3D Secure v2
A new authentication protocol
Olivier leads authentication efforts at Stripe to help businesses prepare for Strong Customer Authentication (SCA)
The 3D Secure protocol, often known by its branded names like “Verified by Visa” or “Mastercard SecureCode,” aims to reduce fraud and provide added security to online payments. Beginning in 2019, banks are expected to gradually start supporting a new version of 3D Secure. 3D Secure v2 adds “frictionless authentication” and improves the user experience.
A look back at 3D Secure v1
Before we dive into the improvements being made in 3D Secure v2, it helps to keep in mind why the authentication protocol was developed in the first place.
Though credit cards have become the preferred method for online payments in many countries, they’re also a prime target for fraudsters. Despite additional security measures, such as the Address Verification System (AVS) or the CVC used in some markets, credit card payments can still be at a high risk of fraud. (In fact, it is because of this very risk that customers have the ability to dispute fraudulent payments made with their card.)
To address this problem, card networks implemented the first version of 3D Secure in 2001. If you regularly buy items online, you may be familiar with the 3D Secure flow: you enter your card details to confirm a payment, and are then redirected to another page, where your bank asks you for a code or password to approve the purchase. Because the authentication page is often co-branded by the card network, most customers are more familiar with branded names for the protocol, such as “Verified by Visa” or “Mastercard SecureCode.”
What’s new in 3D Secure v2
EMVCo, an organization made up of six major card networks, recently released a new version of the 3D Secure protocol. EMV 3-D Secure (3D Secure v2) aims to address many of the shortcomings of 3D Secure v1 by introducing less disruptive authentication and a better user experience.
3D Secure v2 will allow businesses and their payment provider to securely send over 100 data elements on each transaction to the cardholder’s bank. This includes payment-specific data like the shipping address, as well as contextual data, such as the customer’s device ID or previous transaction history.
The cardholder’s bank can use this information to assess the risk level of the transaction and select an appropriate response:
If the data is sufficient for the bank to trust that the real cardholder is making the purchase, the transaction follows the “frictionless” flow and the cardholder never sees any sign of 3D Secure being applied.
If the bank decides it needs further proof, the transaction follows the “challenge” flow and the customer is asked to provide additional input to authenticate the payment.
Although a limited form of risk-based authentication is already supported with 3D Secure v1, the ability to share much more data is likely to increase the number of transactions that can be authenticated without further customer input.
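The two flows above, seen from the merchant side, as an added example that is not Stripe's or EMVCo's code: it routes a bank's authentication response to frictionless authorization or to a challenge, and rejects everything else. The field names (transStatus, authenticationValue, eci, acsURL) follow the EMV 3-D Secure authentication response message but do not appear on this page, so treat them and the sample values as assumptions to check against the specification.

```python
import json

# Constructed sample responses (not real traffic); field names are assumptions
# taken from the EMV 3-D Secure authentication response (ARes) message.
SAMPLE_FRICTIONLESS = json.dumps({
    "messageType": "ARes", "messageVersion": "2.1.0",
    "threeDSServerTransID": "00000000-0000-4000-8000-000000000001",
    "transStatus": "Y", "eci": "05",
    "authenticationValue": "AAAAAAAAAAAAAAAAAAAAAAAAAAA=",
})
SAMPLE_CHALLENGE = json.dumps({
    "messageType": "ARes", "messageVersion": "2.1.0",
    "threeDSServerTransID": "00000000-0000-4000-8000-000000000002",
    "transStatus": "C", "acsURL": "https://acs.issuer.example/challenge",
})


def route_authentication(raw):
    """Return (next_step, detail) for one response; unexpected input fails closed."""
    try:
        msg = json.loads(raw)
    except ValueError:
        return ("reject", "unparseable response")
    if not isinstance(msg, dict) or msg.get("messageType") != "ARes":
        return ("reject", "not an authentication response")
    status = msg.get("transStatus")
    if status == "Y":
        # Frictionless flow: the bank authenticated the cardholder silently.
        # The status alone is not enough; the proof values must be present.
        if not msg.get("authenticationValue") or not msg.get("eci"):
            return ("reject", "status Y without authentication proof")
        return ("authorize", "frictionless")
    if status == "C":
        # Challenge flow: the cardholder must complete the bank's step first.
        url = msg.get("acsURL")
        if not isinstance(url, str) or not url.startswith("https://"):
            return ("reject", "challenge without an HTTPS acsURL")
        return ("challenge", url)
    # Any other status is treated as not authenticated in this sketch.
    return ("reject", "transStatus %r not accepted" % (status,))


if __name__ == "__main__":
    for sample in (SAMPLE_FRICTIONLESS, SAMPLE_CHALLENGE, "{}"):
        print(route_authentication(sample))
```

The point of the explicit checks is that a payment is only sent for authorization as authenticated when both the status and its proof values are present; a missing field or an unknown status never falls through to the frictionless path.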