the unique capabilities of different devices, such as authentication via biometric, FaceID, or a connected wearable device.
  • Richer data exchange: 3DS 2 captures real-time data points during each transaction, allowing issuers and merchants the ability to do sophisticated risk analysis, which can be then used to enable ‘frictionless’ authentication where possible while still maintaining a high level of security. The additional data captured in 3DS 2 typically includes the following:
    • Device Information: Details about the user’s device, such as the operating system, IP address, device binding, and browser information
    • Merchant and Transaction Information: Details about the transaction, such as merchant category code and the exact nature of the goods or services being purchased
    • Customer Account Information: Data related to the customer’s account, such as account age, transaction history, and shipping address
  • Enhanced user experience: With support for more sophisticated risk analysis 3DS 2 allows merchants to offer a frictionless payment experience to their users, like one-click pay, instead of requiring an OTP for each transaction
  • Support for additional use cases: 3DS 2 allows merchants to use it to support new use cases compared to 3DS 1, like
    • Recurring payments
    • Addition of a card to a mobile wallet

Now let’s see 3DS 2 in action in frictionless and challenge-based payments.

One-click (frictionless) transaction flow with 3DS 2

Imagine our friend Bob again, shopping online with his card. With 3DS 2:

1. Initiation: Bob adds a Lord of the Rings boxset to an online bookstore cart and heads to checkout. The Merchant Plug-In (MPI) sends the rich transaction details with an authentication request (AReq) to their 3DS Server.
2. Directory Server: The 3DS Server forwards the AReq to the Directory Server (DS) to check Bob’s card compatibility with 3DS 2.
3. ACS Risk Assessment: The DS sends the AReq to the Access Control Server (ACS) of Bob’s card issuer for risk assessment.
   • Bob’s card issuer uses the data shared in the AReq to create a real-time risk score for the transaction
   • The risk score confirms that Bob is a regular and creditworthy user, and for the current transaction, Bob need not provide any further confirmation
   • Due to the low-risk nature of the transaction, the ACS sends an ARes with a ‘Transaction Challenge Exemption’
4. Verification and Transaction Conclusion: The MPI receives the ARes and realizes no further input is required from Bob for authentication of the transaction. It tells Bob that the authentication was successful and successfully places Bob’s order for the Lord of the Rings box set.

Image 1

Bob’s frictionless journey through 3DS 2 (Image 1) ensures each transaction is effectively authenticated, balancing security with a seamless experience. This protocol represents a major improvement over 3DS 1, offering flexibility and adaptability in online transactions.

Challenge-based transaction flow with 3DS 2

Now let’s imagine a scenario where Bob does need to provide some authentication (Image 2). Where in 3DS 1 Bob would have to enter his static password or a one-time password (OTP), 3DS 2’s support for native authentication in devices enables authentication with minimal friction.

1. Initiation: Bob adds 5 Lord of the Rings box sets to his online bookstore cart and heads to checkout. The MPI sends an AReq with transaction details to their 3DS Server.
2. Directory Server: The 3DS Server forwards the AReq to the DS to check Bob’s card compatibility with 3DS 2.
3. ACS Risk Assessment: The DS sends the AReq to the ACS of Bob’s card issuer for risk assessment.
   • Bob’s card issuer uses the data shared in the AReq to create a real-time risk score for the transaction
   • The risk score confirms that while Bob is a regular and creditworthy user, this transaction requires Bob to complete an authentication challenge
   • The ACS triggers a Challenge Request (CReq) for the transaction
4. Challenge Process: Bob receives a challenge prompt on his logged in devices. Since Bob has logged in on his wearable device and his mobile phone, Bob receives the prompt on both devices. The challenge prompted to Bob could be any of the following:
   • Bob can authenticate himself using the device biometrics or Face ID on his mobile phone
   • Bob can swipe and complete a prompt received on his wearable device
   • Bob can be asked to enter a secure OTP sent to him on his verified phone number
5. Response and Verification: Once Bob completes the authentication on his wearable device, and his response (CRes) is sent to the ACS for verification
6. Transaction Conclusion: The ACS’s final authentication response (ARes) is received by the MPI, thus completing the transaction. The MPI informs Bob that the authentication was successful, and successfully places Bob’s order for the 5 Lord of the Rings box sets.

Image 2

Conclusion

3DS2 revolutionizes online payment security, creating a win-win for all. Merchants see reduced cart abandonment and lower fraud losses thanks to simplified authentication and enhanced security. Furthermore, 3DS2 empowers frictionless payments, enabling merchants to offer innovative solutions like one-click payments.
Issuers experience a significant reduction in fraudulent transactions, while the flexibility and accessibility of cross-device authentication can help broaden reach and engagement. Finally, cardholders enjoy seamless, secure payments across all devices and transaction types. Thus, by effectively addressing the shortcomings of 3DS1, 3DS2 paves the way for a future of secure and user-friendly payment solutions.
Connect with us to know how Zeta delivers 3DS 2 experiences!