
A world with invisible security


What are the merchant’s options if they want the least friction possible?
If a merchant wants to avoid as much friction as possible with the new protocol but still benefit from the faster service and added intelligence, they can send transactions through the Data Only option, outside of the 3DS authentication path. Transactions sent this way don’t benefit from the liability shift. Companies that choose this option implement a strong pre-transaction solution to accurately decide which transactions they trust, and accept the liability on transactions they are confident about.
Pre-transaction authentication tools connected to 3DS that use passive biometrics, such as NuData’s Smart Interface, are key for this process.
By seamlessly verifying the user’s identity before the transaction is sent, merchants can make accurate decisions on what transactions they process outside of the 3DS authentication flow and which ones should be authenticated by the 3DS process, benefiting from the liability shift.
Can merchants have access to the consumer experience website? If yes, how?
Merchants have control over the page the users see to authenticate themselves. This page is within the merchant’s environment and can be branded like the other merchant pages. This page will also display the logo of the issuer, so the user knows what entity is doing the transaction evaluation.
By customizing this page, merchants can ensure a consistent experience to their consumers.
How do merchants know if issuers are asking for authentication and what type?
When merchants send a transaction to the issuer, they receive the resolution. With NuData’s EMV 3DS connection (Smart Interface), merchants can see what step-ups issuers are requesting and build rules around those.
Using the NuData client library, merchants see whether it’s going to be a seamless, frictionless or challenged flow and what type of step-up it will have.
What happens when the issuers decide to challenge a transaction?
The new protocol gives merchants options to improve the user experience, including what type of interdictions they want to allow their consumers to receive.
Merchants can do this with certain EMV 3DS providers, by indicating the type of interdictions they don’t want their consumers to face. For example, a merchant may want to decline all authentication requests that ask for a one-time password. In that scenario, when the issuer requests the one-time password, the merchant can choose to send the transaction down the Data Only route, avoiding the 3DS authentication step altogether.
A major U.S. eCommerce company is currently implementing Smart Interface with rules that avoid any step up on their users as a way to increase their conversions.
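The routing rules described in this answer and in the first answer (trusted transactions and unwanted step-ups both go down the Data Only route) can be written as a small merchant-side policy. This is an added example, not NuData or EMV 3DS code; the function names, the labels "otp" and "oob", the trust score and the threshold are all assumptions made for illustration.

```python
from dataclasses import dataclass

# All names and labels below are hypothetical, chosen for this example;
# they are not EMV 3DS message fields or any vendor's API.
DATA_ONLY, THREE_DS = "data_only", "3ds_authentication"

@dataclass(frozen=True)
class Policy:
    trust_threshold: float        # pre-transaction score at or above which the merchant accepts liability
    blocked_step_ups: frozenset   # step-up types the merchant will not put in front of its customers

def route(policy, trust_score, issuer_flow, step_up=None):
    """Return (route, liability_holder, reason) for one transaction."""
    if trust_score >= policy.trust_threshold:
        # Trusted before the transaction is sent: skip authentication, keep liability.
        return DATA_ONLY, "merchant", "trusted pre-transaction"
    if issuer_flow == "frictionless":
        return THREE_DS, "issuer", "authenticated without a challenge"
    if issuer_flow == "challenge":
        if step_up in policy.blocked_step_ups:
            # Friction avoided, but liability stays with the merchant on a
            # transaction it did not trust and the issuer wanted to challenge.
            return DATA_ONLY, "merchant", f"blocked step-up: {step_up}"
        # Assumes the cardholder completes the challenge.
        return THREE_DS, "issuer", f"challenged with {step_up}"
    raise ValueError(f"unknown issuer flow: {issuer_flow!r}")

def merchant_exposure(policy, transactions):
    """Sum the amounts for which the merchant, not the issuer, carries liability."""
    return sum(t["amount"] for t in transactions
               if route(policy, t["trust"], t["flow"], t.get("step_up"))[1] == "merchant")

# Constructed sample transactions (amounts in cents).
SAMPLE = [
    {"amount": 2500, "trust": 0.95, "flow": "frictionless"},
    {"amount": 12000, "trust": 0.40, "flow": "frictionless"},
    {"amount": 8000, "trust": 0.30, "flow": "challenge", "step_up": "otp"},
    {"amount": 6000, "trust": 0.30, "flow": "challenge", "step_up": "oob"},
]
POLICY = Policy(trust_threshold=0.9, blocked_step_ups=frozenset({"otp"}))

if __name__ == "__main__":
    for t in SAMPLE:
        print(t["amount"], route(POLICY, t["trust"], t["flow"], t.get("step_up")))
    print("merchant-held liability (cents):", merchant_exposure(POLICY, SAMPLE))
```

Tracking the merchant-held total alongside conversion shows what a "no step-up" rule costs in retained liability, since every blocked challenge is a low-trust transaction processed without the liability shift.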
Is EMV 3DS faster than 3DS 1.0?
Yes, it is. With 3DS 1.0 there are two authentication cycles every time – because the cardholder is always challenged. This leads to an average transaction time that exceeds several seconds. With EMV 3DS (3DS 2.0) most users won’t need an authentication step, thus requiring one authentication cycle only.
Today, the EMV 3DS transactions we are testing are processing much faster than the old protocol. It’s important to note that the velocity of the transactions also depends on the way the merchant deploys EMV 3DS (3DS 2.0). Merchants can actually hide a significant amount of the latency if they trigger it earlier during the checkout experience.
Overall, there are improvements in the new protocol that make it function faster.
How does EMV 3DS work with recurring transactions (monthly purchases)?
Recurring transactions only need to be authenticated once, at the beginning of the interaction, although this has some exceptions: in regulated markets such as the E.U., the 3DS authentication happens once and is valid for a certain number of transactions, for example, 12. Once it expires, the authentication just needs to take place again and it resets.
With PSD2 and GDPR, why send more data if the issuers are going to challenge the consumer anyway?
In the European Union, the PSD2 mandates that all transactions, except those exempted, require a strong customer authentication (SCA) that includes at least two of the three factors (knowledge, possession, and inherence).
To follow the mandate, those transactions will require customers to authenticate themselves. However, even if the customer passes the authentication steps, issuers are still free to decline a transaction if they suspect there is a risk of fraud – or not enough intelligence. To avoid this scenario, sharing more transaction data with the issuer can help dissipate doubts.
How does EMV 3DS help SCA-exempt transactions within PSD2?
In PSD2 many transactions will be exempt from strong customer authentication (SCA); for example, transactions under €30. However, the issuer can choose to request SCA if there is still not enough information to make an assessment.
When SCA is exempted, merchants can help the issuer’s decision by sharing additional 3DS data with them, as risk is easier to evaluate when all EMV 3DS data is populated. This will help them confirm the validity of a transaction without requiring additional authentication steps.
What happens if the issuer is not EMV 3DS-compliant?
If the issuer doesn’t support EMV 3DS transactions, Mastercard will stand in on the issuer’s behalf for all Mastercard transactions. By doing this, merchants can still benefit from the liability shift at no extra cost to the merchant and without additional disruptions to the user experience.
Do other networks also step in on behalf of non-participating issuers?
Mastercard is currently the only card brand providing the stand-in service for merchants, ensuring all payments made with Mastercard cards can benefit from the enhanced EMV 3DS experience and liability shift.
What is the difference between an out-of-band authentication and a regular authentication?
The difference is in the interface the user authenticates through. In a regular authentication scenario, the user is in the merchant’s environment, whether they need to do an authentication or not.
In an out-of-band scenario, the authentication happens outside of the merchant environment (for example, this happens when a consumer purchasing through a merchant app needs to complete an authentication through their banking app).
I heard 3DS prevents chargebacks, how?
Mastercard card transactions always provide the option of shifting the liability to the issuer whether the issuer is 3DS compliant or not, reducing all chargebacks that could stem from those card transactions.
For non-Mastercard transactions where the liability shift wasn’t an option or for purchases where the merchant decided to process a transaction outside of the 3DS rails, Mastercard has a dispute platform. In this platform, merchants discuss a chargeback, and use the additional transactional intelligence gathered by 3DS to build a better case.