What is 3D Secure 2.0? Payment Service Directive 2 and Strong Customer Authentication

EMV 3-D Secure (Three-Domain Secure, 3DS) is a messaging protocol developed by EMVCo to enable consumers to authenticate themselves with their card issuer when making card-not-present (CNP) e-commerce purchases. The additional security layer helps prevent unauthorized CNP transactions and protects the merchant from CNP exposure to fraud. The three domains consist of the merchant/acquirer domain, the issuer domain, and the Payment Systems.

EMV originally stood for "Europay, Mastercard, and Visa", the three companies that created the standard, which is now managed by EMVCo, a consortium of financial companies. The most widely known chips of the EMV standard are:

  • VIS – Visa
  • Mastercard chip – Mastercard
  • AEIPS – American Express
  • UICS – China Union Pay
  • J Smart – JCB
  • D-PAS – Discover/Diners Club International.
  • Rupay – NPCI
  • Verve

Visa and Mastercard have also developed standards for using EMV cards in devices to support card-not-present (CNP) transactions over the telephone and the Internet. Mastercard has the Chip Authentication Program (CAP) for secure e-commerce. Its implementation is known as EMV-CAP and supports a number of modes. Visa has the Dynamic Passcode Authentication (DPA) scheme, which is its implementation of CAP using different default values.

In February 2010, computer scientists from Cambridge University demonstrated that an implementation of EMV PIN entry is vulnerable to a man-in-the-middle attack, but only implementations where the PIN was validated offline were vulnerable.

Hence 3D Secure, an XML-based protocol over SSL connections with client authentication, was introduced to prevent online fraud. Years have passed since then, and payment systems have changed a lot to support payment services across multiple devices. To support and improve the security of online payments, in 2013 the European Central Bank (ECB) requested strong customer authentication. Hence an updated payment services directive [PSD2 SCA] was introduced, making it a requirement.

PSD2 SCA: Payment Service Directive 2 and Strong Customer Authentication; the next-generation 3D Secure protocol is 3D Secure 2.0. In 2016, Visa criticized the proposal to make strong customer authentication mandatory, on the grounds that it could make online payments more difficult and thus hurt conversion rates and sales at online retailers.

Better intelligence on 3D Secure 2.0: 

By Visa

Starting 14 September 2019, most European countries will be using an SCA solution for all digital transactions, as part of PSD2. All digital transactions will require 2-Factor Authentication under the new PSD2 regulations. Moreover, all card issuers and merchants/acquirers must support an SCA solution, which requires two of the three types of identification listed below.


These are the 30 countries that will be complying with the PSD2 SCA requirement: 

  • Austria 
  • Belgium 
  • Bulgaria 
  • Czech Republic 
  • Cyprus 
  • Denmark
  • Estonia 
  • Finland 
  • France 
  • Germany 
  • Greece 
  • Hungary 
  • Iceland 
  • Ireland 
  • Italy 
  • Latvia 
  • Liechtenstein 
  • Lithuania 
  • Luxembourg 
  • Malta 
  • Netherlands 
  • Norway 
  • Poland 
  • Portugal 
  • Romania 
  • Slovakia 
  • Slovenia 
  • Spain 
  • Sweden 
  • United Kingdom

The Reserve Bank of India mandates strong authentication for online transactions. Bulletin, Reference 1, Reference 2

Architecture of 3D Secure 2.0 protocol:
By Visa

Architecture of 3D Secure protocol:
By GPayments

When the 3D Secure protocol was enabled, conversion rates were affected in most countries; below is an analysis of a few:
By Fibonatix

Benefits of 3D Secure 2.0:

By Visa

Let us see how 3-D Secure 2.0 will affect conversion rates in the coming days.
