History
The 3DS protocol was originally introduced in 1999 to prevent unauthorized use of credit cards for online purchases. It ties together the acquirer bank, the issuer bank, and the infrastructure supporting the protocol. These three parties are called ‘domains’ (hence 3D).
In the early 2000s, VISA (one of the original co-developers of the protocol) deployed 3DS1. The system was generally praised but also drew some (deserved) criticism. Credit card holders had to create a static password that was used for authorization, which partially compromised security. If they forgot the password, users were redirected to their bank, which led to lower conversion rates for businesses, since many customers didn’t recreate their password and didn’t finish the transaction.
3DS2
Learning from these mistakes and reflecting technological advances, 3DS2 was introduced in 2016. The biggest change was in the flow of the process. When a purchase is made, the customer’s bank is first notified so it can verify and assess the transaction. Only if the transaction is considered high risk will the customer be prompted to authenticate themselves. The authentication methods used include ‘out-of-band authentication’ via the mobile app of the customer’s bank. 3DS2 is compliant with the Strong Customer Authentication (SCA) requirement set forth by the EU in 2019.
EU vs the World
As mentioned, 3DS fulfils the requirements set by the EU and is currently the most used solution in the region. Although initially introduced by VISA, it is now developed and maintained by EMVCo, a joint operation of VISA, Mastercard, American Express, Discover, and others.
While merchants from outside the EU are exempt from the SCA directive, the situation could change. Several countries outside the EU have proposed their own version of SCA. On top of that, several studies have shown that 3DS2 drastically reduces both checkout time for most users and cart abandonment. 3DS2 helps both the merchant and the customer complete the transaction swiftly and safely.
3DS2 in SignatureSatori
So how exactly does 3DS2 work in SignatureSatori? In most cases, customers won’t even notice it running in the background. If it does appear, it will be as a pop-up window asking them to enter a verification code during a transaction. Depending on their card issuer and individual settings, the verification code will be shared with the bank’s authentication app on a mobile device tied to the card, or sent to that device via SMS. It will look similar to the image below (the text and design are managed by the card issuer and may differ slightly).
You can learn more in the dedicated article “3D Secure 2 implementation in SignatureSatori”.