3D Secure v2 Overview

The updated 3DS2 scheme relies on you providing more information up front about your customer. This extra detail is used by the Card Issuer to manage risk, and leads to two possible outcomes:

  1. Frictionless Flow
  2. Challenge Flow

Frictionless Flow

One of the key goals of the new 3D Secure v2 standard is to reduce the need to slow down transaction processing. By providing enough data up front, you can enhance the risk management of a given transaction. This may allow it to proceed to Authorisation without any interaction with the cardholder and therefore be “Frictionless”.

The diagram below shows the basic flow and the various messages all parties exchange.

Frictionless Flow

About our diagrams

While the Card Issuer and Acquirer are involved, they are represented by the Access Control Server (ACS) and Directory Server (DS) as above. For the most part, messaging between these Servers is ignored in our detailed diagrams as that messaging is not in your scope. It forms part of the approved and certified solution you are using.

Challenge Flow

There will be occasions where the data has been assessed by the issuer and a decision is made to challenge the consumer to authenticate. This decision can be taken for several reasons and does not necessarily mean that the transaction is in some way suspicious.

The diagram below shows the basic flow and the various messages all parties exchange

Challenge Flow

You will see the first part of this flow is the same as Frictionless. The AuthenticationResponse will indicate to you if your need to complete a challenge.

You are encouraged to supply as much information about a given transaction as you can, to try to reduce the need for the Challenge Flow. To enable that, a large number of Optional fields are provided in the new 3DS2 specification.

The next section shows you the detail needed behind each of these flows, but in all cases it is assumed you are using a web Browser to process the Ecommerce transaction. There are additional requirements should you wish to use a Mobile SDK to initiate payment. Please contact us if you need to discuss this approach.