3D Secure, or 3DS, is a security protocol for online payments that prevents the fraudulent use of credit cards in card-not-present (CNP) transactions. The protocol, developed in 1999, requires additional verification steps during the purchase process so customers can authenticate themselves, reducing the risk of fraud. The flow below presents the components of a payment process using 3DS:
- Merchant Plugin Interface (MPI) initiates the verification process by facilitating the secure exchange of information between the merchant, the scheme Directory Server, and the cardholder's issuing bank.
- Scheme Directory Server (DS) acts as a centralized database and facilitates the identification of the appropriate cardholder’s issuing bank and the corresponding authentication method to be used.
- Issuer Access Control Server (ACS) is responsible for verifying and validating the cardholder’s identity during a 3DS transaction. The Issuer ACS receives authentication requests and performs risk assessments and authentication checks based on the bank’s predefined rules and policies.
3D Secure 2, or 3DS2, published in 2016, is an updated version of the original 3DS protocol. It uses dynamic authentication methods such as biometrics and token-based authentication, whereas the original 3DS protocol relies on static passwords. 3DS2 aims to provide a better user experience with a more fluid flow for end users during authentication. EMVCo, an organization owned by the major card brands, developed and manages both protocols. All major card brands stopped supporting the first version of 3DS in October 2022. Therefore, integrating the 3DS2 verification step is essential to ensure your customers' experience and security. Yuno already provides an easy 3DS2 integration for your business.
As mentioned, 3DS2 was developed to enhance the user experience and adapt the 3DS protocol to the modern payment landscape.
3DS2 was designed with the rise of smartphones in mind and allowed banks to offer innovative authentication experiences through their mobile banking apps, such as biometric authentication using fingerprints or facial recognition. Therefore, merchants can offer several authentication methods that align with consumer preferences and technological advancements, resulting in a more convenient and secure authentication process.
Regarding integration, 3DS2 includes an SDK component that enables native integration into mobile apps. As a result, merchants can authenticate transactions within their own apps. Now, the challenge flow happens directly within the mobile checkout flows, eliminating the need for full-page redirects and providing a more seamless user experience.
3DS2 allows businesses to send ten times more data about each transaction to the cardholder's bank. This includes payment-specific data, such as the shipping address, and contextual data, such as the customer's device ID or previous transaction history. This allows the bank to assess the transaction's risk level and potentially authenticate the payment without additional input from the cardholder. As a result, a 3DS2 payment follows either a frictionless flow or a challenge flow to complete the payment.
In a frictionless flow, the customer's data is confirmed without any manual data entry. It happens when the system recognizes and verifies the customer's device, and the data is exchanged in the background. Because the customer is identified and validated with this information, the payment systems require no additional input from the customer.
The challenge flow happens when the stored information isn't enough to validate the customer. As the customer's identity is not confirmed, the system requires an additional step to validate the customer, using a one-time password or biometric verification. Depending on the validation system, the customer may be redirected to a card issuer’s page to enter the necessary information.
The use of 3DS2 results in a smoother and more frictionless user experience. The improved data flows and decision-making capabilities enabled by 3DS2 reduce the cart abandonment rate and improve the conversion rates.
Adding the 3DS2 verification step to the checkout process changes the normal workflow. Below is a flow chart of the complete checkout and the description of each step to better understand the process.
- The customer provides their card data to initiate the merchant checkout process.
- The merchant's system checks if it supports 3DS2.
- If the merchant does not support 3DS2, the checkout process proceeds with the regular payment workflow without using the 3DS2 verification.
- If the merchant supports 3DS2, Yuno sends the transaction information to the issuer's 3DS service provider to assess the transaction risk. This data includes cardholder and device information, subject to regional or market legal restrictions, such as device ID, MAC address, geo-location, previous transactions, and more.
- The issuer's 3DS service provider determines if it is a high-risk transaction and if a challenge is necessary for additional verification.
- The payment proceeds to the authorization step if no challenge is necessary (frictionless flow).
- If a challenge is required (challenge flow), it is presented to the cardholder to verify their identity. This verification can use biometrics and/or two-factor authentication, such as a one-time password or a fingerprint.
- The system checks if the cardholder successfully completed the challenge.
- The payment proceeds to the authorization step if the cardholder successfully verifies their identity.
- If the cardholder fails to verify their identity, the payment is canceled.
- The merchant checks with the card issuer if the transaction is authorized.
- If the transaction is authorized, the payment is processed successfully.
- If the transaction is not authorized, the payment is canceled or declined.
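The decision flow above, modelled as an added example (not Yuno's code): the merchant support check, the issuer-side risk assessment that selects the frictionless or challenge flow, the challenge verification, and the final authorization. The `IssuerAcs` rules, the one-time password and the authorization limit are constructed stand-ins; a real ACS applies the bank's own policies, which the merchant never sees.

```python
"""Toy model of the 3DS2 checkout decision flow (constructed illustration)."""
from dataclasses import dataclass
from enum import Enum
import hmac


class Outcome(Enum):
    PAID = "paid"                          # issuer authorized the payment
    DECLINED = "declined"                  # issuer refused authorization
    CHALLENGE_FAILED = "challenge_failed"  # cardholder failed the challenge


@dataclass
class Transaction:
    device_id: str
    shipping_address: str
    billing_address: str
    previous_transactions: int   # prior history with this card at the merchant
    amount: float


@dataclass
class IssuerAcs:
    """Constructed stand-in for the issuer's Access Control Server."""
    known_devices: set
    otp: str = "123456"            # constructed one-time password for the challenge
    authorized_limit: float = 500.0

    def challenge_required(self, txn: Transaction) -> bool:
        """Risk assessment: frictionless only when the enriched data checks out."""
        recognized = txn.device_id in self.known_devices
        consistent = txn.shipping_address == txn.billing_address
        return not (recognized and consistent and txn.previous_transactions > 0)

    def verify_challenge(self, response: str) -> bool:
        # Constant-time comparison so timing does not leak the expected OTP.
        return hmac.compare_digest(response, self.otp)

    def authorize(self, txn: Transaction) -> bool:
        return txn.amount <= self.authorized_limit


def checkout(txn, merchant_supports_3ds2, acs, challenge_response=None):
    """Run the flow and return (Outcome, list of steps taken) for auditing."""
    trail = []
    if not merchant_supports_3ds2:
        trail.append("no_3ds2")                 # regular workflow, no verification
    elif acs.challenge_required(txn):
        trail.append("challenge")
        if not acs.verify_challenge(challenge_response or ""):
            return Outcome.CHALLENGE_FAILED, trail   # payment canceled
        trail.append("challenge_ok")
    else:
        trail.append("frictionless")
    trail.append("authorization")
    return (Outcome.PAID if acs.authorize(txn) else Outcome.DECLINED), trail
```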
You decide whether your system implements 3DS2. The 3DS2 verification step is added while defining your card dynamic routing. When setting up your card routes, you can add the 3DS2 step before defining the payment provider. If the 3DS2 verification step is added, the Yuno system analyzes whether the card needs an extra challenge each time a card payment is initialized. If an extra challenge is necessary, the user is redirected to the bank environment to complete the authorization. Otherwise, the payment process proceeds normally.
Yuno provides different ways to add 3DS2 security to your payment flow. The currently available options are the Direct and the Checkout integrations.
The Direct workflow is only available for PCI-compliant merchants. It provides a straightforward way to create a payment and validate user information, requiring the merchant to perform just one request to create the payment. To successfully implement the Direct integration, follow the steps outlined in the integration guideline and provide the required information as instructed.
The Checkout workflow is part of the Checkout solution provided by Yuno.