3DS2 – a new level of security. What’s new and how to transit?

We are considering how to switch to new 3‑D Secure 2.0 protocol without spending a lot of resources on it. And most importantly, how not to lose in conversion and not to harm patency of payments during transition period.

What is 3DS2 and what are differences from classic 3DS?

By the end of 2021, all EU banks will apply new security rules for Internet payments within Eurozone (otherwise they become a subject to heavy fines).

Consequences of innovations:

• An online business that does not switch to 3DS2 protocol will face a serious loss of conversion
• Soon, all online payments on cards that have not passed 3DS2 authentication will be rejected by issuers without consideration.
• Mastercard plans to decommission former 3DS1 security protocol in October 2022. VISA will be ready in October 2021.

The technical essence of innovations is to change some program codes and automatic parameters of notifications and requests to money transfer server and further, for verification and approval to an issuer.

The new protocol forms two money transfer paths: frictionless flow and challenge flow. In the first case, a system verifies a user's familiar device and approves money transfer without confirming it with an SMS password. In the second case, a banking system doubts authentication of payer, and requires you to provide a password or biometric information. It redirects a user to issuing bank's ACS page to enter a one-time SMS password.

How will these changes affect business?

For online businesses and consumers, introduction of the new 3DS2 protocol based on SHA strong authentication standard means a guarantee of security, seamless and high conversion of payments. To confirm each operation, a set of parameters about cardholder and his device, "digital fingerprint" of a payer, is automatically sent to card issuers. If verification program "recognizes" the cardholder, then usual procedure for confirming money transfer with a one-time SMS password is not required. Most transactions will be successfully completed in one stage.

It is also important that 3DS2 authentication (like 3DS1) places responsibility for a possible illegal money transfer on an issuer and removes it from online business. Even more significant for business is support of 3DS2 payments in mobile applications.

Source: https://3dsecure2.com/

How do I switch to new protocol? And how can we help

To independently switch to a new configuration, an online business will need a team of IT specialists and several working weeks (depending on existing money transfer scheme on site).

But there is a better way:

• individual money transfer providers have taught their money transfer platform to make payments with 3-d secure 2.0 support independently.
• no site improvements are required from business side, and money transfer scheme for online seller and user remains same as for 3DS1.

So, inside Payneteasy, this service is called Proxy 3DS, and in documentation it is listed as basic authentication scheme. This is a kind of "adapter" between core of our platform (Core) and Access Control Server (Access Control Server or ACS).

Proxy 3DS is a free service. It already works for existing Payneteasy clients and is enabled by default if integration with site goes through API (host2host). When connecting via money transfer page, all money transfer processing, including 3DS authentication, as before, goes on side of money transfer provider.

If cardholder's issuing bank supports 3-D Secure 2.0 protocol, money transfer platform generates an alert in usual 3-D Secure 1 format in response to request, but address of our Proxy 3DS service will be specified as URL instead of ACS.

When redirecting a user to Proxy 3DS, two scenarios are possible

• frictionless flow-displaying a window hidden for user (iframe) and exchanging data with ACS in background. In other words, Frictionless Flow allows issuers to approve a transaction without requiring manual data entry from cardholder.
• challenge flow-redirects user to issuing bank's ACS page to enter confirmation information (for example, a one-time password).

Either one of these scenarios or two scenarios can be executed sequentially. Choice is up to an issuer.

Proxy 3DS works according to basic authentication scheme. service supports 3-D Secure 2 protocol based on previous version without modifications, but requires additional user redirects.

The extended scheme is optimized for features of 3-D Secure 2.0 protocol and eliminates intermediate redirects. However, it assumes that trading site already knows how to work with frictionless and challenge flow schemes.

To make transition to advanced version of service as easy as possible, our team implemented backward compatibility between authentication schemes. system administrator of site is required to independently change only one parameter in one of requests. For more information, see our documentation.

Source: https://usa.visa.com/visa-everywhere/security/future-of-digital-payment-security.html

The transition of money transfer systems and banks around world to new 3DS2 protocol is a matter of very near future. But in conditions when not all issuing banks, even in EU, have made this transition, any online business may face an unexpected decrease in conversion or frequent refusals for transactions of any issuer. Proxy 3DS is optimal tool for transition period in European online money transfer security system.

Payneteasy clients that integrate money transfer gateway via API work with 3-D Secure 2 via Proxy 3DS. This saves them from numerous improvements to support new version of protocol. To find out how to simplify transition to new protocol, contact our experts!