About Us Solutions Business Type Contacts Support

3DS2 – a new level of security. What’s new and how to transit?

Boaz Gam

Boaz Gam


Average rating: 4.7
Thanks for the vote!
5 min
Article content
  1. What is 3DS2 and what are differences from classic 3DS?
  2. How will these changes affect business?
  3. How do I switch to new protocol? And how can we help

We are considering how to switch to new 3‑D Secure 2.0 protocol without spending a lot of resources on it. And most importantly, how not to lose in conversion and not to harm patency of payments during transition period.

What is 3DS2 and what are differences from classic 3DS?

By the end of 2021, all EU banks will apply new security rules for Internet payments within Eurozone (otherwise they become a subject to heavy fines).

Consequences of innovations:

  • An online business that does not switch to 3DS2 protocol will face a serious loss of conversion
  • Soon, all online payments on cards that have not passed 3DS2 authentication will be rejected by issuers without consideration.
  • Mastercard plans to decommission former 3DS1 security protocol in October 2022. VISA will be ready in October 2021.

The technical essence of innovations is to change some program codes and automatic parameters of notifications and requests to money transfer server and further, for verification and approval to an issuer.

The new protocol forms two money transfer paths: frictionless flow and challenge flow. In the first case, a system verifies a user's familiar device and approves money transfer without confirming it with an SMS password. In the second case, a banking system doubts authentication of payer, and requires you to provide a password or biometric information. It redirects a user to issuing bank's ACS page to enter a one-time SMS password.

How will these changes affect business?

For online businesses and consumers, introduction of the new 3DS2 protocol based on SHA strong authentication standard means a guarantee of security, seamless and high conversion of payments. To confirm each operation, a set of parameters about cardholder and his device, "digital fingerprint" of a payer, is automatically sent to card issuers. If verification program "recognizes" the cardholder, then usual procedure for confirming money transfer with a one-time SMS password is not required. Most transactions will be successfully completed in one stage.

It is also important that 3DS2 authentication (like 3DS1) places responsibility for a possible illegal money transfer on an issuer and removes it from online business. Even more significant for business is support of 3DS2 payments in mobile applications.

3D-security 2.0-what is it and is it worth using

Source: https://3dsecure2.com/

How do I switch to new protocol? And how can we help

To independently switch to a new configuration, an online business will need a team of IT specialists and several working weeks (depending on existing money transfer scheme on site).

But there is a better way:

  • individual money transfer providers have taught their money transfer platform to make payments with 3-d secure 2.0 support independently.
  • no site improvements are required from business side, and money transfer scheme for online seller and user remains same as for 3DS1.

So, inside Payneteasy, this service is called Proxy 3DS, and in documentation it is listed as basic authentication scheme. This is a kind of "adapter" between core of our platform (Core) and Access Control Server (Access Control Server or ACS).

Proxy 3DS is a free service. It already works for existing Payneteasy clients and is enabled by default if integration with site goes through API (host2host). When connecting via money transfer page, all money transfer processing, including 3DS authentication, as before, goes on side of money transfer provider.

If cardholder's issuing bank supports 3-D Secure 2.0 protocol, money transfer platform generates an alert in usual 3-D Secure 1 format in response to request, but address of our Proxy 3DS service will be specified as URL instead of ACS.

When redirecting a user to Proxy 3DS, two scenarios are possible

  • frictionless flow-displaying a window hidden for user (iframe) and exchanging data with ACS in background. In other words, Frictionless Flow allows issuers to approve a transaction without requiring manual data entry from cardholder.
  • challenge flow-redirects user to issuing bank's ACS page to enter confirmation information (for example, a one-time password).

Either one of these scenarios or two scenarios can be executed sequentially. Choice is up to an issuer.

Proxy 3DS works according to basic authentication scheme. service supports 3-D Secure 2 protocol based on previous version without modifications, but requires additional user redirects.

The extended scheme is optimized for features of 3-D Secure 2.0 protocol and eliminates intermediate redirects. However, it assumes that trading site already knows how to work with frictionless and challenge flow schemes.

To make transition to advanced version of service as easy as possible, our team implemented backward compatibility between authentication schemes. system administrator of site is required to independently change only one parameter in one of requests. For more information, see our documentation.

3D-security 2.0-what is it and is it worth using

Source: https://usa.visa.com/visa-everywhere/security/future-of-digital-payment-security.html

The transition of money transfer systems and banks around world to new 3DS2 protocol is a matter of very near future. But in conditions when not all issuing banks, even in EU, have made this transition, any online business may face an unexpected decrease in conversion or frequent refusals for transactions of any issuer. Proxy 3DS is optimal tool for transition period in European online money transfer security system.

Payneteasy clients that integrate money transfer gateway via API work with 3-D Secure 2 via Proxy 3DS. This saves them from numerous improvements to support new version of protocol. To find out how to simplify transition to new protocol, contact our experts!

Commentaries 4

Jacob B

Thank you for a detailed, but simple explanation of how 3DS2 works! But again, why do we (e-merchants that is) need it? Can’t Visa and others keep things with the online payments just the way they used to be? Thanks, in advance!

3D-security 2.0-what is it and is it worth using Boaz Gam

You’re always welcome!
And here’s a quick answer: alas, they can’t. The problem with the online payment services is that:
a. Malicious actors try to exploit their vulnerabilities.
b. Companies want the authentication process to be simpler for the end user.
So, 3DS2 will employ the Secure Hash Algorithm, which protects the transaction data with the strong, advanced cryptography.
At the same time, the new standard can make payments virtually frictionless. It uses the “digital fingerprint” method, which identifies a certain gadget and ties it to a specific person.
As a result, your customer will be liberated from having to enter security SMS-passwords over and over. This simplicity basically means more sales for you!


Hi, Boaz, thank you for the detailed review! So, how does this protocol increase your conversion again? Thank you from Joan and co.

3D-security 2.0-what is it and is it worth using Boaz Gam

Always a pleasure, Joan & company!
As for 3DS2, the trick is simple. The innovation of this European standard includes the fingerprint authentication.
It is a system, which is in charge of processing payments. It remembers everything related to your device, from the brand and model to your favorite banking app. As a result, it will be much easier and faster to complete authentication later, without extra security steps.
In turn, your customer can buy your stuff online in a flash — odds are they’ll want to return to such a convenient place later again.
So far, 3DS2 requirements are exclusive to Europe. But there’s a chance they’ll adapt them in the US as well. So, join early!

We use cookies What does it mean?

Payneteasy uses cookies to improve its perfomance and enhance your user experience