Blog / Business Insights /

EMV 3-D Secure, a new era in strong customer authentication

EMV 3-D Secure, a new era in
Strong Customer Authentication

Julien Gabillet

Product Management and International Business Development - Payment Security and Innovation

As the European leader in the e-payment market and an EMVCo Business Associate, Worldline is fully involved by participating in the review of these new specifications and will deliver a fully 3DS 2.0-compliant WL Access Control Server (ACS) in accordance with the payment schemes timeline expectations.

A specification tailored to adapt security to new mobility behavior

In the current context of digitization, e/m-commerce is becoming the channel with the best business growth for merchants (see global figures in the below graphic).

They always want to bring more services to their customers and respond to their needs via the web, mobile devices, and the Internet of Things. Consequently, remote payments are key in this ecosystem. That’s why banks need to provide security in their customers’ transactions to prevent fraud, and merchants need to provide their customer with trust and a good user experience when shopping.

Liability shift and 3DS payments have significantly improved e-Commerce security. But since the deployment of the first version 15 years ago, usages have changed dramatically, with mobile devices, tablets, and payment banking apps. Today, e-Commerce growth and security depend more on merchant payment apps, because they are gaining traction in increasing customer loyalty.

Besides, whatever the channel, the current security authentication process has a negative impact on the user experience and decreases the conversion rate of online purchases.

The 3DS protocol then had to be improved to contribute to a better conversion rate, integrate the deployment of these new trends, and also support new European regulations (PSD2) regarding the potential introduction of Risk-Based Authentication (RBA).

How to improve the optimum security level in the apps used in e/m-commerce and, in parallel, encourage the adoption of security measures for e-Commerce

To reach this target, technical body EMVCo has published new 3-D Secure specifications named EMV 3-D Secure – Protocol and Core Functions Specification v2.0.0 (EMV 3-D Secure 2.0). This new version brings several important improvements:

- It puts the end user at the center of the strategy. The aim is to reduce friction in the payment workflow, ensure a smooth journey on any device, and find the right balance between security and user experience.

- The 3-D Secure process fully integrates the merchant’s mobile applications and customer devices. It brings a consistent user experience for both app-based (native or HTML) and browser-based merchant interfaces, with the same look and feel across devices, channels, and implementations.

- By enabling the issuer’s ACS to get additional data from the context of the transaction and the merchant’s and cardholder’s risk profile, it introduces the Risk-Based Authentication (RBA). For instance, the new message format will include billing and shipping address, email, shipping method, and other usual cardholder behavior information with this merchant. Thanks to this risk information, issuers can apply two different strategies depending on the risk of each transaction. High-risk transactions will be challenged with a state-of-the-art authentication method, while low-risk transactions will follow the “frictionless” workflow where no additional interaction with the end user is required.

- On top of these improvements, the specification from EMVCo also enables interested parties to create a framework for authentication for digital environments, to extend the usage of the specification from card-based payments to other payment means and other non-payment use cases that require strong customer authentication.

Impact for issuers

In order to comply, the issuer’s ACS will have to:

- Process the authentication workflow using the new message formats set by EMVCo

- Manage new user interfaces (in App and HTML)

- Provide Risk-Based Authentication using data available in the authentication requests

- Accept non-card-payment use cases

- Set up new security measures

Mastercard has already clearly laid out its strategy to replace the current version with the new one:

- All issuers will have to support EMV 3-D Secure 2.0 on Dec 31, 2018.

- All merchants will have to use EMV 3-D Secure 2.0 on Dec 1, 2020.

- During the transition period, the two versions of the protocol will run in parallel and merchants need to be able to initiate both 3DS 1.0.2 and EMV 3-D Secure 2.0 depending on the capability of the issuer’s ACS compliance.

With this new version, we can say that issuers and merchants will have the opportunity to increase security and fight fraud, while maintaining a good level of user experience. Thanks to these new specifications, we believe that EMV 3-D Secure 2.0 will provide the basis to improve 3-D Secure adoption globally.