3DS2: Everything you need to know and how to prepare for it

3DS2: Everything you need to know and how to prepare for it

3DS2 is an updated payment authentication method meant to provide an additional protection layer against fraudulent transactions for online merchants and their customers.

The new protocol is getting a lot of attention right now from online marketplaces and platforms, not least because its predecessor, 3DS1, sacrificed user experience and conversion rates for added security.

Australian companies taking online card payments need to understand this tool to see how it works for them and where it fits in their payment infrastructure because it may become an inescapable part of their business in the near future.

Since 3DS2 represents a potential game-changer for Australian digital commerce, we decided to write this article to help you understand what it means. After sitting down with our in-house team of payment experts, we’re providing you with information on 3DS2, including:

Ready to give your platform the secure payment options your users want, like 3DS2? Zai’s here to help. Contact us now to learn how we can improve every step of your online payments journey.

What Australian merchants need to know about 3DS2

3-D Secure 2.0 (3DS2) is the next evolution of the EMVCo-created 3-D Secure 1.0 protocol, which provides additional payment card authentication for online payments. 3DS1 arose at the end of the last century when the first wave of digital commerce was taking off and credit card schemes looked to secure their networks.

While beneficial for reducing fraud, the customer experience was lacking as 3DS1 would take users off the platform and onto a separate payment page, often resulting in site and cart abandonment.

As technology progressed and the use of mobile devices increased, digital commerce evolved. It became apparent that 3DS1 needed an update, which led to 3DS2 going live globally in 2019.

3DS2 means better UX, more security and fraud reduction for online transactions

One of 3DS2’s improvements over 3DS1 is that it puts the user experience (UX) first, which in turn, helps merchants increase conversion rates. The technology:

  • Works on all mobile devices and not just desktop web browsers. 3DS1 only supported browser transactions. As web 2.0 created mobile shopping apps and digital wallets, the original protocol struggled to keep up with increased activity on smartphones and mobile apps.

  • Embeds directly into the check-out flow without disrupting the user experience. 3DS2 was designed with mobile devices in mind, meaning there are no page redirects that interrupt the user checkout experience.

  • Moves much faster than the original protocol. Payments get verified much quicker in 3DS2, which reduces check-out time and abandonment.

3DS2 also looks to secure the entire payment process. From the customer’s card issuer to the acquiring merchant and their respective banks, all parties involved can benefit from a more secure experience.

Of course, 3DS2 is not a catch-all for reducing malicious payment activity. Rather, it's one of the many tools and controls online merchants should have in place to protect users. Still, it goes a long way in meeting some of those needs.

Combined with significant UX improvements for both parties, 3DS2 lets merchants be more competitive while offering a “frictionless flow” between themselves and their users at checkout.

How does 3DS2 work?

When the card networks formulated 3DS2 through their joint operation, EMVCo, they began by rebuilding the authentication process. Under this new update, the payment workflow goes like this:

  1. The merchant sends the transaction into their payment gateway, flagging it for 3DS2 verification.

  2. The transaction goes into 3DS2’s server, which collects key data points that it sends to the issuer’s access control server (ACS) for verification and risk assessment.

  3. If the server validates the payment and the card and deems the transaction low risk, the transaction finishes without friction, and the cardholder receives the payment confirmation.

  4. If the server decides to apply additional controls or the acquirer has already set additional controls in place, a message is sent to the cardholder and their bank. The cardholder will see a pop-up or embedded window at the checkout screen, asking them to validate the transaction via their banking app. Cardholders can quickly verify their identity through two-factor authentication methods like one-time passwords or biometric authentication, without ever leaving the merchant’s site or app.

  5. If the cardholder’s bank verifies the transaction, then the 3DS2 server confirms it with the merchant, sending the payment confirmation to their bank. If the server rejects the transaction, it notifies the cardholder and terminates the process.

The entire process takes a matter of seconds and can originate from an app, website, or even a digital wallet.

3ds2ZaiBlogDiagram1

3ds2ZaiBlogDiagram2

Will 3DS2 become mandatory in Australia?

When 3DS2 came about globally, the intention in Australia was to follow the EU’s lead and make it one of the mandatory protocols for secure authentication.

Even though it seemed 3DS2 would become mandatory in Australia, a date of when it will be enforced is yet to be determined.

In short, many Australian online merchants have avoided adopting the protocol because their experience with 3DS1 led them to believe it increased shopping cart abandonment.

With such low adoption rates, there was a high likelihood of mass disruption if Visa continued to require it.

However, with fraudulent card transactions amounting to 468 million dollars in Australia in 2020, 3DS2 remains an optional though recommended security payment measure for Australian online businesses.

How can Australian online merchants and platforms prepare for 3DS2?

Even if 3DS2 isn’t mandatory, there are some best practice steps that all Australian online merchants and platforms can follow to keep their payment infrastructure secure while being ready for the future.

Prepare for 3DS2 to become mandatory in Australia at some point

Even if 3DS2 is optional today, there’s no guarantee that it won’t be mandatory sometime in the near future. If Visa reverses its decision on 3DS2 (also known as Visa 3-D Secure) or the market authorities decide to mandate it, getting caught without an action plan in place will leave you scrambling to catch up.

Therefore, it’s crucial to have a framework in place to move quickly within your impacted teams if it does. Additionally, it’s worth keeping up with the latest industry news to see developments as it happens. As Australian payment experts, we’re always watching the trends and posting them to our blog.

Become familiar with the protocol and how it will interact with your services

Let your tech team and product managers examine how a 3DS2 integration would look across your front and backend. During an examination exercise, product and IT managers should be finding answers to key questions like

  • How will 3DS2 fit within our current stack?

  • What does adding it do to our UX and UI?

  • Will we need to make significant changes to our current checkout experience if needed?

  • How quickly could we roll out 3DS2 if suddenly required to?

The responses might not always be the most optimistic, but knowing them will go a long way to creating a fast and efficient implementation if the need arises. It could also be worth consulting with a local payments expert for additional perspective.

Run a pilot program to test 3DS2 in production

The best way for you to see how 3DS2 will work in your system is to launch it as a pilot. Here, you would deploy the protocol to a small set of users and then test and measure the impacts.

Ideally, you’ll be looking to see how users interact with it, if abandonment rates change, and how well it meshes with your tech stack. Like with any online activity, there’ll be lots of data to sift through, which will no doubt give you new insights into your business.

If you can start using 3DS2 today, you’ll be more prepared to implement it across your platform should it become mandatory down the road.

Consider “tokenizing” verified cards for recurring payments

Australian online merchants and platforms already using a payment gateway can make recurring payments and cards on file more convenient by tokenizing their registered users’ payment cards. This technique assigns a unique identifier or token to each of your user’s payment cards, known only to your payment gateway and the issuer.

If you set up recurring transactions on your platform, the cardholder needs to go through strong customer authentication (SCA) only for their first transaction. Their following transactions will no longer require SCA because future recurring payments will be exempt from 3DS2 rules. You only send the token and not the card details to the issuer which then verifies the payment.

For example, here at Zai we already tokenize all card payments. Tokenization ensures you can stay PCI compliant because your customer’s card details are safely stored in a secure vault.

Network tokenization is also a best practice, but the technology is still very new. A network token will tokenize the cardholder’s primary account number (PAN) into a single network token. Since card schemes, such as Visa and Mastercard, maintain these network tokens, the information will remain current even if the underlying card data changes, which can happen when a customer loses their card or their card expires and they get a new card with the same issuer and account.

Which types of Australian businesses benefit best from 3DS2?

While every online business in Australia can add 3DS2 to its payment flow, some business models and industries benefit from it more than others. For example:

Digital commerce that sells high-ticket items

3DS2 is a good fit for Australian platforms selling high-ticket physical goods. For example, an electronics retailer will regularly sell computers, TVs, and other items that cost hundreds if not thousands of dollars, or a luxury goods e-commerce that offers clothes and accessories often with three and four-digit price tags.

In both cases, the potential for fraud is high since fraudsters can use stolen credit cards to purchase high-ticket goods, and then quickly sell them for cash on an underground market.

3DS2 can go a long way in preventing bad actors from using compromised cards on these platforms, which in turn reduces fraud and chargebacks.

Online businesses where customers prefer guest checkout

While brand loyalty and repeat business works for many marketplaces, other digital sites have a one-off relationship with their customers. Likewise, some shoppers just prefer using guest checkout without registering an account.

In these cases, 3DS2 offers both the platform and its users secure and quick payments.

How Zai helps you set up 3DS2 as your silent back-end payments provider

As payments orchestration experts, we’ve been helping online businesses in Australia and beyond build complex payment infrastructures for over a decade. We’ve been following 3DS2 closely, which has given us a deep understanding of what local online merchants and platforms firms need to do to incorporate this protocol.

If you wish to add 3DS2, we’ll first connect your tech and product managers with our experts to learn about your payment schema and UI needs. From there, we provide you with our suggested changes and then help you implement them.

When you connect directly to Zai, you no longer have to connect to the payment gateway directly because we connect to the payment gateway and the acquirer on your behalf. Once live, our system will route eligible payments directly into the 3DS2 system via our payment networks, with no additional work on your end.

Our speciality, however, is being your silent payment back end, which gives you access to our powerful payment tools and APIs through one connection point. Our tools are excellent for adding 3DS2 and other payment authentication methods to your carefully crafted check-out flows. However, we’re also able to provide you with front-end integrations if it fits better with your business needs. We can also help you prepare for and implement PayTo.

Want to learn more about our technical capabilities? Check out our API reference guide and docs.

A secure solution for growing Australian merchants

3DS2, while not mandatory, offers Australian online merchants an additional security method for their platform. The enhanced protection, along with ancillary benefits can help companies selling online to securely grow while staying on top of future payment trends.

Zai can help online marketplaces and platforms in Australia add 3DS2 – either as a production payment feature or to help them understand it better in a live environment.

Our tools enable growing companies like yours to handle complex payment infrastructure, including 3DS2, without adding workloads to your already busy teams.

Speak with us today to see how we can put 3DS2 and an entire exciting ecosystem of payment solutions to work in your growing business.