FAQ

Easily find answers to the most frequently asked questions regarding our products and solutions.
#3D-Secure-solution

eCommerce popularity has increased constantly over the last ten years. In the past few years, mCommerce growth has been more than 10% in transactions and volume every year. Both mobile and internet shopping are recognized as convenient purchasing methods for cardholders and merchants, considering a wide offer in all market segments, 24/7 availability, delivery tracking, and convenient online card payment. An increase in the number of online transactions also brought a rise in fraudulent use of payment cards. It is estimated that nearly 80% of all e-commerce and m-commerce chargebacks are fraud.

3D Secure is a protocol designed for increased security during online payments using credit and debit cards (the so-called Card-Not-Present transactions). The main purpose of 3D Secure is to authenticate the cardholder during online payment on the internet or mobile purchasing. By comparison, during in-store payment (the so-called Card-Present transactions) the cardholder is authenticated with either a signature or a PIN, neither of which is applicable during online payment.

The concept of 3D Secure is based on the "Three-Domain" model, including all participants involved in the financial transaction. All three domains participate in the authentication process, and compliance in all three domains results in a 100% secure transaction. Non-compliance under any of the domains moves the liability shift towards the weaker party. 3D Secure domains:
- Acquirer domain - 3D Secure transactions are initiated from the acquirer domain
- Interoperability domain - 3D Secure transactions are switched between the Acquirer domain and Issuer domain
- Issuer domain - 3D Secure transactions are authenticated in the Issuer domain

The 3D Secure component most relevant for Issuers is the Access Control Server (ACS). In addition to the ACS, and depending on the chosen authentication method, the Issuer should have an authentication solution implemented and integrated with the ACS. Once implemented on the Issuer side, the solution needs to be certified by the card schemes.

The 3D Secure component most relevant for Acquirers is the Merchant Plug-In (MPI). This plug-in enables integration with the merchant's website. In 3D Secure 2.0, the 3DS Server is introduced instead of the MPI, along with a segment containing additional SDK components necessary for mobile purchase applications.

3D Secure 2 specifications by EMVCo, but also card scheme 3D Secure 2 programs (MC Identity Check, Verified By Visa, etc.), are aligned with PSD2 requirements, i.e., when deploying 3D Secure 2, Issuers/Acquirers are aligned with PSD2 for Card-Not-Present online payments. Note that it covers only Card-Not-Present online payments, not account-to-account payments and other PSD2 relevant scopes.

Instead of purchasing ACS products to be implemented on bank premises, Issuing banks can use third-party service providers to outsource the 3D Secure process. Card schemes have been certifying and approving service providers who can provide this service to the Issuing bank.

ASEE has been certified as a MasterCard and VerifiedByVisa ACS service provider. By using this service, Issuing institutions minimize time to market, reduce investment and operational costs for 3D Secure compliance, and at the same time, provide their customers with ultimate fraud protection during online payment.

3D Secure 2.0 contains two authentication flows, namely: Frictionless flow and Challenge flow. Frictionless flow enables cardholders to process online payments without demanding any manual input in order to authenticate the transaction. This is possible because of Risk-Based Authentication, a mechanism that assesses the risk level of a particular transaction based on historical data, including transaction history and provided cardholder information. If a transaction is deemed low risk, frictionless flow is applied. This eliminates the need to require additional authentication steps from the cardholder.

3D Secure 2.0 contains two authentication flows, namely: Frictionless flow and Challenge flow. Challenge flow is applied in cases where the Issuer's ACS deems a transaction as risky. In such cases, the cardholders are required to verify their identity using an appropriate authentication method (e.g., OTP, fingerprint, face recognition).

Trides ACS enables Issuers to provide 3D Secure processing with MasterCard, VISA, Amex, JCB, and Mir cards with two-factor strong authentication in compliance with the existing 3D Secure v1.0.2, as well as the new 3D Secure v2.1 protocol.

Trides MPI v1.0.2 and Trides 3DS Server v2.1.0 with Android and iOS SDK are solutions that enable Acquirers and Merchants to integrate web and mobile purchase applications with multiple interoperability domains and initiate online payments within the 3D Secure scheme. ASEE also offers 3DS Mobile SDK implementation.

With the 3D Secure mobile SDK, merchants are able to build all 3D Secure screens into their mobile purchase application to provide a faster and smoother checkout experience. Without it, cardholders need to switch to the web browser during 3D Secure authentication, inarguably disturbing the checkout process.

If you have any additional questions regarding our 3D Secure solutions or hosting services, need advice or support related to 3D Secure online fraud protection for your customers, don't hesitate to contact your ASEE Key Account Manager, Sales Representative or send an email to trides@asseco-see.hr.

#3D-Secure-transition

Deadlines for introducing and moving to support 3D Secure 2.0/2.1 compliance for all transactions vary depending on the card scheme.
- VISA announced that it is proposing October 2022 as the worldwide deadline for card issuers and merchants to migrate to 3DS v2.0.
- MasterCard has shared its expected deadline of October 2022.

MasterCard and Visa plan to shut down 3DS 1.0 in October 2022. After that, the service won't be available; hence you should switch to 3DS 2.0.

Of course, this is a transition period, and the Issuers are able to time their implementation. However, since regulations are defined, all the participants on the market will pursue the implementation of 3D Secure solutions, narrowing down the window for fraudulent transactions. This will leave non-ACS Issuers even more vulnerable to fraud during the transition period, as they will be targeted by criminals due to the lack of security coming from the ACS. In short, the sooner the implementation, the lower the risk.

Issuers who have 3D Secure 1.0.2 deployed or plan to implement it during the transition period should at least apply the following guidelines from EMVCo:

- Abandon user activation or activation during shopping by activating all cards which are enrolled in the 3D Secure scheme
- Deploy two-factor strong authentication methods instead of static passwords
- Deploy simplified risk assessment and Risk-Based authentication to process low-risk transactions without cardholder authentication

When banks implement 3D Secure 2, if they have already supported 3D Secure 1.0.2, they should continue to support 3D Secure 1.0.2 until October 2022. That means that in this period, two schemes will coexist. MasterCard requires running both versions in the transition period.

The most convenient method to migrate from 3D Secure 1.0.2 to 3D Secure 2.0/2.1 is by outsourcing 3D Secure infrastructure and service. Issuers who use ACS hosting services do not face any technical impact when upgrading to the latest version/platform. There is only paperwork related to enrolling in 3D Secure 2.x and integration certification (PIT), mostly done by the hosting provider.

The strategy for deploying 3D Secure is mainly driven by the fact that it reduces fraud, and consequently reduces potential for chargeback liability for the Issuer.

Milestones for 3DS v2.x are not clearly announced, test cases and certifications for vendors are not finalized, so vendors cannot provide certified 3DS 2.0/2.1 solutions. It is expected that the final milestone for 3DS v2.0/2.1 will be prolonged.

In order to protect their cardholders from fraudulent online transactions, Issuers can deploy proven 3D Secure v1.0.2 solutions. EMVCo provided guidelines on how to deploy or upgrade the existing 3D Secure process in order to ensure a smooth transition period to 3D Secure 2.0/2.1 with a consistent customer experience, while at the same time immediately deploying available tools for fraud protection.


#authentication

The choice of authentication method is left to each Issuer. In the previous version, 3D Secure v1.0.2, which is still live, static passwords were allowed. As of early 2015, ECB issued guidelines for strong authentication on eCommerce transactions. Since January 2016, when PSD2 became official, such guidelines became mandatory with a maximum adjustment period of up to two years. The new specification for 3D Secure 2.1 strongly recommends two-factor strong authentication methods such as One Time Password, biometric authentication (fingerprint, face or voice recognition), etc.

3D Secure allows methods aligned with the PSD2 requirements, i.e., all methods that are Strong Customer Authentication methods or the use of two-factor authentication methods.
The most common methods include One Time Passwords generated by HW or SW tokens, fingerprint or face recognition biometry methods, and push notifications.

Yes. When the user goes to checkout, ACS presents a screen with an option to choose the authentication method (radio button).

The SCA requirements officially came into effect on 14 September 2019.

However, on 16 October 2019, the European Banking Authority (EBA) published an Opinion stating that it will allow national regulators to delay enforcement of SCA until 31 December 2020.

Most European regulators are aligned with this roadmap.

Currently:
- Seven countries stated, before the above Opinion, that they would align with the transition timeline set out by the EBA: Cyprus, Czech Republic, Greece, Ireland, Lithuania, Luxembourg, and Slovakia.
- Nineteen countries have subsequently aligned themselves with the EBA's 15-month transition period: Austria, Bulgaria, Croatia, Denmark, Estonia, Finland, France, Germany, Italy, Latvia, Malta, the Netherlands, Norway, Poland, Portugal, Romania, Slovenia, Spain, and Sweden.
- France has formally aligned itself with the 15-month transition period but maintains an extra 3-month grace period on a case-by-case basis.
- The United Kingdom has confirmed its decision to stick to its own 18-month transition period.
- Hungary has yet to announce whether or not it will maintain its previous position of a 12-month transition period.

Regardless of the delay in enforcement, we recommend that you start supporting 3DS 2.0 as soon as possible to avoid any potential issues, particularly where issuers may decline transactions submitted without SCA.

Issuing banks should check national regulations, national bank guidelines, and national PSD2 directives. Some national regulations do not accept this method as a two-factor SCA authentication method. To meet such requirements, an additional password or PIN can be added to OTPbySMS. In that case, the method qualifies as an SCA method and can be used in 3D Secure 2. However, card schemes suggest using more confident methods such as a fingerprint.

No. Card scheme 3D Secure programs encourage banks to apply frictionless authentication in as many cases as possible, up to 90%. That means that transactions should be analyzed in order to apply for SCA exemptions, as defined in PSD2 requirements. Exemptions can be based on low-risk assessment, low transaction value considering counter limits, for recurring transactions in case of the same amount and payee, etc.
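The exemption types listed above can be read as an ordered issuer-side decision between frictionless and challenge flow. The following is an added example, not ASEE's or any card scheme's code: the EUR limits are those of the PSD2 RTS (Commission Delegated Regulation (EU) 2018/389, Articles 16 and 18), while the class and field names, the 0..1 `risk_score` with its 0.2 cut-off, and the way the counters are maintained are assumptions.

```python
from dataclasses import dataclass
from decimal import Decimal as D

# PSD2 RTS (EU) 2018/389 limits for remote card payments, in EUR.
LOW_VALUE_MAX = D("30")     # Art. 16: cap per payment
LOW_VALUE_TOTAL = D("100")  # Art. 16: cumulative cap since the last SCA
LOW_VALUE_COUNT = 5         # Art. 16: payments allowed since the last SCA
# Art. 18: (issuer fraud-rate ceiling in %, highest exemptible amount)
TRA_BANDS = [(D("0.01"), D("500")), (D("0.06"), D("250")), (D("0.13"), D("100"))]
RISK_CUTOFF = 0.2  # assumption: issuer-chosen cut-off on a 0..1 risk score

@dataclass
class AuthRequest:  # hypothetical shape, not an EMV 3DS message
    amount: D
    payee: str
    risk_score: float      # assumed output of the issuer's risk engine
    recurring: tuple = ()  # (payee, amount) of a series already set up with SCA

@dataclass
class CardCounters:  # per-card state kept by the issuer
    total: D = D("0")
    count: int = 0

def tra_limit(fraud_rate_pct):
    """Highest amount the issuer may exempt through transaction risk analysis."""
    for ceiling, limit in TRA_BANDS:
        if fraud_rate_pct <= ceiling:
            return limit
    return D("0")

def decide(req, card, fraud_rate_pct):
    """Return (flow, reason) and maintain the low-value counters."""
    if req.risk_score < RISK_CUTOFF:
        if req.recurring == (req.payee, req.amount):
            return "frictionless", "recurring"
        # Assumption: both counters enforced, current payment included.
        if (req.amount <= LOW_VALUE_MAX and card.count < LOW_VALUE_COUNT
                and card.total + req.amount <= LOW_VALUE_TOTAL):
            card.total += req.amount
            card.count += 1
            return "frictionless", "low_value"
        if req.amount <= tra_limit(fraud_rate_pct):
            return "frictionless", "low_risk"
    # Assumption: the challenge succeeds, which restarts the counters.
    card.total, card.count = D("0"), 0
    return "challenge", "sca_required"

def simulate(fraud_rate_pct, requests):
    card = CardCounters()
    return [decide(r, card, fraud_rate_pct) for r in requests]

SAMPLE = [  # constructed traffic for one card
    AuthRequest(D("9.99"), "streaming", 0.05, ("streaming", D("9.99"))),
    AuthRequest(D("20"), "shop-a", 0.05),
    AuthRequest(D("180"), "shop-b", 0.05),
    AuthRequest(D("20"), "shop-a", 0.60),
]
if __name__ == "__main__":
    print(simulate(D("0.05"), SAMPLE))
```

Running the same sample with a fraud rate above 0.13% removes the risk-analysis exemption entirely, so the EUR 180 payment moves from frictionless to challenge.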

When choosing the most suitable authentication method, the issuing bank should consider whether cardholders are familiar with the method. It also needs to consider the resources available to its cardholders (do they have the appropriate mobile device tokens?), the customer segment (are cardholders willing to download mobile applications for payment authentication?), and applicable regulations, including PSD2 and local regulations. The best way to go about this is to offer a minimum of two authentication methods and allow the cardholders to select their preferred method of authentication. It is important to note that the best authentication rate is achieved when 3D Secure and digital channels use the same authentication methods, simply because the cardholders are used to them.


#benefits

(1) 3DS Requestor Initiated (3RI) payments – enabling a merchant to initiate a transaction even if the cardholder is offline.
(2) Decoupled authentication – allowing cardholder authentication to occur even if the cardholder is offline.
(3) Expansion of existing data elements to promote communication of pre-checkout authentication events and associated data as part of the EMV 3DS transaction from systems such as those supporting the FIDO Alliance standards.

The initial version of 3D Secure was launched in 2001 and had a few minor releases. In October 2016, EMVCo released 3D Secure v2.0, and one year later, in October 2017, 3D Secure v2.1 emerged. 3D Secure 2.0 is more than just an upgrade of an old standard. It is designed with the intent to create a frictionless online payment experience for cardholders. It does this by facilitating richer data exchange, allowing Risk-Based Authentication on the Issuer side for low-risk transactions. This eliminates authentication challenges and makes the authentication process almost invisible to the cardholder.

Recognizing the necessity to support new and evolving payment channels, 3D Secure 2.0 includes the ability to support authentication of App-based transactions on mobile and other consumer devices. As mentioned, 3D Secure 2.0 introduces state-of-the-art authentication methods such as fingerprint, face recognition, and voice recognition (biometric authentication).

To summarize, 3D Secure 2.0 brings the following benefits:
- Applicable for mobile device web browser purchasing
- Integration with mobile applications to provide consistent service for mobile application based purchasing services
- Simplified user experience
- Elimination of sign up process during online shopping
- Enables up-to-date authentication methods such as fingerprint, face recognition, voice recognition
- Provides Risk Scoring and Risk-Based Authentication
- Enables "frictionless" or the so-called silent authentication based on customer and transaction data with no additional demands towards the end-user
- Increased conversion rate

By using the ASEE Trides solution, Issuers are able to provide added value to their cardholders such as user portal or user mobile application which enables the cardholder to monitor their 3D Secure online transactions, maintaining risk parameters such as online purchase limits, geographical restrictions, setup of SMS/push warnings in cases of unexpected purchase, lock/unlock card, define preferred authentication method, change language, etc.

First of all, the buyer will feel more confident knowing that additional fraud prevention was deployed. Secondly, even in case of fraud, card schemes (VISA, MasterCard) granted the so-called Liability shift for the merchant. That means that the issuing bank is liable for fraud and dispute costs, and the merchant won't suffer any losses.


#participants

In order to have efficient protection with 3D Secure, it must be implemented on the Issuer and on the Acquirer domain. Therefore, Issuers (financial institutions who issue payment cards), Acquirers, and Merchants who accept cards have to deploy the protocol.

This depends on the card scheme (VISA, MC, AMEX, Diners...). Each of them can have different requirements, milestone deadlines, also considering the geo-location. VISA, for instance, does not mandate the VerifiedByVISA program, but MasterCard mandates MasterCard IdentityCheck in the EU region. However, in the EU region, PSD2 requires SCA authentication for mCommerce and eCommerce payments. By applying 3D Secure, this mandatory requirement is met.

Yes. After the transition period, by October 2022 at the latest, 3D Secure v1.0.2 will no longer be supported by card schemes. Therefore, banks need to migrate to the new version.

Within the 3D Secure environment, even if two-factor strong authentication is applied (as required by PSD2 and 3D Secure 2.1), the Issuer is liable for chargebacks for fraudulent transactions. However, if a cardholder has to pass through another layer of authentication and authenticate themselves during payment, it is less likely that the card is being used in a fraudulent manner. 3D Secure reduces the number of fraudulent online transactions and potential chargebacks.

Issuers have to be aware that card schemes (VISA, MasterCard, etc.) are stakeholders of 3D Secure and promote its acceptance. Through 3D Secure, card schemes introduce liability shift as the main benefit for Merchants and Acquirers. This means that when a Merchant proves a transaction to be a fraudulent one, and the Issuer is enrolled in 3D Secure (or that particular type of card is enrolled in 3D Secure), the Issuer is liable for the chargeback.

If you are a part of any domain, yes, you should implement a solution covering 3D Secure authentication. Cards from Issuers that do not use ACS are more often used in card-not-present transactions simply because fraudulent entities are targeting the weaker part of the chain.

