Ai Editorial: Optimizing UX for transactions being “challenged” under 3DS 2.0

4th June, 2019

Ai Editorial: 3DS 2.0 promises to combat fraudulent online transactions, but merchants need to cut down the possibility of losing out on payments when transactions are authenticated using the new version of 3DS, writes Ai’s Ritesh Gupta


The transition to the new version of 3D Secure is being followed closely, owing to its impact on the shopping experience and on the security of a transaction.

This is especially so for high-risk transactions and in a market like Europe, where PSD2 introduces strict security requirements for the initiation and processing of electronic payments, which apply to all payment service providers. In Europe, organizations are expected to upgrade to the new version by September 2019, to be ready for the enforcement of Strong Customer Authentication (SCA). Since this directive mandates changes in how fraud review must be conducted on intra-EU transactions, critical issues such as cart abandonment need to be evaluated in detail. The SCA aspect of the PSD2 directive can have a negative impact on revenue generation, and this is what stakeholders are concerned about.

It is being highlighted that 3-D Secure 2.0 will pave the way for a real-time, protected, details-sharing channel that merchants can use to send an unmatched number of transaction attributes, which the issuer can use without requiring a static password. One of the highlights of 3DS 2.0 is data sharing. This data exchange is relatively richer owing to the combination of certified SDKs in the checkout flow, paired with data sharing APIs. Authorization rates can be improved with no perceivable alteration to the checkout flow.

Depending on the sort of data provided by merchants and their respective payment service providers, the issuer is expected to act in one of two ways to decide on the course of action for the payment. If the information provided is considered sufficient to assess the authenticity of the buyer, the transaction is eligible for a frictionless flow, and authentication isn’t interrupted from the shopper’s perspective. If the transaction isn’t in line with the normal purchasing pattern, it ends up in what is being called a challenge flow, where a one-time password from the buyer is needed to authenticate the payment. This is where the efficacy of the new version comes in, as the challenge flow is blended into the mobile checkout experience without redirects. Visa states that merchants can embed 3DS 2.0 into a web page or native application. One can customize the user interface elements (e.g., buttons, fonts, inputs) for all content for any challenge method used. The mobile SDKs will set up flows within apps. This indicates that a shopper won’t be required to finish the payment in a separate browser-based flow.

Assessing the impact

Merchants need to be alert to the fact that a refined 3DS 2 user experience alone won’t pave the way for an optimal acceptance rate. Merchants need to be clear about which transactions require authentication and which don’t.

Rodrigo Camacho, Chief Commercial Officer, Nethone, says merchants shouldn’t push 3DS for all transactions.

“At Nethone we have found that 3DS typically costs merchants anywhere between 2% and 3.5% in conversion rates in Europe and upwards of 15% in the Americas,” mentioned Camacho in a company blog post. “Typically we have seen that it’s only necessary to push 3DS to less than 8% of your traffic which will lower the impact on your conversion rates by more than 90%.”

According to another analysis, Ravelin’s data indicated that 3DS with improved user experience still lost 19% of payments.

Being prepared

When customers are asked to verify transactions, they are presented with a challenge flow. The challenge method that's used is determined by the issuer. 

Visa recommends 3 UX principles:

  • Keep it clear
  • Think human, not robotic
  • Be trustworthy

As explained by Visa, the three verification methods are as follows:

  • One-time passcode (OTP) - Customers verify transactions using a secure code sent by text or email. Issuers can choose which delivery channels to make available for the customer. Both are recommended.
  • Knowledge-based authentication (KBA) - Customers verify transactions by answering knowledge-based questions.
  • Out-of-band (OOB) - Customers verify transactions by entering a passcode or using a biometric feature.

Also, a customer's purchase can be verified on the existing issuer app by entering sign-in credentials. Visa also states that since many iOS and Android users already have the ability to use fingerprint scanning to access their phones, it recommends using the same method to authenticate customers. The team also advises that any biometric authentication be used in addition to a passcode, so that if biometric authentication issues arise, the customer may switch to a passcode. Other methods of authentication are face recognition and voice recognition, which can be done directly via the issuer app or via a connected device linked to an issuer app, such as a digital watch.

Other than UX, there are technical details that also come into play. According to Adyen, these are the front-end libraries (to securely collect and transmit device information, as well as to display authentication flows) and the 3D Secure server. Both work together to exchange information and request authentication.

What to expect

Sasha Pons, Product Director at Ingenico, believes that the deployment of the new version of 3DS is going to be an iterative process, shaping up as version 2.1, version 2.2 and so on.

“Such a huge shift in the way merchants collect and share data will not happen overnight. There will be a period of adjustment, and you can take some comfort in the fact that many merchants like you will be going through the same thing,” Pons mentioned in a recent blog post. “What 3DS v2 asks of merchants will change as the practical realities of the new standard become clearer.”

He expects that the particular rules around the format and quality of the data needed will evolve as time progresses.


