PSD2 progressively began entering into force between January 13, 2018, and September 14, 2019. However, there are still different understandings of the regulation in terms of regulatory compliance. One of those topics concerns SMS OTP (one-time-password) and whether it is an approved authentication method. Is it applicable for online payment verification? If yes, does it count as a possession or knowledge element under SCA? To find out, we did some research and provided answers. Keep reading!


SMS OTP Authentication

SMS one-time-password (OTP) is a well-known, simple form of authentication. It enables users to authenticate themselves with a dynamic code from an SMS message. Often used for 2FA (two-factor authentication), SMS OTP is commonly used as a second factor necessary for gaining access to a particular network or service, usually combined with a static PIN/password. Although two passwords are better than one, SMS OTP is not the most reliable method for verifying identity. That is due to an array of risks revolving around the method. Some of them include SIM swapping, SIM hacking, intercepting the message, account takeover, etc.

SMS OTP within PSD2 & SCA

Until recently, SMS OTP was one of the most convenient ways of authenticating an online transaction or logging into a payment account. The user would simply enter the received OTP into their payment application and approve the transaction. In such cases, SMS OTP commonly contains additional information regarding the transaction, including the transaction amount and the payment beneficiary. To conduct 2FA, banks and payment service providers combine static PINs and SMS OTP, PIN being a knowledge element, and SMS OTP representing a possession factor.

The second payment services directive (PSD2) enforces Strong Customer Authentication (SCA), which requires online payment authentication with two out of three security elements: Knowledge, Possession, and Inherence. SMS OTP, treated as a possession element, in combination with a static PIN/password is therefore an acceptable authentication method conforming to the PSD2 SCA requirement. Strictly speaking, the SMS OTP itself is not the possession element; the SIM card associated with the respective mobile number represents possession.

EBA's opinion on the matter is as follows:

For a device to be considered as possession, there needs to be a reliable means to confirm possession through the generation or receipt of a dynamic validation element on the device.

In this context, a one-time password sent via SMS would constitute a possession element and should therefore comply with the requirements under Article 7 of the Delegated Regulation, provided that its use is ‘subject to measures designed to prevent replication of the elements’, as required under Article 7(2) of this Delegated Regulation. The possession element would not be the SMS itself, but rather, typically, the SIM-card associated with the respective mobile number.

To conclude, SMS OTP is PSD2 compliant when combined with a static PIN/password or another authentication method. This method needs to include either knowledge or an inherence security element.

However, SMS OTP is subject to a variety of security concerns. A considerable amount of risk comes from using SMS as a channel, primarily because the message can be intercepted and man-in-the-middle attacks are possible. SIM swaps, performed so that the message containing the OTP is delivered to the fraudster instead of the victim, are a further threat. Because the method is so well known, fraudsters have more than enough knowledge of how to attack it.

EBA's Opinion

Although SMS OTP is PSD2 SCA compliant, EBA's opinion on the matter is a bit more complex. Another component introduced by PSD2, Dynamic Linking, raised questions about SMS OTP compliance.

Dynamic linking aims to specifically link each transaction to its amount and the recipient of the payment. The end goal is to prevent man-in-the-middle and similar attacks. Dynamic linking connects the transaction amount or order details to the authentication code and sends it to the user. If any of the information is altered, a new authentication code will be generated, and the fraudulent attempt would fail. One of the requirements of Dynamic Linking states that the payment information must be protected.
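The following Python snippet is an added illustration of the dynamic-linking principle described above; it is not part of the original post and not TriDES code. The authentication code is derived as an HMAC over the amount, the payee and a per-transaction nonce, so a code issued for one transaction does not verify once the amount or payee is changed. The key, nonce, amounts and payee names are constructed placeholders; a real ACS would keep the per-user key in an HSM and deliver the code over a protected channel rather than plain SMS.

```python
import hashlib
import hmac

CODE_DIGITS = 6  # length of the numeric code shown to the user


def canonical_payload(amount_cents: int, currency: str, payee: str, nonce: str) -> bytes:
    """Serialise the transaction details in a fixed order so that the issuer
    and the verifier hash exactly the same bytes."""
    return f"{amount_cents}|{currency.upper()}|{payee.strip().lower()}|{nonce}".encode("utf-8")


def authentication_code(key: bytes, amount_cents: int, currency: str, payee: str, nonce: str) -> str:
    """Derive a short numeric authentication code bound to the amount, the payee
    and a per-transaction nonce (the dynamic-linking property).
    The truncation step follows the HOTP dynamic truncation of RFC 4226."""
    mac = hmac.new(key, canonical_payload(amount_cents, currency, payee, nonce), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    binary = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(binary % 10 ** CODE_DIGITS).zfill(CODE_DIGITS)


def verify_code(key: bytes, amount_cents: int, currency: str, payee: str, nonce: str, presented: str) -> bool:
    """Recompute the code from the details the bank actually intends to execute
    and compare in constant time. Any change to amount or payee yields a
    different code, so a code captured for one transaction is useless for another."""
    expected = authentication_code(key, amount_cents, currency, payee, nonce)
    return hmac.compare_digest(expected, presented)


def demo() -> tuple:
    """Issue a code for a constructed transaction and try to reuse it after tampering."""
    # Constructed values: a per-user key (would live in an HSM) and a transaction nonce.
    key = b"constructed-per-user-secret-do-not-use"
    nonce = "txn-000001"
    code = authentication_code(key, 4999, "EUR", "Acme Shoes Ltd", nonce)
    genuine = verify_code(key, 4999, "EUR", "Acme Shoes Ltd", nonce, code)
    amount_changed = verify_code(key, 49999, "EUR", "Acme Shoes Ltd", nonce, code)
    payee_changed = verify_code(key, 4999, "EUR", "Mallory Ltd", nonce, code)
    return genuine, amount_changed, payee_changed


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

The point of the canonical payload is that the code is only as good as the binding: if the user sees "49.99 EUR to Acme Shoes Ltd" in the message but the bank executes a different amount, the code the user types will not verify. This is also why the EBA quote below insists that the transaction details themselves stay confidential and intact in transit.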

EBA's opinion on the matter is as follows:

In addition, regardless of whether a strong customer authentication element is possession, knowledge or inherence, Article 22(1) of the Delegated Regulation requires that “payment service providers shall ensure the confidentiality and integrity of the personalised security credentials of the payment service user, including authentication codes, during all phases of the authentication” and Article 22(4) of the Delegated Regulation states that “payment service providers shall ensure that the processing and routing of personalised security credentials and of the authentication codes generated in accordance with Chapter II take place in secure environments in accordance with strong and widely recognised industry standards”.

SMS is carried over SS7, a telephony signalling protocol that is not secure. Any information regarding the transaction amount or the order details in the SMS would therefore have to be encrypted, and decrypting the content would require significant effort on the user side, cause confusion, and create friction. The conclusion drawn from EBA's opinion is the following: SMS OTP for Dynamic Linking is not PSD2 compliant unless the content of the message is protected with additional encryption or sent through a secure channel.

When to Use SMS OTP?

Although it is among the top authentication methods, use it with caution. Consider it an alternative authentication method rather than a standard one. Enabling SMS OTP as a fallback method is good practice; if all else fails, you can rely on SMS OTP. Another tip is to consider delivering the OTP through a more secure channel. Most banks have their own mobile applications, which use TLS/HTTPS to communicate with the server. Also, if the population is less tech-savvy, i.e., the older population which is not familiar with smartphones, they will appreciate the option to use SMS OTP as one of their primary methods of authentication.

For more information, contact our team at [email protected] to get a free, zero-obligation consultation or try our DEMO to see 3D Secure in action.

Although there is a lot of talk about PSD2, we understand that the information contained in the directive can be, and indeed is, overwhelming. To understand the primary motivation behind the PSD2 regulation, we covered key points relevant to you and your business on a single page. 


What is PSD2?

As stated by the official summary of the PSD2 directive, the main goal of the regulation is to provide a legal foundation for the further development of electronic payments within the EU. It is a comprehensive set of rules aiming to make payments within the EU simple, efficient, and secure. Motivated by offering a broader set of choices and better prices for consumers, PSD2 advocates opening up payment markets to new participants to create more competition, leading to greater efficiency and strengthening consumers' trust.

The directive strives to enhance the existing set of EU rules regarding electronic payments. It emphasizes innovative and emerging payment services, such as internet and mobile payments. Rules stated in the directive concern security requirements, i.e., safeguarding consumers' financial data, promising secure authentication, and reducing online payment fraud rates. Transparency is another key point that PSD2 advocates in order to provide accurate and timely information about requirements regarding payment services. PSD2 establishes the rights and obligations of the participants in the online payment environment, both the users and the providers of payment services.

Several notable suggestions regarding leveling the payments playing field are pointed out, and those are the following:

  1. Expanding the EU payments market – PSD2 advocates opening the payment market to new participants in an effort to decrease the monopoly banks have over the customer's accounts and payments services, promising increased efficiency without compromising the security of online payments,
  2. Empowering consumers – consumers have reduced liability for non-authorized payments, unconditional refund rights for a predefined period of time (8 weeks), eliminated surcharges for the use of a consumer credit/debit card,
  3. Restricted interchange fees – PSD2 limits interchange fees between banks for card-based transactions in an effort to reduce merchant costs for accepting credit/debit cards as a means of payment.

What happened to PSD?

The first payment services directive dates from 2007. While it set out good practices and regulated guidance on rules regarding payment services, as of today, it is obsolete. With the rapid evolution of ''all things digital'', new e-commerce trends, authentication methods, and the overall innovative approach to payment markets, PSD was outdated and needed an upgrade. Now that we have had a brief history lesson, let's get back to our main topic.

PSD2 participants

With new regulation came new terminology, and below are the ones concerning PSD2:

AISPs (Account Information Service Providers) – Providers that can ask for permission to connect to a bank account using an API. They use that bank account information in order to provide a service. Having access to such data implies a ''read-only'' approach, i.e., they can't move funds from the account.

ASPSPs (Account Servicing Payment Service Providers) – A customer's issuing bank that provides and maintains payment accounts. They publish APIs so that the customers are able to share their account data with TPPs in case they want them to initiate payments on their behalf.

PISPs (Payment Initiation Service Providers) – Authorised PISPs are able to move funds on the customer's behalf upon connecting to the bank account. An example of a practical use case is the automatic transfer of funds to a customer's savings account.

TPPs (Third-Party Providers) – Third-Party Providers are Payment Initiation Service Providers (PISPs), Account Information Service Providers (AISPs), or both.

PSUs (Payment Service Users) – Users of any of the above-mentioned service providers.

What changes does PSD2 bring?

PSD couldn't foresee trends in the payment industry ten years in advance, and that is why PSD2 steps in. It brings a fresh set of rules in an effort to enable modern, innovative payment services for users. PSD2 provides them with the highest level of security against online payment fraud, which is constantly present. A comprehensive list of the most important payment threats published by the European Payments Council makes you think twice before entering your card data to process an online payment, and it should. Take a look.

The 2019 Payment Threats and Fraud Trends Report provides an overview of the most important threats in the payments landscape, including:

  1. social engineering,
  2. malware,
  3. advanced persistent threats (i.e. sophisticated targeted malicious attacks aimed at a specific individual, company, system, or software),
  4. mobile device-related attacks,
  5. denial of service attacks,
  6. botnets (i.e. a network of private computers infected with malicious software and controlled as a group),
  7. threats related to cloud services and big data, IoT, virtual currencies

Strong Customer Authentication

In order to combat fraud, PSD2 introduced Strong Customer Authentication (SCA). PSD2's weapon of choice protects customers by demanding them to authenticate with two out of three authentication elements, namely:

  1. Knowledge - something the user knows (PINs and passwords, for instance)
  2. Possession - something the user owns (a token or a mobile phone)
  3. Inherence - something the user is (biometric authentication including fingerprint, face recognition, voice scan)

Initially, this put pressure on issuers and merchants. They were wary of the effect it would have on overall traffic, since the added authentication steps could potentially drive customers away from their purchase. But there is a cure for this disease, and it comes in the form of SCA exemptions within the scope of the SCA mandate.

SCA exemptions

SCA exemptions include various scenarios where SCA is not necessary. The customer is not asked for an additional authentication step during the processing of a payment. SCA exemptions are the following:

  1. Low-risk transactions – alongside other innovative approaches in the payments industry, shared information about the customer's account data has enabled risk scoring, the so-called Risk-Based Authentication. It assesses the risk of an individual transaction, deeming it high, medium, or low risk. If a transaction is classified as low risk based on predefined parameters, additional authentication is not needed.
  2. LVP (Low-Value Payment) – transactions less than or equal to 30 EUR are considered low-value transactions and do not require additional authentication. This rule applies for up to five consecutive payments equal to or less than 30 EUR, and only while the cumulative value since the previous SCA is equal to or less than 100 EUR.
  3. Merchant Whitelist – The cardholder is able to whitelist a merchant (if they are eligible for whitelisting, this is managed by the issuing bank) and avoid additional authentication because they believe that the merchant is known and can be trusted.
  4. Corporate payments – processing payments with a card that belongs to an entity rather than an individual.
  5. Recurring payments – Subscriptions, loans, and similar payments with a fixed amount require SCA only for the first payment. In cases where the amount changes, SCA is mandatory for each individual change.
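The LVP exemption in item 2 is easiest to understand as a small state machine kept per card. The following is an added Python example, not TriDES code or any issuer's actual rule engine: the thresholds are the ones from the text (30 EUR per payment, five consecutive exempted payments, 100 EUR cumulative since the last SCA), amounts are in cents, and the payment sequences in the demo are constructed.

```python
from dataclasses import dataclass

LVP_MAX_AMOUNT_CENTS = 30_00        # 30 EUR: single-payment ceiling for the exemption
LVP_MAX_CONSECUTIVE = 5             # at most five exempted payments in a row
LVP_MAX_CUMULATIVE_CENTS = 100_00   # 100 EUR: cumulative ceiling since the last SCA


@dataclass
class CardLvpState:
    """Per-card counters the issuer keeps between SCA challenges."""
    exempted_in_a_row: int = 0
    cumulative_cents: int = 0

    def sca_required(self, amount_cents: int) -> bool:
        """Return True if this payment must go through SCA, False if the LVP
        exemption applies. Counters are updated as if the payment completed:
        a performed SCA resets them, an exempted payment advances them."""
        over_amount = amount_cents > LVP_MAX_AMOUNT_CENTS
        over_count = self.exempted_in_a_row >= LVP_MAX_CONSECUTIVE
        over_total = self.cumulative_cents + amount_cents > LVP_MAX_CUMULATIVE_CENTS
        if over_amount or over_count or over_total:
            # SCA is performed for this payment, which starts a fresh window.
            self.exempted_in_a_row = 0
            self.cumulative_cents = 0
            return True
        self.exempted_in_a_row += 1
        self.cumulative_cents += amount_cents
        return False


def run_sequence(amounts_cents):
    """Evaluate a sequence of payments on one fresh card and return the SCA decision per payment."""
    card = CardLvpState()
    return [card.sca_required(amount) for amount in amounts_cents]


if __name__ == "__main__":
    # Constructed sequences
    print(run_sequence([10_00] * 6))                          # sixth 10 EUR payment hits the count limit
    print(run_sequence([25_00, 25_00, 25_00, 25_00, 5_00]))    # fifth payment breaks the 100 EUR total
    print(run_sequence([50_00]))                              # above 30 EUR, never exempt
```

Note that the counters reset only when SCA is actually performed; an issuer that applied the exemption without tracking the window would exceed the limits in the text after the fifth payment or once the total passed 100 EUR.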

Out of scope - SCA

There are other scenarios that are out of the scope of the SCA requirement but are not classified as SCA exemptions.

  1. Merchant-initiated transactions – payments initiated by the merchant on the customer's behalf based on an agreement.
  2. Mail order/Telephone order – commonly known as MOTO transactions, they are out of the scope of the SCA requirement.
  3. One leg out transactions – Cases where either the card issuer or acquirer (or both) are outside the EEA.
  4. Anonymous transaction – Cases where a gift card is issued to a customer without identifiable cardholder credentials.

3D Secure 2.0

3D Secure is a protocol that enables Strong Customer Authentication and protects online payments by adding an additional layer of security. It is the main determinant for PSD2 compliance and enables both payment service providers and merchants to achieve alignment. You can get more insight on the latest version of the 3D Secure protocol in our blog post. 

How to achieve PSD2 compliance?

If you're a merchant or a PSP, the main question of the day is: Am I PSD2 compliant? If not, how do I become PSD2 compliant?

Merchants need to decide between two options. One option suggests that they pick a PSD2 compliant PSP. This relieves them from all the administrative aspects of compliance and enables them to focus on their primary business. The second option advises merchants to integrate authentication into their checkout process. This requires more effort financially but enables them to be PSD2 compliant and in charge of the customer's checkout experience.

If you're an issuer or an account-holding institution, you want to follow these steps: create APIs to enable access to transactional payment data, provide TPPs with access to accounts, make sure you have a Consumer Identity and Access Management solution in place, and finally implement the network and API security infrastructure.

Lastly, Third-Party Providers must take care of their PISP or AISP license. They need to establish a trust framework with banks and financial institutions. Next, they need to develop secure apps, including user consent and fraud monitoring. Finally, TPPs need to implement a consumer IAM solution.

Key takeaways

Although PSD2 is causing a stir in the online payments industry by demanding fast onboarding and regulatory compliance, it brings an array of new opportunities for new players in the payments environment. Increased competition most definitely increases efficiency and boosts customer trust. By introducing innovative approaches in regards to online payment security, it reduces payment card fraud, as well as opens doors for further improvement in the risk assessment department enabled by extensive data sharing. Even though PSD2 enforces strict rules and binds the participants to comply, it is done in an effort to assure more quality services that do not compromise on security.


False declines are frustrating. Whether you're a cardholder, merchant, or issuer, false declines are never pleasant and you should avoid them at all costs. They result in a missed opportunity for a pinned sale, reduce revenue for both merchants and issuers, and most notably, send customers packing right into the hands of the competition.

False declines - 3D Secure by TriDES

False declines are legitimate transaction attempts that are declined because of suspected fraud. They are the so-called ''false positives'', fully valid transactions classified as invalid, and rejected by the Access Control Server (ACS).

Picture this - you're about to purchase something online, let's say a new smartwatch. You spend some time researching all of the functionalities. You find the best deals offered to you from various merchants. That's it! After hours, maybe even days of researching online, you are finally ready to make a purchase. You enter all of the required details necessary to finalize your purchase, and – your order declines. Frustrating would be an understatement for this situation.

Now let's examine the next steps. The cardholder will most likely turn to the competition or use a different credit card in order to process their order successfully. Either way, there will be a loser at the end of this story. The cardholder will keep this unpleasant situation in their mind. The chances of them using the same declined credit card or returning to the ''problematic'' merchant are slim to none.

And there it is; a missed sale, reduced revenue, and an unhappy customer - the three horsemen of false declines.

Why do false declines happen?

The occurrence of false declines is closely connected to the anti-fraud solution used by the merchant, issuer, or acquirer. The cardholder is usually presented with a generic message such as ''transaction refused''. This offers no additional information that explains the decline or guides the cardholder to take the next step.

Common reasons for false declines involve the following:

  1. Merchant side issue – anti-fraud solution rejected a valid transaction.
  2. Acquirer side issue – anti-fraud solution rejected a valid transaction, e.g., false positive in address verification.
  3. The Risk-management solution configuration is too strict.
  4. The issuing bank is suspecting fraudulent activity.

Also, anti-fraud solutions based on behavioral analysis might classify a transaction as fraudulent, while it is, in fact, a valid one. Let's say that the cardholder has a pattern of purchasing low-value items online, not more than 10 EUR per transaction. All of a sudden, that same cardholder decides to book an all-inclusive trip online. Regardless of sufficient funds and correct card information during checkout, the transaction might be blocked because the pattern is unusual, and the system flags it as suspicious or fraudulent activity.

Balancing between false positives and false negatives

There is a fine line when it comes to configuring the ACS solution so that it identifies suspicious transactions correctly. False negatives are transactions that are fraudulent but pass as valid according to the system. On the other hand, false positives are valid, honest transactions that the system classifies as fraudulent. Configure the system ''too loosely'' and you're going to end up with false negatives. Set it up ''too strictly'' and you are risking a high number of false positives, i.e., false declines.
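To make the trade-off concrete, here is an added Python example (not TriDES's scoring engine or any real ACS logic). It scores a handful of constructed, labelled transactions by how far the amount deviates from the cardholder's usual spend, the pattern from the previous section, and counts false positives (false declines) and false negatives at several thresholds. The purchase history, the transactions and their fraud labels are all constructed.

```python
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class Txn:
    amount_eur: float
    is_fraud: bool  # ground-truth label, known only after the fact (constructed)


# Constructed cardholder history: small online purchases, never above 10 EUR
HISTORY_EUR = [4.99, 7.50, 2.99, 9.00, 6.25]

# Constructed new transactions with their true labels
NEW_TXNS = [
    Txn(8.00, False),      # ordinary purchase
    Txn(1200.00, False),   # the legitimate all-inclusive trip from the text
    Txn(350.00, True),     # genuine fraud on the card
    Txn(9.50, True),       # fraud that mimics the usual pattern
]


def risk_score(amount_eur: float, history_eur) -> float:
    """Toy behavioural score: how many times the usual (median) spend this amount is."""
    return amount_eur / median(history_eur)


def count_errors(txns, history_eur, threshold: float):
    """Flag every transaction whose score exceeds the threshold and return
    (false_positives, false_negatives): honest transactions declined, fraud let through."""
    false_positives = false_negatives = 0
    for txn in txns:
        flagged = risk_score(txn.amount_eur, history_eur) > threshold
        if flagged and not txn.is_fraud:
            false_positives += 1
        elif not flagged and txn.is_fraud:
            false_negatives += 1
    return false_positives, false_negatives


def sweep(thresholds, txns=NEW_TXNS, history_eur=HISTORY_EUR):
    """Error counts per threshold; strict (low) thresholds trade false negatives for false positives."""
    return {t: count_errors(txns, history_eur, t) for t in thresholds}


if __name__ == "__main__":
    for t, (fp, fn) in sweep([1.0, 1.4, 10.0, 1000.0]).items():
        print(f"threshold {t:>7}: false declines={fp} missed fraud={fn}")
```

With this data no single threshold is clean: the strictest setting declines the honest 8 EUR purchase as well as the trip, the loosest lets both fraudulent payments through, and every setting in between declines the legitimate trip because amount alone cannot distinguish it from the 350 EUR fraud. That is exactly why 3D Secure 2's richer transaction data matters for the scoring engine.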

False declines vs. Fraudulent transactions

If we examine the end impact of fraudulent transactions, we need to keep in mind that the loss is not equal to the amount of the processed fraudulent transaction. It can be anywhere from 100% (gold) to 0% (digital goods) of the amount displayed in the web store. If we take sneakers as an example, the total cost of loss will be equal to the manufacturing cost. It is usually as low as 5% of the displayed price.

When talking about false declines, the end impact is much more significant. After receiving a notification about an invalid transaction, the cardholder doesn't have any guidance on the next steps. They will most likely use a different credit card or look for the same product/service in the neighbor's yard, the competition. Either way, they are leaving with an unpleasant experience with the overall service, and it is not likely that they will use the same rejected credit card or revisit the same merchant.

Riskified surveyed 5000 US-based consumers in order to find out more about their online shopping experiences and fraud. Regarding our topic, the survey finds that almost one third of shoppers in every segment are wrongfully rejected during a purchase, resulting in a false decline. After being rejected, 42% of shoppers abandon their cart immediately and move on to the next best thing. If we look at the big picture, that means that all acquisition costs and efforts went out of the window because of a ''single'' false decline.

False positives are extremely expensive. The Global Fraud Survey published by the Merchant Risk Council states that the average online store rejects 2.6% of all transactions under the claim they might be fraudulent. The pricing pattern says that the higher the price, the higher the percentage of declines (e.g., merchants decline around 3.1% of orders over 100$).

3D Secure 2 and False Declines

3D Secure 2 enables issuers to access ten times more transaction data than before, which results in more precise risk analysis and profile creation for the cardholder. The end result? Fewer false declines, among other benefits, of course. Both merchants and issuers are able to increase profits and keep their customers satisfied and returning to use their service.


How can something that sounds so innocent cause so much trouble for merchants and issuers? After all, how can fraud be described as friendly? The name comes from the simple virtue of convincing the merchant that the actual fraudster is the victim of fraud by making plausible and honest-like claims. Imagine the backlash you, as an issuer or merchant, would get if you neglected a legitimate dispute under the claim that you're suspecting it is an attempt of friendly fraud. Now that you understand the complexity of the problem, let's start from the beginning.

Friendly Fraud 101

The first distinction between friendly fraud and conventional fraud in online payments is the fact that the fraudster is not using a stolen credit card or credentials, but their own (or from a friend, family member, etc.). The initial intent of the ''friendly fraudster'' is to receive and retain goods and services while asking for chargeback under the claim they did not make the purchase nor receive goods or services.

A common scenario is the following: a cardholder purchases goods from a merchant and claims they did not make the purchase, did not receive the goods, or received a partial order. This gives the cardholder enough grounds to file a chargeback, demanding a full refund.

It is evident that there is a common denominator when it comes to friendly fraud - chargebacks. That is why friendly fraud is often referred to as chargeback fraud. The cardholders with ''unfriendly'' intentions have figured out how to game the chargeback process. In order to benefit from it, they claim legitimate purchases to be fraudulent.

Chargeback: Returning funds to the cardholder by revoking funds from the merchant based on a reported fraudulent activity.

Friendly Fraud: Any scenario where a cardholder wrongly files a suspicious charge, either by mistake or with malicious intentions.

Now that we have cleared up the difference, it is good to know that 86% of all chargebacks (Paymentsource) are likely to be friendly fraud. A mechanism meant to protect the customer is being abused, and merchants' hands are tied.

Types of Friendly Fraud

The truth is, not all friendly fraud is malicious. There are cases where an honest misunderstanding took place. But that makes things even more complex when it comes to detecting and preventing such fraudulent activities. Let's go through our list and distinguish the ones which are malicious from unintentional ones.

1. Chargeback vs. Refund

An average cardholder neither understands nor cares about the difference between chargebacks and refunds. Instead of contacting the merchant to file for a refund, they go to their issuing bank to reverse the charges. This results in a chargeback, which harms the merchant.

2. Auto-Pilot Mode

Good memory or bad memory, living in today's fast-paced world often results in unintentional fraud reports. Recurring payments and transactions made in a rush tend to fade out from our memory, causing confusion when we take a look at our transaction history. What do we do? File a chargeback dispute.

3. Unfamiliar Descriptors

There are cases where the cardholder is not able to recognize the company name on the billing statement. This can be due to rebranding or the business simply being registered under a name different from its legal business name because of branding. Red flags are automatically raised in the cardholder's head, and the only logical option is to open a dispute.

4. Bad Communicators

In some cases, people share, or even borrow, credit cards from their family, partners, coworkers, etc. Although there are no ill intentions, we fail to inform one another about particular purchases. This results in confusion, suspected fraud, and finally, a chargeback.

5. Malicious Intentions

This one is for the cardholders who tend to abuse the chargeback process. They game the system by falsely reporting transactions made by themselves. Typical claims involve unsuccessful delivery, unapproved authorization, partial delivery of the purchase, all resulting in chargeback processes harming the merchant. 

Who is to blame?

Given all the facts, friendly fraud resulting in chargebacks damages the merchant, leaving the fraudster without consequences and with full pockets. The question of the day is: Why do we tolerate this behaviour?

Banks and card associations have created an environment that puts customers first. If an issuer wants to issue or receive payments from a particular card scheme, they need to comply with the card scheme's rules and regulations. Since the end goal for card schemes is to increase the number of cards used by cardholders, they encourage consumer-first policy and guarantee rights regarding transaction disputes.

By association, issuers are adopting the consumer-first policy, favoring customer rights over merchant rights. Unless the merchant has solid proof that the cardholder filed a chargeback with ill intentions, the chances of coming out victorious are slim to none.

How to Find a Way Around Friendly Fraud?

Fraud can't be terminated, but it can be influenced. Friendly fraud is a specific genre of online fraudulent activity. No matter the circumstances, if a cardholder with malicious intentions is determined to game the system through the chargeback process, the chances are they will execute it. But keep in mind, only one out of the five mentioned types of friendly fraud involves intentional fraud.

By undertaking some specific fraud-prevention actions, you can reduce the likelihood of friendly fraud. Here are a few tips on how to approach this issue:

The Future is Looking Bright

Friendly fraud as such is not in the primary scope of 3D Secure. However, 3D Secure 2 is very much focused on transaction risk scoring. It provides a frictionless user experience by identifying low-risk transactions. Risk scoring services in 3D Secure evolve through the year by deploying machine learning, behavior analytics, and artificial intelligence algorithms in risk scoring.

So the answer lies in gaining in-depth data about customers, enabling quality prediction and a better understanding of where threats are coming from.

AI-powered analytics are able to provide insight into unusual behaviour patterns. This is useful for detecting suspicious activities involving friendly fraud as well. More data will provide more knowledge about frequent chargeback and refund abusers, so that they can be blacklisted.

Merchants should be able to set certain parameters such as refund limit per customer or prevent customers from demanding a refund for a specific period.


3D Secure has been up and running since 2001, when VISA came up with an interoperable protocol to authenticate Card-Not-Present (CNP) online payments. More than a decade later, EMVCo took ownership of the 3D Secure protocol from VISA and designed the second generation of 3D Secure, EMV 3DS, better known as 3D Secure v2. Since migration to EMV 3DS2 is taking longer than expected, the end of support for 3D Secure v1 was recently extended from December 2020 to October 2022.

This means two more years of possible headaches for issuing banks, since the two protocols coexist independently and demand separate infrastructures. Most Access Control Server (ACS) software providers have built a new ACS compatible with 3DS2, so issuing banks will mostly be running two ACSs for the next two years.

Cardholder Confusion

Running two ACSs is not the most critical point, even though it adds operational costs for issuers. One card should be enrolled (according to MC/VISA suggestions) on both 3DS platforms. This is necessary to support authentication in cases where the merchant has not upgraded to 3DS2. Statistics show that most non-EU merchants have not upgraded to 3DS2.

3DS2 offers a much broader set of functionalities and authentication methods (e.g., push notification, Risk-Based Authentication, frictionless authentication, Merchant Whitelist, etc.). This is the result of efforts put into providing the cardholder with the best User Experience possible. None of the mentioned features are supported in 3DS v1. That means that buyers might encounter a very different user experience when purchasing from merchants that have upgraded to 3DS2 and from those that have not.

Deploy ''frictionless like'' Authentication on 3DS1

3D Secure solutions with a modular architecture (ACS core, Authentication Service, and Risk Scoring Service built as separate but interoperable modules) enable integration of those modules with a 3DS1 platform as well, i.e., an ACS that runs 3D Secure v1. This architecture brings two significant enhancements for buyers:

Since 3DS1 was not well received by cardholders because of its poor user experience, during the two-year transition period cardholders will be able to complete more transactions frictionlessly, and transaction abandonment rates will fall accordingly.

Know Your Customer (better)

The most notable user experience benefit of 3D Secure v2 is Risk-Based Authentication and the frictionless flow. Transaction risk is assessed against the cardholder's transaction history and a previously built behavioral profile. Whenever a transaction deviates from that profile, the issuer steps up and requires Strong Customer Authentication.

Separating 3DS1 and 3DS2 transactions while a significant number of transactions still run over 3DS1 means that the customer profile in 3DS2 is incomplete, because the behavioral data from 3DS1 transactions never reaches it. To overcome this, issuers can deploy a single risk scoring service behind both ACS1 and ACS2. It lets them complete the buyer's profile and make a more precise risk assessment.
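As an added illustration of the shared-scoring point (example code written for this page, not part of TriDES2 or any Asseco/ASEE product), the Python below builds a behavioral profile from past authentications and compares two deployments: one profile per ACS, and a single risk scoring service fed by both. The profile attributes, scoring weights, the 50-point challenge threshold and the transaction history are all constructed assumptions.

```python
"""Added example: one behavioural profile fed by both 3DS1 and 3DS2 transactions,
versus one profile per protocol version. All names, weights, thresholds and sample
transactions are constructed for illustration; none come from an ACS product."""
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class Txn:
    protocol: str   # "3DS1" or "3DS2": which ACS handled the authentication
    amount: float   # EUR
    country: str    # merchant country from the authentication request
    device: str     # browser/device fingerprint hash
    merchant: str


@dataclass
class Profile:
    """Behavioural profile of one cardholder, learned from past authentications."""
    countries: Counter = field(default_factory=Counter)
    devices: Counter = field(default_factory=Counter)
    merchants: Counter = field(default_factory=Counter)
    amounts: list = field(default_factory=list)

    def learn(self, t: Txn) -> None:
        self.countries[t.country] += 1
        self.devices[t.device] += 1
        self.merchants[t.merchant] += 1
        self.amounts.append(t.amount)

    def score(self, t: Txn) -> int:
        """Higher means riskier; every attribute never seen before adds points."""
        if not self.amounts:
            return 100                      # no history at all: always step up
        risk = 0
        if t.country not in self.countries:
            risk += 40
        if t.device not in self.devices:
            risk += 30
        if t.merchant not in self.merchants:
            risk += 10
        median = sorted(self.amounts)[len(self.amounts) // 2]
        if t.amount > 3 * median:           # unusually large for this cardholder
            risk += 30
        return risk


CHALLENGE_THRESHOLD = 50  # assumption: at or above this the issuer requires SCA


def decide(profile: Profile, t: Txn) -> str:
    return "challenge" if profile.score(t) >= CHALLENGE_THRESHOLD else "frictionless"


class SplitScoring:
    """One profile per protocol version: ACS1 and ACS2 do not share data."""
    def __init__(self):
        self.by_protocol = {"3DS1": Profile(), "3DS2": Profile()}

    def learn(self, t: Txn) -> None:
        self.by_protocol[t.protocol].learn(t)

    def decide(self, t: Txn) -> str:
        return decide(self.by_protocol[t.protocol], t)


class SharedScoring:
    """A single risk scoring service behind both ACSs."""
    def __init__(self):
        self.profile = Profile()

    def learn(self, t: Txn) -> None:
        self.profile.learn(t)

    def decide(self, t: Txn) -> str:
        return decide(self.profile, t)


# Constructed history: the cardholder mostly buys at non-EU merchants still on 3DS1,
# always from the same laptop, in two countries. Only one transaction came via 3DS2.
HISTORY = [
    Txn("3DS1", 45.0, "US", "dev-laptop", "bookshop"),
    Txn("3DS1", 60.0, "US", "dev-laptop", "bookshop"),
    Txn("3DS1", 30.0, "US", "dev-laptop", "streaming"),
    Txn("3DS1", 120.0, "GB", "dev-laptop", "electronics"),
    Txn("3DS2", 20.0, "GB", "dev-laptop", "grocery"),
]
# A new 3DS2 purchase that fits the cardholder's overall behaviour...
NEW_3DS2 = Txn("3DS2", 50.0, "US", "dev-laptop", "bookshop")
# ...and a genuinely anomalous one: new device, new country, unusually large amount.
ANOMALOUS = Txn("3DS2", 900.0, "BR", "dev-unknown", "crypto-exchange")


def run(scoring_cls) -> tuple:
    """Train on HISTORY, then return the decisions for (NEW_3DS2, ANOMALOUS)."""
    s = scoring_cls()
    for t in HISTORY:
        s.learn(t)
    return s.decide(NEW_3DS2), s.decide(ANOMALOUS)


if __name__ == "__main__":
    print("split :", run(SplitScoring))   # ('challenge', 'challenge')
    print("shared:", run(SharedScoring))  # ('frictionless', 'challenge')
```

With split profiles the 3DS2 profile knows only one grocery purchase in GB, so the perfectly normal bookshop order is challenged; the shared profile recognises it and stays frictionless, while both deployments still challenge the anomalous transaction.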

Having two coexisting 3D Secure protocols is not easy to handle on the issuer side, but there are solutions that help overcome the challenge. The answer to the technical issues is a modular architecture: it allows issuers to process a given transaction successfully regardless of whether the merchant uses 3DS1 or 3DS2. The bigger challenge is to ensure a smooth and uniform user experience in both cases, which is what makes cardholders confident in the security of their online purchases. Different checkout experiences make buyers wary during online payments and can cause cart abandonment rates to soar.

For more information, contact our team at [email protected] to get a free, zero-obligation consultation or try our DEMO to see 3D Secure in action.

Since VISA launched the first 3D Secure protocol in 2001, the online payments ecosystem has changed substantially, both in regulation and in the channels used for online payments, demanding a better user experience and a more flexible approach. The new versions of the protocol enable SCA in mobile apps, support biometric authentication and allow exemptions, all in order to provide a solution that benefits every party.

Importance of 3D Secure

Online payments have been around for quite a while. However, last year, marked by the Covid-19 pandemic, caused a big spike in the number of stakeholders who went online. For reference, the Office for National Statistics states that online sales in the UK accounted for 35.2% of all retail in January 2021.

A 2021 report from Retail Economics and NatWest finds that 46% of UK consumers bought goods and services online that, prior to the pandemic, they had only ever purchased in store. What makes this a new trend is that 32% of consumers say they plan to continue their new shopping habits in the future.

Such numbers pose new opportunities as well as threats. As more and more people turn online to purchase goods and services, those with ill intentions do not waste time. Security questions regarding online payments have come to the fore, and that is where 3D Secure steps in. To secure the online payments ecosystem, EMVCo's specification reflects current and future market trends in order to support security, performance and user experience.

Issuers are still on the fence about adopting the new 3D Secure versions, but there is no doubt about the benefits they bring. From security to user experience improvements, 3D Secure ties it all together. The key benefits of each version are outlined below.

3DS v2.1 Overview

Since 3D Secure v1.0, there have been a lot of changes in the online payments industry. One major change was the extension to mobile apps and the securing of mobile payments, which benefits both security and user experience. Secondly, since mobile emerged as an alternative online payment channel, alternative authentication methods that are becoming today's standard were introduced, above all biometric authentication, which provides a high level of security without degrading the user experience during checkout.

3D Secure v2.1 also carries about ten times more data than the previous version, allowing issuers to perform a more precise risk analysis that results in fewer step-ups and fewer false declines. A new feature in this version supports Merchant-Initiated Transactions such as subscriptions: the first payment requires SCA, while the following identical payments do not. One of the essential upgrades addresses the PSD2 SCA requirement, making 3D Secure v2.1 a fully compliant solution.

3DS v2.2 Overview

3D Secure v2.2 includes all features of v2.1 plus some extra benefits. Support for SCA exemption flags allows a more flexible approach: a transaction can be flagged for the low-value exemption, for transaction risk analysis, or for merchant whitelisting (trusted beneficiaries), and the issuer decides whether the exemption actually applies. The cardholder is in control when it comes to choosing the authentication method applied during checkout, which makes the solution more user-friendly and the authentication process straightforward. Moreover, decoupled authentication, introduced in this version, allows the transaction to be authenticated at a time different from when the transaction occurred, which comes in handy in scenarios such as recurring payments or split shipments. Another feature included in v2.2 is delegated authentication, which means that issuers can let third parties (merchants, acquirers, etc.) conduct the authentication on their end. This eliminates unnecessary friction and provides a better customer experience.
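To make the exemption flags concrete, here is an added issuer-side decision routine (example code for this page, not Asseco/ASEE or EMVCo code). The thresholds are those of the PSD2 RTS (Delegated Regulation (EU) 2018/389: Art. 13 trusted beneficiaries, Art. 14 recurring transactions, Art. 16 low-value remote payments, Art. 18 transaction risk analysis); the data model, the symbolic exemption names, the function names and the sample payments are constructed. Mapping the symbolic names onto the actual 3DS 2.2 message fields is left to the reader.

```python
"""Added example: may a remote card payment skip SCA under the RTS exemptions
that a 3DS 2.2 requestor can flag? Thresholds are from the RTS; everything else
(names, counters, sample data) is constructed for illustration."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class CardState:
    """Issuer-side counters kept per card since the last successful SCA."""
    amount_since_sca: float = 0.0       # cumulative EUR, Art. 16(b)
    count_since_sca: int = 0            # consecutive exempted payments, Art. 16(c)
    trusted_beneficiaries: set = field(default_factory=set)   # Art. 13 whitelist
    recurring_authorised: set = field(default_factory=set)    # (payee, amount) pairs, Art. 14


@dataclass
class Payment:
    amount: float
    payee: str
    requested_exemption: Optional[str]  # "low_value" | "tra" | "trusted_beneficiary" | "recurring" | None
    recurring: bool = False


# Art. 18 annex: maximum exemption threshold value (ETV) allowed at a given PSP fraud rate.
TRA_TABLE = [(0.0001, 500.0), (0.0006, 250.0), (0.0013, 100.0)]


def tra_limit(fraud_rate: float) -> float:
    """Highest ETV the issuer may apply at its reference fraud rate; 0 if the rate is too high."""
    for max_rate, limit in TRA_TABLE:
        if fraud_rate <= max_rate:
            return limit
    return 0.0


def may_exempt(p: Payment, st: CardState, issuer_fraud_rate: float) -> Tuple[bool, str]:
    """Grant the requested exemption only if its RTS conditions hold.
    The issuer always keeps the right to challenge anyway."""
    ex = p.requested_exemption
    if ex == "trusted_beneficiary":
        if p.payee in st.trusted_beneficiaries:
            return True, "Art. 13 trusted beneficiary"
        return False, "payee not whitelisted (adding a beneficiary itself needs SCA)"
    if ex == "recurring" or p.recurring:
        if (p.payee, p.amount) in st.recurring_authorised:
            return True, "Art. 14 recurring: same payee and amount, SCA done on the first"
        return False, "first recurring payment or changed amount: SCA required"
    if ex == "low_value":
        if p.amount > 30.0:
            return False, "Art. 16: amount above EUR 30"
        # Exempt while EITHER the EUR 100 cumulative OR the 5-transaction limit still holds.
        if st.amount_since_sca + p.amount > 100.0 and st.count_since_sca >= 5:
            return False, "Art. 16: both the EUR 100 and the 5-transaction limits are exhausted"
        return True, "Art. 16 low value"
    if ex == "tra":
        limit = tra_limit(issuer_fraud_rate)
        if p.amount <= limit:
            return True, f"Art. 18 TRA within ETV EUR {limit:.0f}"
        return False, f"Art. 18: amount exceeds ETV EUR {limit:.0f} at this fraud rate"
    return False, "no applicable exemption"


def record(p: Payment, st: CardState, exempted: bool) -> None:
    """Update the counters: an SCA-authenticated payment resets the Art. 16 counters
    and, if recurring, registers the (payee, amount) pair for later exemptions."""
    if exempted:
        st.amount_since_sca += p.amount
        st.count_since_sca += 1
    else:
        st.amount_since_sca = 0.0
        st.count_since_sca = 0
        if p.recurring:
            st.recurring_authorised.add((p.payee, p.amount))


def demo() -> List[bool]:
    """Constructed sequence of payments on one card; returns the exemption decisions."""
    st = CardState(trusted_beneficiaries={"utility-co"})
    fraud_rate = 0.0005  # assumption: 0.05%, so the issuer's ETV is EUR 250
    decisions = []
    for p in [
        Payment(25.0, "coffee", "low_value"),
        Payment(240.0, "electronics", "tra"),
        Payment(300.0, "electronics", "tra"),                      # above the ETV
        Payment(80.0, "utility-co", "trusted_beneficiary"),
        Payment(9.99, "streaming", "recurring", recurring=True),   # first instalment: SCA
        Payment(9.99, "streaming", "recurring", recurring=True),   # second: exempt
    ]:
        ok, _reason = may_exempt(p, st, fraud_rate)
        record(p, st, ok)
        decisions.append(ok)
    return decisions


if __name__ == "__main__":
    print(demo())   # [True, True, False, True, False, True]
```

Note that a requested exemption is only an indicator from the merchant side; the liability shift and the decision remain with the issuer, which is why the counters live on the issuer's side of the ACS.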

To sum up

A considerable leap happened between 3D Secure 1 and 3D Secure 2, driven by fast-moving global digitalization that demands more security and less friction. The new versions of the protocol overcome the obstacles 3D Secure 1 encountered: they are compliant, flexible, secure and user-friendly.

If you want to find out more, contact our Asseco 3D Secure Team at [email protected] or download the datasheet.

The interdependence of security and user experience is an everlasting topic. The common denominator that ties the two together is the authentication method used during online payment processing. Below we explore which authentication methods provide a seamless user experience while keeping you secure from fraud.

Authentication methods in a nutshell

Authentication is the process of verifying the identity of a user requesting access to a particular service. Until recently, simple credentials in the form of a username and password would suffice, but today's security standards demand something much stronger.

Different business requirements demand different security levels, achieved by carefully choosing or combining the various authentication methods available. User experience plays a significant role in user satisfaction during online payment processing, so the authentication method applied must provide convenience and security at the same time. If the authentication process is inconvenient or does not run smoothly, it causes high cart abandonment rates. If, on the other hand, it does not provide appropriate security, the threat of payment card fraud rises and results in chargeback costs.

Balancing security and user experience is a challenge, but we at ASEE know how to approach it. The answer lies in Strong Customer Authentication (SCA), which enables various authentication methods tailored to the user's needs.

PSD2 driving innovation in online payment security

As part of the PSD2 regulation, the Strong Customer Authentication (SCA) requirement has been in force since September 2019. SCA presents an additional layer of security in online payments and is based on at least two independent authentication factors from the following categories: knowledge (something only the user knows, e.g. a PIN or password), possession (something only the user possesses, e.g. a phone or SIM card) and inherence (something the user is, e.g. a fingerprint).

This means that stakeholders had to get creative and adopt a variety of authentication methods so that end-users can complete a seamless and secure online payment.

Our top 5 authentication methods

We prepared a comprehensive list of authentication methods that provide both security and convenience during the processing of an online payment. Let's dig in!

1. Biometric Authentication

Biometric authentication relies on a user's unique biological traits to verify their identity, which makes biometrics one of the most secure authentication methods available today. It also causes less friction than PIN- and password-based methods, making for a great user experience. The most common identifiers include fingerprint scans, facial recognition and voice recognition.


Hard to spoof – biometric identifiers such as fingerprints and retina patterns are by definition unique to each individual. When combined with dynamic linking (i.e., binding the authentication code to the transaction amount and payee), redirecting an approved authentication to a different transaction is practically infeasible.

Simple to use – does not require memorizing various PINs and passwords, a straightforward authentication process.

Fast and reliable – biometric authentication provides more security and is less time-consuming.


Privacy concerns – one of the major issues users have with this method is privacy. Even though the concern is largely subjective, it prevents a significant number of cardholders from using it. In practice, biometric templates are stored in a trusted execution environment on the device, encrypted and inaccessible to the regular operating system and to the payment application, which only receives the result of the match.

Possible errors – errors including false acceptance and false rejection of an authentication attempt.

2. QR Code

QR code authentication is typically used for user login and transaction confirmation. A typical transaction flow starts with the user logging into their internet banking web application and opening a payment order. The web application offers to confirm this payment via a QR code presented on the screen. The user scans the QR code with their smartphone using authenticator software (which can be part of their mobile banking application), is presented with the transaction details, and, after checking that the displayed data is correct, confirms the online payment on the phone.


Simple to use – authentication process is straightforward.

2FA-ready – easily combines with other authentication factors for increased security.

No additional hardware – no dedicated hardware token is needed.


Lack of familiarity – the general public is not widely familiar with this particular authentication method, resulting in a possible poor customer experience.

Device dependence – requires a smartphone with the correct reader software capable of scanning the QR code.

3. SMS OTP

This simple yet effective method involves sending an SMS message to the user's mobile phone containing a one-time password that finalizes the authentication of the online payment. The message usually quotes the transaction details (amount and payee) alongside the code, so the user can check what they are confirming.


Simple to use – the authentication process is straightforward.

Possession – only the user who holds the registered phone (more precisely, its SIM card) receives the OTP and can confirm the transaction by entering it.

Familiarity – SMS OTP is one of the oldest forms of two-factor authentication, making it widely accepted by users and supported by most platforms.


Mobile network requirement – if the user has no mobile network coverage, they will not receive the OTP. SMS delivery is also not guaranteed to be real-time; a delayed message may arrive after the authentication window has expired.

Compliance – SMS OTP alone is only a possession element (the SIM card), so it must be paired with a knowledge factor to satisfy PSD2 SCA. Even then, possession is weakly proven: a fraudster who holds a stolen phone, or who has taken over the number through SIM swapping, receives the OTP and can process the transaction.
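The delivery-delay and misuse points above translate into a handful of server-side rules. The following is an added example (written for this page, not Asseco/ASEE code) of an issuer-side SMS OTP service that binds the code to the amount and payee quoted in the message, stores only a keyed hash of it, expires it, limits guesses and makes it genuinely one-time. The 3-minute window, the three-attempt limit, the SMS wording and the server secret are constructed assumptions; actually sending the SMS is out of scope and is represented by the returned message text.

```python
"""Added example: lifecycle of a transaction SMS OTP on the issuer side.
Timings, limits, wording and the server secret are constructed for illustration."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, List, Optional

OTP_TTL_SECONDS = 180    # assumption: the code must be typed within 3 minutes of issue
MAX_ATTEMPTS = 3         # assumption: three wrong guesses invalidate the code
SERVER_PEPPER = b"constructed-server-secret"   # constructed; keep it in an HSM/KMS in production


@dataclass
class PendingOtp:
    digest: bytes           # keyed hash over (txn id, amount, payee, code); the code is never stored
    expires_at: float
    attempts_left: int = MAX_ATTEMPTS


def otp_digest(txn_id: str, amount: str, payee: str, code: str) -> bytes:
    """Bind the code to the very details the SMS quotes to the user."""
    msg = "|".join((txn_id, amount, payee, code)).encode()
    return hmac.new(SERVER_PEPPER, msg, hashlib.sha256).digest()


class OtpService:
    def __init__(self) -> None:
        self.pending: Dict[str, PendingOtp] = {}

    def issue(self, txn_id: str, amount: str, payee: str, now: Optional[float] = None) -> str:
        """Generate a 6-digit code, store only its digest, return the SMS text to send."""
        code = f"{secrets.randbelow(10 ** 6):06d}"
        issued = now if now is not None else time.time()
        self.pending[txn_id] = PendingOtp(otp_digest(txn_id, amount, payee, code),
                                          issued + OTP_TTL_SECONDS)
        return f"Code {code} confirms payment of {amount} EUR to {payee}. Never share it."

    def verify(self, txn_id: str, amount: str, payee: str, code: str,
               now: Optional[float] = None) -> str:
        p = self.pending.get(txn_id)
        if p is None:
            return "unknown transaction"          # never issued, already used, or locked
        if (now if now is not None else time.time()) > p.expires_at:
            del self.pending[txn_id]
            return "expired"                      # e.g. the SMS arrived too late
        if hmac.compare_digest(p.digest, otp_digest(txn_id, amount, payee, code)):
            del self.pending[txn_id]              # one-time: a replay hits "unknown transaction"
            return "ok"
        p.attempts_left -= 1
        if p.attempts_left <= 0:
            del self.pending[txn_id]
            return "locked"
        return "wrong code"


def code_from_sms(text: str) -> str:
    """Extract the code from the constructed SMS text (what the user would type)."""
    return text.split()[1]


def scenario() -> List[str]:
    """Constructed sequence: payee swapped in transit, a guess, the real code, a replay, a late SMS."""
    svc = OtpService()
    t0 = 1_700_000_000
    code = code_from_sms(svc.issue("txn-1", "49.90", "Bookshop", now=t0))
    wrong = "000000" if code != "000000" else "111111"
    results = [
        svc.verify("txn-1", "49.90", "Mule Account", code, now=t0 + 30),   # genuine code, different payee
        svc.verify("txn-1", "49.90", "Bookshop", wrong, now=t0 + 31),      # a guess
        svc.verify("txn-1", "49.90", "Bookshop", code, now=t0 + 32),       # the real thing
        svc.verify("txn-1", "49.90", "Bookshop", code, now=t0 + 33),       # replay of a used code
    ]
    late = code_from_sms(svc.issue("txn-2", "10.00", "Cafe", now=t0))
    results.append(svc.verify("txn-2", "10.00", "Cafe", late, now=t0 + 400))  # delivered after the window
    return results


if __name__ == "__main__":
    print(scenario())   # ['wrong code', 'wrong code', 'ok', 'unknown transaction', 'expired']
```

Because the digest covers amount and payee, an OTP phished from the user or read off a stolen device is only good for the exact transaction it was issued for, and only until it is used or expires.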

4. Push Notification

A push-based authentication system sends a notification to an app on the user's device, informing them of an authentication attempt. The user can inspect the details of the attempt (e.g., the transaction taking place) and, based on whether they recognize it, either confirm or deny the request.


Simple to use – if the authentication details do not raise any suspicion, the user simply confirms the authentication request.

Efficient fraud protection – push-based authentication makes dynamic linking simple to implement: the app shows the amount and payee and computes the authentication code over exactly those details, which is effective against phishing and MITM (man-in-the-middle) attacks.

Low cost – this method leverages user's existing mobile phones, eliminating additional hardware costs and maintenance costs.


Data access – notifications are delivered over data networks, so the user must have an internet connection on the device.

Security issues – the user might approve a fraudulent transaction out of habit, since people tend to approve incoming notifications automatically; attackers exploit this by sending repeated requests until one is accepted.

Dependency – push notification authentication requires an appropriate mToken application to be installed and activated on the user's device, i.e., the cardholder has to take certain steps before the method becomes available.
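The dynamic linking mentioned for biometric, QR code and push authentication above is the same mechanism in all three cases, so here is one added example covering them (example code for this page, not Asseco/ASEE or mToken code). The bank issues a challenge bound to amount and payee, the authenticator app shows those fields and, only on approval, returns a code computed over exactly what was shown; the bank verifies against its own record. A man-in-the-browser that rewrites the payee in the order, and patches the QR/push payload so the user still sees the genuine payee, ends up with a code that does not verify. The key derivation, message layout, 2-minute validity and the shared HMAC key are constructed assumptions; a real mToken would hold an asymmetric per-device key in hardware-backed storage.

```python
"""Added example: dynamic linking for an out-of-band confirmation (QR or push).
Key handling, message layout and clock values are constructed for illustration."""
import base64
import hashlib
import hmac
import json
import os
import time
from typing import Callable, Optional

# Constructed: a per-device secret provisioned at mToken activation. A real
# authenticator would use an asymmetric key in hardware-backed storage instead.
DEVICE_KEY = b"constructed-device-key-do-not-reuse"
CHALLENGE_TTL = 120       # assumption: 2-minute validity window
T0 = 1_700_000_000        # fixed clock for the deterministic scenario below


def canonical(fields: dict) -> bytes:
    """Deterministic encoding of exactly the fields the user sees and approves."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def auth_code(fields: dict) -> bytes:
    return hmac.new(DEVICE_KEY, canonical(fields), hashlib.sha256).digest()


# --- bank side --------------------------------------------------------------
def issue_challenge(amount: str, currency: str, payee: str, now: Optional[float] = None) -> dict:
    """The record the bank keeps; the same dict is rendered as a QR code or pushed to the app."""
    return {
        "challenge_id": base64.urlsafe_b64encode(os.urandom(12)).decode(),
        "amount": amount,
        "currency": currency,
        "payee": payee,
        "expires": int((now if now is not None else time.time()) + CHALLENGE_TTL),
    }


def verify(bank_record: dict, response: Optional[dict], now: Optional[float] = None) -> bool:
    """Recompute the code over the bank's own record, never over what the client sent back."""
    if response is None or response.get("challenge_id") != bank_record["challenge_id"]:
        return False
    if (now if now is not None else time.time()) > bank_record["expires"]:
        return False
    try:
        given = base64.b64decode(response["auth_code"])
    except (KeyError, ValueError):
        return False
    return hmac.compare_digest(auth_code(bank_record), given)


# --- authenticator app side ---------------------------------------------------
def app_approve(shown: dict, user_accepts: Callable[[str], bool]) -> Optional[dict]:
    """Display the details; only on approval sign exactly what was displayed."""
    prompt = f"Pay {shown['amount']} {shown['currency']} to {shown['payee']}?"
    if not user_accepts(prompt):
        return None
    return {"challenge_id": shown["challenge_id"],
            "auth_code": base64.b64encode(auth_code(shown)).decode()}


def scenario(attacker_payee: Optional[str] = None, patch_display: bool = True) -> str:
    """Honest flow (no attacker), or a man-in-the-browser that swaps the payee in the
    order and optionally patches the QR/push payload so the user sees the real payee."""
    amount, currency, payee = "149.90", "EUR", "ACME Books Ltd"       # what the user ordered
    bank_record = issue_challenge(amount, currency, attacker_payee or payee, now=T0)
    shown = dict(bank_record, payee=payee) if patch_display else dict(bank_record)
    response = app_approve(shown, lambda text: payee in text)          # user checks the payee
    if response is None:
        return "rejected by user"
    return "approved" if verify(bank_record, response, now=T0 + 10) else "code mismatch"


if __name__ == "__main__":
    print(scenario())                                        # approved
    print(scenario("Mule Account 4711"))                     # code mismatch
    print(scenario("Mule Account 4711", patch_display=False))  # rejected by user
```

Two defences act together: the user rejects what looks wrong, and whatever they do approve is cryptographically tied to the displayed amount and payee, so the bank will not accept it for any other transaction.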

5. Behavioral Authentication

Behavioral authentication verifies a user's identity based on the unique patterns recorded while they interact with a device (e.g., smartphone, tablet, computer). Signals range from the angle at which the user holds their phone to the pressure applied while typing. This method allows for a genuinely frictionless experience while still providing a level of assurance about who is using the device.


Simple to use – straightforward authentication process.

Hard to spoof – just as fingerprints and retina patterns are unique to each individual, so is the way a user interacts with their device.

Great user experience – the authentication process is passive, and friction is out of the equation.


Context sensitive – results can be affected by the user's physical state and emotional behavior.

Invasion of privacy – the major issue users have with this method is privacy. What disturbs users most is not knowing what data is actually collected, who has access to it, and how it will be used in the future. How far is too far?

If you want to find out more about the most reliable and user-friendly authentication methods, contact the Asseco 3D Secure Team at [email protected] or download the datasheet.

© Asseco South Eastern Europe 2021. All rights reserved