3D Secure (3DS1) came about to secure Card Not Present (CNP) transactions and minimise the incidence of card fraud. The security protocol protected buyers, issuers, and merchants by enabling them to validate online transactions. The verification could be done by requesting a personal code (usually sent to the buyer's cell phone or email address as a one-time PIN or push notification). However, the first version of 3DS was created at a time when connected devices were fewer and data was harder to accumulate.
The growth in data validation techniques and connected devices, together with the accelerated evolution of the digital payment space, has necessitated an even more robust and seamless security protocol.
3D Secure 2.0 (also known as 3DS2 or EMV 3-D Secure) is the updated version of 3D Secure 1 technology. 3DS2 enables a real-time, secure information-sharing pipeline that merchants can use to send an unprecedented number of transaction data attributes. This data includes payment-specific data, like the shipping address, and contextual data, like the customer's device ID or previous transaction history.
The issuer can then use the additional data to authenticate customers more accurately without asking for a static password or slowing down commerce. Moreover, 3DS2 was developed with the greater number of mobile devices in mind. It thus provides improved, mobile-first authentication that caters to a better user experience.
3D Secure 2 uses frictionless authentication to allow card-issuing banks to verify cardholders and approve transactions without requiring manual input from the buyer. This authentication, faster and more accurate than the first version of 3D Secure, is achieved through risk-based authentication (RBA). RBA involves sending data about the cardholder and the transaction to the issuing bank, which then compares it to the cardholder's historical transactional data to determine fraud risk.
If the risk is low, the payment is processed without the cardholder needing to verify the transaction. If there is any risk, the cardholder will be challenged to provide additional input to authenticate the payment.
3D Secure 2.0 secures more than just online transactions. Non-payment authentication allows cardholder authentication without making a purchase, which helps when adding credit cards to e-wallets.
3D Secure 2 has added a mobile SDK component that allows merchants to integrate the 3D Secure process into their mobile apps, making the mobile checkout experience fast and seamless.
The 3D Secure 2 design allows dynamic authentication methods such as biometrics and token-based authentication, facilitating a faster and less obtrusive authentication process. For smartphone users and those with mobile banking apps, payment authentication can occur through their banking app using facial recognition or a fingerprint, which is preferable.
There are also no more page redirects with the authentication request. It instead appears as a modal on the checkout page. Hence, buyers no longer need to be redirected away from the checkout page to complete their payment, a step that was previously associated with cart abandonment.
From 14 October 2022, 3D Secure 1 will no longer be supported as a security protocol. Only authentication via 3D Secure 2 will be available from that date onwards. This international update affects credit and debit card payments worldwide. Banks and payment providers have been rolling out 3D Secure 2 in preparation for this cut-off date.