3-D Secure 2.0: the threat of systematic authentication & workflow with or without friction

Cyril Blondel
Posted on 18 March 2019 by Cyril Blondel

THE THREAT OF SYSTEMATIC AUTHENTICATION

This regulatory evolution induces a profound paradigm shift. With the implementation of EMVCo 3DS 2.0 (3DS2), new liability-shift rules are set in Europe: banks will now bear the obligation to meet defined fraud thresholds.

In order to meet these thresholds, banks will be entitled to require strong authentication on all transactions (except for regulatory exemptions). This potential friction at the end of the purchasing process could therefore affect online merchants' conversion rates and, in turn, their turnover.

FRICTIONLESS WORKFLOW

3-D Secure 2.0 introduces a new authentication workflow, known as “frictionless”. The frictionless flow occurs when the cardholder is not explicitly asked to authenticate, whether in-app or via the browser.

In this workflow, the following steps occur:

1. Payment Authentication is initialized
2. Authentication Request/Response
3. Communication of results
4. Authorization messages

Customer authentication is finalized without additional intervention from the cardholder.

Special cases of Frictionless workflow

Some specific payment operations will be considered out of the scope of the RTS on SCA:

CONDITIONS TO GRANT FRICTIONLESS WORKFLOW

CHALLENGE WORKFLOW

On the other hand, when Strong Customer Authentication (SCA) is required by the Acquiring PSP or the Issuer, the authentication flow is referred to as “challenge”. The challenge flow steps are comparable to the earlier 3-D Secure 1.0 experience.

In this workflow, the same initial steps as in the frictionless flow occur, then:

4. If strong authentication is required: a challenge is requested by the Acquiring PSP and/or the Issuer
5. Challenge results are shared between the Acquiring PSP and the Issuer
6. Results are forwarded to the Merchant
7. Authorization messages

Conditions for strong authentication

Strong Customer Authentication (SCA) is valid when at least two of the following three factor categories are used:

  • Knowledge: something only the user knows (PIN, password, etc.)
  • Possession: something only the user possesses (credit card, smartphone, etc.)
  • Inherence: something only the user is (biometric identification such as fingerprint, iris or voice recognition)
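The two workflows above (frictionless steps 1–4, challenge steps 1–3 then 4–7) and the two-of-three factor rule can be tied together in a small decision model. The following Python is an added example written for this article; it is not code from EMVCo, from a 3DS server or ACS vendor, or from the author. The `Transaction` fields (`sca_exempt`, `issuer_requires_sca`, `acquirer_requires_sca`, `presented_factors`) and the policy names are assumptions introduced for illustration; the real 3DS2 messages carry far more data and the exemption rules are not modelled, only a single exemption flag. The model also shows the article's "systematic authentication" concern as a number: the share of a batch of constructed transactions that end up in a challenge under an issuer that challenges everything versus one that challenges only flagged transactions.

```python
from dataclasses import dataclass, field
from enum import Enum


class Factor(Enum):
    """The three SCA factor categories from the article."""
    KNOWLEDGE = "knowledge"    # PIN, password
    POSSESSION = "possession"  # card, smartphone
    INHERENCE = "inherence"    # fingerprint, iris, voice


def meets_sca(factors):
    """SCA holds when at least two DISTINCT categories are present.
    Two proofs of the same category (e.g. password + PIN) count once."""
    return len({f for f in factors}) >= 2


@dataclass
class Transaction:
    # All fields below are hypothetical, chosen to model the article's rules.
    amount: float
    sca_exempt: bool = False            # a regulatory exemption applies (not detailed here)
    issuer_requires_sca: bool = False   # Issuer (ACS side) asks for a challenge
    acquirer_requires_sca: bool = False  # Acquiring PSP asks for a challenge
    presented_factors: list = field(default_factory=list)


def authenticate(tx):
    """Run the 3DS2 flow described in the article and return the outcome.

    Frictionless: steps 1-4 complete with no cardholder intervention.
    Challenge:    same steps 1-3, then 4-7, and the cardholder must supply
                  two factor categories for the challenge to succeed."""
    steps = [
        "1. Payment authentication initialized",
        "2. Authentication request/response",
        "3. Communication of results",
    ]
    challenge_needed = (not tx.sca_exempt) and (
        tx.issuer_requires_sca or tx.acquirer_requires_sca
    )
    if not challenge_needed:
        steps.append("4. Authorization messages")
        return {"flow": "frictionless", "authenticated": True, "steps": steps}

    steps.append("4. Challenge requested by Acquiring PSP and/or Issuer")
    authenticated = meets_sca(tx.presented_factors)
    steps.append("5. Challenge results shared between Acquiring PSP and Issuer")
    steps.append("6. Results forwarded to Merchant")
    if authenticated:
        # Authorization only proceeds once the challenge succeeded.
        steps.append("7. Authorization messages")
    return {"flow": "challenge", "authenticated": authenticated, "steps": steps}


def challenge_rate(transactions, issuer_policy):
    """Fraction of transactions that hit the challenge flow under an issuer policy.

    issuer_policy: 'systematic'  -> issuer challenges every non-exempt transaction
                   'risk_based'  -> issuer challenges only transactions it flagged
    """
    challenged = 0
    for tx in transactions:
        if issuer_policy == "systematic":
            tx = Transaction(tx.amount, tx.sca_exempt, True,
                             tx.acquirer_requires_sca, tx.presented_factors)
        if authenticate(tx)["flow"] == "challenge":
            challenged += 1
    return challenged / len(transactions) if transactions else 0.0


# Constructed sample batch (not real data): 10 purchases, one flagged by the
# issuer, one flagged by the acquirer, two covered by an exemption.
SAMPLE_BATCH = [
    Transaction(12.0),
    Transaction(45.0),
    Transaction(99.0, issuer_requires_sca=True),
    Transaction(8.0, sca_exempt=True),
    Transaction(250.0, acquirer_requires_sca=True),
    Transaction(30.0),
    Transaction(15.0, sca_exempt=True, issuer_requires_sca=True),
    Transaction(60.0),
    Transaction(22.0),
    Transaction(75.0),
]

if __name__ == "__main__":
    for policy in ("risk_based", "systematic"):
        print(policy, "challenge rate:", challenge_rate(SAMPLE_BATCH, policy))
```

Running the block prints a 20% challenge rate for the risk-based issuer (the two flagged, non-exempt transactions) against 80% for the systematic issuer (everything except the two exempt ones), which is exactly the friction the first section warns merchants about. Note that `meets_sca` deduplicates by category, so a challenge that collects only knowledge-type proofs never satisfies the two-of-three rule.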

Discover our special folder to prepare your company to new European requirements and anticipate the impacts on your turnover.

PSD2 Folder

