3-D Secure 2.3

Further progress to benefit the cardholders

EMVCo released EMV® 3DS 2.3, the latest version of the 3-D Secure protocol, at the end of September 2021. It offers additional options for combating misuse and supports more channels and devices. Overall, the user experience for cardholders is to be further improved. Netcetera experts Dr. Thomas Fromherz, Digital Payment Strategy Expert and Fellow, Tanja Steinhoff, Senior Product Manager for the 3DS Issuer Service, and Nakjo Shishkov, Lead Portfolio Architect Secure Digital Payments, explain background and context in this article.

The advances of 3-D Secure become particularly clear if we take a look at its history. The security protocol was first introduced by Visa and Arcot in 1999 to curb card fraud in online shopping via traditional browsers. For a while, there was no consistent regulation for 3-D Secure until the issue was brought under EMVCo. This ensured a uniform approach by all major card organizations. In 2016, EMVCo published the EMV 3DS protocol to take into account the increasing use of mobile devices for online purchases. The 3DS versions 2.1 and 2.2 brought a continuous improvement of user experience.

Enhancements for more security and convenience

The new version 3DS 2.3 offers several additional capabilities to further advance both security and convenience for cardholders. One important enhancement applies to the integration of new devices, such as smart speakers ("Alexa") or smart TVs. To ensure a high level of security for online shopping, the SDK that establishes the connection between such devices, and the 3DS server and the Access Control Server (ACS), will be split into an SDK client and an SDK server (split SDK).

Another extension is the consideration of "Secure Payment Confirmation" (SPC). SPC is a Web API (Application Programming Interface) developed by the Web Payment Working Group within the World Wide Web Consortium (W3C). It is intended to simplify and accelerate the authentication of payment transactions based on FIDO. To use SPC, customers must be registered. The credit card holder can register directly after successful authentication. This process is supported by the issuer. In the future, the credit card holder can use the TouchID function of the notebook for authentication, for example. The UI is provided by the browser. SPC is currently available as a draft. The Google browser Chrome offers a first implementation as a prototype for tests.

Continuous improvement of the app channel

Since smartphones or tablets are now used for online shopping in most cases, EMVCo attaches great importance to continuously making the authentication via app channel more user-friendly. For example, the switch between the merchant app and the bank's authentication app should be automatic and as smooth as possible. 3DS 2.3 also offers further improvements in this area.

In the future, cardholders will also be able to allow the issuer to store consumers’ device data (device binding). These two functions work independently of each other. Device binding provides the issuer with additional data for risk-based authentication (RBA).

Overall, the new version EMV 3DS 2.3 will lead to a significant improvement in the user experience. Cardholders, issuers, and online merchants will all benefit from this. Netcetera wants to enter into a dialogue with its customers at an early stage to be able to support them in the best possible way during the introduction of EMV 3DS 2.3.

Webinar „EMV 3-D Secure 2.3 – What’s new for the cardholder?“

EMV® is a registered trademark in the U.S. and other countries and an unregistered trademark elsewhere. The EMV trademark is owned by EMVCo, LLC.

More stories

On this topic