For most of the countries within the European Economic Area (EEA), the enforcement date for PSD2 and Strong Customer Authentication is right behind the corner. There has been a lot of talking during the past two years about PSD2 enforcement, 3D Secure 2 and its impact on the payment industry.

As a solution, the new authentication protocol 3D Secure 2 has been brought up with numerous new features and authentication possibilities depending on the protocol version (2.1 and 2.2). There are  big differences between the two versions as the 2.1 does not support important features such as PSD2 acquirer exemptions but only allows issuers to apply exemptions such as Transaction Risk Analysis and Low Value Payments on their side. Mastercard has brought up to the market a version called 2.1+ allowing with a message extension merchants to request exemptions via their payment service providers.

As 3D Secure 2 adoption is slowly increasing among issuers (around 87% in August 2020 according to Visa) and is expected to be close to completion by now, EMV 3DS volumes are slowly growing and performance is improving with issuers challenging less and fewer transactions month after month ( around 80% of transactions are currently risk-based authenticated by issuers). This significantly improves the consumer check out experience as the old 3DS1 protocol is challenging every single transaction which requires an action from the cardholder to authenticate.

What is a 3DS server and why is it important for Payment Service Providers and PSD2 exemptions?

But from the other side of the flow, what is the current situation with 3DS Servers and Payment Service Providers readiness? In order to offer 3DS 2.2, 3DS servers are required to be certified by EMVco as a preliminary step in order to be ready to bring go-to-market solutions.

According to EMVco definition, 3DS Server provides the functional interface between the 3DS Requestor Environment flows and the DS. The 3DS Server is responsible for collecting necessary data elements for 3-D Secure messages, authenticating the Directory Server, validating the Directory Server, the 3DS SDK, and the 3DS Requestor, and ensuring that message contents are protected.

Basically, when merchants send authentication requests to their Payment service providers, the next step is to reach a 3DS Server which, through the Directory Server offered by card schemes such as Visa or Mastercard, will reach the Access Control Server (Issuer environment) in order to authenticate the cardholder. The Issuer through its ACS will decide on a frictionless or a challenge authentication flow. The authorization messages and settlement request will then follow up.

Merchants can also directly integrate with a 3DS Server and handle the authentication flow messages directly on his side. Many payment service providers have developed their own 3DS Servers/ MPIs ( i.e. Adyen, Stripe, Worldline, etc.) but it can be common that the authentication is handled by a solution which is not developed in-house. It is clear that this component plays a key role within the authentication flow and having a component which is able to handle 3DS 2.2 authentications has enormous importance as this will allow merchants to request acquirer exemptions ( Transaction Risk Analysis, Low Value Payments) and additional features such as 3RI or Delegated Authentication.

At Payment- Universe, we have extensive 3DS experience and we can support you with 3D Secure 2 implementations. Contact us now to schedule a call.

You can check below the table with the full list of current Approved EMV 3DS Products by EMVCo ( updated on 29th of September 2020) or you can go directly to the EMVCo page about it. Please keep in mind that being approved does not necessarily mean being live and ready for production. This would need to be checked with your payment service provider or 3DS Server directly.