paying a bill on a smart phone

What You Need to Know About Strong Customer Authentication With 3DS2 (3D Secure 2.0)

Stronger Authentication, Less Friction

3D Secure, or 3DS, is an authentication protocol that calls on three separate domains to authenticate consumers and sign transactions during card-not-present (CNP) payments. It offers a powerful combination of security and usability — and was even cited in the EU’s official guidance on compliance with the Strong Customer Authentication (SCA) section of the Revised Payments Services Directive (PSD2).

The new 3DS protocol is called 3DS2 (3D Secure 2.0) and it’s designed to improve upon the old 3DS by streamlining the consumer experience on mobile devices and incorporating more powerful and flexible risk profiles.

In this article, we’ll explain how 3DS2 delivers on that promise — and how you can incorporate the technology as part of your own fraud prevention strategy.

What’s the Difference Between 3DS2 and 3DS?

The original 3DS protocol was the same for all transactions. It did not support biometric authentication, and it was incompatible with some devices and mobile browsers. Authorization page loading speeds caused frustration, while questions about the authenticity of the 3DS in-session verification window led some consumers to abandon their transactions.

By contrast, 3DS2 is expected to leave a lot fewer shopping carts abandoned both because of the enhanced capability to maintain a consistent look and feel and because of its seamless fraud prevention enablement aspect.

This next generation 3DS also enables organizations to adapt payment authorization for high-risk transactions, rather than across the board. The authentication risk level is based on a rich set of data collected about the cardholder and the transaction and then sent to the issuer.

The card issuer is now empowered and given more flexibility to make better decisions thanks to data-sharing APIs connecting businesses and banks that are able to incorporate more than 150 potential data points representing the information they and card issuers know about their mutual customers.

How Else Does 3DS2 Help Prevent Fraud?

Most 3DS authentication flows happen in the background — the SDK and servers exchange all necessary data, and the customer sees nothing.

However, a one-time password (OTP) — generated by the customer’s card — is an integral part of the process, because it enables customers to confirm their identities on a separate channel from the one that they’re using to execute the transaction.

This transaction verification step introduces major risk in solutions that rely on SMS to transmit the OTP. SMS authentication is cheap, convenient and ubiquitous — and easier than ever for hackers to exploit. Unfortunately, our research shows that it’s still the financial services industry’s leading authentication method.

3DS2, with its support for biometric authentication, definitively closes this security loophole by enabling customers to authenticate via their fingerprint or face — functionalities built into almost all modern smartphones. What’s more, the simplicity of this authentication flow increases security without compromising usability, reducing drop-off rates and streamlining the customer journey.

In fact, according to Visa, 3DS2 implementation led to 85% reduction in transaction time, resulting in a 70% decrease in cart abandonment.

Getting Started With 3DS2

As 3DS2 moves into the mainstream — and Open Banking regulations mandate the use of SCA — the search is on for solutions that keep customers safe while maximizing the number of licit transactions that go through.

HID Approve™ is an end-to-end authentication solution that gives banks the flexibility to customize transaction signing flows while complying with 3DS2 protocols. Taking full advantage of native smartphone security and biometric capabilities, HID Approve validates transactions in seconds using push notifications that don’t require service providers to send any sensitive information over an insecure network.

Deployed as either a customizable off-the-shelf mobile application or fully integrated in your existing app via SDK, HID Approve allows organizations to meet the most stringent security regulations while providing a seamless consumer experience.

Open Banking is changing how consumers move money — and how banks verify their transactions.

Károly Petőcz is the Director of Sales for the APAC, Middle East and Africa Markets as part of the IAM Consumer Authentication business unit at HID Global. He has over twenty years of experience in the Financial Services and Insurance (BFSI) industry. Karoly started his career in Hungary developing front office applications and delivering different financial solutions. He later moved to the digital security sphere, working in CEE, CIS, ME regions. He has a deep knowledge related to secure and trusted strong customer authentication (SCA) technologies and understands banks’ security challenges. In his current role, Karoly supports financial institutions in Emerging Markets with security improvements of their digital customer interactions, and his expertise of the market enables him to provide them with advanced digital banking solutions that address their exact needs, bringing security entire ecosystem and customer journey.