While US merchants have made significant efforts to obtain EMV certifications in recent years, the security provided by smartcard (aka “chip”) transactions is limited to Card-Present (CP) transactions. Merchants looking to implement strong consumer authentication measures via Card-Not-Present (CNP) platforms have historically relied on basic authentication measures. Since last year, merchants have been able to implement EMV 3-D Secure (3DS) 2.0 to provide enhanced security on web-based and mobile app payments.
The Evolving Need for CNP Authentication
In 2015, the Council of the European Union passed a revised directive on Payment Services (PSD2) that introduced requirements to perform strong consumer authentication (SCA). However, the original EMV 3DS 1.0 protocol used to fulfill this SCA requirement provided a clunky experience that could not be leveraged in mobile applications or mobile-based commerce.
EMV 3DS 2.0, the new standard, allows merchants to perform enhanced consumer authentication via means such as biometric verification or one-time SMS passcodes. “Previously, all a fraudster would need to complete a Card-Not-Present transaction is a payment card and zip code,” says Victor Madera, EMV Certification Specialist at W. Capra. “With EMV 3-D Secure pushing a one-time code to a consumer’s device, the fraudster can no longer complete that transaction without also having obtained and unlocked access to the consumer’s device.”
While Visa and MasterCard are currently on version 2.1 of EMV 3DS, both brands will introduce version 2.2 this year, enabling merchants to implement exemption routing.
Does Your Organization Need EMV 3DS 2.0?
For global organizations that transact within the European Union, compliance with the 3DS protocol is required. Other organizations considering implementation should weigh several factors before deciding.
One of the primary considerations is the infrastructural impact on your payment environment. To implement 3DS 2.0, you may need new equipment, or you may need to introduce a new third party to your existing infrastructure.
With the evolution of data privacy regulations, it’s also important to consider the impact that EMV 3DS may have on your privacy program. Because 3DS requires collection of data elements such as Device ID or geolocation, merchants who do not collect this information on consumers today may want to consider whether or how to collect and store this data.
The most essential factor, however, is cost. While EMV 3DS 2.0 will certainly benefit your bottom line by reducing false declines and increasing authorizations, there will also be increased processing costs on transactions. Visa and MasterCard are expected to introduce lower interchange rates, beginning in April 2022, for transactions that leverage the EMV 3DS 2.0 protocol. Clint Cady, Partner at W. Capra, advises, “Every merchant considering an EMV 3DS 2.0 implementation should conduct an exercise to weigh projected savings against increased transaction costs. If you’re paying significantly more money on each transaction, the costs may outweigh inherent benefits.”
For Those Who Choose to Implement EMV 3DS 2.0
As with any payment implementation, it will be imperative to consider potential pitfalls and best practices to ensure that your 3DS solution is optimized for your payment mix and the customer experience that you wish to provide. For best results, technical knowledge of the whole payment ecosystem should complement a comprehensive understanding of the vendor landscape. Looking at your cost of acceptance, transaction routing, and fraud prevention measures together can help you achieve an optimized, security-forward payment mix.