3D Secure Authentication

3D Secure Authentication

Back in the day, a lot of card transactions were made in person. But now due to popularity of ecommerce - they can be made online resulting in card-not-present (CNP) payments offers. It is very convenient as it requires less from merchants, who no longer need to have an offline shop or look for employees to accept payments. Despite this, the disadvantage of this is card fraud that is more difficult to stop.

It can be complicated to identify the person who makes payment and confirm its legitimacy. The security measures that are available for chip readers and PIN-pad devices can are not available for CNP transactions. Therefore, while making payment, other authentication techniques to process CNP transactions must applied.

To prevent illegal actions, card brands and other organizations have developed additional authorization technologies. The first one is called strong customer authentication (SCA). SCA s a requirement of the EU Revised Directive on Payment Services (PSD2) on payment service providers within the European Economic Area. The requirement ensures that electronic payments are performed with multi-factor authentication, to increase the security of electronic payments. Physical card transactions already commonly have what could be termed strong customer authentication in the EU (Chip and PIN), but this has not generally been true for Internet transactions across the EU prior to the implementation of the requirement,[1] and many contactless card payments do not use a second authentication factor. The PSD2's SCA control is particularly concerned with using MFA to protect customers, merchants, and banks from fraudulent transactions, and it is commonly satisfied via the use of a technology called 3-D Secure (3DS).

What is 3D Secure Authentication?

3DS is a security protocol used to authenticate users. For extra fraud protection, 3D Secure requires customers to complete an additional verification step with the card issuer when paying. Typically, you direct the customer to an authentication page on their bank's website, and they enter a password associated with the card or a code sent to their phone. This process is familiar to customers through the card networks' brand names, such as Visa Secure and Mastercard Identity Check. It helps to prevent payment fraud, stymie unauthorized transactions, and reduce chargebacks.

Components of 3-D Secure Authentication

This additional security authentication is based on a three-domain model

  • Acquirer domain (the bank and the merchant to which the money is being paid).
  • Issuer domain (the card issuer of the card being used).
  • Interoperability domain (the infrastructure provided by the card scheme, credit, debit, prepaid or other types of a payment card, to support the 3-D Secure protocol). It includes the Internet, merchant plug-in, access control server, and other software providers

The 3DS authentication process uses Secure Sockets Layer (SSL) protocol to send Extensible Markup Language (XML) messages with client authentication, providing digital certificates to confirm the identity of all parties involved in the transaction. This ensures maximum security.

How 3-D Secure 2.0 Works

The latest version of this protocol (2015) provides a less intrusive authentication process to reduce the cart abandonment as during the original 3DS.

Merchants should send authentication data along with the payment card information to verify the authenticity of the transaction.

Shall suspicious behavior or an unknown device causes the transaction be flagged, the user receives a text message or confirmation code via an app to verify his or her identity.

SCA is required for many businesses in the EU and European Economic Area (EEA). If you have an ecommerce in the EU, you will need 3DS or a similar authentication technology.