EMV 3-D Secure 2.0

January 4, 2017 - What's new and what are the advantages?

The growth of e-commerce has provided us with convenient services and payment methods, which in turn have led to a significant increase in the number of card-not-present transactions. At the same time, this growth has meant an equally rapid growth of fraudulent activity in this area. Because they are liable for fraud, merchants have ultimately borne the cost of theft. Issuers, in their turn, have to spend considerable resources on handling chargeback processes.

The industry's response to these challenges has been 3-D Secure (3DS 1.0). This first version of 3DS is a set of security standards developed by Visa and also implemented by other schemes. Their implementations can be recognized by their brand names "Verified by Visa" or "MasterCard SecureCode".

3DS allows the issuing bank to authenticate its cardholders during a Card Not Present (CNP) transaction. In this case liability for fraudulent transactions shifts away from the merchant towards the card issuer, reducing chargebacks to the merchant. To use 3DS, the cardholder first needs to complete a one-time enrollment process with the issuing bank and activate the 3DS service. At the time of use, the cardholder is shown a pop-up window requiring them, for example, to enter a password so that the issuing bank can authenticate the cardholder.

Challenges of 3DS 1.0

Although 3DS 1.0 helps to reduce fraud and offers an extra layer of security for both cardholder and merchant, it does not solve all the problems. First of all, 3DS adds an extra step to the checkout process that complicates the payment. During checkout, the cardholder needs to enter a password in a separate pop-up window, or enroll in the 3DS service if this has not been done before. This disrupts the customer journey, confuses customers and can lead to a reduction in the conversion rate. Additionally, 3DS 1.0 supports only browser-based purchases; in-app purchases are not supported.

When implementing 3DS 1.0, the merchant benefits from the liability shift from merchant to issuer in case of fraud on 3DS-authenticated transactions. On the other hand, the merchant needs to invest in additional components, which may even increase the scope of its PCI-DSS certification. Moreover, the risk of a drop in conversion rate due to the more complicated checkout process keeps some merchants from implementing 3DS.

Lastly, 3DS v1.0 can potentially be vulnerable to phishing and "man in the middle" attacks, because the cardholder is redirected to another URL for the 3DS process. An attacker can present a similar-looking pop-up window that steals personal information or downloads malicious content onto the customer's computer.

Introduction of EMV 3-D Secure 2.0

To deal with the challenges discussed above and to reflect the current and future market requirements, the 3DS specifications have been updated. The purpose of this update has been to enhance security, support app-based authentication and improve the cardholder experience during the checkout process. In October 2016 during the Money 20/20 conference in Las Vegas, EMVCo released a new version of the 3-D Secure specification under version number 2.0 (EMV 3DS 2.0).

The main enhancements of EMV 3DS 2.0 compared to 3DS 1.0 are:

  • Support for in-app purchases on mobile phones and other customer devices.
  • Merchants can integrate the authentication process into their checkout experience, for both app-based and browser-based implementations.
  • Issuing banks can make risk-based decisions on the transaction authorization, which enables frictionless consumer authentication: the customer is not required to perform an additional authentication step with the bank.
  • Non-payment customer authentication, which allows services like Identification & Verification (ID&V) for mobile wallets and the secure request of tokens for card on file.

A typical transaction: 3DS 1.0 vs EMV 3DS 2.0

There are a number of differences in the transaction flow between 3DS 1.0 and EMV 3DS 2.0. The typical transaction flow for each version is shown in the figure below, followed by a high-level overview of the differences between the versions in terms of system components, flow and messaging.


Figure 1 Typical transaction in 3DS 1.0 (left) vs EMV 3DS 2.0 (right). Step 1-3: A transaction is started and an authentication request is sent to the issuer. Step 4-5: If needed the customer is authenticated by the issuer. Step 6: Results of the authentication are communicated either through the customer (1.0) or through the DS (2.0). Step 6-7: Completion of the flow. After this the normal Payment flow is followed (dashed line).

New components
EMV 3DS 2.0 introduces new components to the 3DS ecosystem to support the new authentication flows. The Merchant Server Plug-in (MPI) is replaced by the 3DS Server, which is part of the "3DS Requestor Environment", a collective term for the components in the merchant's domain: the 3DS Client, the 3DS Requestor and the 3DS Server.

  • The 3DS Client is the component that communicates with the cardholder. This can be done for in-app purchases (3DS SDK) and for browser-based purchases (3DS Method). Both allow for integration with the 3DS Requestor for a smooth online shopping experience.
  • The 3DS Requestor initiates the Authentication Request (AReq) messages and is the pipeline for the 3DS-related data from the mobile application or website to the 3DS Server.
  • The 3DS Server provides the interface between the 3DS Requestor Environment and the DS.

New flows
The frictionless flow is one of the fundamental differences between 3DS 1.0 and EMV 3DS 2.0. In Figure 1, this flow is represented by the green path (step 1-4). In this flow the issuer can approve a transaction without cardholder interaction, based on risk-based authentication performed in the ACS.

Another difference can be found in the way the result of a challenge is communicated from the issuer to the merchant. In 3DS 1.0 this is done via the cardholder, while in EMV 3DS 2.0 it is communicated through the DS (step 6 in Figure 1). In this way the merchant is informed about the authentication result via a separate channel, which enhances security: the result no longer passes through the cardholder's browser, where it could be tampered with or forged.

EMV 3DS 2.0 also supports non-payment customer authentication. This functionality can be particularly useful for cardholder Identification & Verification (ID&V) for mobile wallets and for the secure request of tokens for card on file. The non-payment customer authentication flow is similar to the EMV 3DS 2.0 authentication flow during a purchase on the merchant's website, but it does not include the steps that are specific to remote payment (e.g. payment initiation, payment confirmation, etc.).


New messaging

Phase            3DS 1.0        EMV 3DS 2.0
Preparation      CRReq/CRRes    PReq/PRes
Authentication   PAReq/PARes    AReq/ARes
Challenge        VEReq/VERes    CReq/CRes
Result           -              RReq/RRes

Table 1 Overview of the message name differences between 3DS 1.0 and EMV 3DS 2.0 for the different phases of a 3DS transaction.

Version 2.0 introduces new names for the messages exchanged between the components, as shown in Table 1. A new message type is the Result message (Result Request and Result Response). This message is exchanged between the issuer (ACS) and the merchant (3DS Server) and communicates the result after customer verification. In 2.0 the messages are structured as JSON rather than the XML of 1.0, and new data elements are added to support the new functionalities of the system.
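To make the frictionless flow and the new Result message concrete, here is an added example (not code from the article, from UL or from the EMVCo specification) of the 3DS Server side of an EMV 3DS 2.0 authentication as a small state machine. It assumes the EMV 3DS JSON field names messageType, threeDSServerTransID, transStatus and resultsStatus; the state names, the in-memory store and the policy of allowing authorization only on transStatus "Y" are assumptions of this example.

```python
import uuid

# Added example: a minimal 3DS Server state machine for EMV 3DS 2.0.
# Field names (messageType, threeDSServerTransID, transStatus, resultsStatus)
# follow the EMV 3DS 2.0 JSON message format; state names, the in-memory store
# and the "Y only" authorization policy are assumptions of this example.

class ThreeDSServer:
    def __init__(self):
        self.state = {}    # threeDSServerTransID -> "awaiting_ares" | "challenge" | "done"
        self.result = {}   # threeDSServerTransID -> final transStatus (from ARes or RReq)

    def build_areq(self, purchase_amount):
        """Step 1-3: start a transaction and prepare the AReq that goes to the DS."""
        tid = str(uuid.uuid4())            # EMV 3DS transaction identifiers are UUIDs
        self.state[tid] = "awaiting_ares"
        return {"messageType": "AReq", "threeDSServerTransID": tid,
                "purchaseAmount": purchase_amount}

    def handle_ares(self, ares):
        """ARes from the DS: 'C' means a challenge is required; any other
        transStatus is a frictionless decision made by the ACS on risk alone."""
        tid = ares.get("threeDSServerTransID")
        if ares.get("messageType") != "ARes" or self.state.get(tid) != "awaiting_ares":
            raise ValueError("ARes does not match a pending AReq")
        if ares["transStatus"] == "C":
            self.state[tid] = "challenge"    # the result will arrive later in an RReq via the DS
            return "challenge"
        self.state[tid] = "done"             # frictionless: no cardholder interaction
        self.result[tid] = ares["transStatus"]
        return "frictionless"

    def handle_rreq(self, rreq):
        """Step 6: RReq from the ACS through the DS, never through the cardholder's browser."""
        tid = rreq.get("threeDSServerTransID")
        if rreq.get("messageType") != "RReq" or self.state.get(tid) != "challenge":
            return None                      # unknown, replayed or out-of-order result: ignore
        self.state[tid] = "done"
        self.result[tid] = rreq["transStatus"]
        return {"messageType": "RRes", "threeDSServerTransID": tid,
                "resultsStatus": "00"}       # "00": result request received

    def authorization_allowed(self, tid):
        """Only a result received on the DS channel with 'Y' (authenticated) unlocks
        authorization. A CRes seen in the browser is never consulted here."""
        return self.state.get(tid) == "done" and self.result.get(tid) == "Y"
```

The point to notice is that after an ARes with transStatus "C" the server waits for the RReq on the DS channel, so nothing the browser sends can flip authorization_allowed to true.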

Advantages of EMV 3DS 2.0

The introduction of EMV 3DS 2.0 has several advantages that allow enhanced security of e-commerce transactions while optimizing the cardholder's experience. Merchants will be able to make their checkout process smoother and available through different channels and devices without compromising security. EMV 3DS 2.0 adds the non-payment authentication flow, which enables merchants to offer additional secure non-payment services. Furthermore, EMV 3DS 2.0 allows for further development of risk-based authentication techniques for cardholder authentication. Based on their internal rules, issuers would, for example, be able to authorize low-value transactions without additional interaction with the cardholder.

Dropping the 3DS requirement to authenticate the customer in a different screen from the merchant's website will not only enhance the user experience but also reduce the chance of phishing and "man in the middle" attacks. Moreover, no longer relying on a static password allows the use of new authentication options such as biometrics through Out-Of-Band (OOB) authentication or a One Time Password (OTP).

Another notable difference between 3DS 1.0 and EMV 3DS 2.0 is that the development of the EMV 3DS 2.0 standard includes input from the major global card brands such as American Express, Discover, JCB, Mastercard, UnionPay and Visa. EMV 3DS 2.0 focuses on interoperability not just across the various card association services but across both eCommerce and mCommerce. In addition, a powerful driver for EMV 3DS 2.0 in the EU may be the Payment Services Directive 2 (PSD2), which requires the use of strong customer authentication for both types of payments: in-app and browser-based. EMV 3DS 2.0 supports both of these payment types, and thus implementing EMV 3DS 2.0 may be interesting for both merchants and issuers.

In conclusion, EMV 3DS 2.0 aims to solve multiple technical pain points of 3DS v1.0: reducing customer confusion, making the checkout process smoother for both browser-based and in-app purchases, introducing a frictionless authentication flow and a non-payment authentication flow, and enhancing security. However, to ensure the success of EMV 3DS 2.0, both issuers and merchants need to actively participate in the EMV 3DS 2.0 program. Otherwise there is a risk that EMV 3DS 2.0 will share the same technical and business challenges as 3DS v1.0.

Join UL's EMV 3-D Secure 2.0 Masterclass, for a deep-dive into the newly released specifications. Prepare yourself for the changes, the impacts and take advantage of the new features. Click the link for course dates and for further information. 

Disclaimer

These are the personal opinions of UL’s employees and its guests and should not be misunderstood as representing the opinion of UL's clients, suppliers or other relations.