3D Secure 2: Five benefits of cardholder authentication

Mark Dobinson - Senior Product Manager

July 30, 2019

With the Strong Customer Authentication (SCA) requirement of PSD2 quickly approaching, it's easy to see why the world of payments is focused on authentication to meet the new regulations. SCA requires that businesses use two independent authentication elements to verify payments, while PSD2 is the Second EU Payment Services Directive, which regulates payment services and payment service providers throughout the European Union (EU).

It's worthwhile, however, to take a step back and discuss the value of authentication even where it isn't mandated. As a reminder, 3-D Secure (3DS) is the primary mechanism for authenticating cardholders globally. Merchants, though, can view it as adding friction to the shopper checkout experience.

To address this pain point, EMVCo and the major credit card schemes introduced the next generation of 3-D Secure, 3DS2. This enables one frictionless flow and a range of shopper-friendly authentication flows where an authentication challenge is required.

Here we'll discuss five benefits of authentication with 3DS2.

1 - More data for better risk assessments

3DS2 lets the merchant send more data to issuers with each transaction. Issuers can use this data to make more informed assessments of transactions and determine whether the shopper is the legitimate cardholder.

If an issuer is confident that the transaction presents a low risk, they can authenticate it without any further input from the shopper. This is commonly referred to as a frictionless flow, because the shopper journey is seamless.

For higher risk transactions, issuers will choose a shopper-friendly way to authenticate the cardholder (e.g. biometrics), commonly referred to as a challenge flow.

The good news is that merchants already submit most of the data required to authenticate cardholders. In the background, Worldpay from FIS and other parties can now supplement this data to include:

More data and better risk decisions result in less fraud.

2 - Optimized shopper challenges

If an issuer deems a transaction to be high-risk, shoppers are presented with a challenge to prove they are the legitimate cardholder.

With 3DS1, shoppers had to input characters from a static password. Since passwords are often forgotten, this scenario often led to cart abandonment.

With 3DS2, static passwords are replaced with modern, shopper-friendly challenges. These challenges are designed for cardholders to breeze through the challenge experience with minimal friction. Typically, shoppers will be presented with one of the following challenges:

· Enhanced one-time password (OTP)

With this challenge, issuers use the cardholder's registered mobile device to send an OTP. The shopper receives the text message and enters the password to continue with their purchase. Many devices can automatically read these text messages and populate the password field, which further minimizes friction.

Note that for PSD2 payments, the European Banking Authority (EBA) recently announced that they will no longer recognize card details as a valid, independent "possession" factor for SCA. (EBA is a regulatory agency of the European Union.)

This will have a direct impact on enhanced OTPs, which issuers were planning to use widely as an SCA-compliant challenge method through 3DS1. That will no longer be possible with SMS OTP as it is currently designed. Issuers will have to update how OTP works on their systems, which may have further impacts on implementation timeframes.

The change to OTP should not directly affect merchants' PSP integrations or SCA readiness; this is for issuers to manage. However, for transactions outside of the PSD2 mandate, shoppers will still be able to leverage the simplified experience described above.

· Biometrics

3DS2 was created with shopper-friendly challenges in mind, leveraging technology that is now prevalent with online shoppers. Biometric challenges use smartphone capabilities, such as fingerprint or facial ID readers, to authenticate shoppers.

It's important to note that some schemes are mandating that issuers have the capability to support a biometric challenge by 2020. This means that biometrics could become one of the most prevalent and seamless authentication methods.

· Out of Band authentication (OOBA)

OOBA lets shoppers use their online banking app to seamlessly authenticate their transactions. Shoppers are directed to their mobile banking apps and log in as they already do, to authenticate transactions.

Through the increasing use of biometrics to log in to mobile banking apps, shoppers experience lower friction than what is seen with 3DS1 challenges today.

3 - Liability shift

3DS is a cardholder authentication protocol backed by the major credit card schemes. It helps card issuers confirm the identity of their cardholder when they make an online purchase.

If the shopper's card is enrolled in a 3DS program and the issuer has confirmed their identity, the liability for fraud-related chargebacks on that transaction shifts from the merchant to the card issuer.

For 3DS2, the rules of liability have changed slightly, providing even greater benefits for merchants. If a merchant tries to authenticate a transaction, and the issuer does not take part in either 3DS1 or 3DS2 programs, then the liability still shifts to the issuer.

Note that this increased protection is subject to regional scheme mandates and is not available in every region. Contact your Worldpay account team to find out more. For more information on liability shift, visit:

4 - Integrated with the shopping experience

3DS2 has been designed to work regardless of how a shopper is interacting with a merchant's website.

· For browser-based flows, the challenge is embedded into checkout pages through an optimized iFrame

· For mobile transactions, Worldpay can provide iOS and Android SDKs that allow challenges to be embedded into checkout flow and automatically rendered for the device in use

Optimizing the 3DS experience and embedding it as part of the shopper journey reduces friction, leading to increased sales uplifts and increased fraud protection.

5 - Increased acceptance

Authentication allows merchants to reduce the acceptance gap between point of sale (POS) and online/card not present (CNP) transactions. As issuers know more about authenticated transactions, using 3DS2 could help increase acceptance rates compared with non-authenticated transactions.

How Worldpay can help

Worldpay has released 3DS Flex, a new authentication platform that lets merchants leverage these five benefits. 3DS Flex offers a market-leading global 3DS solution, with a flexible approach.

Merchants can optimize their risk appetite and shopper experience, driving sales uplift while reducing fraud. With this platform, we're making it easy for merchants to navigate the complex regulations of PSD2 and other scheme and regional mandates.

Get in touch with your Worldpay account team to find out more about 3DS Flex and our complementary PSD2 solutions.
