Goodbye 3DS1, Welcome 3DS2 (Everything You Need to Know About It)

13 Oct 2022

3DS1 sunset dates are upon us. Between today and tomorrow, card networks will cease support for 3D Secure 1.0.2.

In this short article, we will explore:

  • Why this is happening
  • The differences between 3DS1 and 3DS2
  • How you can align your business to the new regulations

Let’s dive right in!

Why is 3DS1 Being Dropped?

3DS1 was first introduced by Visa in 2001, and it quickly became a standard for SCA (Strong Customer Authentication) to prevent fraudulent transactions. In 2021, 36% of online businesses used 3DS as a fraud prevention tool.

In the space of 20+ years, technology has significantly improved, as have fraud techniques. In short, 3DS1 might not be cutting it anymore, so EMVCo has developed 3DS2, which is a fundamentally better way to handle SCA, making secure transactions easier for both merchants and customers.

How Does 3DS Work?

One might think that 3DS2 is just an upgrade of 3DS1. Well… that’s not entirely correct. The two technologies assess the risk of a transaction in different ways, and the impact on the customer experience—as we’ll see—is drastically in favor of 3DS2.

Let’s look at how 3DS works in general:

  1. The customer inputs their card details
  2. The system confirms that the card is enrolled in 3DS
  3. The customer is redirected to the 3D secure page of the card provider
  4. The customer has to solve a challenge to authenticate themselves
  5. If the challenge is successful, the identity of the cardholder is confirmed and the payment can proceed

To delve a little deeper, 3DS operates across three domains (hence the name):

  • Acquirer domain. This is the domain of the merchant and its acquiring bank
  • Issuer domain. This is the domain of the issuer of the card used for the payment
  • Interoperability domain. It’s the infrastructure that allows the communication between the acquirer and issuer domains, and it’s provided by the card scheme (i.e., the card brand: Visa, Mastercard, etc.). The interoperability domain includes the Directory Server (DS) and Access Control Server (ACS).

Basically, the merchant sends the authentication request through the 3DS server to the DS. The DS passes the request to the ACS, which can confirm the authentication, decline it, or request a challenge for the cardholder.

If the cardholder is challenged, then the 3DS server initiates the challenge and presents it to the customer. This can be a password, an OTP, or biometric verification (e.g., voice, or fingerprint). After the challenge, the ACS either confirms or declines the authentication.
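The three ACS outcomes described above (confirm, decline, challenge) can be handled on the merchant side so that anything other than an explicit confirmation stops the payment. This is an added example, not code from the original article or from BridgerPay; the function and enum names are hypothetical, and the status letters Y and C are the EMV 3DS 2.x transStatus codes for "authenticated" and "challenge required".

```python
from enum import Enum
from typing import List, Optional


class Action(Enum):
    AUTHORIZE = "proceed to payment authorization"
    CHALLENGE = "present the challenge to the cardholder"
    DECLINE = "stop the payment"


# EMV 3DS 2.x transStatus values used here. Every other value (N, R, U, A,
# empty, malformed) is deliberately treated as "not confirmed"; handling "A"
# (attempt) this way is a conservative assumption of this example.
STATUS_CONFIRMED = "Y"
STATUS_CHALLENGE = "C"


def next_action(trans_status: str, after_challenge: bool = False) -> Action:
    """Map an ACS result to the merchant's next step, failing closed.

    after_challenge=False: first ACS response (the frictionless decision point).
    after_challenge=True:  final ACS result once the cardholder was challenged.
    """
    if trans_status == STATUS_CONFIRMED:
        return Action.AUTHORIZE
    if trans_status == STATUS_CHALLENGE and not after_challenge:
        return Action.CHALLENGE
    # Declined, unknown, or a second challenge request after a challenge:
    # none of these confirm the cardholder, so the payment must not proceed.
    return Action.DECLINE


def run_flow(first_status: str, challenge_status: Optional[str] = None) -> List[Action]:
    """Walk one authentication from the first ACS response to the final decision."""
    steps = [next_action(first_status)]
    if steps[-1] is Action.CHALLENGE:
        # A missing challenge result (timeout, abandoned page) counts as a decline.
        steps.append(next_action(challenge_status or "", after_challenge=True))
    return steps


if __name__ == "__main__":
    # Constructed sample inputs: (first ACS status, status after challenge).
    for first, final in [("Y", None), ("C", "Y"), ("C", None), ("U", None)]:
        print(first, final, [a.name for a in run_flow(first, final)])
```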

This is the gist; if you want to dive into the subject even deeper, the all-knowing Wikipedia will help you.

Let’s take a look at how each type of 3D Secure works, where they differ, and why 3DS2 offers a better, safer, and faster payment experience.

How Does 3DS1 Work?

First things first: as of October 2022, 3DS1 will not only no longer provide SCA compliance for PSD2, it will not work at all.

Anyway, it’s good to know how this technology works (or rather, used to work) in order to be able to compare it to 3DS2.

3DS1 relies on pop-up windows and HTTP redirects for authentication. This technology was developed before smartphones, so it makes the mobile experience frustrating. If we consider that the largest share of online purchases today is made on mobile, it’s easy to see how the additional friction can be a turn-off for customers and an issue for merchants.

How Does 3DS2 Work?

3DS2 has been around for a while (since 2016, in fact). The most important thing to know about 3DS2 is that it can handle much more data about the cardholder than 3DS1. This enables 3D Secure 2 to provide what’s called a Frictionless Flow, in which authentication happens on the basis of things like the user’s transaction history, without requiring manual input from them.

Furthermore, 3DS2 uses more advanced and less intrusive authentication challenges:

  • It doesn’t require redirection to a page outside the merchant’s site
  • It is mobile-first
  • It uses biometric challenges rather than password-style authentication

According to Visa, these features allow 3DS2 to reduce cart abandonment by 70% and increase checkout speed by a whopping 85%.

3DS2.1 vs 3DS2.2

3DS2.2 adds three interesting features to SCA:

  • Exceptions. Merchants can apply for TRA (Transaction Risk Analysis) through their acquirer to avoid authenticating low-risk transactions. Please be aware that different card schemes have different rules; you can get in contact with your processors to find out more.
  • Delegated authentication. Instead of the issuing bank handling all the authentications, these can be delegated to the processor, the wallet provider, or the merchants themselves. For example, if a customer logs in to the website with an SCA-approved method, there is no need to authenticate the transaction.
  • Decoupled authentication. 3DS2 allows authentication to happen on another device or even offline. For example, if you are purchasing something from your laptop, you could complete the 3DS2 challenge on your mobile.

FAQs About the Shift to 3DS2

To be 100% confident that you are fully compliant with the latest regulations, and that you are offering the best and most secure payment experience, you should always contact your payment provider. Here, we will try to answer some of the most common questions about 3DS.

Is It Mandatory to Switch to 3DS2?

The implementation of 3DS2 is not mandatory, but it is widely considered the easiest way to comply with SCA.

How Can I Implement 3DS2?

As this article explains, implementation can be a burden for many merchants. Delegating it to specialized third parties like payment gateways is often the easiest and most cost-effective solution.

Can BridgerPay Handle 3DS2?

Yes! At BridgerPay we are always on top of the latest regulations, and we constantly upgrade our technology to the highest standards. Get in touch to find out more about 3DS2 and how to offer it to your customers.

Final Thoughts

3DS2 and the retirement of 3DS1 are a big step forward for both payment security and customer experience.

Merchants should consider adopting 3DS2 as soon as possible to be SCA compliant and improve their conversion rates.

Get in touch to find out how BridgerPay can help you upgrade your payment handling effortlessly.

