Changes in the 3D secure protocol: welcome to 3-D Secure 2.0


Year after year, technology advances rapidly in what it can do. In the near future the updated 3-D Secure 2.0 protocol will take online payment security to a new level. The protocol establishes a secure, real-time data exchange channel through which far more transaction data is transmitted for more accurate cardholder authentication, and payments complete faster, because only a subset of transactions, rather than all of them, require the cardholder to authenticate with a password or similar challenge. Let's look at the main changes in the new protocol compared to its previous version.

What is 3D Secure?

3D Secure is a security protocol developed in 1999 that aims to prevent fraudulent use of payment cards by verifying the cardholder's identity in transactions where the card is not physically present (card-not-present, or CNP, transactions). "3D" stands for the "3 domains" in which the protocol operates: the issuer domain (the bank that issued the card), the acquirer domain (the merchant and the bank that receives the money), and the interoperability domain (the infrastructure provided by the card scheme / payment system that connects the other two and supports 3D Secure). Today the protocol is developed and managed by EMVCo, an organisation jointly owned by the major brands Visa, Mastercard, American Express, Discover, JCB and UnionPay.

The first version of 3D Secure was designed to increase consumer confidence in online payments and thereby fuel the growth of e-commerce. To protect against fraudulent transactions, 3D Secure adds another authentication step to online payments, allowing merchants and banks to gain more assurance that the payment is being made by the cardholder. With 3D Secure 1, the system displays a pop-up window or inline frame that asks the user to enter a password so that the issuing bank can authenticate them. However, the cardholder has no way to verify the credentials of the entity that generated the pop-up: an iframe asking for a password looks the same whether it comes from the issuer or from a phishing site.


For businesses, the benefits of 3D Secure are clear: requesting additional information provides an extra level of fraud protection, so that card payments are accepted only from authenticated cardholders. In addition, when 3D Secure is used the so-called "Liability Shift" occurs, in which responsibility for fraud passes from the seller to the card issuer. Thus, if 3D Secure is not applied and a cardholder disputes a fraudulent transaction:
  • The seller is responsible for the transaction
  • The seller (merchant) must return the money to the buyer (chargeback)

But, if the merchant implements 3D Secure, liability for fraudulent transactions passes to the issuer (the bank that issued the card).

What are the main changes in the 3D Secure 2.0 protocol?

It has been over 17 years since the development of 3D Secure 1. While this authentication method has been fairly well accepted by the payment industry in most countries, there has been recognition of the need for a new protocol to address current and future market demands, including adding support for mobile device-based authentication and digital wallet integration. In addition, it was noted that using 3D Secure 1 has some disadvantages:
  • the additional step required to complete a payment adds complexity to the checkout process and may cause customers to abandon their purchase.
  • a number of banks still require their cardholders to create and remember their own static passwords to complete 3D Secure verification. These passwords are easy to forget, which also increases the likelihood of purchase abandonment.
  • the negative impact on user experience (UX) is especially noticeable in mobile applications. When Visa first created the 3D Secure standard, personal computers were the only channel consumers had for shopping online. On mobile devices, 3D Secure may redirect customers from the native application to the bank's website, which is not optimised for mobile devices.

Taking into account the main pain points of 3D Secure, EMVCo recently released a new and improved version of the protocol. EMV 3-D Secure (3D Secure 2 or 3DS2) addresses many of the shortcomings of 3D Secure 1 and provides the following key benefits:

1. Flexible Device & Channel Support.
Provides a smoother and more consistent user experience across multiple payment channels, including mobile browser payment, in-app payments, and digital wallet payments.

2. Improved User Experience.
Enables merchants to integrate the authentication process more tightly into the shopping experience, giving cardholders fast, simple and convenient authentication while maintaining a high level of security. Unlike static passwords, 3D Secure 2 uses dynamic authentication methods such as biometrics and token-based authentication. 3D Secure 2 also allows companies to embed the challenge flow directly into their web and mobile payment flows, without any redirects. Using the new mobile SDKs, companies can embed native flows into their apps, so their customers no longer have to leave the app for a browser flow to complete a transaction.

[Figure: 3D Secure 1 authentication flow, from the Stripe 3D Secure 2 guide]

[Figure: 3D Secure 2 authentication flow, from the Stripe 3D Secure 2 guide]


3. Enhanced Data Exchange to Manage Fraud and Reduce Friction: Risk-Based Authentication (RBA) and the Frictionless flow.
The Frictionless flow allows issuers to approve a transaction without requiring manual input from the cardholder. This is achieved through Risk-Based Authentication (RBA). RBA works by collecting a set of cardholder and transaction data at the time of purchase and passing it to the issuing bank's Access Control Server (ACS), which compares the collected data with the cardholder's previous (historical) transaction data to derive a fraud-risk value for the new transaction. 3D Secure 2 lets companies and their payment providers securely send more than 100 data elements per transaction to the cardholder's bank. This includes payment-related data such as the shipping address, as well as contextual data such as the customer's device ID or previous transaction history.


The cardholder's bank uses this information to assess the risk level of the transaction and select an appropriate response:

1) If the fraud-risk value is below the configured threshold, i.e. there is enough data for the bank to believe that the real cardholder is making the purchase, the transaction qualifies for the Frictionless flow and authentication completes without affecting the user experience; the cardholder never sees any indication that 3D Secure was applied. The issuing bank does not request additional verification and treats the cardholder as authenticated, which removes the manual verification step that 3D Secure 1 always required.

2) If the fraud-risk value is above the threshold, for example because the bank decides it needs additional evidence, the transaction runs in Challenge mode and the customer is asked to provide additional information to verify that the payment is genuine.
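The following is an added example and not code from the original post, from EMVCo, Stripe or any ACS vendor. It sketches the risk-based decision an issuer's ACS makes when it receives the authentication request: a constructed, simplified subset of the transaction data is scored against the card's historical profile and the score is mapped to the response status the ACS returns ("Y" for a frictionless pass, "C" for a challenge). Field names, weights and the threshold are assumptions of this example; the only thing taken from the text is the shape of the decision. The case the text does not spell out, a card with no history at all, is handled by falling back to a challenge, since the bank then has nothing to compare against.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Constructed, simplified subset of the data a 3DS Server sends in the AReq.
# Field names are this example's own shorthand, not the EMVCo element names.
@dataclass(frozen=True)
class AuthRequest:
    card_ref: str          # token referencing the card; the raw PAN never enters the engine
    amount_minor: int      # amount in minor units (e.g. cents)
    currency: str
    merchant_id: str
    device_id: str         # browser / SDK device fingerprint
    ship_addr_hash: str    # hashed shipping address
    bill_addr_hash: str    # hashed billing address
    ip_country: str        # country derived from the client IP


@dataclass
class CardHistory:
    """What the issuer's ACS has previously seen for this card."""
    home_country: str
    known_devices: Set[str] = field(default_factory=set)
    known_merchants: Set[str] = field(default_factory=set)
    known_ship_addrs: Set[str] = field(default_factory=set)
    amounts_minor: List[int] = field(default_factory=list)


# Illustrative weights and threshold; a real ACS tunes these on fraud outcomes.
CHALLENGE_THRESHOLD = 50


def score_transaction(req: AuthRequest, hist: CardHistory) -> int:
    """Higher score = the request deviates more from the card's history."""
    score = 0
    if req.device_id not in hist.known_devices:
        score += 30          # unseen device
    if req.merchant_id not in hist.known_merchants:
        score += 10          # first purchase at this merchant
    if req.ship_addr_hash not in hist.known_ship_addrs:
        score += 20          # goods going somewhere new
    if req.ship_addr_hash != req.bill_addr_hash:
        score += 10          # ship-to differs from bill-to
    if req.ip_country != hist.home_country:
        score += 25          # request from abroad
    if hist.amounts_minor:
        avg = sum(hist.amounts_minor) / len(hist.amounts_minor)
        if req.amount_minor > 3 * avg:
            score += 20      # unusually large ticket
    return score


def decide(req: AuthRequest, hist: Optional[CardHistory],
           threshold: int = CHALLENGE_THRESHOLD) -> Tuple[str, int]:
    """Map the risk score to the ARes transaction status: 'Y' (authenticated
    without a challenge, the Frictionless flow) or 'C' (challenge the cardholder)."""
    if hist is None:
        # No history to compare against, so the bank cannot silently vouch
        # for the cardholder; fall back to a challenge.
        return "C", threshold
    score = score_transaction(req, hist)
    return ("Y" if score < threshold else "C"), score


def record_authenticated(req: AuthRequest, hist: CardHistory) -> CardHistory:
    """After the cardholder passes authentication, fold the transaction into
    the profile so the same device/address/merchant is low risk next time."""
    hist.known_devices.add(req.device_id)
    hist.known_merchants.add(req.merchant_id)
    hist.known_ship_addrs.add(req.ship_addr_hash)
    hist.amounts_minor.append(req.amount_minor)
    return hist


def sample_history() -> CardHistory:
    """Constructed profile: a German cardholder who shops from one laptop."""
    return CardHistory(home_country="DE", known_devices={"dev-A"},
                       known_merchants={"shop-1"}, known_ship_addrs={"addr-1"},
                       amounts_minor=[2000, 3000, 2500])


# Constructed requests: a routine reorder and a classic fraud pattern
# (new device, new merchant, new shipping address, foreign IP, big ticket).
LOW_RISK_REQ = AuthRequest("tok-1", 2800, "EUR", "shop-1", "dev-A", "addr-1", "addr-1", "DE")
HIGH_RISK_REQ = AuthRequest("tok-1", 20000, "EUR", "shop-9", "dev-Z", "addr-7", "addr-1", "RO")


if __name__ == "__main__":
    hist = sample_history()
    print(decide(LOW_RISK_REQ, hist))        # ('Y', 0)   -> Frictionless
    print(decide(HIGH_RISK_REQ, hist))       # ('C', 115) -> Challenge
    print(decide(HIGH_RISK_REQ, None))       # ('C', 50)  -> no history, Challenge
    # Once the cardholder has passed the challenge, the new device is known:
    record_authenticated(HIGH_RISK_REQ, hist)
    print(score_transaction(HIGH_RISK_REQ, hist))  # 35: only country and address mismatch remain
```

Note that the engine never sees the PAN, only a card reference, and that every signal is a comparison against the card's own history rather than an absolute rule; that is what lets a returning customer pass without a challenge while the same purchase from an unknown device and country is challenged.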

4. Changes to merchants' liability in case of fraud
Another significant difference in 3DS 2.0 concerns merchants' liability in the event of fraud. Issuers are the clear beneficiaries of the increased data sharing required by 3DS 2.0, since under the liability shift they carry the chargebacks: the more data they have, the more accurately they can assess the risk of a transaction.

However, merchants also benefit, especially if they do not already collect enough transaction data that would be required to participate in 3DS, because they can then use that data to improve their own fraud detection efforts. But even if a merchant already has a sophisticated fraud prevention program in place, the additional layer of protection provided by the issuer conducting its own risk assessment should not be overlooked. ACS providers used by issuers typically have access to sources of fraud data that individual merchants do not, which often allows them to provide a more reliable fraud risk assessment.

When will payment systems support 3-D Secure 2.0?

Widespread adoption of 3D Secure 2 depends on individual card issuers supporting the new standard. The first banks are expected to begin supporting 3D Secure 2 for their cardholders in early 2019, but a wider rollout will likely be gradual and take several months. For example, the Visa 3DS 2.0 platform is already available and ready to process 3DS 2.0 authentication requests. Before participating in the 2.0 program, ACS and 3DS Server providers must complete testing with both EMVCo and Visa; a provider may begin testing with Visa only after receiving a letter confirming successful completion of EMVCo testing. To give stakeholders sufficient time to implement 3-D Secure 2.0, the full set of program rules will not take effect until the activation dates listed below:
  • April 2019: activation date for Europe
  • August 2019: activation date for Canada, Latin America and the USA
  • April 2020: activation date for Asia Pacific, the Middle East and Africa

It is also expected that 3D Secure 1 and 3D Secure 2 will coexist at least until 2020.

For European businesses, the new Strong Customer Authentication (SCA) requirement, which comes into force in September 2019 and applies to online payments in the European Economic Area (EEA) where both the cardholder's bank and the merchant's payment service provider are located in the EEA, makes 3D Secure 2 even more important. Since the new rule requires authentication on many more European payments, 3D Secure 2 offers a better user experience (UX) that minimises the impact on site conversion.

While 3D Secure 2 will be the primary method of meeting the SCA requirements for card payments, the Frictionless flow is not expected to count as strong customer authentication. Once SCA applies in Europe, the Frictionless flow can therefore only be used for payments that fall under an exemption, while all payments that require SCA will have to be authenticated through the Challenge flow.