3D Secure: Getting ready for the unavoidable October 2022 deadline!

Every day, online shoppers around the world, whether paying by debit or credit card, encounter 3D Secure (“3DS” for short, also called Payer Authentication) as an extra layer of security for online purchases. In the Middle East, most Consumers/Cardholders are prompted to enter additional information (e.g. an OTP, “One-Time Password”) sent to the mobile number registered with the issuing bank in order to complete the transaction, which prevents unauthorized use of the card.

The new 3DS version 2 also offers the possibility to authenticate shoppers via a frictionless flow. In this flow, the acquirer, issuer, and card scheme exchange all necessary information in the background through passive authentication using the shopper's device fingerprint, shopper history and other data points. The transaction is completed without further shopper interaction if the issuer decides that the transaction is low risk.

To start with, the three stakeholders of 3DS are:

1- Merchant’s Acquiring Bank, which enables the acceptance of card payments. It is the service provider to the Merchant.

2- Cardholder’s Issuing Bank, which issues the debit or credit card to the consumer and is referred to as the Issuer. It is a service provider to the Consumer.

3- Payment Infrastructure, such as a card processor, which is the interoperable connector between the Acquirer domain and the Issuer domain.

To have a complete 3DS transaction, the three domains have to be ready, operational and support 3DS. And this is where there are still some challenges in the market that I would like to mention.

Payer Authentication revolution

The legacy form of 3DS (Version 1.0), where the Consumer is redirected by the Merchant to the Issuing bank page to type in the OTP or password and is then redirected back to the merchant, has many break points. The 3DS service provider to the Acquirer or to the Issuer might experience downtime, which happens frequently in the region. As a result, the OTP might not be received or the Issuer 3DS page might not be triggered, after which the Consumer might enter the wrong OTP or dismiss the transaction.

Payer Authentication is no longer a nice-to-have. With fraud risk increasing around the globe, there was a need for safer ways to protect the Cardholder, the Merchant and the Acquirer, while offering a seamless payment experience.

This is why 3DS2 or “SCA (Strong Customer Authentication)” has been introduced globally by EMVCo, backed by the main Card Networks. Precedence was given to European countries, which have been heavily plugging 3DS2 into their payment ecosystems since 2020. Now it is time for the rest of the world.

The 3DS2 protocol into action

The core idea of the new 3DS2 is to smooth the exchange of transaction information among the three domains. This will make it viable for Merchants to better prevent fraud and deliver an enhanced customer experience.

There has always been a gap between the Consumer’s expectations, the Issuer’s needs, and the experience offered by the Acquirer/Merchant. The Cardholder expects a quick and safe payment experience, while the Acquirer/Merchant is looking for more business and less risk, and Issuers are looking for controlled liability.

3DS2 was built to offer a frictionless experience for Cardholders, with smart decision making on the risk of each transaction. A Consumer who is buying from a Merchant for the first time should not have the same experience as a Consumer returning to that Merchant. 3DS2 addresses the pain points of the legacy 3DS and facilitates Risk-Based Authentication (RBA) with an integrated user experience and support for in-app flows.
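How a merchant integration might act on the issuer's risk decision described above, as an added example that is not from the original article or from Adyen. The field names and `transStatus` codes are those of the EMV 3DS message format; `next_step()`, its action labels and the sample messages are hypothetical and constructed here.

```python
# Added illustration, not Adyen's or EMVCo's code. Field names and transStatus
# codes follow the EMV 3DS message format; next_step() and the action labels
# are hypothetical.
AUTHORIZE, CHALLENGE, DECLINE, POLICY = "authorize", "challenge", "decline", "merchant_policy"

def next_step(ares: dict, expected_trans_id: str) -> str:
    """Map an authentication response (ARes) to the merchant's next action."""
    # Bind the response to the transaction that was started; anything else
    # belongs to a different payment and must not be trusted.
    if ares.get("messageType") != "ARes":
        return DECLINE
    if ares.get("threeDSServerTransID") != expected_trans_id:
        return DECLINE
    status = ares.get("transStatus")
    if status == "Y":
        # Frictionless success: the issuer judged the transaction low risk.
        # Proceed only if the proof of authentication is actually present.
        if ares.get("authenticationValue") and ares.get("eci"):
            return AUTHORIZE
        return DECLINE
    if status in ("C", "D"):
        return CHALLENGE      # issuer wants cardholder interaction
    if status in ("N", "R"):
        return DECLINE        # not authenticated / rejected by issuer
    if status in ("A", "U", "I"):
        # Attempt only, unable to authenticate, or informational: no completed
        # cardholder authentication, so the merchant's risk policy decides.
        return POLICY
    return DECLINE            # missing or unknown status: fail closed

# Constructed sample messages (all values are made up).
TRANS_ID = "sample-trans-0001"
BASE = {"messageType": "ARes", "threeDSServerTransID": TRANS_ID}
FRICTIONLESS = {**BASE, "transStatus": "Y", "eci": "05",
                "authenticationValue": "c2FtcGxlLWNyeXB0b2dyYW0="}
NEEDS_CHALLENGE = {**BASE, "transStatus": "C"}
NO_PROOF = {**BASE, "transStatus": "Y"}                  # Y without cryptogram
WRONG_TXN = {**FRICTIONLESS, "threeDSServerTransID": "sample-trans-9999"}

def demo():
    return [next_step(m, TRANS_ID)
            for m in (FRICTIONLESS, NEEDS_CHALLENGE, NO_PROOF, WRONG_TXN, BASE)]

if __name__ == "__main__":
    print(demo())
```

Only the first sample reaches authorization without cardholder interaction; a "Y" with no authentication value, a mismatched transaction ID and a missing status are all declined.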

Key features of EMV 3DS 2.2 functionality

- Frictionless payment experience; not challenging the payer where it is not needed.

- 3RI (Requestor Initiated Payments), also called MIT (Merchant Initiated Transaction). The best-known use case is recurring payments pre-approved by the Cardholder, so the Merchant can process these transactions without strong authentication, as the Consumer is not present when the transaction is initiated.

- Delegated Authentication, where the payer authentication is delegated by the Acquirer/PSP to a third party, such as the Merchant, to communicate directly with the Issuer via the 3DS protocol for an already authenticated payer.

- Dissociated Authentication; the authentication stream is separated from the payment transaction stream, and authentication can take place after the actual payment. A MOTO transaction is a good scenario for this feature.

- SCA Exceptions. For example, where the Cardholder trusts a merchant and chooses to whitelist it, there will be no strong authentication for transactions performed with this merchant. SCA exceptions are applicable only in PSD2 markets.

SCA Factors

For a seamless experience, payer authentication factors have to remain autonomous, meaning they have to be independent: if one factor has been compromised in any way for a cardholder, the reliability of another factor remains intact. The choice of payer authentication factor is a decision of the Acquirer/PSP, so they can decide which payer authentication to trigger to validate the identity of the payer. The three factors are something ONLY the payer:

1-    Knows; a password

2-    Has; registered phone or token

3-    Is; biometric recognition
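The independence requirement can be checked mechanically, as in this added example (not part of the original article). It assumes the PSD2 rule of at least two elements from different categories; the `Element` model, `check_sca()` and the sample elements are hypothetical and constructed for illustration.

```python
# Added illustration; Element, check_sca() and the samples are hypothetical.
from dataclasses import dataclass
from itertools import combinations

CATEGORIES = {"knowledge", "possession", "inherence"}  # knows / has / is

@dataclass(frozen=True)
class Element:
    name: str
    category: str            # one of CATEGORIES
    depends_on: frozenset    # assets whose compromise defeats this element

def check_sca(elements):
    """Return (ok, detail): ok only if two elements come from different
    categories and share no asset whose compromise would defeat both."""
    usable = [e for e in elements if e.category in CATEGORIES]
    if len({e.category for e in usable}) < 2:
        return False, "fewer than two factor categories"
    for a, b in combinations(usable, 2):
        if a.category != b.category and not (a.depends_on & b.depends_on):
            return True, f"{a.name} + {b.name}"
    return False, "factors are not independent"

# Constructed sample elements.
PASSWORD = Element("password", "knowledge", frozenset({"cardholder memory"}))
QUESTION = Element("security question", "knowledge", frozenset({"cardholder memory"}))
SMS_OTP = Element("SMS OTP", "possession", frozenset({"registered phone"}))
PIN_IN_NOTES = Element("PIN saved in phone notes", "knowledge",
                       frozenset({"registered phone"}))
FINGERPRINT = Element("fingerprint", "inherence", frozenset({"cardholder body"}))

if __name__ == "__main__":
    for combo in ([PASSWORD, SMS_OTP], [PASSWORD, QUESTION],
                  [PIN_IN_NOTES, SMS_OTP], [PIN_IN_NOTES, SMS_OTP, FINGERPRINT]):
        print([e.name for e in combo], "->", check_sca(combo))
```

A password plus a security question fails because both are knowledge; a PIN stored on the registered phone plus an OTP sent to that phone fails because losing the phone defeats both.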

Cutoff and Market readiness

As announced by the Card Networks, by October 2022 3DS version 1.0 will be decommissioned and will no longer be accepted as a form of Payer Authentication. Hence the 3 stakeholders of the 3DS formula have to be ready and operational with the EMV 3DS 2 requirements before this date.

The rollout of EMV 3DS 2 started in the Middle East during 2020. It became inevitable for Issuers to enroll their card databases for 3DS version 2 to avoid unhappy Cardholders and business loss. The challenge is the late start of issuers, which has also been influenced by the pandemic. It is also important for issuers to improve the authentication flow and introduce a real frictionless experience, not only to upgrade their systems.

Adyen, Global Payments Leader

At Adyen, we are always ahead when it comes to technology and innovation. Adyen was one of the first providers to launch 3DS version 2 in Europe. And with the increasing adoption by Issuers in the Middle East in general, and in the UAE in particular, we have observed a decent improvement in 3DS 2 performance with a wide number of Issuers.

On top of the default 3DS versioning, Adyen has built a smart authentication engine which is capable of smart routing the transactions to the accurate 3DS version that secures the highest Authorization Rate for our clients globally.

3DS 2 performance

Now that we are a few months away from a complete switch to version 2, we have had a look at market readiness to see where steps can still be taken to be ready for this important milestone.

Overall, in May 2022, we saw a slight decline in the performance of 3DS 2 for UAE Issuers, by -6%↓, which might be an impact of Issuers changing platforms from OTP to the frictionless flow in version 2. Also, some regional banks were migrating their 3DS ACS (Access Control Server), which is the 3DS component on the issuing side, from one provider to another, which resulted in an impact on transactions during the migration process.

We are optimistic about the shift in behavior toward 3DS 2, especially as a number of big Issuers in the UAE (Emirates NBD “ENBD”, Abu Dhabi Commercial Bank “ADCB”, Abu Dhabi Islamic Bank “ADIB”, Dubai Islamic Bank “DIB”, and First Abu Dhabi Bank “FAB”) are transforming heavily toward 3DS 2.

Some UAE Issuing Banks, like ADCB, have consistently good performance of 3DS 2.

We are expecting the gap to diminish and the growth in performance to flip into a positive indicator in the coming weeks, so the market can reach the sunset date of 3DS1 with strong performance of 3DS 2.

Feel free to reach out if you have any questions.

Sarath Cholakkal

Cash Management Advisory Officer at Emirates NBD

2y

👏

Switu Shah, PMP® CSPO®

FinTech | Cards and eWallet | Open Banking | Payment Gateway | Hospitality | Product Management | eCommerce

2y

Great insight on 3DS 2 - Mahmoud Ismail - Adyen

Hatem Elanssary

Customer Success Manager | Customer Onboarding | Fintech | Payments | Account Management | Sales

2y

Very good article!

Asif Durrani

Doctoral Student 👨🎓 | Payments Maverick 💳 | Aspiring Pedagogist 👨🏫

2y

Mahmoud Ismail - Adyen - a good write up. Keep writing… 🚀 I hope all members of EMV Co will be supported 👻
