The 3DS security protocols for the protection of online purchases

The 3D Secure (3DS) security protocols for the protection of online purchases are a payment protection system created and developed by the leading international payment circuits like Visa and Mastercard, in order to improve the level of security of online transactions with credit and debit cards.

The protocols are applied through the activation of Verified by Visa and Mastercard Identity Check (recent evolution of Mastercard Securecode, 2020) on payment cards, which need 3D-secure authentication from the purchaser in order to complete online payments, minimising the risk of the card use by third parties.

Functions and evolution of the protocols

Thanks to the introduction of 3D Secure protocols, which dates back to the start of the 2000s¹, the Ecommerce ecosystem has witnessed an increase in the level of security of online payments and, as a direct result, consumer confidence has also gradually grown in a world that was still the prerogative of a few first movers.

The security services introduced the concept of authentication: to complete a 3DS payment, it was no longer enough to insert just the card details: typically, name and surname, PAN, expiry date and CVV; but it became necessary to type in a password that the purchaser had chosen during the service activation phase or a temporary code received via SMS or generated by a device provided by the bank.

Developments have been minimal over the years and mostly related to the authentication solutions with convergence towards SMS, thanks in particular to the constant increase in mobile phones use. However, in 2018 the European PSD2 regulation on payments introduced the concept of Strong Customer Authentication and important changes regarding 3DS protocols, with the objective of making online payments even more secure, also through a more structured 3D secure authentication process.

3DS2 protocol features

One improvement in consumer protection comes from the switch to 3DS2. The first version of the 3DS protocols had many limitations, starting with the fact that it used a pop-up screen with a different URL, effectively offering an opportunity (phishing) to those who wanted to perpetrate online fraud by simulating the authentication page. Moreover, the storage of a password for each card could complicate the user's experience if they owned several credit or debit cards. Adding to this was the fact that it was not mandatory to implement 3DS as a security measure, and this used to increase the risks for the consumer.

This all changed with the introduction of 3DS 2.1, which fulfils the requirement to implement strong customer authentication from 31 December 2020, when the extension granted by the European Banking Authority (EBA) expired. Properly managed, the new version of the security protocol guarantees a higher approval rate and a reduction in shopping cart abandonment by providing a frictionless experience for the buyer. Its adoption has also the advantage of shifting the responsibility for the transaction from the merchant to the issuer (liability shift) for all transactions routed through the protocol, so it is the company that issues the card (issuer) that has to answer for any fraud.

Ultimately, 3DS2 ensures compliance with SCA standards, reducing the number of frauds and improving the consumer experience on websites and apps.

With the new protocol, username and password are no longer sufficient from a security point of view, but you must authenticate yourself with at least two of the following types of elements:

Information that only the customer knows (KNOWLEDGE)
PIN
Password
Security questions

Something held only by the customer (POSSESSION)
Card
Telephone
Token
Wearable Device

Something that distinguishes the customer (INHERENCE)
Fingerprint
Facial recognition
Voice recognition or iris scan

The most significant change is the introduction of biometrics for the identification of the buyer, a technology now widely available on most smartphones sold and which has improved both the security of access to the device and that of many available actions, for example, purchases from app stores.

The introduction of the 3D Secure authentication has drastically reduced the risk of fraudulent use of cards by third parties, by adding an element known only by the card-holder. The new European regulation, with the second version of the protocols, which was implemented in 2021, further reduced the risks of fraud, making the protocols mandatory, whose management by merchants had actually been optional up until then.

Activation of 3D Secure systems for the merchant

Activation of the 3DS services of credit and debit cards circuits is the responsibility of the issuers; in fact, they activate the functionality on the cards of acquirers, while for the merchant, the reference contact is the acquirer that, before the advent of PSD2, could grant the merchant the deactivation of the protocols that enhance security but may reduce the conversion rate.

In fact, the merchant has always had the possibility to ask the acquirer to disable the protocols, therefore accepting payments from its customers without insertion of the 3D Secure authentication code, to the detriment of security but favoring a greater probability of the 3DS payment being successful, considering that without entering the authentication code, the customer has one step less to complete. The new 3DS2 protocols, instead, shift to the issuer (that issued the payment card) the decision whether or not to apply authentication with two or more factors on each transaction, therefore, the acquirer and the merchant become "passive" subjects in the application of 3D Secure authentication, an integral part of the customer journey during the 3DS payment phase.

The new protocols require, in particular, the insertion of more pieces of information in the payment requests connected with the transaction and the acquirer, which enable the issuer to conduct a more accurate analysis of fraud risk and, consequently, meaning a lower probability of authentication being requested for 3DS transactions entered effectively by the holder of the payment instrument.

Although there are exceptions and exemptions to the application of Strong Customer Authentication, the management of new 3DS2 protocols becomes essential for businesses that would not be compliant with the regulation and would see the payment requests rejected in the event of non-implementation.

How to manage the new security protocols

The 2.0 protocols offer the merchant the opportunity to add some more optional fields to provide a set of additional data to the issuer and help reduce the likelihood of SCA being applied to the 3D secure transactions. In order to do this, it may be necessary to review the customer journey, by adding fields for collecting data, and therefore, this may increase the complexity of integration.

A key element in leveraging PSD2 is the application of exceptions and exemptions to as many transactions as possible, while maintaining high security standards. Guaranteed payments and Advice are two of Fabrick's solutions that use these opportunities to guarantee an excellent fraud prevention service, reducing friction at the payment stage and guaranteeing the reimbursement of any unidentified fraud.