Who keeps our credit cards secure, and what is 3D secure?

In 1620, the scientific manifesto "New Organon" was published. Its author, Francis Bacon, was immortalized thanks to the phrase that sounded in the treatise "Knowledge is power".

After 4 centuries, a lot has changed, and the phrase remains relevant to this day. However, Bacon certainly did not make online purchases and did not worry about the safety of funds in a bank account, otherwise, he could have added the phrase: Knowledge is power, and knowing that your transactions are secure means having healthy nerves and good sleep!

Purchase history has come a long way from the in-kind exchange to electronic money.

Is it more convenient? For most, yes. I believe that there are still people who prefer cash, however, these are becoming less and less. And if my grandfather in his 80s pays by card, then you can.

But has it become calmer? Doubtful.

The triumvirate of international payment systems (MasterCard, American Express, and Visa) dominates the electronic payments market. Giants have not only enormous power (they set many rules) but also responsibility.

The latter obliges to introduce security protocols.

Why do we receive an SMS with a code when confirming payment by card?

All is for the sake of transaction security improvement.

The above procedure refers to as two-factor user authentication. But it was not always so.

Consider how security protocols have evolved.

Before the 3D-secure era:

Previously, the payment was made in 3 steps:

1. The client enters the card details on the merchant's website.
2. The seller sends a request to the acquiring bank to debit funds to his merchant account.
3. The acquiring bank verifies the payment details and initiates the debiting of funds from the cardholder's account to the merchant's account.

The card issuer is not involved in the process. When the card is stolen, and its owner does not block it, fraudsters can use the card without the knowledge of the rightful owner.

Era of 3D-secure (version 3D Secure 1.0)

More than a decade ago, Visa, Mastercard, and American Express introduced a card data protection protocol. This protocol is used to authenticate a bank card holder when paying via the Internet. The world knows this protocol is called "3-D Secure".

What has changed?

The issuer became involved in the transaction process, the number of steps that must be taken for a successful transaction increased. Let us consider in more detail:

1. The cardholder enters the data on the merchant's website.
2. The seller requests 3D card authorization from the acquiring bank.
3. The acquiring bank via API (MasterCard, American Express, and Visa) determines whether 3D Secure payment is possible. If possible, the acquiring bank will send the merchant a link to the 3D authorization center of the card issuer.
4. The seller sends the cardholder via the link.
5. As soon as the cardholder follows the link, the issuing bank (most often) sends an SMS with a digital code.
6. The cardholder enters the code on the site of the autorotation center.
7. After checking the code, the authorization center sends an authorization code to the seller.
8. The seller carries out debiting from the card and signs the transaction with an authorization code.
9. The acquiring bank debits funds from the cardholder's account to the merchant's account.

But time does not stand still, and 3D-secure has a new version - 3DS 2.0.

3D Secure 2 (3DS2) is a new authentication protocol for online card payments. 3DS2 is designed to enhance 3D Secure 1 (3DS1) by providing a smoother and more integrated user experience.

What exactly has changed?

• 3DS 2.0 allows merchants (merchants) to get more data when interacting with issuing banks and payment gateways than previously.
• The protocol offers many benefits, especially in terms of mobile payments, and improves the usability of mobile devices.
• Dynamic passwords and biometrics began to be used for authentication.
• 3-D Secure 2.0 processes the data of cardholders during transactions, transferring them to the issuing bank.
• The issuing bank assesses the risk of a transaction based on an analysis of more than 150 parameters.

What happens “on the other side of the screen”?

1. The cardholder enters the data on the merchant's website.
2. The seller requests 3D card authorization from the acquiring bank. The acquiring bank via API (MasterCard, American Express, and Visa) determines whether 3D Secure 2 payment is possible. If not possible, it operates according to the 3DS 1.0 scenario.
3. If possible, the acquiring bank transfers the data to the issuing bank, which determines the riskiness of the operation.
4. Further 3 scenarios are possible:

• payments rated as low risk will not require additional verification;
• if the payment is classified as highly risky during the assessment, additional verification will be required;
• a payment assessed as potential fraud will be canceled;

5. Depending on item 4, the merchant either goes to item 6 or is similar to 3DS 1.0. the transaction is verified

     6. The authorization center sends an authorization code to the seller.

     7. The seller conducts debiting from the card and signs the transaction with an authorization code.

     8. The acquiring bank debits funds from the cardholder's account to the merchant's account.

Changes in user behavior, which, among other things, were affected by the pandemic, dictate new rules. Against the background of the global transition to payment from mobile devices and the increase in the number of payments in the world, simplification of the purchase process without losses in the context of security make 3-D Secure 2.0 a must.

In the future, we can expect new protocols that will adapt to new realities (focus on convenience and security at the same time), but for now, we are happy with innovations that help to feel calm.