What is 3D Secure
3D Secure (3DS) is a security protocol designed to prevent fraudulent use of credit cards in card-not-present (CNP) transactions. Introduced in 1999, it adds an extra verification step during online purchases to authenticate customers and reduce fraud risk. The flow below presents a payment process using 3DS:
Key components of 3DS
- Merchant Plugin Interface (MPI): Initiates the verification process and securely exchanges information between the merchant, scheme directory server, and issuing bank.
- Scheme Directory Server (DS): Acts as a centralized database that identifies the issuing bank and determines the authentication method.
- Issuer Access Control Server (ACS): Verifies the cardholder’s identity during a 3DS transaction. The ACS evaluates authentication requests and performs risk assessments based on the bank’s policies.
3D Secure 2 (3DS2)
Released in 2016, 3D Secure 2 (3DS2) enhances security while improving the user experience. Unlike the original 3DS, which relied on static passwords, 3DS2 introduces biometric authentication and token-based verification for a smoother, more secure process.
Key improvements of 3DS2
- Supports authentication via biometrics, one-time passwords, and risk-based authentication.
- Reduces transaction friction with a seamless flow for trusted customers.
- Enhances fraud detection through detailed data sharing between merchants and banks.
Benefits of 3D Secure 2
3DS2 enhances security while improving the user experience, adapting the original protocol to modern payment technologies.
Optimized for new technologies
Designed for the rise of smartphones, 3DS2 enables banks to offer biometric authentication, such as fingerprint or facial recognition, through mobile banking apps. This flexibility allows merchants to provide authentication methods that align with user preferences, creating a more convenient and secure checkout experience.
Integration capabilities
3DS2 includes an SDK component that enables native mobile app integration, allowing merchants to authenticate transactions directly within their apps. This eliminates full-page redirects, ensuring a smooth and uninterrupted checkout process.
Enhanced data for authentication
3DS2 enables businesses to share ten times more transaction data with the cardholder’s bank. This includes payment-specific details (e.g., shipping address) and contextual data (e.g., device ID, transaction history). With more data, banks can assess risk more accurately and often authenticate payments without additional input from the customer.
Authentication flows in 3DS2
Frictionless flow
In a frictionless flow, the system verifies the customer’s identity automatically, using background data exchange. Since the system already recognizes the user’s device and information, no additional action is needed.
Challenge flow
If the available data isn’t enough to verify the customer, the system triggers a challenge flow. This requires an additional authentication step, such as a one-time password or biometric verification. The customer may also be redirected to their card issuer’s page for further validation.
Better user experience and conversion rates
By reducing friction in the authentication process, 3DS2 improves the checkout experience, lowers cart abandonment rates, and increases conversion rates, making online payments both more secure and user-friendly.
3DS Standalone
3DS Standalone allows you to decouple 3DS authentication from payment authorization, enabling you to run 3DS as an independent step. This is particularly useful for merchants who use internal fraud or risk engines to evaluate 3DS results before deciding whether to proceed with authorization. When using 3DS Standalone, you only perform the authentication step with Yuno. You then receive the authentication data (such as ECI and CAVV) via webhook, which you can use to authorize the payment through Yuno or another processor.
Triggering 3DS Standalone
To trigger a standalone authentication, you must include the metadata field 3DS_ONLY with the value 1 in your payment request:
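The merchant-side check that the 3DS Standalone section describes, evaluating the ECI, CAVV and transaction status received via webhook before deciding whether to authorize, could look like the following. This is an added example, not Yuno's code; the webhook field names (scheme, transStatus, eci, cavv) and the sample payloads are assumptions, while the ECI and transStatus values are the standard EMV 3DS and card-scheme ones.

```python
"""Evaluate a 3DS Standalone authentication result before authorization.

Added example, not Yuno's code. Field names (scheme, transStatus, eci, cavv)
are assumed; ECI and transStatus values follow EMV 3DS and scheme conventions.
"""
from dataclasses import dataclass

# Standard ECI values meaning "cardholder fully authenticated", per scheme.
FULLY_AUTHENTICATED_ECI = {"visa": "05", "mastercard": "02"}
# ECI values meaning "authentication attempted" (issuer/ACS not available).
ATTEMPTED_ECI = {"visa": "06", "mastercard": "01"}


@dataclass
class Decision:
    proceed: bool
    reason: str


def evaluate_3ds_result(result: dict, allow_attempted: bool = False) -> Decision:
    """Return whether the payment should be sent to authorization.

    Only transStatus "Y" (or "A" when allow_attempted is set) with an ECI that
    agrees with it and a CAVV present is treated as a green light; anything
    else (N, U, C, R, missing data) is left to the risk engine to decline.
    """
    scheme = str(result.get("scheme", "")).lower()
    status = result.get("transStatus")
    eci = result.get("eci")
    cavv = result.get("cavv")

    if status == "Y":
        expected_eci = FULLY_AUTHENTICATED_ECI.get(scheme)
    elif status == "A" and allow_attempted:
        expected_eci = ATTEMPTED_ECI.get(scheme)
    else:
        return Decision(False, f"transStatus={status!r} is not authenticated")

    if expected_eci is None:
        return Decision(False, f"unknown scheme {scheme!r}")
    if eci != expected_eci:
        # ECI disagreeing with transStatus is a data-integrity red flag.
        return Decision(False, f"ECI {eci!r} does not match transStatus {status}")
    if not cavv:
        return Decision(False, "CAVV missing; authorization would carry no proof")
    return Decision(True, f"authenticated (transStatus {status}, ECI {eci})")


# Constructed sample payload, not real webhook data.
SAMPLE_OK = {"scheme": "VISA", "transStatus": "Y", "eci": "05", "cavv": "constructed-cavv"}
```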