Content Tech

What is 3D Secure 2.0 ? Payment Service Directive 2 and Strong Customer Authentication

12:52:00

EMV 3-D Secure Three-Domain Secure (3DS) is a messaging protocol developed by EMVCo to enable consumers to authenticate themselves with their card issuer when making card-not-present (CNP) e-commerce purchases. The additional security layer helps prevent unauthorized CNP (Card not present transaction) transactions and protects the merchant from CNP exposure to fraud. The three domains consist of the merchant/acquirer domain, issuer domain, and the Payment Systems.

EMV originally stood for "Europay, Mastercard, and Visa", the three companies that created the standard and are now managed by EMVCo, a consortium of financial companies. The most widely known chips of the EMV standard are:

VIS – Visa
Mastercard chip – Mastercard
AEIPS – American Express
UICS – China Union Pay
J Smart – JCB
D-PAS – Discover/Diners Club International.
Rupay – NPCI
Verve

Visa and Mastercard have also developed standards for using EMV cards in devices to support (CNP) card not present transactions over the telephone and Internet. Mastercard has the Chip Authentication Program (CAP) for secure e-commerce. Its implementation is known as EMV-CAP and supports a number of modes. Visa has the Dynamic Passcode Authentication (DPA) scheme, which is their implementation of CAP using different default values.

In February 2010, computer scientists from Cambridge University demonstrated that an implementation of EMV PIN entry is vulnerable to a man-in-the-middle attack but only implementations where the PIN was validated offline were vulnerable.

Hence 3D Secure xml based protocol over SSL connections with client authentication was introduced to avoid online frauds. It has been years passed and payment systems have changed a lot to support payment services across multiple devices. With respect to support and improve security on online payments, In 2013 ECB - European Central Bank requested for strong customer authentication. Hence an updated payment services directive was introduced [PSD2 SCA] and made it a requirement.

PSD2 SCA: Payment Service Direct 2 and Strong Customer Authentication, next generation 3D Secure Protocol : 3D Secure 2.0 . In 2016, Visa criticized the proposal of making strong customer authentication mandatory, on the grounds that it could make online payments more difficult, and thus hurt conversion rates / sales at online retailers.

Better intelligence on 3D Secure 2.0:

By Visa

Most European countries, starting 14 September 2019, will be using SCA solution for all digital transactions, as part of PSD2. All digital transactions will require 2-Factor Authentication under the new PSD2 regulations. Moreover all card issuers and merchants/acquirers must support an SCA solution, which requires two of the three types of identification listed below.

These are the 30 countries that will be complying with the PSD2 SCA requirement:

Austria
Belgium
Bulgaria
Czech Republic
Cyprus
Denmark
Estonia
Finland
France
Germany
Greece
Hungary
Iceland
Ireland
Italy
Latvia
Liechtenstein
Lithuania
Luxembourg
Malta
Netherlands
Norway
Poland
Portugal
Romania
Slovakia
Slovenia
Spain
Sweden
United Kingdom

The Reserve Bank of India mandates strong authentication for online transactions. Bulletin , Reference 1 , Reference 2

Architecture of 3D Secure 2.0 protocol: