Get ready for Strong Customer Authentication

3-D Secure 2.0 payments

Blankfactor’s proven expertise in payments can help merchants, large and small, with 3-D Secure 2.0 (3DS) compliance through consulting, technical implementation, and custom software solutions. 3DS meets the Strong Customer Authentication (SCA) requirements going into effect in Europe next year. Merchants who are not compliant with SCA risk having transactions blocked by the card issuer, resulting in frustrated customers and loss of business.

What is Strong Customer Authentication?

Strong Customer Authentication (SCA) is a set of requirements introduced by the EU Revised Directive on Payment Services (PSD2). It requires payment service providers within the European Economic Area to comply with SCA by January 1, 2020 (September 14, 2021 for the U.K.).

SCA is multi-factor authentication based on the use of two or more elements categorised as possession, inherence, and knowledge. These categories are independent of each other, so that the breach of one form of authentication does not compromise the reliability of the others. SCA is designed to protect the confidentiality of the authentication data.

Possession
Something the customer owns, such as a cellphone or a hardware token.
Inherence
Something inherent to the customer, for instance biometrics.
Knowledge
Something the customer knows, for example a passcode or passphrase.

When is Strong Customer Authentication required?

The more robust authentication requirements have increased the need for innovation in card-not-present transactions for merchants, card issuers, and payment service providers.

Payment service providers are required to use SCA when a payer accesses online accounts, initiates electronic payments, and/or carries out remote actions that imply risk.

  1. Accessing payment account online
  2. Initiating electronic payment transactions
  3. Carrying out remote actions through channels which may imply a risk
“[Merchants] not only have limited time to prepare; the knock-on effect of approval rates and therefore lost revenue, is potentially staggering.”
Toby McFarlane, Head of approvals and fraud, CMSPI

The impact of declined transactions

In 2017, $118 billion was lost to false declines across all online transactions (Javelin Strategy), 66% of mobile transactions were abandoned at checkout (Jumio), and 32% of users plan to stop shopping at the retailer where they were declined (Javelin Strategy).
32% of users would not return to a retailer if declined (Source: Nudata Security)
66% of mobile transactions had cart abandonment
3-D Secure 2.0: A European requirement with worldwide opportunity

To comply with the new European standards, EMVCo published specifications for 3-D Secure 2.0. The new protocol is designed to be less intrusive and meet the stringent requirements of PSD2.

New vs. old

3-D Secure 1.0 was launched in 2001, but the protocol has not kept up with technological innovation and has been plagued with issues. 3-D Secure 2.0 offers better fraud protection, user convenience, and technology.

| | 3DS 1.0 Standards | 3DS 2.0 Standards | Benefits of 3DS 2.0 |
|---|---|---|---|
| Method | Static passwords, security questions and risk-based authentication | Eliminates static passwords for stronger two-factor authentication | Greater security; Greater convenience |
| Interfaces | Browser dependent | Supports different payment channels (in-app, IoT, browser, etc.) | Better UX; Great control by merchant; Wider applications |
| Data | Only 15 data elements available | Enables 10x more data to be exchanged | Increased accuracy; Improved decisioning |
| Use cases | Supports guest checkout only | Supports guest checkout with additional use cases (wallets, tokenization, etc.) | Expanded use; Greater security |
| Decisioning | Merchants bound by issuer decisioning | Enhances decisioning by increased flow of data | Greater flexibility |

Source: Mastercard
Stronger authentication
3-DS 2.0 lets merchants share up to 150 data points, including the cardholder’s key addresses, browser language, location data, etc. The more data shared between merchants and issuers, the better the fraud assessments will be, thus further reducing the rate of false declines.
Better customer experience
3-DS 1.0 required a static password. If a cardholder couldn’t remember their password, this often led to cart abandonment. 3-DS 2.0 is optimized to work across platforms (web, mobile, IoT) and uses familiar authenticators such as biometrics and one-time passwords to verify risky transactions.
Multiple device support
Smartphones didn’t exist when 3-DS 1.0 was released. 3-DS 2.0 is optimized to work across platforms such as web, mobile, IoT and allows for in-app purchases and digital wallet payments.
Merchant opt-out
Merchants who enrolled in 3-DS 1.0 were bound to the issuer's decision on whether a charge was accepted or not. With 3-DS 2.0, merchants are able to opt out of the authentication process and use their own risk models to approve or deny a sale. If merchants choose to do so, however, they will assume the liability of a fraudulent transaction.
Frictionless authentication

Merchants and card issuers will have a far greater opportunity to easily authenticate transactions with user behavior analytics to identify high risk transactions and reduce fraud, while still providing a seamless user experience.

Information-only requests

Information-only requests allow a merchant to share transaction data without risk of failed authentications. This helps improve authentication rates without any risk of failed transactions.

Decoupled authentication

Authentication can be separated from the payment transaction and can still take place up to 7 days after the actual payment. This allows authentication to take place outside of a typical e-commerce flow, when the cardholder may not have immediate access to a web interface.

Worldwide liability shift

Visa and Mastercard have both created policies where merchants who utilize 3-DS 2.0 can receive a liability shift in the event of fraud-related chargebacks when they attempt authentication, even if the card issuer is not ready to support it. This liability shift extends globally this year.