EMV 3-D Secure 2.3: User-centric Enhancements to Fight Fraud

September 15, 2023

The post-pandemic rise of online shopping and e-commerce platforms has led to a major increase in transaction fraud. According to reports by Statista, e-commerce losses to online payment fraud were estimated at USD 41 billion globally in 2022, up from the previous year. The number is expected to increase even more to USD 48 billion by the end of 2023, calling for comprehensive solutions from issuers, acquirers, merchants, and users to combat fraud.

What is EMV 3-D Secure?

EMV 3-D Secure, also commonly abbreviated as EMV 3DS, is a messaging protocol that serves as a solution to the credit card online fraud problem. When applied, it enhances security during the consumer's card-not-present e-commerce transactions by adding an extra layer, often referred to as cardholder authentication.

Since its initial development and introduction back in the 90s, the protocol has regularly been reviewed and updated to continue securing online payments amid the growing security threats in e-commerce. In the latest version released by EMVCo, EMV 3-D Secure now provides operators and consumers with enhanced features that improve usability while reducing the friction experienced by consumers.

Elevated User Experience

In version 2.3, EMV 3-D Secure significantly improves the payment experience for end-users through streamlined authentication, in a variety of ways explained below.

Device Binding Support

With 2.3, the system supports user device binding. This allows e-commerce and card-on-file merchants to remember devices. During the consumer payment process, at the challenge screen, cardholders are asked whether they wish to have their device saved for future transactions.

Many might think that this would spark consumer concerns about data storage. However, merchants enrolled in 3-D Secure 2.3 will be storing tokens that are bindable to the cardholder's devices, instead of actual card data. One of these devices can then be used as an additional authentication factor for future transactions from the same cardholder.

Device binding drives a streamlined authentication process without any negative impact on the shopping experience. Because an additional authentication factor (another device owned by the same cardholder) is already available, in most cases the cumbersome step-up authentication can be avoided.

OOB Transitions Done Automatically

If you're familiar with the architecture of the EMV 3-D Secure checkout process, you would know that OOB (out-of-band) authentication can lead to transaction failure. While OOB is widely used as a type of 2FA (two-factor authentication), verification through a separate communication channel may not be as stable.

To better understand, let's look at an example. When a customer wants to make a purchase on their laptop, they receive an OTP (one-time password) by text message on their mobile phone. Within this procedure, issues in handing off information between the merchant's application and the authentication application could result in a failed transaction. That is to say, part of the authentication process is reliant on the mobile device receiving the OTP.

In EMV 3-D Secure 2.3, automated OOB is supported with automatic redirection to improve transaction success rates.

Increased Transaction Data

In this latest version, EMV 3DS provides more data on recurring transactions. This concerns situations where a cardholder is approving recurring payments such as a monthly subscription. The new features help simplify the authentication process for cardholders' future purchases.

Additionally, issuers, merchants, and consumers gain better visibility into the payment details, making transactions easier to identify and approve. 3-D Secure 2.3 extends its support to a wider range of scenarios, including:

  • Free trial period + a recurring subscription fee (only authenticate at trial registration)
  • Varying amounts of payment
  • Varying frequency of payment based on cardholder's usage

In general, version 2.3 carries more EMV payment token data, helping card issuers make more informed risk-based decisions during approval.

More Devices Integration

Based on past experience, EMVCo began developing enhancements for version 2.3 that integrate new types of devices into payment, making the authentication process more convenient for users. This applies to virtual assistants (Siri, Alexa, etc.) and IoT appliances (smart home). It works by using a payment SDK to create payment applications on these devices.

In the previous version of 3-D Secure, certified universal SDKs were included, letting merchants integrate a single SDK into their website or application to satisfy data and compliance requirements. In 2.3, however, the SDK is updated to a split-server model with multiple variants. It divides functions between a server-side and a client-side component, simplifying merchant integration.

With this, trusted third parties are provided with enhanced device and biometric data from the merchant's application to improve transaction approval rates. Those parties include:

  • Delegated authenticators (often the merchants)
  • FIDO-reliant parties (can be merchants or issuers)
  • Risk engines (similar to HiTRUST Veri-id)

New Methods for Authentication and Fraud Prevention

Besides the new and enhanced features above, EMV 3DS 2.3 supports WebAuthn (Web Authentication) and SPC (Secure Payment Confirmation) authentication to facilitate the process of identifying fraudulent transactions.

WebAuthn

In response to growing fraud threats and the unnecessary friction added to consumers' buying process in e-commerce, the W3C (World Wide Web Consortium) developed WebAuthn as a standard for passwordless login.

Technically speaking, WebAuthn is an API standard that allows servers, applications, websites, and other systems to verify and manage registered users without the need for a password. To authenticate passwordlessly, users rely on biometric and possession-based authenticators.

While supporting the most common web browsers (Chrome, Edge, Firefox, and Safari) and their mobile versions, WebAuthn also improves security by avoiding the weaknesses of passwords and the systems built upon them. With support for a wide range of browsers and operating systems, this is a versatile solution to the password problem.

SPC (Secure Payment Confirmation)

SPC is another API under development by the W3C, designed to support more streamlined authentication in transactions. SPC is built on top of WebAuthn, adding a payment layer so that the issuer can provide a consistent, non-disruptive payment experience to cardholders.

SPC can be broken down into two steps.

Step 1: Cardholder links their device to a relying party (issuer or bank)

Step 2: Cardholder uses the registered device to authenticate directly from the merchant's platform

Upon registering an authenticator with a relying party, cardholders can use the authenticator on different merchant sites without having to sign up for or bind their device again.

Regarding new authentication methods, SPC allows FIDO (Fast Identity Online) to be integrated into the EMV 3-D Secure process; FIDO uses public-key cryptography in place of traditional OTPs. But more on that later.

An Updated Version for Enhanced Operating Systems and User Experience

Within the EMV 3-D Secure ecosystem, the directory server transmits operational information to the 3DS Server or ACS in a message. Under 3-D Secure 2.3, this operational message carries more information, helping to reduce transaction failures.

With continuous development and updated releases of the global protocol, EMV 3-D Secure continues to further streamline the payment process, while delivering more informed data points and reports for better communication and operation.