EMVCo has updated the EMV® 3-D Secure (EMV 3DS) Specifications to support more secure and convenient e-commerce authentication. In this post, EMVCo EMV 3DS Working Group Chair Elint Chu answers key questions about EMV 3DS v2.3.
What was included in the publication of EMV 3DS v2.3?
EMVCo has updated the EMV 3-D Secure (EMV 3DS) Specifications from version 2.2 to version 2.3. The specifications include the Protocol and Core Functions Specification v2.3.0, SDK Specification v2.3.0, and Split-SDK Specification with Browser SDK Annex.
EMVCo has also published a number of documents to support implementation of the EMV 3DS Specifications, including EMV 3DS Secure Browser Best Practices. The EMV 3DS Testing Programme is also being updated to align with EMV 3DS v2.3 and are expected to be available in the second half of 2022.
All EMV 3DS Specifications and supporting documents are publicly available on the EMVCo website.
See related post: What is EMV 3-D Secure?
What was the process for updating the EMV 3DS Specifications?
EMVCo reviews and evaluates EMV Specifications on a regular cycle to determine updates required to enhance and evolve specifications in line with advancements in payments technology and industry needs.
Payments industry stakeholders actively participate in this process through the EMVCo Associates Programme. EMVCo Associates reviewed and provided input on the proposed changes to EMV 3DS v2.3 via business and technical Special Interest Meetings (SIMs) and a Request for Comments. The final draft specification was then approved to be published by EMVCo’s Board of Advisors.
What are the key updates introduced in EMV 3DS v2.3?
EMV 3DS v2.3 introduces enhancements to increase flexibility for optimising EMV 3DS implementation across multiple channels and devices, help issuers identify fraudulent transactions more quickly and accurately, and streamline the authentication process for consumers to improve the overall payment experience.
Does EMV 3DS v2.3 address friction in the authentication process?
Yes. EMV 3DS v2.3 further enhances the exchange of data between merchants and issuers, so that issuers can better evaluate the transaction associated risks and the consumer performing it. The information can be used to determine the level of authentication required, without adding unnecessary friction to the payment process.
This should translate into higher transaction approval rates without a step-up challenge and means that for most transactions, the consumer clicks or taps online, and the payment is approved.
For those transactions that issuers determine higher risk, such as those made from a new device, transactions made for an unusually large amount, or unexpected transaction types, EMV 3DS v2.3 also includes enhancements that simplify the challenge process for consumers to confirm the transaction, minimising friction for all parties involved.
What are some of the specific updates in EMV 3DS v2.3 that support a better payment experience for consumers?
EMV 3DS v2.3 introduces a number of updates that can help to optimise the checkout experience for consumers. These include enhancements to the user interface (UI) to provide issuers and merchants with additional options for streamlining how information is presented and communicated to consumers to guide them through the authentication process easily and efficiently.
The addition of automated out-of-band (OOB) transitions provides a simpler, easier-to-use way for consumers to confirm a transaction when an authentication method through a separate channel is required. While this is typically a manual process for consumers involving multiple steps– for example, a push notification is sent to their mobile banking app, they leave a merchant app to then log in separately to the banking app to review and confirm the transaction as legitimate – this new enhancement automates the transition between the merchant app and the banking app when OOB authentication is needed, simplifying and speeding checkout for consumers.
EMV 3DS v2.3 also adds support for device binding. Similar to the trusted listing enhancement, where consumers can designate their ‘trusted’ digital merchants and skip additional authentication during subsequent visits for a more frictionless payment experience, with device binding consumers can specify that they would like to be remembered on their devices, meaning quicker authentication for future purchases.
What additional data elements does EMV 3DS v2.3 provide to improve decision-making for issuers?
More data about transactions, payment methods and devices – including recurring transactions and EMV Payment Token data – is included in version v2.3, meaning issuers have more information to better identify transactions, which can result in quicker, easier authentication for consumers.
How does recurring transaction data specifically improve the authentication process?
Recurring transactions refer to scenarios where a consumer is asked to approve a recurring payment such as a monthly subscription or fee for ongoing services. Support for recurring transaction data in EMV 3DS enables issuers, merchants, and consumers to have better visibility into the payment details so that it can be more accurately identified and approved and simplifies consumer authentication for recurring charges.
Previous versions of EMV 3DS include support for recurring transaction data. Based on industry feedback, version 2.3 expands on this with additional data elements that enable issuers to clearly and simply display more information to consumers for a broader range of payment scenarios. These include a fixed amount from the first recurring payment, as well as scenarios where a there is a free-trial for the first month and a fixed amount subscription fee for the rest of recurring payment, and where a variable amount and/or variable frequency based on usage is charged.
What are some of the key ways that EMV 3DS v2.3 increases flexibility for organisations to optimise EMV 3DS implementation across channels and devices?
EMV 3DS v2.3 provides more implementation flexibility for a broader range of use cases. In addition to the previously mentioned expanded support for recurring payment authentication, version 2.3 also provides added support for OS/platform providers and a new Split-SDK Specification with multiple variants that makes it easier to implement EMV 3DS across both traditional and non-traditional e-commerce payment channels and devices, such as smart speakers and other IoT devices. These enhancements are testament to extensive engagement EMVCo has received from the merchant, travel and video gaming industries.
Additional industry-specific use cases are supported with the EMV 3DS Travel Industry Message Extension that provides supplemental guidance on how travel specific data elements can be used to improve e-commerce payment authentication for travel purchases. It was developed with key travel industry players and is specifically designed to meet the needs of the travel industry to help reduce transaction fraud. It is independent of the protocol version and can be used with EMV 3DS v2.1, v2.2 and v2.3.
How does EMV 3DS v2.3 enhance security and fraud prevention?
EMV 3DS v2.3 builds on earlier versions of the specification to better help issuers prevent unauthorised use of credit and debit cards online, which can reduce the risk of CNP fraud and protect merchants from exposure to fraud-related chargebacks. Ultimately, this can provide a better, safer checkout experience for consumers.
EMV 3DS is designed to support many authentication methods to provide flexibility to issuers to accommodate their authentication preferences, and using risk and regulatory factors, to decide how the customer will be authenticated. As with previous versions, it is worth noting that EMV v2.3 can be leveraged to comply with the European Union’s Second Payment Services Directive (PSD2) Strong Customer Authentication (SCA) regulation by enabling the use of two-factor authentication. Additionally for version 2.3, EMVCo has collaborated with the World Wide Web Consortium (W3C) and the FIDO Alliance to include support for WebAuthn (Web Authentication) and SPC (Secure Payment Confirmation) that issuers and merchants can use within the EMV 3DS flow to better determine the legitimacy of a transaction in order to reduce the risk of fraud.
EMVCo has also published new browser best practices to help merchants and issuers better leverage the security features of EMV 3DS so that all parties are protected during the transaction process, and consumers can expect a consistent and smooth checkout. Specifically, the EMV 3DS Secure Browser Best Practices support the iframe security requirements in EMV 3DS v2.3 and address how content is embedded or framed on the webpage when a consumer is completing authentication. The best practices were developed based on the results of a security analysis conducted with web security experts, multiple usability studies and feedback from EMVCo Associates.
How will EMV 3DS v2.3 benefit the payments industry overall?
EMV 3DS v2.3 improves fraud fighting capabilities for issuers, acquirers and merchants across e-commerce channels and devices, while optimising the user experience for consumers. This will support the delivery of smoother, safer checkout experiences for existing and new digital payment scenarios.
by Oliver Manahan
by Arman Aygen