3-D Secure 2.0: the threat of systematic authentication & workflow with or without friction
THE THREAT OF SYSTEMATIC AUTHENTICATION
This regulatory evolution induces a profound paradigm shift. With the implementation of EMVCo 3DS 2.0 (3DS2), new liability shift allocation rules are set in Europe: banks will now carry the obligation to reach defined fraud thresholds.
In order to meet these thresholds, banks will have the opportunity to require strong authentication on all transactions (except for regulatory exemptions). This potential friction at the end of the purchasing process could have an impact on the conversion rates of online merchants and therefore on their turnover.
3-D Secure 2.0 introduces a new authentication workflow, known as “frictionless”. A frictionless flow happens when the cardholder is not explicitly asked to authenticate himself/herself in-app or via browser.
In this workflow, the following steps occur:
1. Payment Authentication is initialized
2. Authentication Request/Response
3. Communication of results
4. Authorization messages
Customer authentication is finalized without additional intervention from the cardholder.
Special cases of Frictionless workflow
Some specific payment operations will be considered out of the RTS SCA scope:
CONDITIONS TO GRANT FRICTIONLESS WORKFLOW
On the other hand, when a Strong Customer Authentication (SCA) is required by the Acquiring PSP or the Issuer, the authentication flow is referred to as “challenge”. The challenge flow steps may be compared with the prior 3-D Secure 1.0 experience.
In this workflow, the same initial steps as the Frictionless flow occur, then:
4. If a strong authentication is required: a challenge is requested by the Acquiring PSP and/or the Issuer
5. Request results are shared between the Acquiring PSP and the Issuer
6. Results are forwarded to the Merchant
7. Authorization messages
Conditions for strong authentication
Strong Customer Authentication (SCA) is valid when at least 2 of the 3 following criteria are used:
- Knowledge: something only the user knows (PIN, password, etc.)
- Possession: something only the user possesses (credit card, smartphone, etc.)
- Inherence: something only the user is (biometric identification such as fingerprint, iris or voice recognition)
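As an added example (not code from the original article), the following Python model walks the shared steps, branches into the frictionless or challenge flow described above, and applies the 2-of-3 rule from the criteria list; the method-to-category mapping and the step labels are constructed assumptions for illustration.

```python
from enum import Enum


class Category(Enum):
    KNOWLEDGE = "knowledge"     # something only the user knows
    POSSESSION = "possession"   # something only the user possesses
    INHERENCE = "inherence"     # something only the user is


# Constructed lookup from a presented method to its SCA category (assumption, not from the article).
METHOD_CATEGORY = {
    "password": Category.KNOWLEDGE,
    "pin": Category.KNOWLEDGE,
    "card": Category.POSSESSION,
    "smartphone": Category.POSSESSION,
    "fingerprint": Category.INHERENCE,
    "voice": Category.INHERENCE,
}

# Steps 1-3 are common to both flows, as the article numbers them.
SHARED_STEPS = [
    "payment authentication initialized",
    "authentication request/response",
    "communication of results",
]


def sca_satisfied(methods):
    """SCA is valid only when the methods span at least 2 of the 3 categories.
    Two methods from one category (e.g. password + PIN) count as a single factor."""
    unknown = [m for m in methods if m not in METHOD_CATEGORY]
    if unknown:
        raise ValueError(f"unrecognized authentication method(s): {unknown}")
    categories = {METHOD_CATEGORY[m] for m in methods}
    return len(categories) >= 2


def run_3ds2(sca_required, methods=()):
    """Return (flow, steps, authenticated) for one transaction."""
    steps = list(SHARED_STEPS)
    if not sca_required:                      # exempt or below threshold: no cardholder interaction
        steps.append("authorization messages")
        return "frictionless", steps, True
    steps.append("challenge requested by Acquiring PSP and/or Issuer")
    authenticated = sca_satisfied(methods)    # challenge outcome
    steps.append("request results shared between Acquiring PSP and Issuer")
    steps.append("results forwarded to the Merchant")
    if authenticated:                         # assumption: no authorization after a failed challenge
        steps.append("authorization messages")
    return "challenge", steps, authenticated
```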