Is 3DS2 Relevant For U.S. Merchants In 2021?

The explosion of eCommerce and a thrust towards online business models has led to an abundance of fraud that merchants weren’t plagued with at brick and mortar retailers.

In order to combat fraud, there have been numerous tools and protocols designed to help merchants and payment processors. 3DS2 is an advanced multi-factor authentication protocol created to aid in fraud prevention and provide more security.

Whether your business maintains a physical or online presence, you’ve likely heard about 3DS2, PSD2, and SCA. This article will provide an overview of exactly what they are and what they mean for U.S. merchants.

Currently, under PSD2 in Europe, Strong Customer Authentication is required on all transactions if the card issuer and acquirer are within the European Economic Area. If only one of the two is within the EEA, then SCA is not required. A business based in the U.S. with a U.S. bank would not be obliged to enforce SCA.

So, how does this affect U.S. merchants? Let’s grab a quick understanding of PSD2, SCA, and 3DS2.

What Is PSD2? (Payment Services Directive)

PSD2 is the European Union’s directive which regulates payments and payment service providers. It aims to make payments more secure in Europe, boost innovation, and help banks adapt to technological changes.

PSD2 requires centralized regulation for all European banks and financial institutions, including third-party payment service providers such as wealth management apps and bill payment apps.

What Is Strong Customer Authentication?

SCA or Strong Customer Authentication was a requirement that was born from PSD2. Every credit card/debit card transaction now requires at least two of the following three:

  • Something in their possession (Mobile phone or hardware token)
  • Something they know (Pin/password)
  • Something that’s a part of them (Fingerprint or facial recognition)

SCA implementation has faced a number of setbacks and it is now set for September 14, 2021.

3DS2

3DS2 is the second 3D secure authentication protocol for online card payments. It outshines its predecessor, 3DS1, as it offers a much smoother experience.

3DS2 is currently used primarily in Europe; however, South Africa and India are also using it with great results.

Merchants can authenticate identity without negatively affecting their customer’s experience within the merchant’s website.

Why Are Merchants Hesitant To Implement 3DS2?

Risk reduction with 3ds2

Merchants are hesitant because the rollout of 3DS1 came with several significant issues. Merchants suffered from cart abandonment and high declines as the interface was cumbersome and not intuitive. On the contrary, 3DS2 is lightyears away from its predecessor’s clunkiness, and it is in the best interest of merchants to have their payment processing provider implement 3DS2.

On top of this, merchants are worried that a decrease in sales could come in rural areas. 29.1% of the European population lives in rural areas in which mobile areas can be spotty at best. In order to combat this, merchants should look into card readers and in some cases landline codes.

Even with implementation dates being pushed back tremendously, there is still a significant lack of awareness from merchants, which could pose to be the biggest problem with implementation.

Let’s take a look at the significant differences between 3DS2 and its predecessor below.

3DS2 VS. 3DS1

3DS2 is superior to 3DS1 in every way. The main focus of the upgrade was to make sure that user experience was improved, specifically through a more frictionless experience. Merchants have the ability to send more data to the issuing bank than 3DS1 is able to.

This makes it such that 3DS2 does not require users to remember passwords just for this purpose. Instead, 3DS2 relies on dynamic authentication, with the only prompt typically coming in the form of a text message to the user’s phone number that is associated with their credit/debit card.

Frictionless Flow: With 3DS2, issuers can apply frictionless flow which means the checkout process goes as smooth as it possibly can.

The awkwardness has been removed from 3DS2, therefore increasing user experience and trust. Conversions are also higher due to the removed hurdles in the checkout process.

Speed kills. The checkout experience is 85% faster than 3DS1. If a customer is in a hurry or on the fence about a purchase, this increase in time can complete the sale.

3DS2 works with all devices, whereas 3DS1 was designed for the desktop experience. Merchants can be reassured that more transactions will be processed, as risk-based authentication helps determine if the transaction is trustworthy.

3D Secure 1 is compliant with the SCA mandate, however, it is coming to an end in October of 2021. This is another reason why merchants should implement 3DS2. If merchants do not upgrade to 3DS2 by October of 2021, they will lose the liability shift.

3DS1 was designed before mobile phones were used for purchases and this is one of the main reasons why merchants struggled with conversion rates with 3DS1. Upon checkout, users can be hit with screen blocking popups that can resemble a cyber attack. This often leads to users bouncing from the sales page.

Soft Declines: 3DS1 is incapable of recognizing soft declines, whereas 3DS2 recognizes them. 3DS2’s technology leads to a decrease in the chance of the transactions being declined by the issuer and cart abandonment.

Merchant-Initiated Transactions: 3DS1 is not capable of setting up merchant-initiated transactions, whereas 3DS2 is. In this day and age where subscription services and recurring payments are the norm, this is essential. With 3DS2, only the first transaction requires SCA and then payments can be put on autopay.

How Does 3DS2 Work?

3DS2 follows an AI-driven risk-based authentication algorithm that determines whether transactions should be accepted or declined through a process called Transaction Risk Analysis.

3DS2 analyses over 100 key data points, including all of the merchant’s contextual data, and then provides one extra layer of fraud protection.

The way 3D Secure works is as follows:

  • The cardholder enters their credit/debit card details during checkout.
  • The merchant’s 3D Secure service provider sends the authentication request with data to the issuer.
  • The data will include a variety of information from the cardholder and the device, depending on the area’s law restrictions.
  • Data points include: Device ID, MAC address, geo-location, prior locations, cardholder spending, and behavioral patterns, etc.

Once this information is transmitted, the risk is assessed. If the transaction is deemed to be typical of the cardholder’s patterns, the transaction is processed.

If the transaction is deemed unusual, transaction risk analysis will come into play, asking the cardholder for additional information. Usually, this is simply achieved via a short string text message to the user and is a very frictionless experience.

An example of this would be a purchase coming from another country at an unusual time according to the cardholder’s behavioral patterns.

What Are The Benefits Of 3DS2 For U.S. Merchants?

Here is a quick list of some of the benefits that merchants can expect from 3DS2:

  • The checkout experience is 85% faster than 3DS1, according to Visa.
  • 3DS2 collects 10x more data than its predecessor, leading to a smoother checkout experience.
  • Mobile Support: Since many transactions occur via mobile, 3DS2 aims towards enhancing the experience for mobile devices.

3D Secure 2 or EMV 3D Secure offers significant benefits for merchants as well as consumers. Merchants can expect a frictionless user experience along with ample security.

3DS2 has eliminated the clunky popup windows and redirection pages, often requiring strict passwords that led to a significant increase in cart abandonment. Once the transaction is accepted, customers can purchase their services and wait for a confirmation message. Should the transaction not be trusted, the user will have to further identify themself.

Risk-Based Authentication (RBA) comes into play. RBA helps facilitate the exchange of over 100 data points during the transaction to assess the risk prior to the transaction being accepted.

3DS2 Reduces The Risk Of Fraud

One of the most prominent selling points for 3DS2 is that it dramatically reduces the risk of fraud. The additional security helps merchants make sure they are accepting card payments only from legitimate consumers.

Say the customer’s card number has been used fraudulently, it is far less likely that they would have access to the 3DS pin or OTP required to complete the transaction, ultimately stamping out fraudsters.

3DS2 Shifts Chargeback Liability For Merchants

3DS2 is an important piece of technology for merchants in the U.S. because it shifts chargeback liability, saving merchants money. The liability is shifted from the merchant to the cardholder’s bank.

Because of the chargeback liability shift, it is common for customers to have to enter additional information for high-ticket purchases.

An example of this would be when booking a vacation. Should 3DS2 be implemented, customers will need to enter additional information at checkout, which decreases the chance of fraud. The extra protection comes into play here if the consumer disputes the charge. The merchant will no longer be liable for either the dispute or the chargeback costs.

While 3DS2 significantly reduces chargebacks, it won’t eliminate all chargebacks. 

The liability will only be shifted to the bank if the type of chargeback was considered non-fraudulent. This occurs when a customer is unimpressed by the goods or services they purchased. The customer contacts the bank and asks for a refund, ultimately getting their money back. 

If it has been established that it was a fraudulent transaction, the liability will be shifted to the bank.

Another exception to the liability shift is those operating in the adult industry. In the USA, as of April 2021, adult entertainment MCC code 5967 does not receive protection from the liability shift that is associated with 3DS.

3DS2.1 VS. 3DS2.2

3ds2 vs 3ds1

Risk Based Analysis is a major feature for both 3Ds2.1 and 3DS2.2. With 2.2, merchants can request exemptions through their acquirer.

3DS2.2 introduces delegated authentication meaning that a third party can do the authentication, rather than the issuing bank. The third party could be the merchant, a digital wallet provider, or the acquirer. By doing this, a better user experience with less friction is delivered.

Decoupled authentication is also supported by 3DS2.2, which is when a user authenticates through a separate methodology than the main authentication flow. An example of decoupled authentication would be if a customer completes SCA on their android or iPhone to allow for authorization on another device such as a tablet.

Will the U.S. Mandate 3DS2?

The U.S. will likely mandate 3DS2 and SCA in the future. Now that Europe has these regulations in place, you can expect the rest of the world to follow suit at some point.

Even if the U.S. doesn’t mandate SCA or 3DS2 immediately, it is a good idea to stay ahead of the curve by exploring implementation of 3DS2 now.

Should Merchants in the U.S. Implement 3DS2?

Absolutely. Having a payment service provider implement 3DS2 for your business is the most intelligent way to go about this.

As online fraud is increasing in each year, having another level of security is essential for your business.

Many merchants are hesitant to implement 3DS2 as 3DS1 led to a decrease in conversions. With 3DS2, this is not expected to occur as there have been some significant changes.

Another note is that merchants operating in a high-risk industry will want to have 3DS2 implemented as there is generally more fraud.

For example, a high-risk merchant account operating in the online dating industry will likely see rampant chargebacks and friendly fraud. 3DS2 can help mitigate this by confirming the customer’s identity at checkout.

If merchants do not perform 3DS2 and SCA on card transactions where available and supported, they are likely to see an increase in bank declines. Merchants in the U.S. should familiarize themselves with 3DS2 and prepare so that they do not see declines from banks when more regulations are required.

Closing Thoughts

While 3DS2 is not yet mandatory in the United States, it is still highly effective, and it should be implemented as part of your merchant services solutions, primarily if you process CNP transactions.

Corepay guarantees compliance with regulations, and we are prepared to get merchants integrated with 3DS2 as another mechanism to fight against fraud.

At Corepay, we believe that optimizing your conversions is crucial to a successful business. Implementing 3DS2 enhances the user checkout experience, leading to increased conversions.

If you are a U.S. merchant who currently doesn’t have 3DS2 implementedcontact us today to see how we can help get your payment solutions 100% up to date.