Ai Editorial: Stepping up authorization for digital transactions via 3D Secure 2.0

First Published on 8th May, 2017

Ai Editorial: 3D Secure 2.0 is a data-driven initiative that supports digital payments and features expanded capabilities in terms of security and user experience, writes Ai’s Ritesh Gupta


The experience of searching for a flight and trip essentials can be a laborious one. In an era when travel e-commerce brands are jostling for winning “micro-moments”, losing out a conversion owing to an additional authentication layer at the time of checkout isn’t good news.

We all dread those few extra seconds, or the need for entering a password (which aren’t easy to remember) for a transaction to pass through.   

Even for airlines, as merchants, it isn’t easy to verify the authenticity of transaction as one can pay via a browser, mobile app, or connected device. So being in control of the purchase experience as well as controlling the chargeback level or fraud is always a tricky situation for airlines. 

Of course, 3D Secure has been around for a while, but airlines can’t go ahead with a binary view to such payer authentication; implement it across all transactions or don’t implement it at all. Travel e-commerce brands have been diligently looking at ways to choose the authenticate type and avoid unnecessary checkout issues, and getting better with “liability shift”.

3D Secure 2.0

3D Secure sets up an authentication data link between online merchants, payment networks and financial institutions to assess and share more intelligence about transactions. It has been widely acknowledged that the specification 1.0 was set up for PCs, and there wasn’t enough to deal with friction in the customer experience. A major issue with the traditional approach of 3D Secure today is transactions via mobile. 

Among the latest developments, 3D Secure 2.0 is being termed as a potential boost for digital commerce with quick, secure authentication, propelled by robust fraud-related intelligence. It strengthens the quality of real-time predictive risk scoring for both merchants and issuers. The new specification that would support app-based authentication and there would be integration with digital wallets, too.

Early adoption of the new specification is scheduled to begin in the second half of this year.

The two versions will run in parallel at this juncture. So support for both the versions would be critical as adoption rates of the updated specification among card issuers and merchants will vary.

For their part, EMVCo, a company which is collectively owned by American Express, Discover, JCB, Mastercard, UnionPay and Visa, introduced specifications for 2.0 in the last quarter of last year.

The industry is gearing up for 3D Secure 2.0. Merchants and issuers are already working on their implementations.

For their part, Visa has stated that in order to ensure issuers and merchants “have time to test, pilot, refine and fully roll out solutions, current Visa rules for merchant-attempted 3-D Secure transactions will extend to 3-D Secure 2.0 beginning April 2019”.  




There are several areas, encompassing the shopping experience, mobile transactions, support for digital payments, cutting down false positives etc. that are being addressed with this new specification.

This new messaging protocol elevates the buying experience by facilitating intelligent risk-oriented decisioning that would result in frictionless authentication. Also, it lists use of numerous choices for step-up authentication, including one-time passcodes as well as biometrics.

The 3D Secure 2.0 is a data-driven initiative, and it means that passing data earlier offers merchants the ability to decide whether to authenticate a transaction or not. There would be a streamlined authentication, based on data elements shared through the protocol. The requirement of having to authenticate via static passwords would be done away with. The data available includes transaction related information as well as details about the device being used for the transaction. In fact, the 2.0 protocol will make extensive use of device data. This update also comes with the possibility to use token-based and biometric authentication, instead of passwords. So in the future a 3D Secure authentication will take place entirely in-app, with the touch of a finger.

There is a need to ensure a simple integration for additional data fields. The update paves way for a real-time, safe, information-sharing pipeline that merchants can pass on transaction attributes that the issuer can avail to validate users more precisely without asking for a static password or cutting down the pace of shopping experience. By supporting additional data during transactions, risk-based decisions will be possible on whether to authenticate or not.

As we highlighted in one of our recent articles, rigidity due to pre-constructed rules can now be combated with data sharing and data intelligence. And the release of 3D Secure 2.0 specifications, too, needs to be followed for the same. One way to ensure the decline rate is relatively lower could be via availability of quality data. Giving issuers a chance to interject themselves into the checkout can improve upon the risk assessment. So what was being done sporadically can be done in a widespread manner i. e. enabling issuers to amend their authorization risk settings and tie the authorization to the authentication. Enriched data flow with stakeholders with a better ability to approve “good” transactions.

The need to come up with 3D Secure 2.0 also grew owing to the prominence of non-browser-based, card-not-present payments used in-app, mobile and digital wallets. So as for mobile-related focus, one of the objectives of the new specification is to make the message interface and authentication flows amenable to mobile platforms.

As highlighted by Adyen, customer pain points are expected to be sorted out. For instance, the authentication will take place within a website’s environment, removing the need for a redirect. Also, importantly, it will feature SDKs that make it possible to set up authorization flows in-app, greatly enhancing the mobile experience.

Specialists have already underlined the significance of an analytics-driven approach to risk-based authentication, and issuers need to gear up for the highest granularity of control over the risk decision featuring advanced analytical methods.


Follow Ai on Twitter: @Ai_Connects_Us