We are considering how to switch to the new 3‑D Secure 2.0 protocol without spending a lot of resources on it and, most importantly, how to avoid losing conversion or harming payment acceptance during the transition period.
By the end of 2021, all EU banks will apply the new security rules for Internet payments within the Eurozone (otherwise they become subject to heavy fines).
Consequences of innovations:
The technical essence of the innovations is a change to some program code and to the automatic parameters of the notifications and requests sent to the payment server and then on to the issuer for verification and approval.
The new protocol defines two payment paths: frictionless flow and challenge flow. In the first case, the system recognizes the user's familiar device and approves the payment without confirmation by an SMS password. In the second case, the banking system doubts the payer's authentication and requires a password or biometric information. It redirects the user to the issuing bank's ACS page to enter a one-time SMS password.
For online businesses and consumers, the introduction of the new 3DS2 protocol, based on the SCA strong authentication standard, means a guarantee of security, seamlessness and high payment conversion. To confirm each operation, a set of parameters about the cardholder and their device, the payer's "digital fingerprint", is automatically sent to the card issuer. If the verification program "recognizes" the cardholder, the usual procedure of confirming the payment with a one-time SMS password is not required. Most transactions will be completed successfully in one step.
It is also important that 3DS2 authentication (like 3DS1) places liability for a possible illegal payment on the issuer and removes it from the online business. Even more significant for business is the support for 3DS2 payments in mobile applications.
To switch to the new configuration independently, an online business will need a team of IT specialists and several working weeks (depending on the existing payment scheme on the site).
But there is a better way:
Inside Payneteasy, this service is called Proxy 3DS, and in the documentation it is listed as the basic authentication scheme. It is a kind of "adapter" between the core of our platform (Core) and the Access Control Server (ACS).
Proxy 3DS is a free service. It already works for existing Payneteasy clients and is enabled by default if the integration with the site goes through the API (host2host). When connecting via the payment page, all payment processing, including 3DS authentication, takes place on the payment provider's side, as before.
If the cardholder's issuing bank supports the 3-D Secure 2.0 protocol, the payment platform responds to the request with a message in the usual 3-D Secure 1 format, but the URL in it is the address of our Proxy 3DS service instead of the ACS.
When redirecting a user to Proxy 3DS, two scenarios are possible
Either one of these scenarios is executed, or both are executed sequentially. The choice is up to the issuer.
Proxy 3DS works according to the basic authentication scheme. The service supports the 3-D Secure 2 protocol on the basis of the previous version, without modifications, but requires additional user redirects.
The extended scheme is optimized for the features of the 3-D Secure 2.0 protocol and eliminates the intermediate redirects. However, it assumes that the merchant site already knows how to work with the frictionless and challenge flow schemes.
To make the transition to the advanced version of the service as easy as possible, our team implemented backward compatibility between the authentication schemes. The site's system administrator only needs to change one parameter in one of the requests. For more information, see our documentation.
The transition of payment systems and banks around the world to the new 3DS2 protocol is a matter of the very near future. But while not all issuing banks, even in the EU, have made this transition, any online business may face an unexpected decrease in conversion or frequent declines of transactions from any issuer. Proxy 3DS is the optimal tool for the transition period in the European online payment security system.
Payneteasy clients that integrate the payment gateway via the API work with 3-D Secure 2 via Proxy 3DS. This saves them from numerous modifications to support the new version of the protocol. To find out how to simplify the transition to the new protocol, contact our experts!