What is 3D Secure authentication?

Key takeaways:

• 3D Secure authentication reduces the risk of unauthorised purchases, helping protect both merchants and customers from fraudulent transactions.

• The latest version of 3D Secure (3DS2) authentication is more secure and offers a better user experience than its predecessor (3DS1).

• Risk rules can be used to optimise 3D Secure authentication, triggering more stringent authentication for transactions deemed higher-risk.

Online fraud is a significant concern for merchants and consumers alike.

With 66 percent of executives reporting an increase in fraudulent payment activity in the past few years, more businesses are implementing additional security measures like 3D Secure authentication (also known as 3DS or 3D Secure) to safeguard online transactions and build customer trust.

What is 3D Secure authentication?

3D Secure is a security protocol that requires card holders to authenticate their identities before an online transaction is approved and processed. This involves a three-domain authentication process, where the card issuer, the merchant's bank, and the payment platform work together to verify it’s the real customer attempting the transaction and not a bad actor.

As of today, there have been two versions of 3D Secure authentication released: 3DS1 and 3DS2.

Understanding the differences between 3DS1 and 3DS2

Although similar since they’re versions of the same protocol, there are key differences between 3DS1 and 3DS2.

What is 3DS1?

The original 3D Secure protocol, 3DS1, was introduced in the late 1990s by Visa and Mastercard. It required cardholders to authenticate transactions using a static password or OTP sent via SMS or email.

While 3DS1 added an extra layer of security, it often resulted in a cumbersome checkout process as customers had to switch between devices or wait to receive OTPs. Most major players retired this version of 3DS in 2022, upgrading to 3DS2.

What is 3DS2?

Released in the late 2010s, 3D Secure 2.0 (3DS2) is an updated version of 3DS1. Enhanced data sharing enables more accurate risk assessments, leading to fewer authentication steps. This streamlined process has been optimised for smart devices, improving user experience across both mobile and desktop devices.

3DS2 supports a broader range of authentication methods, including biometrics. This allows for both a more secure and frictionless checkout process, as customers may not need to enter a password or OTP.

Why is 3D Secure authentication important?

With fraud tactics becoming more advanced, adding another security layer to eCommerce payment processing is vital. To protect online payments and build cardholder trust, implementing 3D Secure authentication is an important step since it significantly reduces the risk and success of fraudulent transactions. If someone attempts to complete a transaction with stolen card details, they still have to clear an additional authentication step, such as a facial recognition screening, which is much harder to bypass.

By decreasing the risk of successful fraudulent transactions and offsetting chargebacks, 3D Secure increases trust in online shopping and payment processing providers, benefiting both merchants and customers.

How does 3D Secure authentication work?

The process for how 3DS works is fairly straightforward and only takes a few minutes to complete.

1. When a customer makes an online purchase, they input their card details into the payment gateway.

2. The merchant's payment gateway then sends a request to the card issuer's 3D Secure server.

3. To verify the customer's identity, the card issuer may redirect them to their bank's website or application for additional authentication, which could include biometric verification, input of a single-use password (OTP), or acceptance of a push notification from the app on a mobile device.

4. Once authenticated, the card issuer authorises the transaction, and the payment processor completes the purchase.

In some cases, the cardholder may be sent an OTP via email or SMS to the contact details on file, which they'll then need to type into the secure portal. 

If the customer is unable to complete the process or the authentication action fails, the transaction will be declined. The failed transaction may be flagged for further investigation in certain instances, like if the authentication was attempted and failed more than once or if it was a transaction that didn’t match the typical buying habits of the cardholder.

Benefits of 3D Secure authentication

Along with the primary benefit of improved security during the checkout process to protect card holders from fraud, 3D Secure offers advantages like:

• Enhances customer trust: The added security measures can increase customer trust in the payment process, leading to a better overall shopping experience.

• Transfers responsibility: 3D Secure transfers the liability for fraudulent transactions to the card issuer from the merchant. This means that if a transaction is approved using 3D Secure and later turns out to be fraudulent, the card issuer is responsible for the loss, not the merchant.

• Reduces frequency of chargebacks: Since the extra layer of authentication minimises the success of fraudulent transactions, there’s a decreased change for customers to dispute credit or debit card charges due to bad actors.

• Accelerates dispute resolution: If a transaction is disputed, 3DS can simplify the dispute resolution process and reduce the time and resources needed to handle chargebacks.

• Simplifies compliance: Implementing 3D Secure helps merchants comply with regulatory requirements, such as the Payment Services Directive 2 (PSD2) in Europe, which mandates strong customer authentication (SCA) for online payments.

Disadvantages of 3D Secure authentication 

While 3D Secure offers many benefits, it’s important to consider possible drawbacks like:

• Delayed prompts: Some authentication methods, like texting or emailing an OTP, may be subject to delays. If such issues are encountered, there’s a higher chance of cart abandonment.

• False declines: In some cases, legitimate transactions may be declined due to errors in the authentication process, leading to lost sales.

• Implementation complexity: Integrating 3D Secure into existing payment systems and setting risk rules can be technically challenging, particularly for smaller merchants if they don’t have the proper skills in-house.

• Ongoing maintenance: As updates to 3DS are released, merchants need to keep up with any new standards and security requirements.

How to optimise 3D Secure authentication

One way of creating a balance between a user-friendly checkout and a secure authentication method is to assess the risk level of each transaction. 

Artificial intelligence (AI) and machine learning (ML) technology can perform risk analysis in real-time. However, to automate the decision-making process, risk rules must be created.

Risk rules determine when to trigger additional authentication when implementing 3D Secure and other online payment security measures. The most stringent checks can be restricted to high-risk transactions, making the checkout process easier for customers making low-risk transactions.

Risk rules may consider the impact of the following factors:

• Transaction amount

• Transaction frequency

• Geographic location

• Unusual user behaviour

• Historic pattern recognition

When outlined properly, risk rules can reduce the chance of potential 3DS drawbacks, like a false decline. Payment service providers (PSPs) play a crucial role in helping businesses optimise their risk rules for checkout success, while complying with regulations relating to payment security and customer protection.

Managing risk and maximising payment acceptance rates with Airwallex

Airwallex is a global payment provider that can help you effectively manage your risk strategy and maximise your payment acceptance rates. We offer state-of-the-art payment security technology, including 3DS2.

Airwallex’s 3DS engine automatically picks the best strategy based on transaction risk, applicable regulatory exemptions, and policies. Frictionless checkouts are offered to shoppers considered low-risk by the card issuer, and additional authentication is requested for higher-risk transactions. This maintains an optimal balance between checkout flow and security requirements.

The Airwallex risk engine leverages our own models in combination with external data sources to discern fraudulent transactions from legitimate ones. Merchants can customise their risk appetite to determine when 3D Secure should be leveraged, or if a transaction should be rejected.