Do you know the latest version of 3-D Secure specification? V2.2 or …
After four years of great anticipation, EMVCo released the new 3DS specification — 3DS 2.3 at the end of September 2021. Multiple financial institutions and merchants have raised some common questions, such as, “What are the differences between the updated version and the old one, and will it bring more benefits?” The answer to this is definitively a “Yes”.
Over the past few years, the credit card market has increasingly adapted to 3-D Secure authentication. Even though EMVCo introduced frictionless authentication in the previous version, 3DS 2.1, released in 2016, a large number of issuers still see challenge authentication as the only method. The high dependence on challenge authentication not only compromises customers’ shopping experiences, but also indirectly increases the likelihood of failed transactions.
Frictionless vs. Challenge
Frictionless Authentication
The issuer performs risk-based authentication (RBA) using the rich data received in the authentication message and considers the transaction to be low risk. The customer is not asked for additional proof that the real cardholder is making the transaction.
Challenge Authentication
The issuer presents an authentication step-up and redirects the cardholder to a challenge page, where the cardholder is required to confirm their identity using OTP, Face ID, etc.
EMVCo and international card schemes are making efforts to increase frictionless transactions and reduce the transaction failure rate. Many updates in 3DS 2.3 are designed to achieve this goal. This is a benefit not only to the issuers, but to the merchants and acquirers as well.
Overview of EMV 3D Secure v2.3 Features
Optimize User Experience
SPC authentication is introduced in 3DS 2.3 to enhance transaction security and improve the user experience by preventing OTP and page redirect errors. In addition, common problems encountered in previous versions have been addressed, for example through automatic OOB redirection.
Expand Usage Scenarios
Split-SDK divides the Default SDK into a server and a client, enabling 3-D Secure to be applied to more devices that lack a full set of SDK functions, such as intelligent household appliances and smart cars.
Increase Frictionless Authentication
More transaction data is added to authentication messages, including token, recurring transaction, and device binding information, which gives issuers better visibility into transactions and supports their subsequent risk decisions.
Improve Success Rate
In addition to the simplified OOB navigation process, SPC authentication and the Operating System Message can also reduce the transaction failure rate from different aspects, enhancing users' confidence.
Stronger Security
FIDO is officially integrated into the authentication flow, which improves the application of biometric identification and provides consumers with a safer online transaction ecosystem.
SPC Authentication
SPC (Secure Payment Confirmation) is a new authentication method in 3DS v2.3. It officially integrates FIDO into the authentication flow, effectively replacing the traditional OTP with biometric identification. Since FIDO can also be applied to other banking services (e.g., mobile banking logins), EMVCo’s inclusion of FIDO allows issuers to provide a more consistent authentication method and shopping experience for their consumers.
Split-SDK Applications
A product with complete SDK functionality is known as a Default SDK. In 3-D Secure v2.3 it is divided by function into a Split-SDK Client and a Split-SDK Server, allowing 3-D Secure to be used on more devices (e.g., IoT devices). The 3-D Secure payment process keeps transactions secure when cardholders shop on smart appliances.
The Default SDK is divided into the Split-SDK Client and the Split-SDK Server by function. The Split-SDK has multiple variants depending on the Consumer Device and the 3DS Requestor environment. These variants include the Limited-SDK, Shell SDK, and Browser SDK.
Operating System Information - O Message
The Operation Message gives the DS the ability to communicate operational information to the 3DS Server or to the ACS. By communicating more system information, the Operation Message is expected to reduce transaction failures caused by poor product conditions.
Automatic Redirection of OOB Authentication
OOB (out-of-band) provides opportunities to apply a diverse range of authentication methods. By reducing their dependence on OTP, issuers can widely use Face ID, fingerprint recognition, etc. with a higher degree of safety. However, in previous versions, cardholders were asked to switch between the merchant app and authenticator app, easily resulting in transaction failures. The new version simplifies the manual operations conducted by cardholders, and introduces automatic redirection, which is expected to greatly increase the transaction success rate.