What is 3DS2?
3DS2 (3D Secure 2.0) is an authentication solution designed to protect customers when they shop online using credit or debit cards. The purpose of 3DS2 is specifically to prevent a shopper’s credit or debit card from being used without their authorisation.
In this article, we’ll explain how 3DS2 works and why it matters for your business. We’ll also discuss alternative methods for taking recurring payments while maintaining the high security standards essential for the digital age.
What is the purpose of 3DS2?
For businesses with customers in the European Economic Area, 3DS2 is particularly significant. It allows you to meet the essential requirements of Strong Customer Authentication (SCA) when customers pay with debit or credit cards. SCA was introduced in 2018 as part of the revised Payment Services Directive (PSD2).
SCA requires customers to authenticate their online payments using extra parameters, beyond just a username and password. When making a payment under SCA, potential customers will need to use data from two out of the following three categories to identify themselves: something they know (e.g. mother’s maiden name), something they have (e.g. a secure key), something they are (e.g. a fingerprint).
3DS2 goes even further to identify customers online. It requires merchants to send additional data with each transaction to help the issuing bank determine whether the cardholder is actually the person making the transaction. If all the data matches, the transaction is allowed to proceed. If there is a mismatch, the bank responds by asking the customer for additional authentication data.
The history of 3DS2
The predecessor of 3DS2, known as 3DS or 3DS1, was introduced in 1999 with the aim of reducing fraud during online transactions. 3DS is commonly used in European countries as well as further afield, such as India and South Africa.
3DS1 is the umbrella name for a whole host of customer authentication solutions created by each of the major card schemes such as Visa Secure, MasterCard Identity Check and American Express SafeKey. 3DS1 allows the cardholder’s bank to prove that the person trying to pay with a particular credit or debit card is actually the legitimate holder of that card.
When the original 3DS system was first introduced, the online payments landscape was completely different. Smartphones were yet to arrive on the scene and 3DS1 was designed solely with desktops in mind. 3DS2 was introduced in 2015 to update 3DS1 for the internet age.
In the early iterations of the 3DS1 service, customers were often redirected to the website of the issuing bank and asked to enter a PIN. This interrupted the payment flow and had a negative impact on customer experience, leading to a rise in abandoned carts. A new authentication solution was needed that prioritised the customer experience alongside security. This is where 3DS2 comes into the picture.
3DS2 signifies a major change. It keeps up with the rapid evolution of digital technologies and with the new methods fraudsters use to defraud people. Importantly, 3DS2 not only leverages today’s technologies; it is also ready to handle future developments in online customer authentication.
How does 3DS2 impact your business?
As a merchant, one way your business will be impacted is if you accept recurring payments from within the European Economic Area (EEA), as these payments may require SCA.
3DS2 offers an extra layer of security, which also reduces the likelihood of customer chargebacks. In the rare case of a chargeback occurring, having your customers use 3DS2 means liability is shifted away from your business to the card issuer.
In addition, 3DS2 helps cut down friction around the payment process, reducing the likelihood that a customer will get frustrated and abandon their cart. 3DS2 could theoretically optimise the payment experience for your customers in the following ways:
Streamlining the payment process: 3DS2 provides additional information to the card issuer, freeing them up to verify only the riskiest transactions. This improves the experience for your customers by cutting down on needless friction during the transaction process, which may have once resulted in lost sales.
Providing customisation: 3DS2 offers the ability to customise the authentication method to suit the preferences of the target audience. This may include the addition of security features such as one-time passwords or biometric authentication.
Providing mobile optimisation: 3DS2 also offers the ability to optimise for mobile, which may reduce customer drop-off.
The limitations of 3DS2
Although 3DS2 is already helping to make online transactions more secure, it has certain limitations that you should be aware of.
As mentioned, the original 3D Secure was plagued by problems, including the dreaded conversion drop because of redirects and poor user experience. A recent study by Ravelin found that 22% of all transactions authenticated using 3D Secure are lost.
While the new version has been designed to minimise the original’s drawbacks, including a better user experience designed for smartphone users, it will require a wider rollout to evaluate whether it has been successful.
How GoCardless can help
Since the paperless Direct Debit mandates used by GoCardless are out of scope of SCA and fully PSD2 compliant, using GoCardless means you can avoid any potential conversion hit that may come with implementing 3DS2.
To find out more about how GoCardless can save your business from the hassle of SCA and 3DS2, take a look at our guide to SCA.