With the sudden and substantial shift from in-person shopping to ecommerce in the past year, issuers are facing the challenge of making sure their cardholders are safe and their ecommerce transactions are secure.
There have been a lot of questions about the new versions of EMV 3-D Secure, whether issuers should adopt them (and when), and what the difference between them is (and how they are different from 3-D Secure 1.0).
The short answer is issuers should adopt them now, because all of the new versions include features designed to help them – as well as merchants and acquirers – increase their good orders and reduce fraud and false declines. This is especially critical now when so many shoppers are turning to the online world instead of shopping face-to-face, and PSD2 SCA enforcement is happening in Europe.
3-D Secure has been around for more than 20 years, but there has especially been a lot of progress in the past few years to update the protocol.
If you think about how much the digital payments landscape changed between 1999 and 2015 , you can appreciate that 3-D Secure was ready for an update. (Remember, the first iPhone didn’t make its appearance until 2006). All of the major card networks got together, under the EMVCo umbrella, and with other industry participants, like merchants, issuers and processors, developed the specs for EMV 3-D Secure, previously known as 3-D Secure 2.0.
Where are we today?
EMV 3DS version 2.1 is in use around the world, and right now, version 2.2 is being used primarily in Europe. 3DS 1.0 is still being used globally, too. As we anticipated, the transition from version 1.0 to versions 2.1 and 2.2 is taking several years, but the card networks continue to support 1.0, at least for the time being.
How the update process begins
EMVCo controls the protocol, the specs, certification and more. They release the specs and then the networks create their program rules. Each network interprets the specs a little differently, so the providers for access control servers and 3DS servers (the issuer and merchant/acquirer platforms) need to design their solutions to accommodate the network program rules. At this time, there are nine networks supporting EMV 3DS, and Cardinal supports all nine.
There is a lot of work going on in the background to get every release of 3-D Secure ready to be used.
Once the providers complete their work, their solutions need to be tested and certified by EMVCo and their independent testing lab. When this work is finished, EMVCo issues LOAs – letters of acceptance, which show that the providers have completed their solution design, building, testing and certification with EMVCo, for each of the EMV 3DS components (ACS, 3DS server, iOS and Android SDKs, and directory servers).
After EMVCo certifies the providers, there’s still a lot of work to be done. Each network certifies providers individually, and when this is complete, providers can start to offer their solutions to merchants, acquirers and/or issuers.
The certification process is key. In order to be able to process transactions using each version, first EMVCo and then each network certifies every provider. EMVCo posts a list of certified providers (and which versions they are certified to offer) on their website. Every time specs for a new version of EMV 3DS is released, the process starts all over and the development and certification cycle begins again.
What’s the difference?
Version 2.1 is the first commercially viable version of the EMV 3DS spec. For several years, it was talked about as 2.0, but “version 2.0” never was officially in production. They skipped over it and started with version 2.1 as the first version to be used live.
So what benefits does v2.1 provide?
First of all, because it’s the first EMV 3DS version that was released into production, there are a lot of improvements compared to version 1.0.
- Uses more data that can result in more confident risk decisions, fewer step-ups and false declines
- Allows authentication on many devices, especially mobile (instead of browsers only)
- Supports biometrics for authentication challenges
- Provides liability protection for merchants
Because there had been no significant updates to 3-D Secure in about 15 years, these new improvements were pretty substantial, and really changed the face and capabilities of 3-D Secure.
What additional benefits are available with EMV 3DS v2.2?
Version 2.2 provides everything that v2.1 has, plus some other key benefits.
- Regulation flexibility, with support for SCA exemption flags and 3DS challenge indicators, and potential for control of the authentication experience; delegated authentication, where merchants with sophisticated payment systems can stand in for issuers and authenticate in some cases (permitted only in Europe now).
- Additional non-payment support, including the new 3RI (3DS Requestor Initiated) channel for non-payment authentication
- Decoupled authentication, for when the consumer is not available to participate in the authentication process (for example, for split shipments or recurring transactions)
- Expansion of 3RI
The bulk of the benefits included in version 2.2 have been designed to support the PSD2 Strong Customer Authentication (SCA) requirement in Europe, plus capabilities for non-payment support, decoupled authentication and 3RI.
Now we’ll review how some of the networks are approaching EMV 3DS.
First, Visa. Their approach is to activate EMV 3DS by region. As you can see, they activated it in the EU April 2019, Latin America and Canada August 2019, the Asia Pacific and the Central Europe-Middle East-Africa regions in April 2020, and finally, in the U.S. in August 2020.
Mastercard launched EMV 3DS in October 2018, and required the support of version 2.1 in April 2019. Mastercard has accommodated the PSD2 SCA requirements with version 2.1 extensions.
And American Express and Discover both are live with EMV 3DS version 2.1.
Why is Visa’s EMV 3DS version 2.2 important?
EMV 3DS version 2.2 offers a scheme agnostic solution to better optimize the merchant and consumer experience and was designed with European regulation in mind. Important features are:
1. The ability to apply SCA exemptions, like Transaction Risk Analysis (TRA) using specific indicators in the authentication message, which is not supported in the earlier versions.
2. Access to Visa’s new suite of SCA solutions that help issuers and acquirers make best use of the exemptions.
2a. Visa Trusted Listing – enables issuers to create a list of trusted merchants where no authentication is needed for future transactions (risk assessment permitting)
2b. Visa Transaction Advisor – a risk assessment tool that helps determine eligibility for a low risk exemption
2c. Visa Delegated Authentication – a tool that merchants can use to take control of the authentication process on behalf of the issuer
3. Enabling biometric and out of band authentication. EMV 3DS 2.2 results in a better consumer experience, delivering the lower levels of fraud associated with SCA, while ensuring that transactional friction and abandonment rates are minimized.
4. A new feature, 3DS Requestor Initiated (3RI), enables merchants to obtain additional cryptograms upon successful completion of a single authentication for merchants who need to submit several authorizations associated to one single authentication; for example for split shipments or for travel agency purchases where there is more than one merchant of record.
Do issuers have to upgrade to version 2.2 and do they need to be ready by a certain date?
Again, the card networks are addressing issuer adoption of version 2.2 individually.
- As of September 14, 2020, Visa requires that all issuers in Europe must support EMV 3DS v2.1 and v2.2
- Mastercard requires all acquirers and issuers in the EEA support EMV 3DS v2.1 (or alternative SCA solutions) and the message extension fields by July 1, 2020
The other reason issuers (as well as merchants and acquirers) should make plans to upgrade to EMV 3DS version 2.2 is because future versions will build on versions 2.1 and 2.2. That means when version 2.3 comes out (specs expected to be released in early 2021), before an issuer or a merchant can take advantage of the benefits of that version, they will need to do the work to get versions 2.1 and 2.2 in place.
The bottom line … Why does EMV 3DS really matter?
One huge reason is because of false declines. They can happen when merchants and issuers are afraid of fraud losses. If there is a chance that a transaction could be fraudulent, merchants may opt to decline rather than risk a chargeback, and if an issuer’s fraud controls are too strict, the result can be false declines.
Issuers have a dilemma. On one hand, they want consumers to use their payment cards. On the other hand, when a consumer makes a CNP purchase, the issuer may not have a lot of data to determine whether the person initiating that transaction is really the cardholder. That’s where EMV 3DS comes in. More data is shared with the issuer with these updated protocols, which they can feed into their risk engines and compare with what they know about their cardholder, to make more confident risk decisions.
False declines are a serious problem in the CNP space. When a false decline happens to a consumer, they often do one of two things. They pick another card from their wallet, which impacts the issuer of the original payment card, or they abandon the transaction and buy from another merchant, which impacts the original merchant. There’s a possibility in each case that the consumer won’t use that issuer’s card or that merchant’s site again, for a long time. And if the transaction is with a merchant that stores the consumer’s payment credentials, there’s a chance that the issuer loses not only that particular transaction, but future transactions, too.
Some stats show the magnitude of why EMV 3DS matters. The Aite Group, in their 2019 paper “The Ecommerce Conundrum,” projects that card not present sales in the U.S. will be $443 billion in 2021. Think about that in relation to card not present authorization rates, at 80-85% (from the same Aite paper). And card present authorization rates, which are 97%. That’s a gap of 12 to 17% of card present authorizations to card not present authorizations. As a CNP merchant, think about what an improvement of even one or two percent can mean to your bottom line. That’s a real opportunity.
Source: The E-Commerce Conundrum: Balancing False Declines and Fraud Prevention, Aite Group, July 2019
There are definite benefits to upgrading to both EMV 3DS versions 2.1 and 2.2. If you are an issuer in Europe, you should be aware of the ramifications. PSD2 SCA requirements mean you are using version 2.2, which can help manage exemptions and create a better experience for your cardholders.
Beyond that, we have heard that the next version of EMV 3DS, version 2.3, is coming soon. In order to take advantage of it, you’ll have to have both of the previous versions in place.
If you have questions or want to talk about what’s involved, get in touch with your Visa contact. They can walk you through the process.
EMV 3DS can help manage PSD2 SCA’s exemptions. See if they’ll work for you.
At Cardinal, our 2020 resolution is all about building our existing capabilities and expanding our reach in the latest protocols. See what we've got planned for 2020.
Learn how authentication affects Card-not-Present authorization rates and key statistics on fraud in the clothing and footwear industry.
Authentication is core to payment processing in Europe, so if your digital transactions are not authenticated, you will be expected to implement a solution before your business is impacted.
You'll be the first to hear about new products, features, and company updates.