What is 3D Secure 2?

3D Secure, or 3DS, is a security protocol for online payments designed to prevent the fraudulent use of credit cards in card-not-present (CNP) transactions. The protocol, developed in 1999, requires additional verification steps for customers during the purchase process to authenticate themselves and reduce the risk of fraud. The flow below presents a payment process using 3DS:

Where:

  • Merchant Plugin Interface (MPI) initiates the verification process by facilitating the secure exchange of information between the merchant, scheme Directory Server, and the cardholder’s issuing bank.
  • Scheme Directory Server (DS) acts as a centralized database and facilitates the identification of the appropriate cardholder’s issuing bank and the corresponding authentication method to be used.
  • Issuer Access Control Server (ACS) is responsible for verifying and validating the cardholder’s identity during a 3DS transaction. The Issuer ACS receives authentication requests and performs risk assessments and authentication checks based on the bank’s predefined rules and policies.

3D Secure 2, or 3DS2, published in 2016, is an updated version of the original 3DS protocol and uses dynamic authentication methods such as biometrics and token-based authentication, whereas the original 3DS protocol relies on static passwords. 3DS2 aims to provide a better user experience with a more fluid flow for end users during authentication. EMVCo, an organization owned by major card brands, developed and managed both protocols. All major card brands stopped supporting the first version of 3DS in October 2022. Therefore, integrating the 3DS2 verification step is essential to ensure your customers' experience and security. Yuno already provides an easy 3DS2 integration for your business.

Benefits of 3D Secure 2

As mentioned, 3DS2 was developed to enhance the user experience and adapt the 3DS protocol to the modern payment landscape.

Prepared for new technologies

3DS2 was designed with the rise of smartphones in mind and allowed banks to offer innovative authentication experiences through their mobile banking apps, such as biometric authentication using fingerprints or facial recognition. Therefore, merchants can offer several authentication methods that align with consumer preferences and technological advancements, resulting in a more convenient and secure authentication process.

Integration capabilities

Regarding integration, 3DS2 includes an SDK component that enables native integration into mobile apps. As a result, merchants can authenticate transactions within their own apps. Now, the challenge flow happens directly within the mobile checkout flows, eliminating the need for full-page redirects and providing a more seamless user experience.

Amount of data available for authentication

3DS2 allows businesses to exchange ten times more data on each transaction to the cardholder's bank. This includes payment-specific data, such as shipping address, and contextual data, such as the customer's device ID or previous transaction history. This allows the bank to assess the transaction's risk level and potentially authenticate the payment without additional input from the cardholder. Therefore, a payment using 3DS2 protocols can face a frictionless flow or a challenge flow to complete the payment.

Frictionless flow

In a frictionless flow, the customer's data is confirmed without any manual data entry. It happens when the system recognizes and verifies the customer’s device, and the data is exchanged in the background. As the customer is identified and validated with this information, no additional requests from the payment systems are necessary.

Challenge flow

The challenge flow happens when the stored information isn't enough to validate the customer. As the customer's identity is not confirmed, the system requires an additional step to validate the customer, using a one-time password or biometric verification. Depending on the validation system, the customer may be redirected to a card issuer’s page to enter the necessary information.

The use of 3DS2 results in a smoother and more frictionless user experience. The improved data flows and decision-making capabilities enabled by 3DS2 reduce the cart abandonment rate and improve the conversion rates.

3D Secure 2 Payment

Adding the 3DS2 verification step to the checkout process changes the normal workflow. Below is a flow chart of the complete checkout and a description of each step to help you better understand the process.

  1. The customer provides their card data to initiate the merchant checkout process.
  2. The merchant's system checks if it supports 3DS2.
  3. If the merchant does not support 3DS2, the checkout process proceeds with the regular payment workflow without using the 3DS2 verification.
  4. If the merchant supports 3DS2, Yuno sends the transaction information to the issuer's 3DS service provider to assess the transaction risk. This data includes cardholder and device information upon regional or market law restrictions, such as device ID, MAC address, geo-location, previous transactions, and more.
  5. The issuer's 3DS service provider determines if the transaction is high-risk and if a challenge is necessary for additional verification.
  6. The payment proceeds to the authorization step if no challenge is necessary (frictionless flow).
  7. If a challenge is required (challenge flow), it is presented to the cardholder to verify their identity. This verification can use biometrics and/or two-factor authentication, such as a one-time password or a fingerprint.
  8. The system checks if the cardholder successfully completed the challenge.
  9. The payment proceeds to the authorization step if the cardholder successfully verifies their identity.
  10. If the cardholder fails to verify their identity, the payment is cancelled.
  11. The merchant checks with the card issuer if the transaction is authorized.
  12. If the transaction is authorized, the payment is processed successfully.
  13. If the transaction is not authorized, the payment is cancelled or declined.

Configuring 3D Secure for your payments

You decide if your system will implement the 3DS2 or not. The 3DS2 verification step is added while defining your cards dynamic routing. When starting your card routes, you can add the 3DS2 step before defining the payment provider. When adding the 3DS2 verification step, when a payment using a card is initialized, the Yuno system will analyze if the card needs an extra challenge. If an extra challenge is necessary, the user will be redirected to the bank environment to complete the authorization. On the other hand, the payment process will proceed normally.

Yuno 3D Secure 2 integration

There are different ways of integrating 3DS in Yuno, depending on your needs.

In general terms, a 3DS integration requires a setup_id/device_fingerprint for the payment session as the first step for security analysis, and that id can only be obtained by executing a SDK/JS powered by a 3DS authorized provider. While using our SDKs we take care of all the logic for you, so you don't have to worry about different provider needs.

Therefore, depending on your Yuno integration, you have three different options:

  1. Checkout integration: The Checkout workflow is part of the Checkout solution provided by Yuno. Use our SDKs so we can handle all the logic regarding external provider requirements and executions for 3DS. If you want to define specific cases for 3DS analysis, you can define that in the CARD route of your Yuno dashboard.
  2. Direct integration: Use our JS only to get the three_d_secure_setup_id and then handle the payment as an only API integration. The Direct workflow is only available for PCI-compliant merchants. It provides a straightforward way to create a payment and validate user information, requiring the merchant to perform just one request to create the payment. To successfully implement the Direct integration, follow the steps outlined in the integration guideline and provide the required information as instructed.
  3. External integration: Use your own 3DS and then send the corresponding authorization fields in the payment creation (card_data - eci, cryptogram, etc). Only available for PCI-compliant merchants.

Using 3DS for Specific Scenarios

When configuring the CARD route in the Yuno dashboard, you can specify for which situations 3DS should be executed using the available conditions. As mentioned previously, some preliminary steps will be necessary to execute 3DS depending on the integration method used.