
Towards Stronger Payment Services Authentication with 3-D Secure 2.0 and PSD2

By Bill Camarda

Every year, online transactions become more central to business success. However, the security challenges associated with online payments services have become increasingly complex. The EMV® 3-D Secure 2.0 specification and Europe's new PSD2 rules each have important implications for many companies aiming to address security risks without inconveniencing their customers.

Authenticating E-Commerce Purchases Today


EMV® 3-D Secure is a messaging protocol that permits customers to authenticate themselves with card issuers when making card-not-present (CNP) e-commerce purchases, reducing unauthorized CNP transactions and protecting merchants from fraud.[1]


The first version of EMV® 3-D Secure added a security layer that customers experience when they're asked to enter a separate password in a web browser pop-up window that appears during the checkout process. Merchants and customers use EMV® 3-D Secure whenever they authenticate an online transaction through most major credit and debit card providers.[2] But customers must enroll before they can use these provider-based online payment solutions for authentication, so usage has been inconsistent: it's higher in some regions (e.g., Asia and Europe) than others (e.g., the US).[3]


Today, customers using online payment solutions start many transactions through mobile apps or digital wallets, not web browsers. EMV® 3-D Secure 1.0 wasn't designed to support these.[4] According to security software firm RSA, the percentage of e-commerce transactions originating from mobile devices has tripled from 15 to 45 percent over the past five years, and fraud in mobile channels has risen even faster.[5]


At the same time, merchants constantly seek ways to reduce friction that can lead to transaction abandonment. They would welcome online payments solutions that eliminate extra enrollments, pop-up windows, and SMS messages that can go astray – each of which contributes to abandoned carts and lost sales.[6]


Better Online Payments Solutions for Authentication


EMV® 3-D Secure 2.0 is intended to address payment services problems like these. It will support app-based purchases on smartphones, tablets, smartwatches, and other devices (including game consoles that don't use apps at all).[7]


It will also permit "intelligent risk-based decisioning" that makes consumer authentication frictionless and invisible for most customers. To make this possible, merchants will send far more data to issuers when they request approval of an authentication – including, for example, shipping and billing addresses, customer email addresses, and even previous cardholder behavior with this merchant.[8]


Where further customer authentication information is needed, EMV® 3-D Secure 2.0 supports options such as biometrics. This is viewed as valuable for reducing the high failed transaction rates that have sometimes been associated with strong multi-factor authentication.[9] Finally, when a card issuer officially "turns on" support for 3-D Secure 2.0, it can automatically enroll all of its cards, rather than requiring customers to enroll individually.[10]


Planning for Deployment or Migration


Both versions of 3-D Secure (1.0 and 2.0) will run in tandem for the next few years, as card issuers announce their plans and timetables for support, and merchants gradually prepare to migrate. The PCI Security Standards Council is currently working with EMVCo to streamline testing and security evaluation of new 3-D Secure online payment solutions.[11]


As merchants begin planning for 3-D Secure 2.0, experts suggest they seek online payment solutions that support both versions, make it easy to integrate the new data collection requirements, have experience with rules-based decisioning, and can provide strong visibility into transaction results.[12] Since some customers will still need to provide step-up authentication credentials, RSA reminds merchants that they will need to smoothly integrate these requests into their checkout processes.[13]


Europe's PSD2 and Strong Customer Authentication


The 3-D Secure 2.0 specification is intended to be usable in all regions. However, it may prove especially valuable in Europe, where the European Banking Authority's new Revised Payment Services Directive ("PSD2") will be rolling out over the next year. PSD2's rules will apply to all payment services providers and affiliates, and wherever at least a portion of the transaction occurs within the European Union.[14]


PSD2 calls for much wider use of Strong Customer Authentication (SCA) in online, electronic, and remote payments. SCA is defined as authentication through at least two of the following factors: something you know, something you have, and/or something you are. As defined by PSD2, it also requires technical measures that improve resistance to some cyberattacks commonly made against payment services, including "man-in-the-middle" session hijacking.[15]


In response to concerns from card issuers, merchants, and other payment services, European authorities have softened their original proposed rules. For example, most payments under €30 are now exempt, as are payments at unattended payment terminals such as tollbooths and parking meters. So, too, some larger payments will be exempt, with the threshold varying based on fraud rates associated with the individual payment services provider.[16,17]


Even so, far more payments are likely to be subject to SCA once PSD2 rules are fully in place. 3-D Secure 2.0 won't be the only way to comply. However, it does offer a comprehensive approach that many companies are likely to pursue – especially since it supports biometric options that avoid the risks and inconveniences of old-fashioned PINs and passwords.



To combat fraud, companies are pursuing better payment services for authenticating online and remote transactions, without inconveniencing customers. 3-D Secure 2.0 may be part of the solution – especially in Europe, where PSD2 will mandate stronger authentication for many transactions.

The Author

Bill Camarda

Bill Camarda is a professional writer with more than 30 years’ experience focusing on business and technology. He is author or co-author of 19 books on information technology and has written for clients including American Express Private Bank, Ernst & Young, Financial Times Knowledge and IBM.


1. “EMV® 3-D Secure,” EMVCo
2. Global Payment Authentication Standards, GPayments
3. The Good The Bad & The Ugly: An Overview of 3D Secure, Fibonatix
4. “About 3D Secure 2.0 by EMVCo,” GPayments
5. 3D Secure 2.0: Putting Customer Experience at the Center of Payment Authentication, RSA
6. “3D Secure 2.0 SDK Delivers Easier, More Secure Mobile Payments,” mSignia
7. Global Payment Authentication Standards, GPayments
8. EMV 3-D Secure 2.0: A new era in strong customer authentication, WorldLine
9. “Should You Use a 3-D Secure Merchant Account?” UniBul Merchant Services
10. “3D Secure 2.0: Why It Pays to Be Ready,” RSA
11. “New PCI Security Standards and Program to Support Adoption of EMV 3DS,” PCI SSC
12. What Online Merchants Need to Know about 3-D Secure 2.0, CardinalCommerce/Merchant Advisory Group
13. EMV 3-D Secure (3DS2.0) Timeline, RSA
14. “Fraud and Security: 2FA Considerations for PSD2,” Messente
15. “PSD2: Throwing a Spotlight on RTS,” International Banker
16. Understanding the Impact of the Regulatory Technical Standards (RTS) on Strong Customer Authentication (SCA) and Common and Secure Communication, ThreatMetrix
17. “PSD2 – New Rules for Strong Customer Authentication,” FICO
