3DS 2.0: What Is It?


With the recent widespread implementation of 3DS 2.0 in Europe fostered by regulation, many merchants around the globe are wondering what this technology can do for them. Below we summarize what 3DS 2.0 is and what it does compared to the status quo.

3D Secure is a security protocol that protects cardholder payment details from unauthorized use

What is basic 3D Secure?

Before we can explain what 3DS 2.0 is, we must cover what 3DS 1.0 does. 3D Secure is a security protocol that protects cardholder payment details from unauthorized use across three domains: the acquirer, the issuer and the infrastructure between them that supports the protocol. The idea behind it is to reduce card-not-present fraud by authenticating the identity of the cardholder with their issuer before they make a purchase.

To use 3D Secure, the customer first registers with their issuing bank and sets up a static password. When the customer checks out on the websites of participating merchants, they are directed to a popup or inline frame belonging to their issuing bank to fill their password to authenticate their identity and enable the bank to authorize the transaction. Following the authorization, the merchant sends the transaction to their acquirer for processing.

Merchant pain points specific to subscription chargebacks also exist. For example, there is no proration for a chargeback. The customer can be significantly into their subscription period before requesting a chargeback. As a result, the merchant faces not only chargeback fees but also the expenses related to the product or services already consumed.

Another issue with subscriptions is the use of free trials that auto-convert to paid subscriptions after a specific timeframe. Even if you’ve asked for subscribers’ credit card details during the free trial sign up it doesn’t mean they are aware that they will automatically be moved to a paid plan after the trial ends. This confusion can quickly escalate into a chargeback request.

Overall adoption was weak because the net benefits of 3D Secure implementation were a mixed bag

Why was 3D Secure adoption weak?

3D Secure was launched in 2001 as Verified by Visa and MasterCard SecureCode, followed several years later by branded versions for American Express, Discover and JCB as well. Adoption of the technology was low in some of the largest Western markets, such as France (19 percent), Germany (46 percent), Spain (17 percent) and the U.K. (29 percent), according to the 2016 Arvato Payments Review. Among the worst was the world’s largest market, the U.S., where adoption was just 5 percent.

Overall adoption was weak because the net benefits of 3D Secure implementation were a mixed bag. The primary benefit to merchants of enrolling in 3D Secure was that it shifted the liability for fraudulent transactions from them to the issuer.

The main drawback to 3D Secure for merchants was that the solution significantly lowered customer conversion rates. Customers on a 3D Secure enrolled merchant site would abandon checkout because they weren’t comfortable being dragged in the middle of a transaction to a third-party site to authenticate. Another factor in low conversion rates over the past decade is that many bank pages weren’t optimized for mobile, getting caught off-guard by the boom in mobile commerce. This left mobile-based customers dealing with long load times and difficult to fill forms, pushing them to abandon transactions.

For issuers, 3D Secure represented only added costs. For starters, if fraud occurred on an authenticated transaction, it was the bank’s responsibility. This liability issue was exacerbated by the fact that on a security level, 3-D Secure wasn’t very secure. The use of static passwords was problematic because they weren’t very difficult for motivated fraudsters to compromise and then use to bypass the 3D Secure process. All the issuer would receive to determine the likelihood of fraud was 10 static data elements. Lastly, the issuing banks had to shoulder the cost of implementing and supporting access control servers (ACS) to receive 3D Secure messages, process the messages and authenticate the card user.

In short, there were plenty of stakeholders dissatisfied with the original 3D Secure.

3DS 2.0 supports token-based and biometric authentication and removes static passwords

3DS 2.0 improves upon 3D Secure

3D Secure 2.0 was jointly created by Visa and Mastercard in 2016 and remedies to some extent the problems with 3DS 1.0. One major change is that the protocol now sends over 100 data elements for each transaction and enables risk-based authentication (RBA) decisions, which benefits both merchants and issuers. RBA means that the decision to challenge the cardholder to authenticate their identity is based on the perceived risk of the transaction as determined by looking at the data elements passed through 3DS 2.0. Transactions that are deemed low risk are passively authenticated through a “frictionless flow” that does not disturb the customer, reducing checkout abandonment. 3DS 2.0 was also designed to be mobile responsive with native in-app payment options instead of iframes or popups, making it easier to retain mobile users. Lastly, 3DS 2.0 supports token-based and biometric authentication and removes static passwords, making it more difficult for fraudsters to compromise credentials.

PSD2 pushes 3DS 2.0 adoption

The adoption of 3DS 2.0 received a big push with the implementation of the Revised Payments Service Directive (PSD2) in the European Economic Area (EEA). PSD2 set a new standard in European countries for protecting customer payments online by mandating Strong Customer Authentication (SCA) for most transactions.

To fulfill the SCA requirement merchants must authenticate a customer’s identity using two of the following three things: something they know, something they have and something they are. “Something they know” includes password, PIN or personal fact. “Something they have” would be a mobile phone (i.e. SIM card), security token or smart card. “Something they are” could comprise a fingerprint, facial features or voice pattern.

Adoption numbers are hard to come by but European issuers and merchants flocked to 3DS 2.0 to meet the SCA requirement that went into effect in January 2021. 3DS 2.0 was also designed with PSD2 in mind, including exemptions from SCA, for example, when dealing with small transaction amounts. 3DS 1.0 doesn’t support SCA exemptions.

What 3DS 2.0 doesn’t cover

It’s important to point out that the liability shift from merchant to issuer in cases of 3DS authentication covers fraud chargebacks alone and not service related chargebacks. This still leaves merchants exposed to friendly fraud, which comprises over 80 percent of chargebacks.

To fight friendly fraud chargebacks consider using a chargeback mitigation service. Justt offers a tailor-made solution designed to maximize the amount of chargebacks we reverse for you. The service is risk-free with a success-based fee and has a current win rate of 83 percent. This means you can only improve your bottom-line.

Start now. Win back lost revenue

Find out why Justt is the right solution for your business.

    Chargebacks per month

    • Under $5,000
    • Under $50,000
    • Under $100,000
    • Over $100,000