
3D Secure 2: Next-generation Authentication


Last updated October 1, 2019.

Although the September 14, 2019 enforcement date for PSD2: Strong Customer Authentication (SCA) requirements has come and gone, many merchants still have questions about how to ensure that their transactions are SCA-compliant. (For the latest information on the ever-evolving regulatory landscape in Europe, please refer to our SCA cheatsheet.) While the regulations and requirements may seem complex, the solution is simple: 3D Secure 2 (3DS2).

3DS2 is Braintree’s recommended solution for meeting SCA requirements and can help ensure cardholder authentication and protection against fraudulent transactions. The latest 3DS update, which lets issuing banks verify cardholders during transactions, also means benefits for merchants: It can help transfer liability for fraud disputes to issuers, help reduce costs associated with chargebacks, and even help increase conversion.

What is 3D Secure?

3DS is a security protocol that provides an extra layer of protection for online credit and debit card purchases. It was first deployed by Visa as "Verified by Visa" and later renamed "Visa Secure." Since that initial rollout, payment-authentication services based on 3DS have been adopted by Mastercard, American Express, and other major issuers and schemes.

The protocol connects merchants, card networks, and financial institutions to authenticate transactions and share data. An additional verification step helps protect both cardholders and merchants during checkout -- a lookup determines if the cardholder is enrolled in 3D Secure and whether they will need to authenticate the transaction.

3DS2: an enhanced customer experience

The original 3D Secure protocol, 3DS1, was developed long before the smartphone, and it showed -- 3DS1 became known across the industry as a “conversion killer” due to its friction-heavy transaction process.

But 3DS2 was specifically designed to help reduce that friction, especially for mobile checkout, thanks to a seamless mobile experience and native SDKs for both Android and iOS. And while its primary purpose is to meet SCA requirements for biometrics and two-factor authentication, 3DS2 can help improve conversion by making checkout faster and easier for customers.

Bar chart showing 70 percent decrease in cart abandonment and 85 percent reduction in transaction time versus 3DS1

1-2. "Frictionless Experience with Verified by Visa," Visa, 2018

More benefits of 3DS2

This next-generation solution provides automated fraud protection. It’s always on, helping to protect customers and merchants -- no fine-tuning or maintenance beyond updates required. And rather than requiring cardholder involvement, 3DS2 uses device and browser data to accurately make authentication assessments that typically happen behind the scenes. It also offers improved ways to replace static passwords in the event of a challenge.

Shift liability for fraudulent transactions

When fraudulent transactions do occur, with 3DS2 merchants may shift the chargeback liability for those transactions from themselves to the issuing bank.

Lift authorization rates

Issuers may approve more transactions when using 3D Secure.

Simplify SCA compliance

All companies doing business in Europe need to be aware of PSD2: SCA requirements. Enabling 3DS2 is the recommended approach to ensure compliance with the new regulations.

How it works

By adding an authentication step for online purchases, 3DS2 provides another fraud-protection layer for online credit and debit card transactions.

Merchant tokenizes card

  • Merchant tokenizes the customer card or uses the previously tokenized card

Merchant requests authentication insight

  • Optional: Merchant requests authentication insight, Braintree's guidance on SCA applicability
  • Braintree advises if SCA is required or recommended

Merchant initiates 3DS

  • Optional: Merchant decides to request exemptions; three possible outcomes: 1) exemption applied, 2) exemption not applied and no challenge, or 3) exemption not applied and challenge
  • Merchant does not request exemptions; two possible outcomes: 1) issuer triggers challenge or 2) issuer does not trigger challenge

Merchant creates transaction

  • Merchant initiates the verification or authorization

Flow chart showing 1 merchant tokenizes card 2 merchant requests authentication insight 3 merchant initiates 3DS 4 merchant creates transaction

Get more information about various SCA payment scenarios.

Braintree’s 3DS2 solution

3DS2 via Braintree provides a simple way to authenticate transactions with a low-friction checkout experience for cardholders -- plus a single integration that manages multiple acquiring relationships. Our newest front-end and mobile SDKs are built to support all 3DS2 authentication paths. This new iteration will include a method for collecting the device and browser data required by each individual issuing bank, as well as customer data elements. Merchants can also take advantage of 3DS2’s chargeback liability-shift benefit to help reduce costs associated with chargebacks categorized as fraudulent.

With 3DS2, Braintree gives merchants an upgraded weapon in the fight against fraud, plus the benefits of a seamless, secure checkout experience -- all with the peace of mind that comes with an industry-standard authentication solution to meet SCA requirements. Braintree’s 3DS2 solution also offers built-in support for both 3DS2 and 3DS1 protocols and can automatically divert your transactions, so you can be sure your business will be SCA-compliant regardless of issuer readiness.

Additional reading:

  • Get more background on Strong Customer Authentication here.
  • Learn more about Braintree’s 3DS2 solution here.
  • Learn more about how SCA will affect common payment scenarios here.
  • Get started with integration documentation here.