User enjoying a 3ds2 purchase experience

EMV 3DS (or 3DS2): The Old, The New and The Better

What the new protocol EMV 3D Secure (aka 3DS 2.0) brings to the industry and the merchant nightmares it’s getting rid of.

False declines, frustrated users unable to locate their four-digit code, and other growing pains that shall not be named – it’s only Monday, after all – were stemming from the old payment protocol, 3DS. Since, both merchants and issuers have been eager for a new solution that they can rely on.

We are excited to announce that the new protocol, EMV® 3-D Secure, commonly known as 3DS 2.0, has already hit the streets – or is at least in implementation stages – developed to solve most of the checkout pains for merchants and consumers.

If you want to learn more about how to leverage the new 3DS protocol with NuData watch our webinar, featuring industry experts from Mastercard and NuData.

The Difference Between 3D-Secure and 3DS2

There is none. EMV 3DS (or EMV® 3-D Secure) is the official name of the protocol, developed by EMVCo. 3DS 2.0 or 3DS2 is how people commonly refer to it. And, in case you are wondering, the previous protocol was called 3-D Secure (3DS).

The first 3-D Secure came into our lives to protect the payment space. However, the new shiny toy launched back in 2001 lost its glare as new, smarter, technologies made their way into the user’s hands.

3DS has made online card transactions available for endless merchants but has also contributed to other numbers that are hurting the CNP industry: in 2017, $118 billion were lost to false declines across all online transactions (Javelin Strategy), 66% of mobile transactions were abandoned at checkout (Jumio), and, as the cherry on top, 32% of users plan to stop shopping at the retailer where they were declined (Javelin Strategy).

The Old

EMVCo is well aware of how the old protocol generated false declines and other problems. Here is a recap of what parts of 3-D Secure needed some love:

The unsexy authentication process

With the old protocol, all the transactions had to be authenticated. For this, 3DS took the user to a different window and asked them to type the four-digit code they just received on their phone or that they had on a card-like piece of plastic provided by the bank. If the user didn’t have access to this code – put your hand up if this also happened to you – they dropped the purchase or used another card. This problem has an impact on the company who loses the sale, but also on the card issuer, who loses that transaction. Additionally, that card will eventually be relegated to the bottom of the wallet, giving way to a competitor’s card.

The false declines

Issuers are keen on accepting transactions to ensure users keep choosing their card. With the old protocol, however, issuers were not able to see the same information merchants did to make a decision. Issuers only saw ten data points related to the transaction, which are not enough to have a clear picture of who that user really is. Thus, when in doubt, many issuers would decline the transaction to avoid potential fraud. Better safe than sorry.

The lack of 3DS opt-out option

Once a merchant had the 3DS protocol, they had to use it for all the transactions where 3DS was supported. This lack of flexibility has made some merchants drop the 3DS protocol altogether.

The New

The new protocol comes with substantial improvements that are set to reshape the checkout experience for users and merchants. What’s new with ‘3DS2’:

No authentication steps

With EMV 3DS, EMVCo has gotten rid of the cumbersome authentication requests that turned so many users down. When a transaction is trusted, users just hit Buy and wait for the payment confirmation message. When a transaction is suspicious, or the issuer doesn’t think it is legitimate, the user will have to authenticate herself with something she is familiar with such as a fingerprint scan, making the authentication step that much more seamless. However, in some scenarios (e.g., regulated markets) EMV 3DS will require the issuer to also authenticate trusted consumers.


The smartphone, that piece of tech we can’t be without, was not around when the old version came out. The new EMVCo specification is mobile friendly and integrates with mobile apps as well as with browser-based environments.

More transaction data

The new protocol gathers up to 150 data points to evaluate a transaction (compared to the 15 data points 3DS had access to). Some of these data points are required and others are optional. However, the more information merchants decide to share with issuers, the higher the issuer’s decision accuracy will be.

Merchant 3DS opt-out

EMVCo offers a compromise for those who want to have access to the protocol but also decide when and how to use it. With the EMV 3DS’ Data Only option, merchants can choose which transactions they send through the protocol and which ones they don’t. By opting out, they can still send the additional sets of transaction data to issuers to influence their decision.

The Better

EMV 3DS (3DS 2.0) is clearly adapting to the times by offering better online payment experiences to users, whether it is via desktop computers, mobiles or tablets. With the way the new 3DS works, merchants can benefit just as much as consumers, if not more. Here are some of the benefits:

Less false declines

By providing ten times as much transaction information to the issuers, they are better equipped to make a decision and reduce false declines. This enriched communication channel between merchants and issuers can create more trust between the two.

Less cart abandonment

Transaction decisioning can be done without authentication step-ups for trusted users and also faster (before, it could take over eight seconds). This improvement aims at today’s consumers who want a seamless experience through their phones or tablets and with a user-friendly authentication step when required. The use of a mobile device to make an online purchase has increased to 40% in 2018 from just 12% in 2014, according to the Canadian Internet Registration Authority (CIRA).

More flexibility

Merchants who want to turn on 3DS in non-challenge mode can do so, allowing them to feed those results into their own risk models to help their own approve or decline decisions.

The Transition

And what about compatibility? EMVCo’s EMV 3DS will be required for all issuers and merchants by a certain date. In Europe, for instance, the deadline is April 2019. In some markets, issuers will also be required to enable physical biometrics authentication on mobile devices that support the technology.

This is exciting news for merchants and issuers who should start planning their transition to make the most of this new protocol. According to Aite’s 2018 report 3-D Secure 2.0: Key Considerations for Card Issuers, a large issuer is doing a proof of concept with a large merchant to show the impact that additional transaction data will have on authentication and authorization rates. This will help both merchants and issuers learn how to make the switch and take full advantage of the new protocol.

Educate consumers

At the same time, it’s important to educate consumers on what they should expect. The change from a four-digit PIN request to a physical biometric one (e.g., fingerprint scan) can surprise some users. It’s important that they understand this change to improve their acceptance and overall experience. As Julie Conroy, Research Director at Aite explains in the report, “effective customer training will not only reduce the potential for abandonment but will also help consumers differentiate between the genuine 3DS authentication prompt and social engineering attacks by fraudsters.”

The protocol is ready to go and some of our major eCommerce clients are already testing it with the NuData integrated SDK that also provides transparent authentication before the transaction.

To find out more about the new protocol developed by EMVCo, watch our webinar with Mastercard 3DS experts.

To learn more about our Smart Interface EMV 3DS2 solution, click here.