The Authentication Reference


What is 3DS2 and How Does It Relate to PSD2?

3D Secure 2.0 (3DS2) is the improved version of its predecessor, 3D Secure 1.0 (3DS). Both labels refer to payment-security standards that are (or, in the case of 3DS, were) widely used to authenticate e-commerce card transactions for cardholders throughout the European Union.

The new standard was created to address the shortcomings of 3DS, and in particular to improve on its famously user-unfriendly aspects. This is happening in part as a response to PSD2, the European Union’s second payment services directive, which is being implemented to make digital payment processing in Europe more secure for users and processors.

What is 3DS2?

3D Secure 2.0 is short for Three-domain Secure 2.0, but the acronym is also useful for quick reference. This specification is an update to the old 3DS 1.0 protocol, which has been used to connect buyers and sellers while an e-commerce transaction is being authenticated, whether on a mobile device or a computer. Both standards have also been useful in use cases that involve verifying a person’s identity or verifying account information and ownership.

In essence, the standard works as an additional security interface for payment processing and ID verification. It attempts to reduce the incidence of unauthorized transactions during e-commerce sessions. The standard applies to both credit cards and digital-payment-enabled debit cards, whether used on the internet or via mobile apps.

By default, it offers strong two-factor authentication for users who want to make payments online. It is also designed to make payments across different platforms, devices and payment systems (banks, card issuers) more frictionless and user-friendly.

A reference to this is right inside its name: Three-domain Secure refers to the acquirer’s domain (the bank or seller that is being paid), the issuer’s domain (the bank or card company that issues the cardholder’s debit or credit card), and the interoperability domain, which is the infrastructure the above parties use to facilitate payments. This last domain could be an internet payments processor, an access control server or a Merchant Plug-in system.

How is 3DS2 Different from 3DS1?

A fundamental point about 3DS1 is that it is quite old. The original standard was introduced in 2000, when internet payments were conducted on a far smaller, far less advanced scale than today. At that time the mobile payments ecosystem barely existed, and concepts such as two-factor authentication via mobile or other means were barely known to anyone.

Since 2000, the world of digital payments has advanced enormously, and consequently a newer system was needed that could offer modern payment authentication with a more user-friendly and secure process.

This is what 3D Secure 2.0 offers. It delivers a larger range of protections while also being more secure for all parties involved. It is especially useful for users as a fraud-prevention measure for their personal payments. Here are a few key differences between 3DS2 and 3DS:

Key Highlights of 3DS2

It provides more information about users: While the 3DS1 standard generally required only basic, static information such as a name, address and email address, 3DS2 records numerous specific data points about users. These include the same static information but also the browser type, browser version, device model, location and connectivity details such as the IP address. Banks can use this information to assess the legitimacy of transactions more “intelligently”. The other side of this coin is that the new standard collects a much larger volume of user information, in a way that could be construed as a violation of basic personal privacy.

It can dynamically decide which transactions need more authentication: 3DS2 lets the issuing bank and other transaction processors in the EU dynamically decide which transactions are low-risk and which ones need further identity verification for the sake of preventing fraud.

It is more user-friendly: Despite its focus on capturing a broader range of user data and allowing banks to assess transactions more thoroughly, the standard is indeed more user-friendly. It is far better optimized for digital payments than its predecessor and includes far more functionality for payments made outside a web browser on a PC or laptop. In other words, 3DS2 is built for a mobile landscape of smartphones and in-app purchases.

3DS1 created a much larger range of transaction problems for users: Because it lacked a strong design for mobile payments, 3DS1 often gave users all sorts of headaches as mobile payments became more frequent. Authentication of payments on mobile devices would often fail, and users often had to go through additional steps to complete their transactions. These are just some of the common problems that 3DS1 could cause due to its age.
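As an added illustration of the dynamic risk decision described above (this is not code from the original page or from any 3DS2 implementation), the Python sketch below scores a transaction from the kinds of data points 3DS2 carries, browser, device model, IP address and location, against what the issuer has seen for that card before, and routes it to a frictionless flow or a challenge. The history tables, the point weights, the thresholds and the sample values are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class TransactionContext:
    """Data points of the kind a 3DS2 authentication request carries (constructed fields)."""
    amount_eur: float
    browser: str
    device_model: str
    ip: str
    country: str       # where the transaction originates
    card_country: str  # where the card was issued


# Hypothetical issuer-side history: devices, countries and source networks seen per card.
# 203.0.113.0/24 is a documentation address range, used here as a constructed sample.
KNOWN_DEVICES = {"card-1": {("Chrome", "Pixel 7"), ("Safari", "iPhone 14")}}
KNOWN_COUNTRIES = {"card-1": {"DE"}}
KNOWN_NETWORKS = {"card-1": [ip_network("203.0.113.0/24")]}

LOW_VALUE_EUR = 30.0   # illustrative threshold, not taken from the standard
CHALLENGE_AT = 2       # scores at or above this trigger a challenge


def risk_score(card_id: str, ctx: TransactionContext) -> int:
    """Add points for every signal that does not match the issuer's history for the card."""
    score = 0
    if (ctx.browser, ctx.device_model) not in KNOWN_DEVICES.get(card_id, set()):
        score += 2  # an unseen browser/device pair weighs more than a single soft signal
    if ctx.country not in KNOWN_COUNTRIES.get(card_id, set()):
        score += 2
    if ctx.country != ctx.card_country:
        score += 1
    if not any(ip_address(ctx.ip) in net for net in KNOWN_NETWORKS.get(card_id, [])):
        score += 1
    if ctx.amount_eur > LOW_VALUE_EUR:
        score += 1
    return score


def decide(card_id: str, ctx: TransactionContext) -> str:
    """'frictionless': approve without a challenge; 'challenge': step up to a user check."""
    return "challenge" if risk_score(card_id, ctx) >= CHALLENGE_AT else "frictionless"


if __name__ == "__main__":
    known = TransactionContext(20.0, "Chrome", "Pixel 7", "203.0.113.5", "DE", "DE")
    odd = TransactionContext(250.0, "Firefox", "Unknown Laptop", "198.51.100.9", "BR", "DE")
    print(decide("card-1", known), decide("card-1", odd))
```

A real issuer would feed the same signals into a trained model and combine them with transaction history, but the routing outcome, frictionless or challenge, is the same kind of decision.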

What is PSD2?

The second Payment Services Directive (PSD2) is one of the reasons why 3DS2 is now being rolled out as a substitute for 3DS1. PSD2 is the amended successor to the original Payment Services Directive, which was first implemented by the governments of the European Union in 2007.

The original PSD sought to create a single, fluid digital payment market for the whole of the European Union. PSD2 seeks to streamline the same thing for a wider ecosystem of digital payments while making payment processing more secure and more transparent to government oversight.

PSD2 introduces a broad range of changes from its predecessor, and many of them are only indirectly related to 3DS1 and 3DS2. However, the PSD2 regulation’s new security requirements, dubbed Strong Consumer Authentication (SCA), directly affect the switchover from 3DS1 to 3DS2, since these SCA standards require banks to authenticate bank operations such as digital card payments and account access through mobile apps more carefully and securely. The main objective of SCA is not only to reduce fraud but also to provide a frictionless authentication flow and improve the user experience.

How Does 3DS2 Relate to PSD2?

Specifically, because of the much stronger security and identity authentication procedures built into 3DS2 for mobile and digital payments, the new payment authentication protocol is being made mandatory. It is being applied through PSD2 rules as a standard authentication method for all online transactions inside the EU market. 3DS2 implementation will become widespread as of 2022 and will apply to banks, card issuers, credit card companies, payment processors and merchants alike. Any business that accepts payments in the EU market will need to at least apply Strong Consumer Authentication (SCA) to its payment processing.