New Changes Coming in EMV 3-D Secure Version 2.3

January 10, 2022

After four years of great anticipation, EMVCo released the new 3DS specification, 3DS 2.3, at the end of September 2021. Multiple financial institutions and merchants have raised some common questions, such as, "What are the differences between the updated version and the old one, and will it bring more benefits?" The answer is definitely "Yes".

Over the past few years, the credit card market has increasingly adopted 3-D Secure authentication. Even though EMVCo introduced frictionless authentication in the previous version, 3DS 2.1, released in 2016, a large number of issuers still see challenge authentication as the only method. The heavy dependence on challenge authentication not only compromises customers' shopping experience, but also indirectly increases the likelihood of failed transactions.

Frictionless vs. Challenge

Within EMV 3DS, there are two types of authentication flow: Frictionless and Challenge.

Frictionless Authentication

The issuer performs risk-based authentication (RBA) using the rich data received in the authentication message and considers the transaction to be low risk. The customer is not asked for additional proof that the real cardholder is making the transaction.

Challenge Authentication

The issuer presents an authentication step-up and redirects the cardholder to a challenge page, where the cardholder is required to confirm their identity using OTP, Face ID, etc.

EMVCo and international card schemes are working hard to increase the volume of frictionless transactions and reduce the transaction failure rate. Many updates in 3DS 2.3 are designed to achieve this goal. This is a benefit not only to the issuers, but to the merchants and acquirers as well.

Overview of EMV 3-D Secure Version 2.3 Features

Below are some of the highlights among the new features of EMV 3DS version 2.3.

Optimize User Experience

SPC authentication is introduced in 3DS 2.3 to enhance transactional security and improve the user experience by preventing one-time password (OTP) and page-redirect errors. In addition, common problems encountered in previous versions have been rectified, for example through automatic out-of-band (OOB) redirection.

Expand Usage Scenarios

Split-SDK divides the Default SDK into a server and a client, enabling 3-D Secure to be applied to more devices that lack a full set of SDK functions, such as intelligent household appliances and smart cars.

Increase Frictionless Authentication

More transaction data is added to authentication messages, including token, recurring transaction, and device binding information, allowing issuers to gain better visibility into transactions and make subsequent risk decisions.

Improve Success Rate

In addition to the simplified OOB navigation process, SPC authentication and the Operating System Message can also reduce the transaction failure rate in different ways, enhancing users' confidence.

Enhanced Security

FIDO is officially integrated into the authentication flow, which improves the application of biometric identification and provides consumers with a safer online transaction ecosystem.

SPC Authentication

SPC (Secure Payment Confirmation) is a new authentication method in 3DS v2.3 that officially integrates FIDO into the authentication flow, effectively replacing traditional OTP with biometric identification. Since FIDO can also be applied to other banking services (e.g. mobile banking logins), EMVCo's inclusion of FIDO allows issuers to provide a more consistent authentication method and shopping experience for their consumers.

Split-SDK Applications

Products with complete SDK functionality are known as the Default SDK. In 3-D Secure v2.3, the Default SDK is divided by function into a Split-SDK Client and a Split-SDK Server, allowing 3-D Secure to be used on more devices (e.g., IoT devices). The 3-D Secure payment process keeps transactions secure when cardholders shop on smart appliances.

The Split-SDK has multiple variants depending on the Consumer Device and the 3DS Requestor environment. These variants include the Limited-SDK, Shell SDK, and Browser SDK.

Operating System Information - O Message

The Operation Message gives the Directory Server (DS) the ability to communicate operational information to the 3DS Server or to the Access Control Server (ACS). By communicating more system information, the Operation Message is expected to reduce transaction failures caused by poor product conditions.

Automatic Redirection of OOB Authentication

OOB (out-of-band) provides opportunities to apply a diverse range of authentication methods. By reducing their dependence on OTP, issuers can widely use Face ID, fingerprint recognition, etc. with a higher degree of safety. However, in previous versions, cardholders were asked to switch between the merchant app and authenticator app, easily resulting in transaction failures. The new version simplifies the manual operations conducted by cardholders, and introduces automatic redirection, which is expected to greatly increase the transaction success rate.

Comparison of different 3-D Secure versions