3DS vs 3DS 2.0: Exploring The Upgrades
10 min read Jun 2023

The 3D Secure standard, commonly recognised as Visa Secure, Mastercard Identity Check, or American Express SafeKey, is designed to minimise fraud and enhance the security of online payments.

3D Secure 2 (3DS2)introduces “frictionless authentication” significantly enhancing the overall purchase experience compared to 3D Secure 1. This version serves as the primary card authentication method to comply with Strong Customer Authentication (SCA) regulations in Europe and plays a crucial role for businesses seeking exemptions to SCA requirements.

What is 3DS?

3DS stands for 3 Domains Secure. In simpler terms, the 3D Secure (3DS) protocol facilitates authentication across three domains. The 3D Secure (3DS) protocol was initially developed in 1999. In 2001, Arcot System (which was later acquired by CA Technologies) implemented 3DS for Visa, originally known as Verified by Visa and subsequently renamed Visa Secure. Around the same time, MasterCard introduced its own version called Secure Code. The management and oversight of the 3DS standard are handled by EMVCo, a consortium composed of EuroPay, MasterCard, and Visa.

3DS protocol

A Brief Overview of 3DS 1.0

Despite the implementation of security measures like the Address Verification System (AVS) or CVC verification in certain markets, credit and debit card payments remain susceptible to fraud. This risk is why customers have the ability to dispute fraudulent transactions made with their cards.

To combat this issue, card networks introduced the first version of 3D Secure in 2001. If you frequently make online purchases, you may be familiar with the 3D Secure process: After entering your card details to confirm a payment, you are redirected to another page where your bank asks for a code or password to authorise the transaction. Most customers are familiar with the branded names of 3D Secure, such as Visa Secure, Mastercard Identity Check, or American Express SafeKey, as the authentication page is co-branded by the card network.

For businesses, 3D Secure offers a clear advantage by requesting additional information, you can incorporate an extra layer of fraud protection and ensure that you only accept card payments from genuine customers. Moreover, authenticating a payment with 3D Secure transfers the liability for chargebacks resulting from fraud from your business to your customer’s bank. This additional protection is often applied to significant purchases like airline tickets.

However, the use of 3D Secure 1 also presents some drawbacks: The additional step required to complete the payment adds complexity to the checkout process and may cause customers to abandon their purchases. Furthermore, certain banks still require their cardholders to create and remember their own static passwords for 3D Secure verification. These passwords are prone to being forgotten, leading to higher rates of cart abandonment.

How’s 3DS 2.0 different?

EMVCo, an organization comprising six major card networks, has introduced an upgraded version of 3D Secure known as 3D Secure 2 (also referred to as EMV 3-D Secure, 3D Secure 2.0, or 3DS2). The primary objective of this new version is to overcome the limitations of 3D Secure 1 by introducing a more seamless authentication process and enhancing the user experience.

3D Secure 2 enables businesses and their payment providers to transmit a wider range of data elements for each transaction to the cardholder’s bank. This includes specific payment details like the shipping address, as well as contextual data such as the customer’s device ID or previous transaction history.

The cardholder’s bank can utilise this information to evaluate the risk level associated with the transaction and choose an appropriate response:

  • If the available data is sufficient for the bank to establish trust in the genuine cardholder initiating the purchase, the transaction proceeds through a “frictionless” process, completing the authentication without requiring any additional input from the cardholder.
  • If the bank determines the need for additional verification, the transaction follows a “challenge” process, prompting the customer to provide supplementary input to authenticate the payment.

While a basic form of risk-based authentication was already supported in 3D Secure 1, the expanded data-sharing capabilities of 3D Secure 2 aim to increase the number of transactions that can be authenticated without necessitating further input from the customer.

3DS 2.0 Support Flow.

Even in cases where a transaction follows the seamless frictionless authentication flow, your business will still enjoy the same liability shift as it does for transactions that go through the additional verification challenge flow. This ensures that your business is protected from liability in cases of fraudulent transactions, providing you with peace of mind and added security.

Enhanced User Experience

Unlike its predecessor, 3D Secure 2 takes into account the prevalence of smartphones and offers a more streamlined authentication experience through mobile banking apps, commonly known as “out-of-band authentication.” Instead of relying on password entry or SMS verification, cardholders can simply use their fingerprint or even facial recognition within the banking app to authenticate a payment. We anticipate that numerous banks will embrace these seamless authentication methods supported by 3D Secure 2, further enhancing the user experience.

Another notable improvement in user experience is the integration of the challenge flow directly into web and mobile checkout processes without the need for full-page redirects. In the case where a customer undergoes authentication on your website or webpage, the 3D Secure prompt will now appear as a modal within the checkout page itself, known as the browser flow, by default. This advancement minimises disruption and provides a smoother and more integrated checkout experience for customers.

3DS 2.0 User Experience flow

For app developers, mobile SDKs specifically designed for 3D Secure 2 offer the capability to create an “in-app” authentication flow, eliminating the need for browser redirects entirely. This means that when integrating 3D Secure 2 into your app, you can seamlessly handle the authentication process within the app itself, providing a smoother and more integrated experience for your users. By leveraging these mobile SDKs, you can ensure a seamless and secure authentication process directly within your app environment.

3.0 mobile authentication flow

Improved 3DS 2.0 Mobile flow

Global trends: 3D Secure 2 and Strong Customer Authentication (SCA)

With the enforcement of Strong Customer Authentication (SCA), the significance of 3D Secure 2 becomes even more pronounced for businesses operating in Europe. This regulatory requirement mandates increased authentication for European payments. The improved user experience offered by 3D Secure 2 can help mitigate the potential negative impact on conversion rates.

Furthermore, the 3D Secure 2 protocol enables payment providers like Stripe to seek exemptions to SCA and bypass authentication for low-risk payments entirely. Transactions that necessitate SCA will undergo the “challenge” flow, whereas transactions eligible for SCA exemptions can proceed through the “frictionless” flow. However, it’s important to note that if a payment provider requests an exemption for SCA-required transactions and the transaction successfully passes through the “frictionless” flow, it will not benefit from the liability shift protection.

How does Juspay support 3D Secure 2?

Juspay supports the 3D Secure 2 browser flow on our payments APIs and SDKs, letting you dynamically apply 3D Secure to high-risk payments to protect your business from fraud. We will apply 3D Secure 2 when it’s supported by the cardholder’s bank and fall back on 3D Secure 1 when the new version isn’t supported yet.

If you’re building a mobile application, our iOS and Android SDKs let you build an in-app authentication flow to offer a “native” authentication experience and avoid redirecting your customers outside of your application.