What is EMVCo 3DS 2.0?

For elevated security to the end customers as well as merchants with regard to their daily transactions, EMVCo 3D Secure 2.0 is introduced. EMVCo is an organization made up of six major card networks.

This organization has released a new version of 3D Secure for the benefit of digital payment users (both merchants as well as its customers).

EMVCo 3-D Secure 2 or 3DS2 is an improvisation over various shortcomings of 3D Secure 1. The new 3-D Secure is brought up for better authentication and an exquisite user experience as a whole.

It is the certification provided to the payment gateway, which helps the merchant in authenticating its end customers.

Thus, the merchant is able to respond well to the legitimate customers’ needs via the web, mobile devices, and the Internet of Things (IoT) without any hurdles.

Implications of 3D Secure 1

In the year 2001, credit card networks implemented the first version of 3D Secure to shift the liability for chargebacks from e-commerce (online business) to the customer’s (cardholder’s) bank.

This is the added layer of protection provided by 3D Secure which is essential for online purchases, especially for the ones that may involve a huge amount of transactions.

Furthermore, it also requests additional information (which helps to build an extra layer of protection) for the online business.

Although 3D Secure 1 provided the aforementioned benefits, it had some drawbacks tagged along.

The drawbacks included the added friction to checkout flow because of an additional step required to complete the payment which led to many customers abandoning their purchase.

Furthermore, cardholders needed to create and remember their own static passwords. Because of the passwords’ inclusion to complete 3D Secure verification, it turned out to be a pesky experience for the cardholders.

This led to higher rates of cart abandonment, as cardholders would forget their passwords frequently. The user experience impact is especially pronounced in mobile apps, where applying 3D Secure may redirect customers out of the native app and onto a bank’s website that isn’t optimized for mobile devices.

These drawbacks also crept in because of the usages having had got dramatically changed over the years.

It was 15 years ago when the first version of 3D Secure was deployed, and since then the gadgets have evolved immensely.

From mobile phones to tablets and payment banking apps, the customers have got adapted to the changing environment with these new inclusions.

In today’s time, e-commerce growth and security are dependent on merchant payment applications since they have gained traction currently.

These apps have tremendously increased customer loyalty but along with that, the first version of the security authentication process had a negative impact on the user experience.

This had decreased the conversion rate of online purchases quite a lot.


The above chart shows the reasons (in the blocks) and problems faced (in the blue pie) by the customers/cardholders with  3D Secure 1.

Benefits of 3D Secure 2.0

  • 3D Secure 2 and strong customer authentication

The enforcement of Strong Customer Authentication (SCA) in September 2019 makes 3D Secure 2 all the more important.

As this new regulation will require you to apply more authentication on payments, 3D Secure 2 will offer a better user experience to minimize the impact on conversion rate.

This would lead to not only an increased conversion rate but also would integrate the deployment of these new trends/usages/devices, and also support new regulations (PSD2) regarding the potential introduction of Risk-Based Authentication (RBA).

Although 3D Secure 2 is the primary method to comply with SCA requirements for card payments, it is expected that the “frictionless” flow will not qualify as a form of Strong Customer Authentication.

This would mean that after the enforcement of SCA, the frictionless flow could only be used for payments that qualify for an exemption (whereas all payments that require SCA would need to be authenticated using the “challenge” flow).

  • Another important improvement is placing the end-user at the center of the strategy

The aim of placing the user at the center of the strategy is to reduce friction in payment workflow, ensure a smooth journey on any device, and find the right balance between security and user experience.

  • It fully integrates the merchant’s mobile applications and customer devices.

The 3D Secure 2.0 has brought consistent user experience for both app-based (native or HTML) and browser-based merchant interfaces, with the same look and feel across devices, channels, and implementations.

  • It enables the issuer’s ACS to get additional data from the context of the transaction and the merchant’s and cardholder’s risk profile.

This enabling will successfully introduce Risk-Based Authentication (RBA). For instance, the new message format will include billing and shipping address, email, shipping method, and other usual cardholder behavior information with this merchant.

Thanks to this risk information, issuers can apply two different strategies depending on the risk of each transaction.

High-risk transactions will be challenged with a state-of-the-art authentication method, while low-risk transactions will follow the “frictionless” workflow where no additional interaction with the end-user is required.

  • On top of these improvements, the specification from EMVCo also enables interested parties to create a framework for authentication for digital environments

This will extend the usage of the specification from card-based payments to other payment means and other non-payment use cases that require strong customer authentication.