In the past, 3DS authentication was performed with an OTP (One Time Passcode). The updated 3DS process aims to reduce false declines and improve user experience all around — creating a faster and more secure checkout experience.
EMVCo* recognized that online fraud is expanding and that companies need to validate the security of transactions and customer identification. The earlier version of 3DS also caused a drop in conversion rates due to unfriendly checkout flows.
New best practices for 3DS2
Designed around the principles of Strong Customer Authentication (SCA), the significant difference between 3DS 1 and 3DS 2 is that user authentication now uses at least two of the following identification methods: “something the user knows” (e.g., password), “something the user is” (e.g., fingerprint), “something the user owns” (e.g., mobile device).
The 3DS 2 flow draws on the data accumulated from actions the user performs on the device (such as fingerprint authentication, device ID, IP address, and more) and responds accordingly to finalize the user’s authentication.
Strong Customer Authentication (SCA) has become mandatory for all online transactions in Europe. Card issuers (banks) need to implement the aforementioned two-factor authentication for all card payments. While some exemptions apply, merchants are advised not to rely on exemption flows and to adhere to the most secure flows to ensure the highest approval rates.
How 3DS benefits merchants
In spite of the challenges, 3DS 2 has many benefits for both merchants and customers. It allows payment providers to send more data to the cardholder’s issuing bank, e.g., device and order history. The bank can use this data to recognize the user in the future and avoid repeated requests for identity authentication, making frictionless authentication a common practice. 3DS 2 also gives buyers more options to authenticate their identities, e.g., via a thumbprint, app-based authentication, or a one-time password. Authenticated transactions end up having a better approval rate in the authorization step.