EMV 3-D Secure Protocol and Core Functions Specification– General Questions
  1. What is 3-D Secure (3DS)?
  2. What role does 3DS play within the payments community?
  3. 3DS is already used by the market. Why has a new specification been created?
  4. What does the EMV 3DS 2.0 Specification offer the marketplace?
  5. What are the benefits of the EMV 3DS 2.0 Specification to each of the ecosystem stakeholders?
  6. Is the specification available to all parties without charge?
  7. Is the EMV 3DS 2.0 Specification being used now? If yes, by whom?
  8. How will the specification be adopted by payment stakeholders?
  9. Will there be a testing framework for EMV 3DS 2.0 Specification compatible solutions?
  10. What is the EMV 3DS Software Development Kit (SDK) Specification (EMV 3DS SDK Specification)?
  11. How does EMV 3DS SDK Specification differ from the EMV 3DS 2.0 Specification?
  12. When is the EMV 3DS SDK Specification available?
  13. Does the release of EMV 3DS 2.0 Specification have an impact on other areas of EMVCo activity / work?
  14. Who has provided input into the EMV 3DS 2.0 Specification and how will it be managed long-term?
  15. How can I get involved?
  16. Why was EMVCo selected to advance and manage this new industry specification?
  1. What is 3-D Secure (3DS)?

    Three-Domain Secure (3DS) is a messaging protocol to enable consumers to authenticate themselves with their card issuer when making card-not-present (CNP) e-commerce purchases. The additional security layer helps prevent unauthorised CNP transactions and protects the merchant from CNP exposure to fraud.

    The three domains consist of the merchant / acquirer domain, issuer domain, and the interoperability domain (e.g. payment systems).

  2. What role does 3DS play within the payments community?

    The purpose of the 3DS protocol is to facilitate the exchange of data between stakeholders – the merchant, cardholder and card issuer. The objective is to benefit each of these parties by providing the ability to authenticate cardholders during a CNP e-commerce purchase, reducing the likelihood of fraudulent usage of payment cards.

  3. 3DS is already used by the market. Why has a new specification been created?

    To reflect current and future market requirements, the payments industry recognised the need to create a new specification that would support app-based authentication and integration with digital wallets, as well as traditional browser-based e-commerce transactions. This led to the development of a new industry specification – EMV® 3-D Secure – Protocol and Core Functions Specification v2.0.0 (EMV 3DS 2.0 Specification) – that takes into account these new payment channels and supports the delivery of industry leading security, performance and user experience.

  4. What does the EMV 3DS 2.0 Specification offer the marketplace?

    The new specification:

    • Supports specific app-based purchases on mobile and other consumer devices.
    • Improves the consumer experience by enabling intelligent risk-based decisioning that encourages frictionless consumer authentication.
    • Delivers industry leading security features.
    • Specifies use of multiple options for step-up authentication, including one-time passcodes, as well as biometrics via out-of-band authentication.
    • Enhances functionality that enables merchants to integrate the authentication process into their checkout experiences, for both app and browser-based implementations.
    • Offers performance improvements for end-to-end message processing.
    • Adds a non-payment message category to provide cardholder verification details to support various non-payment activities, such as adding a payment card to a digital wallet.

  5. What are the benefits of the EMV 3DS 2.0 Specification to each of the ecosystem stakeholders?

    Solutions developed on the EMV 3DS 2.0 Specification can bring many benefits to the marketplace as they will reflect the payment community’s objective to secure consumer e-commerce transactions while optimising the cardholder’s experience.

    • Merchants will be able to implement a consistent approach across multiple platforms and digital media when confirming the authenticity of a transaction. EMV 3DS 2.0-based solutions can achieve this during the purchasing process, minimising the risk of potential checkout abandonment.
    • Issuers will be able to improve frictionless authentication due to richer data exchanges. By supporting new devices / channels, solutions compatible to the EMV 3DS 2.0 Specification will encourage cardholders to make purchases using their preferred medium without compromising on security.
    • Consumers seek increased convenience and security during e-commerce payments, and solutions based on the EMV 3DS 2.0 Specification will offer these benefits, adding efficiency with minimal to no impact on the applications and payment flows that consumers are using and experiencing today.

  6. Is the specification available to all parties without charge?

    Yes. Like other EMV Specifications, the final EMV 3DS 2.0 Specification is available on a royalty-free basis for anyone to download from the EMVCo website. EMVCo has an established framework for delivering payment-related specifications through open and transparent processes in consultation with industry stakeholders.

  7. Is the EMV 3DS 2.0 Specification being used now? If yes, by whom?

    No. Since the EMV 3DS 2.0 Specification has only just been published in October 2016, it will take time for developers to create solutions based on the new specification and for the solutions to become available in the marketplace.

  8. How will the specification be adopted by payment stakeholders?

    EMVCo provides a ‘tool box’ of specifications that facilitate the worldwide interoperability and acceptance of secure payment transactions by managing and evolving the EMV Specifications and related testing processes. Adoption of EMV Specifications and associated approval and certification processes promotes a unified international payments framework that supports an advancing range of payment methods, technologies, and acceptance environments. The specifications are designed to be flexible and can be adapted regionally to meet national payment requirements and accommodate local regulations. EMVCo does not mandate the use of its specifications and industry stakeholders are free to choose from any or all of the related EMV Specifications to address their customer and market needs.

    Accordingly, EMVCo expects the EMV 3DS 2.0 Specification will be used primarily by parties who wish to develop and implement EMV 3DS 2.0 compliant products and services.

  9. Will there be a testing framework for EMV 3DS 2.0 Specification compatible solutions?

    Yes. EMVCo is working to support the functional testing of EMV 3DS 2.0 solutions to confirm that they are compliant to the EMV 3DS 2.0 Specification.

    Additionally, the PCI Security Standards Council will use the functional specification created by EMVCo, to deliver data security requirements, testing procedures, assessor training and reporting templates to address the environmental security. These related documents will be released in 2017. Learn more about this collaboration.

  10. What is the EMV 3DS Software Development Kit (SDK) Specification (EMV 3DS SDK Specification)?

    The EMV 3DS SDK Specification details all the SDK information and requirements for 3DS app-based solutions. This technical document is intended to be utilised by parties interested in gaining a deeper understanding around the EMV 3DS 2.0 Specification and its functions. In addition to the EMV 3DS SDK Specification, EMVCo has also developed a specification that focuses on device information and an SDK technical guide. Collectively, these documents provide practical insight on how to create an EMV 3DS SDK and how this can be integrated into an EMV-compliant 3DS 2.0 requestor app.

  11. How does EMV 3DS SDK Specification differ from the EMV 3DS 2.0 Specification?

    The EMV 3DS 2.0 Specification provides the requirements for all the EMV 3DS 2.0 components, such as 3DS requestor, 3DS SDK, 3DS server, directory server and access control server, detailing all the flows and data elements. In contrast, the EMV 3DS SDK Specification focuses exclusively on the SDK and provides in-depth documentation on the specific role it plays in the 3DS 2.0 flows and exact requirements.

  12. When is the EMV 3DS SDK Specification available?

    The EMV 3DS SDK Specification is scheduled for release before January 2017.

  13. Does the release of EMV 3DS 2.0 Specification have an impact on other areas of EMVCo activity / work?

    The EMVCo 3DS 2.0 Task Force works in close alignment with the technical body’s tokenisation, mobile payments and security initiatives. The collective goal is to advance the global interoperability of digital and e-commerce payments, while supporting cardholder authentication and enhancing transaction security.

  14. Who has provided input into the EMV 3DS 2.0 Specification and how will it be managed long-term?

    EMVCo engages with several industry bodies, alliances and community stakeholders to receive feedback on its specifications and ensure they evolve in line with industry requirements.

    As part of EMVCo’s work to create the EMV 3DS 2.0 Specification, the body commissioned user testing in multiple countries to better understand mechanisms users preferred. External reviews of the draft specification were also completed, including usability studies, academic analyses, and detailed review of the security design. This is in addition to extensive input and guidance from EMVCo Business & Technical Associates.

  15. How can I get involved?

    EMVCo has an established Associates Programme that is open to all industry stakeholders. EMVCo engages with its Associates to collect industry input to develop and refine its specifications. This serves to solidify EMVCo’s understanding of industry requirements to support global interoperability, security and cardholder authentication. EMVCo will be seeking input from its Associates, at both a technical and business level, on an ongoing basis to ensure current and future global requirements are addressed.

    EMVCo welcomes new participants who are interested in contributing to the EMV 3DS 2.0 Specification effort to join its Associates Programme. Learn more.

  16. Why was EMVCo selected to advance and manage this new industry specification?

    EMVCo members recognised value in advancing the new EMV 3DS 2.0 Specification to authenticate cardholders through its specification setting process. Adopting this open specification approach encourages cooperation within the payments community to establish a more universally accepted 3DS specification. EMVCo has the strategic breadth, industry knowledge and technical depth to develop a universally interoperable specification that will support card-not-present authentication.

    In addition to EMVCo’s expertise, the global technical body has a governance framework that enables collaboration within the payments community, and a well-established track record of technical specification delivery. EMVCo receives significant input from its Business and Technical Associates, which consist of industry participants including issuers, acquirers, payment networks, merchants, manufacturers, technology providers and testing laboratories from numerous countries. EMVCo is dedicated to developing universally accessible and objective specifications as the risk landscape continues to evolve. EMVCo makes its specifications available on a royalty-free basis to all industry participants and to the public.

  17. Please note: Visa maintains sole ownership and management of the 3DS 1.0 Specifications. EMVCo has created, owns and manages the EMV 3DS 2.0 Specification and related industry materials.