The 3-D Secure procedure is being further developed.
The globally standardized 3-D Secure Protocol (3DS) offers merchants and consumers additional security when authenticating credit card transactions. Online shoppers verify that they are the legal cardholder vis-à-vis their card-issuing bank (issuer). As an additional security feature, 3-D Secure requires the buyer to enter a code in order to successfully complete the order process. 3-D Secure accepts liability for fraudulent transactions that have been successfully executed despite the use of this procedure from the card-issuing banks. The prerequisite for the use of the procedure is that 3-D Secure is supported by both the card-issuing bank of the purchaser and the relevant online shop.
How does 3-D Secure 2.0 differ from the conventional method?
3-D Secure 2.0 is a further development of the conventional 3-D Secure protocol. The faster automated transmission enables issuers to replace the previously static code query with a real-time risk analysis. The decision as to whether an additional security code query is required in individual cases will thus in the future be based on the transaction data transmitted. Analysis software calculates a scoring for each transaction based on data signals indicating possible fraud attempts. If a transaction is classified as low-risk, it is released without the buyer being asked to enter an additional code. If, on the other hand, there is an increased probability of fraud (applicable to a maximum of 5 percent of all credit card transactions), the buyer is requested to reconfirm his identity by SMS or e-mail.
Why is 3-D Secure 2.0 being introduced?
The declared goal of 3-D Secure 2.0 is to remedy the weaknesses of the conventional procedure, which have been criticized by merchants and buyers alike, and to meet the requirements of strong customer authentication (SCA), which will become legally binding for electronic payment procedures from September 14, 2019. In addition, the individual, data-based risk assessment of each transaction promises even better protection against fraud.
Is a conversion to 3DS 2.0 mandatory? What deadlines must be observed?
Neither the responsible industry association EMVCo nor the credit card companies set a binding deadline for the integration of the new standard into online shops. The fact is: 3DS 2.0 itself does not represent a legally prescribed standard. The decisive question for merchants, on the other hand, is whether it will be possible to provide a procedure for processing credit card transactions in their own online shops by September 14, 2019 that meets the requirements for strong customer authentication (SCA).
As a “minimum solution”, the existing 3DS 1.0 procedure is available for this purpose. Its basic functionality meets the requirements of SCA, but contains numerous opaque exceptions under which a query of the 3DS code is not mandatory. Therefore, by continuing to use 3DS 1.0, merchants run the risk of violating the requirements for strong customer authentication if the exception rules are applied incorrectly. The solution preferred by the credit card industry and SCA-compliant in every respect is therefore 3DS 2.0. However, merchants who have integrated the previous 3DS version 1.0 do not face any acute need for action. Even after September 2019, 3DS 1.0 will continue to be used as the default fallback option for an indefinite period if the new 3DS 2.0 procedure is not yet supported by the merchant or issuer.
EVO Payments will approach partners and customers at an early stage as soon as there is a need for action. If you do not receive a notification from EVO Payments, there is no need for action for your online shop.