What is 3DS2?
3D Secure 2 (3DS2) is a multifactor authentication protocol for online card payments, designed to confirm the digital identity of a customer during checkout. Unlike its predecessor, 3DS1, the new protocol does not require cardholders to register their card and a password, making for a much smoother customer experience.
When was the 3DS2 deadline?
According to the PSD2 and 3DS2 specifications, the 3DS2 deadline for the EU and EEA was December 31, 2020. From that date forward, payment providers were legally required to enforce Strong Customer Authentication. Full adoption of the protocol by then was not possible, so enforcement of the date was postponed.
What are the main 3DS2 benefits?
The new protocol aims to address the pain points of the previous version and elevate the overall experience for both users and merchants. Let’s see some of the most notable benefits:
Frictionless customer experience
By following a risk-based authentication (RBA) process, 3DS2 calculates a customer’s risk score for any given access attempt in real time, based on a set of predefined rules. If you are a low-risk customer, your checkout will be much easier, smoother and faster than that of a customer whose risk assessment has raised red flags.
More data, better risk assessment, informed decisions
Talking of risk-based authentication: to build a more elaborate risk profile and assess the risk associated with each transaction, you need data. 3DS2 allows merchants to send up to 10x more data to issuers, such as the device channel and the customer’s payment history.
By having access to this information, issuers can make more informed decisions on whether a transaction is of higher or lower risk.
Introducing biometrics decreases password fraud
A decade ago, using your fingerprint or face to unlock a phone or authenticate a transaction was a scene from a James Bond movie. Today, 3DS2 makes it possible. The use of biometric technology allows for a much safer authentication process, moving on from static passwords that were easier to steal.
Liability shifts from merchants to issuers
When a consumer’s card is enrolled in a 3DS program, the liability for fraud-related chargebacks on that payment transaction shifts from the merchant to the card issuer. Merchants have fewer things to worry about, spend less money and fewer resources on resolving such issues, and provide an overall better experience.
3DS2 is a major component of the evolution of payments we are currently experiencing, but it is not the only one. PSD2 one-leg transactions are transactions between a merchant and a consumer where one of the two parties is not within the EU or EEA. How much of what we know about PSD2 still stands in such a scenario?
PSD2 One Leg Out
A two-legged transaction is one in which both the payment receiver (merchant) and the customer are located within the EU or EEA. Hence, PSD2 Strong Customer Authentication (SCA) is required on all payer-initiated transactions.
In cases where only one of the two aforementioned parties is within the EEA, SCA may not be required but is advised. This type of transaction is known as a PSD2 One Leg Out transaction, and it still falls within the scope of PSD2.
EU/EEA merchant vs non-EU/EEA customer
It is a mistake to assume that a US consumer will simply avoid SCA; they may be affected if the merchant does not abide by the PSD2 regulations. Even though the US consumer is outside the EU/EEA and is not themselves subject to SCA or PSD2, the regulations are still enforced on the merchant.
The PSD2 directive does not force banks and PSPs outside the EU and EEA to use Strong Customer Authentication. However, it may lead to rejected payments for consumers making purchases from merchants within the EU and EEA.
The confusion arises when a US customer initiates a transaction on an EEA merchant’s website. The merchant’s PSP will apply the SCA protocol towards the consumer’s bank, and the transaction may be declined if the issuing bank does not support it.
To avoid these complications and retain a high percentage of successful transactions from overseas, a merchant should take the SCA exemption route.
With a Strong Customer Authentication exemption, the issuer knows that there is a legitimate reason why this transaction is exempt from SCA. This ensures that the PSP is not in breach of PSD2 compliance, and there is no liability shift towards the issuer for not supporting SCA.
EU/EEA customer vs non-EU/EEA merchant
SCA applies to all businesses within the EU/EEA area. Therefore, if a US business receives a transaction from an EU/EEA customer, it must ensure that it is PSD2 and SCA compliant. If the business chooses to ignore these regulations, there is a high likelihood that the majority of its transactions will be declined and fail authentication.
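To tie the risk-based authentication described under "Frictionless customer experience" to the One Leg Out rules above, here is an added illustrative model (not code from any 3DS2 server, PSP or card scheme) that classifies a transaction's legs under PSD2, scores it with a few constructed rules, and decides between a frictionless flow and a challenge. The EEA country list is real; the rule weights, the 40-point threshold and the `Transaction` fields are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Optional

# EEA member states (ISO 3166-1 alpha-2). Both legs inside this set => two-legged.
EEA = {
    "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR", "HU",
    "IS", "IE", "IT", "LV", "LI", "LT", "LU", "MT", "NL", "NO", "PL", "PT", "RO",
    "SK", "SI", "ES", "SE",
}

@dataclass
class Transaction:
    merchant_country: str            # where the payee (merchant) is located
    issuer_country: str              # where the cardholder's issuing bank is located
    device_channel: str              # "app" or "browser", as carried in the 3DS2 request
    prior_purchases: int             # payment history: past successful purchases here
    amount_eur: float
    exemption: Optional[str] = None  # SCA exemption the merchant/PSP claims, if any

def sca_scope(t: Transaction) -> str:
    """Classify the transaction's legs under PSD2 (see the One Leg Out section)."""
    merchant_in, issuer_in = t.merchant_country in EEA, t.issuer_country in EEA
    if merchant_in and issuer_in:
        return "two_leg"       # SCA required on payer-initiated transactions
    if merchant_in or issuer_in:
        return "one_leg_out"   # SCA advised, not mandatory; exemption route recommended
    return "out_of_scope"

def risk_score(t: Transaction) -> int:
    """Predefined rules with constructed weights; illustrative, not from any scheme."""
    score = 0
    score += 30 if t.prior_purchases == 0 else 0             # no payment history here
    score += 10 if t.device_channel == "browser" else 0      # app sessions carry richer device data
    score += 25 if t.amount_eur > 250 else 0                 # higher-value purchase
    score += 15 if t.merchant_country != t.issuer_country else 0  # cross-border
    return score

CHALLENGE_THRESHOLD = 40  # constructed cut-off between frictionless and challenge

def decide(t: Transaction) -> str:
    """Return 'frictionless' or 'challenge' for the 3DS2 flow."""
    scope = sca_scope(t)
    low_risk = risk_score(t) < CHALLENGE_THRESHOLD
    if scope == "two_leg":
        # SCA is mandatory unless an exemption is claimed and the issuer accepts it
        return "frictionless" if (t.exemption and low_risk) else "challenge"
    if scope == "one_leg_out":
        # An exemption keeps the PSP compliant without forcing SCA on an issuer that
        # may not support it; without one, fall back to the risk score alone
        return "frictionless" if (t.exemption or low_risk) else "challenge"
    return "frictionless" if low_risk else "challenge"  # no PSD2 SCA obligation
```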