3-D Secure 2.0
In 2014, Visa and MasterCard jointly contributed 3-D Secure 2.0 to EMVCo, the global technical body that manages the EMV Specifications and other payments standards. EMVCo has been working on developing an updated and enhanced version of the 3-D Secure specification, called 3-D Secure 2.0.
After two years of work, in October 2016, EMVCo issued the Protocol and Core Functions Specification for 3-D Secure 2.0.
The new specification includes updates and enhancements to address the need for a more seamless online payment experience for consumers, while accommodating new devices and payment methods.
The main features of 3-D Secure 2.0 are:
- Supports app-based authentication and integration with digital wallets, as well as traditional browser-based e-commerce transactions.
- Improves the consumer experience by enabling intelligent risk-based decisioning that encourages frictionless consumer authentication by facilitating a greater exchange of data between merchants and issuers.
- Delivers industry-leading security features.
- Specifies the use of multiple options for step-up authentication, including one-time passcodes, as well as biometrics via out-of-band authentication.
- Enhances the functionality that enables merchants to integrate the authentication process into their checkout experiences, for both app and browser-based implementations.
- Offers performance improvements for end-to-end message processing.
- Adds a non-payment message category to provide cardholder verification details to support various non-payment activities, such as adding a payment card to a digital wallet.
EMVCo is collaborating with the PCI Security Standards Council to provide security requirements, testing procedures, assessor training and reporting templates to address the environmental security associated with 3DS 2.0. The related documentation is expected to be released in the first half of 2017.
To ensure that stakeholders in each market have a reasonable amount of time to implement the solution once certified products and services are available, certain rules, such as fraud chargeback protection on merchant-attempted 3-D Secure 2.0 transactions, will not take effect until the program activation date. In Europe, a region that is already relying heavily on risk-based authentication, Visa expects a program activation date of April 2018.