By 14 September 2019, strong customer authentication (SCA) will be required for online credit card payments according to the Payment Service Directive II (PSDII) announced by the European Banking Authority (EBA).
The cardholder has to authenticate themselves with two of the following three authentication factors:
Knowledge: Something you know, e.g. a password, PIN or other security questions only known by the customer.
Possession: Something you own, e.g. a smartphone, token or any other item owned by the customer.
Inherence: Something you are, e.g. a fingerprint or other biometric attributes that uniquely identify the customer.
In order to fulfil the PSDII requirements for online credit card payments, a new version of the 3D Secure authentication protocol has been specified by EMVCo, which all stakeholders in the credit card environment (card schemes, issuers, acquirers, merchants) have to support by 14 September 2019.
A 3DS 2.0 authentication has to be initiated either as part of the storage of credit card credentials or before an actual credit card payment. The SCA is performed as a challenge to the cardholder asking for two of the three authentication factors listed above. Which factors are used is up to the card issuing bank, which is in charge of the challenge. The challenge window can now be integrated as an iFrame into the checkout, rather than fully redirecting the cardholder to a page hosted by the issuer.
As with 3DS 1.0, 3DS 2.0 gives the merchant a full liability shift to the issuer once an authentication has been successfully initiated.
Because 3DS 2.0 supports many more input parameters (see Parameters), card issuing banks can perform their own transaction risk analysis based on them, wherever the PSDII allows this.
Depending on the outcome of that analysis, issuers may fully authenticate cardholders without any challenge (the frictionless flow). This improves the user experience and, in particular, conversion for merchants considerably compared to 3DS 1.0.
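The "two of three factors" rule above is easy to get wrong in practice: two pieces of evidence from the same category (for example a password plus a security question, both "something you know") do not satisfy SCA, no matter how strong each one is. The following is an added example, not code from the original page or from EMVCo, showing how an issuer-side check can verify that the evidence collected during a challenge spans at least two independent categories. The evidence names and their category mapping are assumptions constructed for this example.

```python
from enum import Enum
from typing import Dict, Iterable, Set


class Factor(Enum):
    """The three SCA authentication categories named in PSDII."""
    KNOWLEDGE = "knowledge"      # something you know
    POSSESSION = "possession"    # something you own
    INHERENCE = "inherence"      # something you are


# Constructed catalogue (assumption for this example): the kinds of evidence an
# issuer might collect during a 3DS 2.0 challenge, mapped to their SCA category.
EVIDENCE_CATEGORY: Dict[str, Factor] = {
    "password": Factor.KNOWLEDGE,
    "pin": Factor.KNOWLEDGE,
    "security_question": Factor.KNOWLEDGE,
    "otp_to_registered_phone": Factor.POSSESSION,
    "hardware_token": Factor.POSSESSION,
    "fingerprint": Factor.INHERENCE,
    "face_recognition": Factor.INHERENCE,
}


def sca_categories(evidence: Iterable[str]) -> Set[Factor]:
    """Return the set of distinct SCA categories covered by the given evidence.

    Unknown evidence types are rejected rather than silently ignored, so a
    misconfigured challenge cannot accidentally pass as authenticated.
    """
    covered: Set[Factor] = set()
    for item in evidence:
        try:
            covered.add(EVIDENCE_CATEGORY[item])
        except KeyError:
            raise ValueError(f"unknown evidence type: {item!r}") from None
    return covered


def satisfies_sca(evidence: Iterable[str]) -> bool:
    """True only if the evidence spans at least two *different* categories.

    Several items from one category (e.g. password + security question) count
    as a single factor and therefore do not satisfy strong customer
    authentication.
    """
    return len(sca_categories(evidence)) >= 2


def is_valid_challenge_plan(first: str, second: str) -> bool:
    """Check an issuer's chosen factor pair before the challenge is shown.

    The issuer decides which factors to ask for; this verifies that the chosen
    pair will actually be able to meet the two-of-three requirement.
    """
    return EVIDENCE_CATEGORY[first] != EVIDENCE_CATEGORY[second]


if __name__ == "__main__":
    # Constructed sample outcomes of a challenge.
    print(satisfies_sca(["password", "otp_to_registered_phone"]))   # knowledge + possession
    print(satisfies_sca(["password", "security_question"]))         # knowledge only
    print(satisfies_sca(["fingerprint", "pin"]))                    # inherence + knowledge
    print(is_valid_challenge_plan("pin", "password"))               # same category
```

The check deliberately works on categories rather than on the count of prompts: the number of screens the cardholder sees says nothing about whether the factors are independent.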
| 3DS 1.0 | 3DS 2.0 |
|---|---|
| Authentication always connected to a payment transaction | Authentication can be initiated without a payment |
| Cardholder is sent into challenge by default | Frictionless flow supported by issuers |
| Bad customer experience due to bad implementation with some issuing banks | Improved customer experience due to support of frictionless flow and standardized implementation for all issuers |
| Challenge/authentication via full redirect | Challenge can be integrated as an iFrame |
| Support of SCA is not mandatory | Support of SCA is mandatory |