3DS or Three-Domain Secure represents a user authorisation protocol for card-not-present operations. It provides an additional layer of security for e-commerce transactions. This protocol allows for the exchange of data between the merchant, the card issuer and, if necessary, the consumer to confirm that the original account holder initiated the transaction.
A 3DS payment gateway is a gateway that utilises the 3D secure protocol for user authorisation when they pay for their purchases in an online store.
The concept of 3DS payment gateway arose since three domains are involved: a merchant or an acquirer, who requests the payment card data, a payment system that redirects the payer to a password confirmation page, and the card issuer’s domain or a specialised service, where a confirmation page is formed, and the entered security codes are checked.
So, the first authentication step requires the card number, expiration date, cardholder's name, and authentication code (for example, CVC2).
In the second step, using the 3D Secure protocol, the store's website shows the page of the card issuing bank and requires entering an additional security code. Bank clients can receive it via a message to their mobile phone, using a one-time code card, or a particular application. The code can also be permanent and pre-set by the clients.
3DS 2.0 is a next-generation version of the 3DS protocol developed and owned by EMVCo. It aims to eliminate the pain points of version 1.0 and significantly increase the attractiveness of the technology in general for market participants, the quality of the assessment of the transaction legitimacy, and the need for its authentication.
Compared to 3D Secure 1.0, the following changes have been made in version 2.0:
The 3D Secure technology minimises card fraud risks for merchants since the issuing bank is responsible for the transactions performed with this type of verification. All the authentication data provided by the customers is stored on the payment server of the issuing bank. The online store does not have access to it, except for a part of the information on the payment card details but in the amount allowed by PCI DSS. All these aids in data security.
With 3DS 2.0 updates, merchants can receive more data when interacting with issuing banks and payment gateways. It allows them to collect valuable data on transactions after the order was made. For instance, the number of times a customer was redirected to the 3DS checkout page, as well as the percentage of authenticated payments, can provide a more complete picture of customer behavior. This, in turn, provides analysts with important statistics on fraudulent activities and helps improve the protection system.
The transition to 3DS 2.0 is objectively necessary against the background of a fragmented payment landscape, including the widespread use of mobile devices, unpredictable changes in user behavior (for example, due to a pandemic), higher requirements for usability, stability, and speed of payment instruments.
At Corefy, we empower our clients to switch to the new security standard and access its unique advantages. Our integrations team has been actively adapting our PSPs connectors to 3DS2, trying to make the transition seamless for a customer. The more providers offer support for 3DS2, the more connectors we can adapt to the new standard.
