What is changing for you with 3D Secure 2.0

14 January 2021

Business Insight

As part of PSD2 and standardising European payment operations, the 3D Secure 2.0 system will become mandatory for all by April 2021. This will make authentication — which was previously optional or controlled by sellers, PSPs, or banks — obligatory and controlled at an EU level. While 3DS has improved online payment security, its roll-out and impact have worried sellers. What will change with 3D Secure 2.0? How should banks and payment institutions prepare? What changes will marketplace operators face? Find all the answers here.


What is 3DS2?

3D Secure 2.0 is a secure online payment protocol that aims to limit fraud risk and protect banking information by forcing online buyers to go through Strong Customer Authentication (SCA) to complete a transaction.

In September 2019, the European Banking Authority‘s Regulatory Technical Standards (RTS) decided that Strong Customer Authentication must have at least two authentication factors. These factors can be:

  • Knowledge: password, secret question, secret code, etc.
  • Possession: mobile phone number, smart device, smart card, etc.
  • Inherence: digital fingerprint, facial recognition, voice recognition

All new validation and authentication tools are developed by banks rather than by payment service providers. By October 2021, text messages will be replaced as an authentication factor by Digital Key.

The RTS affect all online card payments initiated by the purchaser. However, they do not apply to:

  • Transactions initiated by the seller, including rebills
  • Transactions involving a buyer or seller outside the European Union
  • Distance selling or Mail Order/Telephone Order (MOTO) transactions

Strong Customer Authentication becomes mandatory under the RTS for:

  • All transactions over €2000 from October 2020
  • All transactions over €1000 from 5 January 2021
  • All transactions over €500 from 15 February 2021
  • All transactions from 1 April 2021


A “smarter” protocol makes exemptions possible

With 3D Secure 2.0 designed to make Strong Customer Authentication mandatory for all online payments (except the transactions mentioned above not affected by the RTS), it is “smarter” than the first version as it has rules for authentication exemptions. Exemption requests are possible if:

  • A payment operation is for under €30 (up to 5 transactions or a total of €100)
  • The operation is subject to real-time risk analysis, and the acquiring/issuing bank’s fraud rate is below PSD2 thresholds. An exemption can be requested:
    • If the transaction is under €100 with a fraud rate of below 0.13%
    • If the transaction is under €250 with a fraud rate of below 0.06%
    • If the transaction is under €500 with a fraud rate of below 0.01%

Where a transaction happens on a marketplace, the exemption request, and therefore a 3DS-free purchase, come from Lemonway.

Following an exemption request, the Issuing Bank has the final say and decides if the transaction can go ahead without SCA. This is done using an algorithm it has developed to identify a transaction’s risk level. These are known as frictionless payments.

The Issuing Bank will decide a transaction’s risk level based on a score generated by schemes (CB, Mastercard, Visa, etc.) shared with it, plus a score it calculates itself.

To improve the score generated by schemes, the seller, and therefore Lemonway too, must provide as much information as possible when the transaction happens: payer name, ID, delivery address, info about the equipment used, etc.

Payment stream - 3DSV2

N.B. The full list of information required by schemes and PSPs has not been released. When Lemonway can access these details, our APIs will be updated to ensure better scoring and maximum exemptions.


How will this affect Lemonway and its partners?

Many people have concerns about 3DS2’s gradual roll-out with regard to the user buying journey. Stricter authentication would seem to go hand in hand with an increased risk of users abandoning purchases before validation, and therefore with lower conversion rates on seller sites.

That said, this move to 3D Secure 2.0 is inevitable as it comes from a European directive. It’s important to remember that strong authentication’s main purpose is to make payments more secure. The “smarter” 3DS2 will also provide more exemption options for avoiding SCA.

Lemonway already uses Strong Customer Authentication on all transactions to prevent refusals from Issuing Banks. As soon as PSPs and banks are ready for 3DS-v2 implementation, Lemonway will automatically improve transaction success rates with its intelligent exemption management system.

To increase your rate of frictionless, non-authenticated transactions, we recommend that you provide the optional information we will ask for when updating the API for 3DS-v2 implementation.

As a payment service provider, Lemonway takes a positive view of these new rules as they are helping to improve payment security and the payment experience. Lemonway is aware of the challenges around the 3DS2 roll-out and is already working to support its partners through this transition.

3D-Secure v2 - what are the impacts for your marketplace?