
Fitting 3D-Secure with payments architecture

July 29, 2020 | Daniel Pelegero

This post is not a primer on 3D-Secure 2.X (3DS2)

If you are looking for a better understanding of this topic before diving in, here’s a list of resources that we’ve curated to answer the following questions: 

  • What is 3D-Secure?
  • What’s the current state of 3D-Secure?
  • Why was there a delay to the PSD2 enforcement date?
  • What are merchants doing right now?

As we know, regulation in Europe through Payment Services Directive 2 (PSD2) is driving the current implementation deadlines for 3DS2 in Europe, as it is the most well-known solution to achieve strong customer authentication on card payments. Yet, no matter the card scheme, previous versions of 3DS—3DS2.1 and 3DS2.0—all failed to meet the European Banking Authority’s (EBA) compliance requirements for PSD2’s SCA requirement. Outside of Europe, Issuers in Canada, Latin America, and the U.S. are mobilizing to support 3DS 2.2 and dynamic linking this year, even though these countries have no regulation prompting these updates. Dynamic linking is a critical aspect of the 3DS2.2 implementation for meeting PSD2’s requirements for SCA. 

Considerations for implementation

Looking past the COVID resource crunch, the implementation difficulty for 3DS2 will vary from merchant to merchant. While implementing 3DS2, Bryan Penny (American Express) calls out four critical considerations for merchants:

  1. How will 3DS2 integrate into the merchant’s existing architecture and payment flows? 
  2. How much will 3DS2 cost the merchant? 
  3. What are the merchant’s latency requirements? 
  4. How much fulfillment time does the merchant have before shipping the order?

All four are valid questions that the fraud and payments teams within a merchant organization need to answer jointly. The answers will differ from merchant to merchant, but generally they depend heavily on each merchant’s current payments architecture. The availability of the PAN is critical in these decisions, since the Access Control Server (ACS) won’t grant 3DS authentication approvals without it. To shield the PAN, merchants often use tokens provisioned by their PSPs, but these tokens are not interchangeable with other PSP tokens. Thus, each merchant must qualify how vital it is to have flexibility and redundancy between providers on this soon-to-be-mandatory functionality.

The OpEx cost factors with 3DS are also considerable. Merchants with a single PSP relationship may get bundled pricing on their authentications and authorizations. Merchants leveraging a multi-processor model should expect to pay a flat per-transaction fee for each 3DS call. As 3DS2 isn’t widely in production yet, we don’t know whether the opportunity for better approval rates justifies this additional fee for sending every transaction to a network’s Directory Server.

What we do know is that in markets without an SCA mandate, 3DS2 approvals can lead to declines in authorization rates. Accordingly, when the network stands in for the issuer, authorization rates drop. Fortunately, we also know that when an issuer approves a hard challenge to a 3DS2 request, approval rates lift, thus fulfilling the promise of SCA’s safer and improved approval rates. Critically, we also know that latency is a massive concern with the 3DS2 protocol. As noted in Payment Insecurity: How Visa and Mastercard Use Standard Setting to Restrict Competition and Thwart Payments Innovation: “The architecture of 3DS2 is essentially similar as 1.0, but now with greater amounts of data passing through (theoretically). There were timeout conditions that led to greater cart abandonment with 3DS1 and this is the same with 2.” (p. 42)

At the 2019 EMVCo Annual Forum, there were only a handful of live implementations of 3DS2; none were able to complete a “frictionless flow” authentication in under 10 seconds. Even the Mastercard Authentication Guide for Europe admits that “declined authorizations followed by an authentication and another authorization will add an estimated 10 seconds latency, [so] some Cardholders may abandon such transactions.” (p. 28)

Let’s get to the bottom of this

First, let’s assume a merchant’s known latency (from their gateway to their 3DS Server to the Directory Server) takes no more than 400 milliseconds round trip. Let’s also incorporate the fact that many issuer implementations are being passed a risk score from their ACS, not the actual data transmitted in the 3DS fields. A decision on such a risk score takes milliseconds. Let’s use CardinalCommerce as an example:

It is our opinion that the increased latency lies with the Directory Servers because they are single-threaded gates that connect the CardinalCommerce 3DS server and the CardinalCommerce ACS. Given that the most significant two card schemes maintain their servers on company-owned soil, latency to support global transaction volume was already a concern. It will be interesting to see how the cardholder data they collect for fraud scoring will achieve compliance with the recent Data Transfer ruling in Europe and Brexit. (One wonders how long it takes to buy land and build a data center in Europe during a pandemic.)

But isn’t there any good news for merchants?

Yes. First and foremost, Julie Ferguson and Una Dillon of the Merchant Risk Council have done a fantastic job bringing the current state of 3DS awareness to the forefront. If you haven’t visited yet, here it is again: What’s the current state of 3D-Secure? Yes, it’s that informative. Secondly, there are still paths merchants can take to achieve compliance and maintain their flexibility.

When we assembled the 2020 Payment Vendor Report, we found it necessary to identify the gateways and hubs that support their own (“homegrown”) EMVCo-certified 3D-Secure servers. Two participants in the report can offer their clients this setup: ACI Pay.On and Mastercard Payment Gateway Services (MPGS). Neither has to acquire a merchant’s transaction to perform 3DS services, nor is either product subject to PSD2 regulations.

The connections both gateways offer greatly assist merchants in achieving 3DS2 compliance by minimizing the number of parties to a transaction and by providing merchants the flexibility to route transactions to best lift approval rates. As testified by Nilixa Devlukia (Open Banking) and Helene Ofer-Zaher (EBA), SCA rests with the issuer, so changing acquirers would not make a difference.

We expect to see merchants leveraging load balance transaction routing strategies, currently employed to improve approval rates or mitigate chargebacks, towards delegated authentication, whitelisting, and transaction risk analysis. Pay.On and MPGS provide some of the base to accomplish those goals.

ACI Pay.On

In addition to its hundreds of payment connections, PAY.ON Payments Gateway is EMVCo-certified for 3DSecure versions 1.0 and 2.1. ACI also operates its own Merchant Plug-In (MPI) for in-line 3DSecure support and supports authentication processing to third-party providers such as Cardinal Commerce.

Mastercard Payment Gateway Services

MPGS supports 3-D Secure 1.0 directly and is integrated with Mastercard’s 3-D Secure 2.2 server, allowing merchants to leverage the latter and fall back to the former. MPGS offers authorization processing directly to the Issuer via Banknet, referenced as Switch-to-Issuer. Switch-to-Issuer allows MPGS to perform authorizations through the Mastercard network without needing to connect to the merchants’ acquirers. After authorization, a draft capture file is sent to the merchant’s acquiring bank to trigger settlement. This unique flow allows for fewer authorization hops, faster response times, and higher availability.

To learn more about MPGS and ACI Pay.On as well as other services providing payment gateway and orchestration services, download a free edition of the 2020 Payment Vendor Report.
