3D Secure 2.0 (3DS 2.0) is the latest update of the 3D Secure authentication protocol, which allows issuing banks to verify credit card owners during the transaction process. Verifying card owners can transfer liability for fraud disputes away from the merchants who utilize 3DS. With issuing banks preparing to support 3DS 2.0 integrations by spring 2019, many merchants may be wondering how this next iteration will impact them -- and how they can prepare.
Moving to 3DS 2.0 can offer merchants benefits beyond increased fraud prevention. The improved authentication system helps merchants transacting in Europe meet Strong Customer Authentication requirements under the second Payment Services Directive (PSD2). It also is expected to greatly reduce friction in the mobile-purchase process and can help increase conversions for any merchants who integrate the new version -- a task Braintree is making easy via updated SDKs, available soon.
It's truly an exciting and welcome improvement, but we understand that merchants may have some questions about 3DS 2.0. Here are a few of the more frequently asked ones to help you prepare.
1. So... how is 3DS 2.0 different from 3D Secure 1.0?
3D Secure 1.0 (3DS 1.0) connects merchants, payment networks, and financial institutions in order to authenticate transactions and share data. The latest iteration -- 3DS 2.0 -- improves on the system greatly, especially in terms of mobile payments processing. It’s no wonder -- the original 3D Secure protocol was developed well before the advent of the smartphone!
3DS 2.0’s specifications as outlined by EMVCo, the company chartered with creating the 3DS 2.0 protocol, provide inherent support for mobile clients including native iOS and Android SDKs. In addition to supporting seamless authentication experiences for customers, the new version also helps reduce the occurrence of authentication challenges -- which can range from an app-switch to a one-time password sent via SMS -- by requiring issuing banks to accept and utilize a larger number of data points in a risk-assessment to determine if a challenge is warranted. Some of these data points, such as the email address, billing address, etc, will be supplied by customers, while others come from the customer’s device and browser data.
The premise for these changes: If the issuing banks have sufficient data about the customer attempting the transaction, it will reduce the need for authentication challenges.
2. How do the changes help out merchants?
As noted, companies doing business in Europe need to comply with PSD2 Strong Customer Authentication requirements. The good news: Enabling 3DS 2.0 helps cover those SCA requirements. A payments integration that supports 3DS 2.0 is an industry standard approach to comply with the new EU laws.
Also appealing: This next iteration of the 3DS is specifically designed to reduce friction in the transaction process, and thus help improve conversion. In fact, Visa reports that merchants using 3DS 2.0 experience a 70% decrease in cart abandonment, and an 85% reduction in transaction time.[1]
But perhaps the most important change is that 3DS 2.0 gives merchants another tool in their fight against fraud. 3DS 2.0 is designed to better authenticate legitimate transactions and to better deny fraudulent transactions. Under 3DS 2.0, merchants may also shift the liability for fraudulent transactions from themselves to the issuing bank.
3. What is the timeline for implementing 3DS 2.0?
3DS 2.0 is the early stages of adoption by issuing banks, which means that 3DS authentication attempts aren't benefiting yet from the new 3DS 2.0 protocol. That said, the broader rollout of 3DS 2.0 is coming -- and soon. Here are the deadlines for the card brand adoptions by geographic regions:
If an issuing bank doesn't support 3DS 2.0 after the card brand's activation date for a specific region, don't worry. A 3DS 2.0 authentication call should still give merchants the benefit of the liability shift, even if the issuing bank does not yet have a 2.0 authentication system in place. That’s because, in these instances, the card brands will stand-in and provide an authentication signature.
4. How is Braintree helping with the 3DS 2.0 transition?
Our goal is to make the transition as seamless as possible for our merchants. To that end, we are introducing a new version of our current 3DS modules in our front-end SDKs to support 3DS 2.0 authentication paths. This new iteration will include a method for collecting the device and browser data required by each individual issuing bank, as well as customer-supplied data elements. Braintree will first release an updated JS SDK, which will be able to support 3DS 1.0 and 3DS 2.0 calls. The iOS and Android SDKs will be available next.
After your merchant account is formally enrolled to use 2.0, 3DS 2.0 authentications will occur through the new Braintree SDK. Given the above timeline, most merchants can expect authentications to be supported by issuing banks by April 2019.
5. What else can merchants do to prepare 3DS 2.0?
Updating your Braintree SDKs is a great first step. Beyond that, Braintree will expand the existing integration for certain merchants using 3DS 1.0 for SafeKey and use these fields as-is in any 2.0 call globally, and we’ll include some entirely new data fields as well! You can take this preparation a step further by incorporating this integration. Passing these data elements in a 3D 2.0 message will help reduce the possibility of an authentication challenge from the issuer.
Keep an eye out for updates to our front-end SDKs to gauge what you’ll need to have a 3DS 2.0-ready integration in the near future, and stay tuned into 2019 as more authentication options, data elements, and more are made available!