3DS2: the authentication standard
3D Secure v2 (3DS2) improves both payment security and the user experience. It is based on an intelligent, dynamic risk analysis that reduces the number of abandoned payments and the number of interactions with the buyer.
To do this, the issuer uses more information to evaluate the risk of the transaction.
If the issuer determines that the level of risk for the transaction is low, authentication will be performed without interacting with the buyer (Frictionless).
If the issuer estimates that the risk for the transaction is high, interaction with the buyer is necessary. In this case, it is a Challenge.
During this challenge, the buyer must pass at least two of the following authentication factors. This authentication method is called SCA (Strong Customer Authentication):
- Possession: an object that the customer owns (such as a phone for e-commerce payment or a bank card for payment in the shop);
- Knowledge: information known only to the customer (such as a password);
- Inherence: a biometric element that identifies the customer (such as a fingerprint, voice or facial recognition).
SCA is required only if the issuer and the acquirer are both located in the European Economic Area (EEA).
SCA is not mandatory for transactions made with a card issued outside the EEA, nor if the merchant has a contract with an acquirer outside the EEA, even if the card is issued in the EEA (case referred to as “one-leg”).
Card issuers around the world are increasingly adopting this so-called strong two-factor authentication method.
- Authentication in pop-in mode replaces redirection to the ACS page.
- Authentication is better suited to new payment channels such as in-app and mobile payments.
More information is exchanged between the different participants:
Transaction & client details:
Contains mandatory or optional information collected during the customer journey on the merchant website and from the transaction details:
- card number and expiry date;
- billing address;
- shipping address;
- merchant name;
- URL of the merchant website;
- country;
- MCC code;
- acquirer BIN;
- MID;
- amount;
- currency;
- transaction type.
Merchant details:
- Information about the merchant risk:
Details that can only be verified by the merchant using the order details and used for risk analysis:
- shipping to the billing address;
- store delivery;
- shipping e-mail address;
- shipping delay;
- purchase of gift cards;
- available products or pre-order;
- first purchase or not;
- Result of the risk analysis made by the merchant.
- Information about the cardholder’s user account:
Information relative to the details or the history of the user account on the merchant website:
- date of creation;
- date of update;
- date of last password change;
- number of transactions;
- suspicious activity;
- etc.
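As an added example (not part of the original page), the SCA applicability rule from the section above and the merchant-risk details just listed, in Python: an issuer/acquirer EEA check that flags "one-leg" transactions, a check that a challenge used factors from at least two distinct categories (an assumption here, as the three categories above imply), and a merchant-side derivation of risk indicators from a constructed order. Factor names and dictionary keys are illustrative, not EMVCo field names.

```python
from dataclasses import dataclass
from datetime import date

# EEA member states (EU-27 plus Iceland, Liechtenstein and Norway), ISO 3166-1 alpha-2.
EEA = {
    "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR", "HU",
    "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK", "SI", "ES",
    "SE", "IS", "LI", "NO",
}

def sca_required(issuer_country: str, acquirer_country: str) -> bool:
    # SCA is mandated only when issuer AND acquirer are both in the EEA; any other
    # combination is a "one-leg" transaction outside the mandate.
    return issuer_country.upper() in EEA and acquirer_country.upper() in EEA

FACTOR_CATEGORY = {  # concrete factor -> SCA category (factor names are illustrative)
    "phone_push": "possession", "card_in_store": "possession",
    "password": "knowledge", "pin": "knowledge",
    "fingerprint": "inherence", "face": "inherence", "voice": "inherence",
}

def is_strong_authentication(factors) -> bool:
    # A challenge counts as SCA only when the factors passed span at least two
    # distinct categories: password + PIN is still a single (knowledge) category.
    return len({FACTOR_CATEGORY[f] for f in factors}) >= 2

@dataclass
class Order:  # constructed merchant-side view of one order (dates as ISO strings)
    billing_address: str
    shipping_address: str
    gift_card_count: int
    account_created: str
    prior_purchases: int
    today: str

def merchant_risk_indicators(o: Order) -> dict:
    # Derive the merchant-risk and account details the merchant is asked to supply;
    # keys are illustrative, not EMVCo field names.
    return {
        "ship_to_billing": o.shipping_address == o.billing_address,
        "gift_cards": o.gift_card_count,
        "first_purchase": o.prior_purchases == 0,
        "account_age_days": (date.fromisoformat(o.today)
                             - date.fromisoformat(o.account_created)).days,
    }

def sample_order() -> Order:  # constructed sample input
    return Order("1 rue A, Paris", "1 rue A, Paris", 2, "2024-01-15", 0, "2024-03-01")
```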
Information about the equipment:
Information about the equipment (browser / native iOS application / native Android application):
- IP address;
- language;
- screen size;
- time zone;
- User-Agent;
- HTTP headers;
- equipment model;
- name of the OS;
- version of the OS;
- date and time;
- screen resolution;
- GPS coordinates;
Depending on the operating system, dozens of details can be used (IMEI, fonts, Subscriber ID, etc.).
Authentication data:
- Authentication on the merchant website:
Concerns buyer authentication (not 3DS) for access to the merchant website:
- authentication method;
- date and time of the connection;
- authentication data.
- Previous strong authentication:
3DS authentication details issued from a previous transaction made by the same cardholder with the same payment method:
- authentication method (frictionless or challenge);
- date and time of 3DS authentication;
- authentication details (ACS transaction number).