Recent technology advancements have made biometrics part of everyday life, and customer experience has laid the foundation for the latest consumer-centric financial products. PSD2 (Revised Payment Services Directive) sets common standards across the EU and highlights the importance of security by enabling a safe open banking experience. These updates have forced standards and protocols to adapt. The 3D Secure 2.0 security protocol is one of the key changes deriving from PSD2 and its SCA (Strong Customer Authentication) requirements.
What is 3D secure?
3D Secure was developed in 2001 by the Arcot Systems company. The main purpose was to provide better security for online payments. To enhance security, the 3D Secure protocol uses XML messaging and SSL communication.
Visa was the first to introduce it on a large scale for their internet payments. For obvious reasons, others like MasterCard and American Express followed.
The 3 D’s stand for the three-domain model: Acquirer Domain (the bank and the merchant receiving the payment), Issuer Domain (the bank that issued the card) and Interoperability Domain (the infrastructure connecting the two).
Some benefits of 3D Secure protocol for both payment service providers (PSPs) and payment service users (PSUs) include:
- Liability shifted to the issuing bank in case of a chargeback.
- Fraud prevention through securing against fraudulent chargebacks.
- Access to lower interchange fees and longer payment terms.
- An extra level of security to protect sensitive data.
Security: passwords bite the dust?
The 3D Secure protocol has often been targeted by critics. The main issues derived from the fact that the first iterations could not keep up with the fast-paced technological environment. Launched in 2001, the security protocol was never meant to be used in mobile environments and has always been a step behind the digital transformation.
Therefore, the protection provided was not enough. Weak points such as the pop-up authentication window left the cardholder to judge the authenticity of the window and to distinguish a legitimate issuer page from a fraudulent phishing site. The script-based framework also gave the user no way to verify the page’s security certificate.
In addition, end-users were prompted to set up new passwords in order to sign transactions. A model that was appropriate 18 years ago could not continue in the era of biometrics.
3D secure 2.0 – what’s new?
EMV® 3DS 2.0 specifications were published in October 2016, improving both security and customer experience through a less intrusive flow. The new PSD2 regulation has played an obvious role in shaping the new protocol and making it compliant with the EU’s SCA mandates.
According to the new PSD2 regulation and its SCA (Strong Customer Authentication) specifications, any authentication process must use two out of three factors: knowledge, possession or inherence (biometrics).
In a nutshell, the EMV® 3DS 2.0 protocol allows passive or out-of-band authentication through API integrations, and two-factor authentication via a one-time password (OTP) or biometrics such as keystroke dynamics or facial recognition.
Other EMV® 3DS2 improvements
EMV® 3DS 2.0 also allows risk analysis of data about the transaction context, the merchant and the cardholder. This enables risk-based authentication, which meets the PSD2 provision requiring a risk assessment before a transaction is signed. Before PSD2, merchants could opt in to the 3D Secure protocol and choose to further secure only high-risk transactions according to their payment solution’s rules.
With this new regulation, all EU transactions over 30 EUR fall under SCA. Even though some low-risk transactions will not require authentication, banks can choose not to honor these exemptions and request that the customer completes an authentication. In order to avoid massive user drop-off, all businesses operating in the EU must be PSD2 ready.
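To make the two rules above concrete, the following added example (not TypingDNA’s code, nor part of the EMV 3DS specification) models a toy SCA policy: first, whether a transaction needs SCA given the 30 EUR threshold, a low-risk verdict from the merchant’s risk analysis, and the issuer’s choice to honor or decline the exemption; second, whether a completed authentication actually spans two distinct factor categories (knowledge, possession, inherence) rather than two methods of the same kind. The method-to-category mapping, the `Transaction` fields and the risk verdict are assumptions for illustration.

```python
"""Toy SCA policy evaluator (added example, not from the original post).

Assumed inputs: the merchant's risk analysis supplies a low_risk verdict and
the issuer's exemption decision is known; both are hypothetical fields.
"""
from dataclasses import dataclass
from enum import Enum


class Factor(Enum):
    KNOWLEDGE = "knowledge"    # something the user knows (password, PIN)
    POSSESSION = "possession"  # something the user has (phone receiving an OTP)
    INHERENCE = "inherence"    # something the user is (face, typing pattern)


# Assumed mapping of concrete methods to their SCA factor category.
METHOD_CATEGORY = {
    "password": Factor.KNOWLEDGE,
    "pin": Factor.KNOWLEDGE,
    "sms_otp": Factor.POSSESSION,
    "app_push": Factor.POSSESSION,
    "face": Factor.INHERENCE,
    "keystroke_dynamics": Factor.INHERENCE,
}

SCA_THRESHOLD_EUR = 30.0  # from the page: EU transactions over 30 EUR fall under SCA


@dataclass
class Transaction:
    amount_eur: float
    in_eea: bool                        # merchant and customer within the EEA
    low_risk: bool                      # verdict of the risk analysis (hypothetical)
    issuer_honors_exemption: bool = True  # issuer may decline the exemption


def sca_required(tx: Transaction):
    """Return (required, reason) for a transaction under the page's rules."""
    if not tx.in_eea:
        return False, "outside the EEA: PSD2 SCA does not apply"
    if tx.amount_eur <= SCA_THRESHOLD_EUR:
        return False, "at or below the 30 EUR threshold"
    if tx.low_risk and tx.issuer_honors_exemption:
        return False, "low-risk exemption honored by the issuer"
    if tx.low_risk:
        return True, "low-risk exemption declined by the issuer"
    return True, "over 30 EUR with no exemption"


def satisfies_sca(methods):
    """True when the completed methods cover at least two distinct factor categories.

    Two methods of the same category (e.g. password + PIN) do not count as
    two factors. An unknown method name is an error rather than a silent pass,
    so a misconfigured policy cannot accidentally count as strong authentication.
    """
    categories = set()
    for m in methods:
        if m not in METHOD_CATEGORY:
            raise ValueError(f"unknown authentication method: {m!r}")
        categories.add(METHOD_CATEGORY[m])
    return len(categories) >= 2


if __name__ == "__main__":
    # Constructed sample transactions.
    for tx in (
        Transaction(25.0, in_eea=True, low_risk=False),
        Transaction(80.0, in_eea=True, low_risk=True, issuer_honors_exemption=False),
        Transaction(80.0, in_eea=False, low_risk=False),
    ):
        print(tx, "->", sca_required(tx))
    print("password + pin:", satisfies_sca(["password", "pin"]))
    print("sms_otp + keystroke_dynamics:", satisfies_sca(["sms_otp", "keystroke_dynamics"]))
```

The separation between the two functions mirrors the protocol: the first decides whether a challenge is needed (and who gets to waive it), the second checks that the challenge, when performed, meets the two-of-three requirement.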
No more frames or popups
Payments will keep the same look and feel across device and interface types. This is also an important security feature, as it removes the pop-up that third-party phishing pages could imitate.
The new protocol makes digital authentication possible on a large scale across many device types. It therefore enables payments in applications and browser-based solutions, on mobile and other consumer-connected devices.
Secure payments for the mobile-first approach
The new protocol will support more than just card-based payments, as it will also be used for other transactions such as in-app and digital wallet payment methods.
To determine whether the new SCA regulation applies to your business, check whether all of the points below hold:
- The business is based in the European Economic Area (EEA) or creates payments on behalf of connected accounts based in the EEA
- You work with customers in the EEA
- You accept cards (credit or debit)
By offering keystroke dynamics authentication compliant with PSD2 and SCA, TypingDNA enables businesses across multiple domains to keep up with the latest regulations. TypingDNA supports companies to achieve seamless authentication and stellar security for both clients and employees.
Schedule a personalized demo or simply send us your questions on SCA compliance here.