Secure payment for online credit card and debit card transactions must move with the times. As mobile devices have become highly popular around the world, cyber criminals are becoming more knowledgeable and therefore more dangerous. New methods of card and user authentication have become mandatory in order to stay protected. The development of version 2.0 of the 3-D Secure protocol for online payment authentication has been catalysed by these changes, as well as the need to improve the user experience associated with 3-D Secure.

What is 3D Secure 2?

3-D Secure 2 will support the transmission of rich data during transactions, making risk-based decisions possible on whether to authenticate or not. The consumer experience will also be simplified and enhanced by eliminating the initial enrolment process and removing the need for cardholders to remember static passwords. Non-payment authentication and native mobile support are also included in this version of the protocol.


The Three Domains of Online Payment

The first version of 3-D Secure was designed to increase consumer confidence towards online payments, thus fostering the growth of e-commerce. This standard for payment authentication is marketed as Mastercard SecureCode, Verified by Visa, and American Express SafeKey, among others. 3-D refers to the three domains or entities involved in a secure payment: the issuer domain (the bank issuing the card); the acquirer domain (the bank of the merchant to which payment is to be made); and the interoperability domain provided by the credit card organisation supporting the 3-D Secure protocol.

Interoperability for Handling Transactions

By definition, the interoperability domain includes the internet and interfaces to the ACS (Access Control Server), MPI (Merchant Plug-in), or any other software provider. The MPI is a software module that connects the merchant’s servers to the servers of the card scheme, such as Visa or Mastercard. The ACS is controlled by the card issuer; it verifies whether 3-D Secure authentication is available for a particular card number and manages authentication of the cardholder for a specific transaction. These backend elements will be used for 3-D Secure 2.0 implementations as well.


Pros and Cons of 3-D Secure Version 1

3-D Secure version 1 lets cardholders authenticate themselves to the bank that issued their card. With this approach, fraud responsibility also shifts away from the merchant and towards the card issuer, reducing chargebacks to the merchant. Cardholders must first sign up with their bank and activate the 3-D Secure service. At the time of use, the system displays a pop-up window or inline frame in which the user enters a password so that the user’s bank can authenticate them. However, the cardholder has no means of authenticating the entity that generated the pop-up window, so a genuine issuer prompt is hard to tell apart from a spoofed one. The inability to handle frames or pop-ups in mobile browsers has also been problematic for 3-D Secure version 1.

Differences in 3-D Secure Version 2.0

While version 1 will continue to be available and viable, 3-D Secure 2.0 will use token-based and biometric authentication instead of static passwords. By supporting additional data during transactions, risk-based decisions will be possible on whether to authenticate or not. The consumer experience will also be simplified and enhanced by eliminating the initial sign-up process and removing the need for cardholders to use static passwords. Merchants will also see fewer transaction abandonments by customers as a result. EMVCo, jointly owned by American Express, Discover, JCB, Mastercard, UnionPay, and Visa, is responsible for the EMV 3DS 2.0 specification and the certification program that accompanies it.


Meeting New Payment Method Requirements

The support of non-browser-based “card not present” payments in 3-D Secure 2.0 will mean that in-app, mobile, and digital wallet payment methods will now be possible. 3-D Secure version 1 was not able to support these, as it was only designed for cardholder authentication in online sales transactions driven by standard web browsers. Additionally, 3-D Secure 2.0 will offer the following enhancements compared to the original 3-D Secure:

  • Improved messaging with supplementary information for better decisions on authentication
  • Non-payment user authentication
  • Non-standard extensions to meet specific regulations and requirements, including proprietary out-of-band authentication solutions, used by card issuers
  • Better performance for end-to-end message processing
  • Improved datasets for risk-based authentication
  • Prevention of unauthenticated payment, even if a cardholder’s card number is stolen or cloned



Overall, 3-D Secure 2.0 takes into account additional payment channels that are rapidly increasing in popularity. Compared to 3-D Secure version 1, 3-D Secure 2.0 improves authentication options, allowing merchants to move closer to frictionless checkout experiences for their customers through intelligent risk-based decisions, as well as enhanced security, performance, and flexibility for both application-driven and browser-driven payments.

GPayments Support for 3DS 2.0

We have been working on our 3DS2 application suite (ActiveAccess ACS, ActiveServer 3DS Server and ActiveSDK Mobile SDK) since the introduction of the protocol by EMVCo last year, closely following the evolution and revisions of the EMV® 3-D Secure – Protocol and Core Functions Specification, EMV® 3-D Secure – SDK Specification, and other 3DS2 related specifications.

Release dates for GPayments' 3DS2 application suite components are subject to factors such as the date of finalisation of the core specification document and the availability of EMVCo's 3DS2 testing and certification facilities.