Ready for EMV 3DS Secure 2.0?

Among cashless payments, the losses caused by fraudulent use of credit cards stand out. As this fraud increases year by year, 3D Secure was introduced to prevent unauthorized use. Several international card brands have now announced that they will end support for 3D Secure 1.0 by October 2022.

3D Secure is a service that, in addition to the credit card details, requires a password that only the cardholder knows, so that only the cardholder is authenticated. Even if your credit card information is stolen or a counterfeit card is created, the card cannot be used without the 3D Secure password, which prevents unauthorized use by a third party. Are you, card manufacturers, ready for EMV 3DS Secure 2?

Features

  • In 3D Secure 2.0, risk-based authentication is adopted: the risk of each transaction is evaluated, and if it is low, the authentication step can be omitted to improve usability.
  • Since a password that only the cardholder knows is required, unauthorized use by a third party is not easy. If you are not taken to the authentication screen, suspect a malicious site.
  • There is a chargeback system that refunds you if your credit card payment is fraudulent. If the merchant did not verify the cardholder's identity, the merchant may be required to bear the chargeback.
  • Since purchased items are not returned after a fraudulent transaction, the merchant bears the loss; 3D Secure prevents credit card fraud and the resulting chargebacks, so no loss occurs.
  • Entering a password impairs user convenience, and password management is a hassle. With 3D Secure 2.0, simpler and more reliable personal authentication, such as a one-time password issued only at the time of authentication or biometric authentication, can be adopted.

SPECIFICATION

The actual authentication and authorization procedure is as follows, corresponding to the figure. The actors that appear here are:

ACS providers: In the 3-D Secure protocol, the ACS (access control server) is on the card issuer side. Currently, most card issuers outsource the ACS to a third party.

MPI providers: Each 3-D Secure version 1 transaction involves two Internet request/response pairs: VEReq/VERes and PAReq/PARes.[8] Visa and Mastercard do not permit merchants to send requests directly to their servers. Merchants must instead use MPI (merchant plug-in) providers.
Merchants: The advantage for merchants is the reduction of "unauthorized transaction" chargebacks. One disadvantage for merchants is that they have to purchase a merchant plug-in.
Cardholders: In most current implementations of 3-D Secure, the card issuer or its ACS provider prompts the buyer for a password that is known only to the card issuer or ACS provider and the buyer. Since the merchant does not know this password and is not responsible for capturing it, it can be used by the card issuer as evidence that the purchaser is indeed their cardholder.

EMV 3DS Secure 2 ---- Authentication ----

  1. The cardholder requests to pay for a purchase online.
  2. The merchant (MPI) sends a Verification Request (VEReq) to the Access Control Server (ACS) at the issuer via the scheme Domain Server (DS), carrying the card PAN, expiry date, transaction amount, currency and transaction date.
  3. The issuer's response is returned to the merchant, so the merchant can make a decision based on the enrolment status of the card and its own risk policy.
  4. The MPI sends a Payment Authentication Request (PAReq) message to the ACS via the cardholder's browser; at the same time, the cardholder is redirected to the issuer's redirect URL for authentication.
  5. The cardholder interacts with the issuer's authentication server to authenticate. Once the cardholder has authenticated successfully, the issuer's ACS responds with a Payment Authentication Response (PARes) message to the MPI.

EMV 3DS Secure 2 ---- Authorization ----

  1. The merchant proceeds with the 3DS-authenticated transaction, depending on its own risk policy.
  2. An authorization message is sent to the acquirer, which routes the transaction to the issuer via the relevant scheme.
  3. The issuer validates the data with its ACS so that the requested transaction amount and currency match the data recorded when 3DS was requested. The issuer then responds to the acquirer (and hence the merchant) with its decision on the transaction authorization.
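The two procedures above, the authentication exchange (verification, then risk-based authentication with or without a challenge) and the authorization check that the amount and currency still match what the ACS recorded, as an added simulation written for this page rather than code from any 3DS product. The enrolled PAN, the one-time password and the risk threshold are constructed, hypothetical values.

```python
from dataclasses import dataclass

# Constructed sample data (hypothetical): PANs enrolled in 3DS at this issuer.
ENROLLED_PANS = {"4111111111111111"}

@dataclass
class AcsRecord:
    """What the ACS stores when 3DS is requested, checked again at authorization."""
    pan: str
    amount: int
    currency: str
    authenticated: bool = False

class AccessControlServer:
    """Issuer-side ACS: enrolment lookup, risk-based authentication, record keeping."""
    def __init__(self, otp="482913"):  # constructed one-time password for the challenge
        self.records = {}
        self.otp = otp

    def verify(self, pan, amount, currency):  # authentication steps 2/3: VEReq -> VERes
        if pan not in ENROLLED_PANS:
            return {"enrolled": False}
        tx_id = f"tx{len(self.records) + 1}"
        self.records[tx_id] = AcsRecord(pan, amount, currency)
        return {"enrolled": True, "tx_id": tx_id}

    def authenticate(self, tx_id, known_device, otp_entered=None):  # steps 4/5: PAReq -> PARes
        rec = self.records[tx_id]
        low_risk = rec.amount < 3000 and known_device  # hypothetical risk policy
        if low_risk or otp_entered == self.otp:  # frictionless, or the challenge was passed
            rec.authenticated = True
        return {"tx_id": tx_id, "status": "Y" if rec.authenticated else "N"}

    def validate_authorization(self, tx_id, amount, currency):  # authorization step 3
        rec = self.records.get(tx_id)
        return bool(rec and rec.authenticated
                    and rec.amount == amount and rec.currency == currency)

def run_flow(acs, pan, amount, currency, known_device, otp_entered=None, auth_amount=None):
    """MPI side: verification, authentication, then authorization via the acquirer
    (auth_amount is the amount sent at authorization; defaults to the authenticated one)."""
    veres = acs.verify(pan, amount, currency)
    if not veres["enrolled"]:
        return "not_enrolled"
    pares = acs.authenticate(veres["tx_id"], known_device, otp_entered)
    if pares["status"] != "Y":
        return "authentication_failed"
    requested = amount if auth_amount is None else auth_amount
    ok = acs.validate_authorization(veres["tx_id"], requested, currency)
    return "approved" if ok else "declined"
```

A low-value purchase from a known device is approved without a challenge, while a transaction whose amount changes between authentication and authorization is declined by the issuer.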