3D Secure 2.0 Authentication

In October 2016, EMVCo published the specification for 3-D Secure 2.0; it is designed to be less intrusive than the first version of the specification, allowing more contextual data to be sent to the customer’s card issuer to verify and assess the risk of the transaction.

3D Secure 2.0 (also known by its brand names: Visa Secure, Mastercard Identity Check or American Express SafeKey) allows customers in the UK and Europe to meet the Strong Customer Authentication (SCA) requirement under the PSD2 regulation. It also shifts liability for fraudulent transactions to the issuer. 

3DS2 is also recommended for US merchants, as it means the liability for fraud-related chargebacks shifts from the merchant to the issuing bank.

When 3DS2 is involved in a transaction, it may redirect the customer to the card issuer’s website to authorize the transaction. Each issuer can use any kind of authentication method, such as biometrics or one-time passwords.

Only the riskiest transactions will go through additional cardholder verification. The rest are authenticated invisibly and receive liability shift. When the issuing bank has enough data about the customer and can approve the transaction without the cardholder having to input more information, the payment will qualify for frictionless authentication.

3DS2 also helps you reduce the risk of losing money through chargebacks, as the liability for fraud-related chargebacks shifts from your business to the issuing bank.

If you’re using Pay.com’s Pay Components hosted field solution or the Pay Checkout hosted payment page, then implementing 3DS2 is as simple as including an extra field (request_threed_secure) within the payment API call. The rest, including any issuer authentication requests, will be handled by Pay.com on your behalf.

The request_threed_secure field within the Create Payment API call allows merchants to control the 3DS2 challenge flow by passing their preferred authentication method.
The options are:
None - No 3DS2 is performed. Available for US merchants only, as 3DS2 is mandatory in the UK and the EU.
Automatic - The card issuer makes an informed decision on whether the transaction is stepped up to 2-factor authentication or authenticated via a frictionless flow.
Challenge - This forces a step up and asks for the cardholder to authenticate themselves regardless of the issuer’s decision.
Exemption - This request will look to authenticate the transaction via a frictionless flow by asking the issuer for a TRA (Transaction Risk Analysis) exemption. This is only available to approved merchants due to the liability shift toward merchant & acquirer.
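
The option rules above can be enforced on the server before the payment call is built, so that a misconfigured or client-supplied value cannot switch 3DS2 off or request an exemption the merchant is not approved for. The following is an added example, not Pay.com's code: only the request_threed_secure field and its four options come from this page, while the wire spelling of the values, the merchant attributes, the other body fields and the fallback to Automatic are assumptions.

```python
# Added example. Only the request_threed_secure field and its four options come
# from the page; every other name and the wire spelling of values are assumed.
MODES = {"None", "Automatic", "Challenge", "Exemption"}


class ThreeDSPolicyError(ValueError):
    """The requested 3DS2 mode is not allowed for this merchant."""


def resolve_threed_secure(requested, merchant_region, tra_approved=False):
    """Return the request_threed_secure value to send, or raise.

    requested       -- mode string chosen by server-side config, or Python None
    merchant_region -- "US", "UK" or "EU" (hypothetical merchant attribute)
    tra_approved    -- merchant has been approved for TRA exemptions
    """
    # Assumption of this example: with nothing configured, let the issuer decide.
    mode = "Automatic" if requested is None else requested
    if mode not in MODES:
        raise ThreeDSPolicyError(f"unknown 3DS2 mode: {mode!r}")
    # "None" skips 3DS2 entirely; the page allows it for US merchants only.
    if mode == "None" and merchant_region != "US":
        raise ThreeDSPolicyError("3DS2 is mandatory for UK and EU merchants")
    # "Exemption" moves liability toward merchant and acquirer; approved only.
    if mode == "Exemption" and not tra_approved:
        raise ThreeDSPolicyError("TRA exemption requires an approved merchant")
    return mode


def build_payment_body(amount_minor, currency, merchant, requested=None):
    """Assemble a Create Payment body (amount/currency names are hypothetical)."""
    return {
        "amount": amount_minor,
        "currency": currency,
        "request_threed_secure": resolve_threed_secure(
            requested, merchant["region"], merchant.get("tra_approved", False)
        ),
    }


if __name__ == "__main__":
    uk_shop = {"region": "UK"}  # constructed sample merchant
    print(build_payment_body(2500, "GBP", uk_shop))
    try:
        build_payment_body(2500, "GBP", uk_shop, requested="None")
    except ThreeDSPolicyError as err:
        print("rejected:", err)
```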