3-D Secure 2.0

01 / 01 / 2019

With 3-D Secure 1.0, cardholders have to verify their identity in online transactions in an additional step. In April, a new standard will be introduced: 3-D Secure 2.0. The new standard simplifies card payments in e-commerce for you and your customers thanks to a wide range of data, biometric authentication and an improved, standardised online experience.

Online merchants, acquirers, card issuers and customers are facing a new challenge in e-commerce: from 14 September 2019, all card payments must be validated with two security features (two-factor authentication). This is set out in the second EU Payment Services Directive PSD 2, which enters into force on that date. The credit card organisations Visa and Mastercard have revised the 3-D Secure procedure for precisely this purpose. The new 3-D Secure 2.0 standard will be introduced as early as April and must be integrated into the payment processing flow by online retailers. This change therefore affects all online merchants in the EU and Switzerland.

A better shopping experience for your customers

3-D Secure 1.0 was not deemed to be customer-friendly, often leading to unwanted payment cancellations. That will now change with 3-D Secure 2.0, in which customer authentication is fully integrated into the sales process.

3-D Secure 2.0 analyses the contextual data of merchants and, in the case of an online transaction, asks customers to verify their identity by providing two security features. At the same time, low-risk transactions are identified and handled in the so-called "frictionless flow", which allows authorisation without additional cardholder interaction. From the perspective of the cardholder, the checkout process thus takes place without any interruption.

Benefits for merchants of using 3-D Secure 2.0

  • Smooth payment process (frictionless flow)
  • Fewer payment disruptions thanks to risk-based authentication
  • Increased conversion rate
  • Full integration into online shops and apps
  • Reduction in credit card fraud thanks to intelligent fraud detection mechanisms

What does "strong customer authentication" mean?

With strong customer authentication, all payment transactions, apart from specific exceptions, are "strongly" secured. To achieve this, at least two of the three factors must be used: knowledge, possession and inherence.

In concrete terms, a physical object such as a smartphone must be combined with a unique password or fingerprint before a payment can be made. Static passwords are no longer sufficient for 3-D Secure 2.0.

Exceptions from strong customer authentication

Not all transactions have to be "strongly" secured by cardholders. To minimise the cost of card payments, there are some exceptions. The following are not affected by strong authentication:

  • Anonymous prepaid cards
  • Mail order and telephone orders (MOTO transactions)
  • Interregional / "one leg" transactions
  • Transactions initiated by the payee