3-D Secure 2.0: What you need to know

3-D Secure (3DS) is an authentication standard that enables real-time cardholder authentication between merchants and issuers, providing an additional layer of security before authorization. With the arrival of the global pandemic, most businesses have been forced to implement an online solution, making it imperative for merchants to take measures that combat ecommerce fraud. 3DS is a tool that does just that: it can help lower chargeback rates and reduce the costs that come with fighting, investigating and resolving chargebacks. In 2019, the global average acceptance rate of 3DS transactions was 70%; it rose to 87% in 2020 as 3DS 2.0 started to gain adoption. Going forward, the goal of 3DS 2.0 is to get this acceptance rate as close to 100% as possible.

However, merchants have been reluctant in the past to implement 3DS because of the friction customers experienced at checkout. 3DS 1.0 has long been associated with a bad user experience because it typically involved a redirect to the issuer’s webpage to authenticate the cardholder. As a result, the customer was required to enter a static password they had registered in the past with their issuing bank. This presents two issues in the payment process. First, if the cardholder has not registered a password with their issuing bank, they may be instructed to do so during the checkout process. From a merchant perspective, this is an unnecessary and unwanted step. Second, many of us simply forget our passwords. Merchants then run the risk of their customers abandoning the transaction entirely because they could not remember their password.

3DS 2.0, on the other hand, is an updated and enhanced protocol that promotes increased data exchange between the merchant and the issuer. The merchant sends additional transaction and device data not available in the 3DS 1.0 protocol, allowing the issuer to perform risk-based authentication. The additional data also allows the issuer to determine whether a challenge or further authentication is required. If no challenge is required, the issuer will authenticate the transaction in a frictionless manner. The importance of frictionless authentication cannot be overstated, as it improves the customer experience. If the transaction appears to be high-risk, the issuer will request step-up authentication; this happens for only a small portion of transactions, approximately 5 to 10%.

Another improvement in the authentication process with 3DS 2.0 is the smart authentication methods implemented. Some of the options used with 3DS 2.0 are methods such as one-time passwords via SMS or email as well as biometrics, which are all security features the customer does not have to remember. This in turn reduces the probability of cart abandonment. It is also worth noting that cardholder registration is not required for a customer to participate in the 3DS 2.0 program. They are automatically enrolled by their issuing bank.

In summary, benefits of the 3DS 2.0 vs 3DS 1.0 program include:

  • Greater customer experience
    • Delivers a streamlined authentication process resulting in lower customer abandonment rates on merchant checkout pages
  • More data points
    • Exchanges more data between merchant and issuers in a collaborative way
  • Smart Authentication Methods
    • Eliminates static passwords in favor of intelligent friction methods such as one-time passwords and biometrics
  • Increased authentication ratio
    • 3DS 2.0 authenticated transactions have a higher chance of being authenticated than 3DS 1.0 transactions

3DS 2.0 Implementation Recommendations

It really is all about the data. The goal is to ensure a frictionless experience for your customers through seamless authentication. To accomplish this, merchants need to share more high-quality data, especially device data, with issuing banks so they can make an informed assessment of risk.

The Moneris 3DS 2.0 API supports the data elements below, and we encourage you to pass in as many as possible:

  • Card Number/Data Key (supports tokenization)
  • Cardholder Name
  • Shipping Address
  • Billing Address
  • Email Address

To pass the device data, you will need to implement a card lookup request. This request verifies the applicability of 3DS 2.0 on the card and returns the 3DS Method URL that is used for device fingerprinting. The 3DS Method URL and 3DS Method Data are returned to the merchant server on the card lookup response. The 3DS Method Data can be transmitted to the 3DS Method URL via a browser post in order to supplement the authentication request with device data pertaining to the cardholder’s browser. The 3DS Method Data must be sent via HTTP POST to the 3DS Method URL in a hidden iFrame. Data points such as device type, browser type, browser language and time zone are incredibly useful in fraud prevention, which is why we recommend you send the 3DS Method Data.
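The hidden-iFrame POST described above can be rendered server-side as follows. This is an added example, not Moneris code: the function and constant names are hypothetical, the form field name `threeDSMethodData` follows the EMV 3-D Secure specification, and the base64-alphabet check on the 3DS Method Data is an assumption about its encoding. Because both values arrive in a network response, the sketch validates the URL scheme and escapes everything written into markup.

```javascript
// Added example: names are illustrative, not Moneris API identifiers.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Build markup that posts the 3DS Method Data to the 3DS Method URL inside
// a hidden iframe. Both inputs come from the card lookup response.
function renderThreeDSMethodFrame(methodUrl, methodData) {
  let url;
  try {
    url = new URL(methodUrl);
  } catch (err) {
    throw new Error("3DS Method URL is not a valid absolute URL");
  }
  if (url.protocol !== "https:") {
    throw new Error("3DS Method URL must use https");
  }
  // Assumption: the data is base64 or base64url text; reject anything else.
  if (typeof methodData !== "string" || !/^[A-Za-z0-9+\/_=-]+$/.test(methodData)) {
    throw new Error("3DS Method Data contains unexpected characters");
  }
  return [
    '<iframe name="threeds-method-frame" style="display:none" title="3DS Method"></iframe>',
    `<form id="threeds-method-form" method="POST" action="${escapeAttr(url.href)}" target="threeds-method-frame">`,
    `  <input type="hidden" name="threeDSMethodData" value="${escapeAttr(methodData)}">`,
    "</form>",
    "<script>document.getElementById('threeds-method-form').submit();</script>",
  ].join("\n");
}

// Constructed sample values, not taken from any real card lookup response.
const SAMPLE_METHOD_URL = "https://acs.example/3ds-method";
const SAMPLE_METHOD_DATA = "Q09OU1RSVUNURUQtU0FNUExF";
const SAMPLE_MARKUP = renderThreeDSMethodFrame(SAMPLE_METHOD_URL, SAMPLE_METHOD_DATA);
```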

3DS 2.0 Authorization Changes

When the issuer authenticates a transaction, they send back an authentication value that the merchant must insert in the authorization request. This authentication value is proof that the transaction has been authenticated by the issuing bank. With 3DS 2.0, two new fields that were not mandatory with 3DS 1.0 must be sent in the authorization request: the DS Protocol ID, which is the 3DS version number, and the 3DS Transaction ID that is returned in the authentication response.

Moneris Checkout

Our hosted payment solution that allows merchants to process online payments on their website now supports 3DS 2.0. From a development perspective all that is required is an integration to our Moneris Checkout (MCO) solution and quick configuration in the Merchant Resource Center (MRC). A sales order is required to enable 3DS on your merchant account. 3DS integrates into MCO by routing transaction requests to the card brands for a 3DS authentication request. Only transactions that are authenticated will be sent for authorization. If the issuing bank is not authenticating the transaction, the transaction is not eligible for fraud-related chargeback protection and sending for authorization would not be a good idea. Merchants who were using 3DS 1.0 via MCO will automatically have their transactions sent to 3DS 2.0. Please note that there are new fields in the Moneris Checkout response for 3DS 2.0, which you may choose to consume. Moneris will also control this transition from 3DS 1.0 to 3DS 2.0 within MCO.

Key Dates

Moneris is committed to supporting the transition to 3DS 2.0, and this protocol is currently supported by both the Moneris Unified API and MCO. We strongly encourage you to upgrade to 3DS 2.0 based on the timelines provided by card brands below:

  • Visa
    • Fraud Liability Protection (Effective October 17, 2021): Visa will end fraud liability protection for merchants processing transactions (fully authenticated or attempted) using the 3DS 1.0 specification.
  • Mastercard
    • SHA1 Server Certificates (Effective February 1, 2021): SHA1 server certificates for 3DS 1.0 transactions will no longer be accepted. All transactions using SHA1 server certificates by this date will result in an error.
    • Merchant ID Enrollments (Effective April 30, 2021): 3DS 1.0 Merchant ID enrollments will no longer be allowed.
    • Attempts Transactions (Effective October 1, 2021): The Mastercard 3DS 1.0 network will no longer support attempts transactions. Issuers that still want to support attempts must generate from their own access control server (ACS) solution. Fully authenticated transactions will continue to be supported.
    • 3DS 1.0 Retirement (Effective October 14, 2022): 3DS 1.0 transactions will no longer be supported on the Mastercard network. Any transactions submitted will receive an error response.
  • American Express
    • Authentication Requests (Effective October 14, 2022): Authentication requests for SafeKey 1.0 will not be supported by American Express.

Did you know?

  • 3DS authenticated transactions qualify for Mastercard interchange programs that on average save merchants 30 basis points on interchange
  • Special characters (e.g. öüäéèê) in cardholder names are not accepted in 3DS authentication attempts
  • If the verification value received in the authentication does not match the verification value sent in the authorization, there is a good chance the transaction will be downgraded
  • You should check the CAVV Results Code in the 3DS response to ensure your 3DS purchase/preauthorization was not downgraded (https://developer.moneris.com/en/More/Testing/CAVV%20Result%20Codes)
  • It is recommended that if you receive a Transaction Status Response of “N” or “R” that you do not proceed with the authorization
  • 3DS test cases and cards can be found here (https://developer.moneris.com/More/Testing/Testing%203D%20Solutions)
  • There is no silver bullet to preventing fraud so we recommend a layered approach by utilizing 3DS 2.0 and Kount tools in your checkout flow
  • If you already have 3DS 1.0 and would like to transition to 3DS 2.0, you are already enabled from a sales perspective and your pricing will remain the same. Simply visit our Developer Portal and integrate 3DS 2.0 using our Unified API. Moneris will take care of the transition with merchants who have integrated to our MCO solution.
  • All Visa and Mastercard issuers globally have currently been mandated to support 3DS 2.0
  • Moneris will be supporting 3DS 2.0 with in-app, MO/TO and recurring transactions in the future
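
The rules from "3DS 2.0 Authorization Changes" and the Transaction Status tip above can be enforced in one gate before any authorization is sent. This is an added example, not Moneris code: the field names (`transStatus`, `cavv`, `protocolVersion`, `threeDSTransId`) are hypothetical stand-ins for the Transaction Status Response, the authentication value, the DS Protocol ID and the 3DS Transaction ID. It goes one step beyond the page by treating status "C" (challenge required in EMV 3-D Secure) as not yet final.

```javascript
// Added example; field names are illustrative, not Moneris API identifiers.
const STOP_STATUSES = new Set(["N", "R"]);

// Decide what to do with an authentication response before authorizing.
function decideAuthorization(authResponse) {
  const { transStatus, cavv, protocolVersion, threeDSTransId } = authResponse;
  if (STOP_STATUSES.has(transStatus)) {
    return { action: "stop", reason: `transaction status ${transStatus}` };
  }
  if (transStatus === "C") {
    // The result is not final until the cardholder completes the challenge.
    return { action: "challenge", reason: "issuer requested a challenge" };
  }
  // All three values must accompany a 3DS 2.0 authorization request.
  const required = { cavv, protocolVersion, threeDSTransId };
  const missing = Object.keys(required).filter(
    (key) => typeof required[key] !== "string" || required[key] === ""
  );
  if (missing.length > 0) {
    return { action: "stop", reason: `missing 3DS fields: ${missing.join(", ")}` };
  }
  // Pass the values through untouched: a verification value that differs
  // from the one received risks a downgraded transaction.
  return { action: "authorize", threeDS: { cavv, protocolVersion, threeDSTransId } };
}

// Constructed sample response, not real issuer output.
const SAMPLE_AUTH_RESPONSE = {
  transStatus: "Y",
  cavv: "Q09OU1RSVUNURURfQ0FWVl8wMDAx",
  protocolVersion: "2.1.0",
  threeDSTransId: "00000000-0000-4000-8000-000000000001",
};
const SAMPLE_DECISION = decideAuthorization(SAMPLE_AUTH_RESPONSE);
```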

Conclusion

Global ecommerce is on the rise but so are false declines, lower authorization rates and digital fraud. Some staggering statistics to share with you in parting:

  • $261 billion growth in declines [2]
  • Authorization rates are 80% for online transactions compared to 98% for in-store transactions [3]
  • 1 in 15 customers who are declined due to suspected fraud are actually legitimate with 58% either reducing or ceasing doing business with the merchant in question [4]
  • CNP fraud will cost global retailers $97 billion between 2020-2023 [5]

  • [2] Visa Secure with EMV 3-D Secure® Know your customers everywhere. Protect them anywhere. Merchant 101 deck – March 2020
  • [3] Visa Secure with EMV 3-D Secure® Know your customers everywhere. Protect them anywhere. Merchant 101 deck – March 2020
  • [4] Visa Secure with EMV 3-D Secure® Know your customers everywhere. Protect them anywhere. Merchant 101 deck – March 2020
  • [5] Visa Secure with EMV 3-D Secure® Know your customers everywhere. Protect them anywhere. Merchant 101 deck – March 2020

The 3DS 2.0 solution was designed to decrease fraud rates, increase authorization rates and streamline the customer experience. If any of these benefits sound appealing, then implementing 3DS 2.0 into your online store’s checkout is a no-brainer.

To order 3DS 2.0 please call our sales team at 1-888-782-3965.

If you’re just starting your 3DS 2.0 integration and need assistance, please contact our Client Integrations team at clientintegrations@moneris.com and a Client Consultant will be assigned to your integration project.