3-D Secure version 2
3-D Secure version 2 is an evolution of the existing 3-D Secure version 1 programs:
- Verified by Visa
- Mastercard SecureCode
- AmericanExpress SafeKey
- Diners/Discover ProtectBuy
- JCB J/Secure
It is based on a specification drafted by EMVco. EMVCo exists to facilitate worldwide interoperability and acceptance of secure payment transactions. EMVCo’s six member organization oversees it:
- American Express
- Discover
- JCB
- Mastercard
- UnionPay
- Visa
Dozens of banks, merchants, processors, vendors and other industry stakeholders who participate as EMVCo Associates further support them.
Anticipating future market requirements
To reflect current and future market requirements, EMVco recognized the need to create a new 3-D Secure specification capable of supporting app-based authentication and integration with digital wallets, along with traditional browser-based e-commerce transactions.
This led to the development and publication of the EMV® 3-D Secure – Protocol and Core Functions Specification. This specification caters for these new payment channels and supports the delivery of industry-leading security, performance and user experience.
Aside from global card brands, we also note some local card brands looking to adopt identical means of authentication, as defined in the 3-D Secure version 2 specifications.
Why the need for a new version?
3-D Secure version 1 results in redirects for consumers to pages that aren't always optimized for the device they're using. This increases consumer drop-off rate of the consumers during your checkout process. Aside from this, the way the consumers able to authenticate isn't always the best way, from a usability point of view. This again contributes to the drop-off rate.
Due to the contribution to drop-off rates, some merchants haven't adopted 3-D Secure. This means that many consumers aren't always familiar with the flow, which again leads to increased drop-off. Put simply, the user experience leaves a lot to be desired, with your business facing a loss of revenue due to a reduction of conversion on your checkout.
The below map illustrates the drop-off percentages for 3-D Secure version 1 that we observed on Worldline's GlobalCollect Payment Platform in the first half of 2018.
The implementation of 3-D Secure version 1 historically caused more friction than necessary. As more and more transactions become app-based and with the rapid development of new ways to make payments there, the need arose for an updated version of 3-D Secure that could address this, which spawned 3-D Secure version 2.
What will change?
One of the core differences between 3-D Secure version 1 and 3-D Secure version 2 is that you can use many data-points from the transaction to determine the risk of the transaction (risk-based analysis). For low-risk transactions, issuers won't challenge the transaction, like not sending an SMS to the cardholder. However, issuers will still authenticate the transaction (frictionless).
Inversely, for high risk transaction, issuers require the cardholder to authenticate with an SMS or biometric means (challenge). This results in a frictionless authentication, which doesn't involve the consumer being redirected. Should the consumer use an app this also applies. If the issuer requires a challenge, this can be handled inside the app. It ultimately improves the user experience and will therefor lead to an increase in conversion.
Separately, the Strong Customer Authentication (SCA) required in Europe by September 14th, 2019, as specified in PSD2, will result in a substantial increase in the number of transactions requiring the use of 3-D Secure authentication. The use of 3-D Secure version 2 should limit the potential negative impact on conversion as much as possible.
In short, 3-D Secure version 2 means:
- If you don't support it already, you will need to implement 3-D Secure before September 14th, 2019 if your transactions fall within the EEA PSD2 SCA guidelines
- You're advised (and for some, required) to submit additional data points to support the transaction risk assessment performed by the issuer in case of 3-D Secure version 2
- You might need to update your privacy policy with regards to GDPR, as you might be sharing additional data-points with 3rd parties
- A much better user experience for your consumers
Benefits of 3-D Secure version 2
The market expectation is that a substantial percentage of transactions using 3-D Secure version 2 will follow the frictionless flow, which doesn't require anything extra from the consumer. This in contrast to the current 3-D Secure checkout flows.
Simply put, it means that you benefit from the increased security and liability shift that is provided by the 3-D Secure programs, while the conversion in your checkout process should not be negatively impacted.
Card networks projections suggest that with 3-D Secure version 2, merchants will be able to achieve the same performance levels as physical store merchants using Chip & PIN:
- Up to 10 percentage points higher approval rates
- Up to 50% reduced fraud rates
- Around 50% lower abandonment rates.
Timeline
There are several important dates:
- April 2019: Mastercard issuers globally and Visa issuers from Europe can support 3-D Secure version 2 in their production environments. This means you may be impacted, as you only benefit if you provide the correct data points.
- August 2019: Visa issuers In North and South America can support 3-D Secure version 2.
- September 14th, 2019: PSD2 RTS SCA goes into effect across European markets (EEA), requiring Strong Customer Authentication for each online transaction that match the criteria, as set forth in the PSD2 RTS SCA guidelines.
- April 2020: Issuers from the rest of the world can support 3-D Secure version 2.
The following applies for each of the above mentioned activations: If the issuer supports 3-D Secure version 2 for the card, you should use 3-D Secure version 2 as well. If you do not support 3-D Secure version 2, falling back to 3-D Secure version 1 remains a possibility without impacting on the liability shift.