EMV 3-D Secure 2.3 – 3 highlights for cardholders

Tuesday 2 November 2021 04:14 CET | Editor: Simona Negru | Voice of the industry

The EMV 3-D Secure 2.3 protocol, released in October, has prompted a lot of speculation about how ecommerce payments could change with its implementation. Tanja Steinhoff and Francesca Pala, Product Managers at Netcetera for secure digital payments, share three highlights that impact cardholders.

The release of the EMV 3-D Secure 2.3 protocol has set the payment world abuzz. But what does this mean for issuers, merchants, and payment providers who want to implement it? With the enhancements introduced, EMVCo aims to further improve the 3DS experience for cardholders, regardless of channel and device, when making a card-not-present (CNP) transaction.

1) SPC – Secure Payment Confirmation allows for FIDO authentication method

FIDO (Fast Identity Online) is a convenient and fast authentication method across websites and apps. It was born from the FIDO Alliance and has become a globally accepted authentication method.

The major benefit for cardholders is the option to authenticate with security keys, facial recognition, their voice or fingerprint rather than using static or dynamic passwords. With EMV 3-D Secure 2.3, FIDO authentication is enabled within the 3DS browser flow, which means that cardholders can authenticate much faster and with less friction, while benefiting from a very high security standard.

The integration of the FIDO authentication method into the 3DS flow makes it easier for merchants to offer it to users, so more cardholders can benefit from the improvement.

FIDO can be applied after successfully registering the cardholder and the device at a merchant page. This process can easily be embedded during checkout or account registration. Within the 3DS authentication flow, either the merchant or issuer can invoke the FIDO authentication method. The issuer provides the pre-established FIDO credentials.

2) Several concrete UI improvements

While entering the challenge data (e.g. a one-time password), the cardholder can now choose between masked entry and having the password shown as it is typed into the field. A toggle in the Challenge Data Entry box allows a convenient switch between the two.

Challenge Data Entry auto-fill provides the option to copy the received or saved code or password in the Challenge Data Entry so that the cardholder doesn't need to enter it. 

A second text entry field can be shown to the cardholder if a subsequent challenge is needed. With the secondary field, the cardholder can directly enter both challenges and would not need to perform them separately.

A further app channel improvement was introduced by including a redirect to the authentication app. The EMVCo protocol supports traditional browser-based ecommerce transactions, but also app-based authentication and integration with digital wallets. Previous protocol versions already enabled an improved UI of the challenge screens specifically for app channel requirements. Additionally, with EMV 3-D Secure 2.2, the automated redirect from the authentication app to the merchant app was established to facilitate the navigation for cardholders between the merchant app and authentication app. EMV 3-D Secure 2.3 made the navigation from merchant app to authentication app even easier: on the challenge screen a button can be displayed to the cardholders, which would bring them to their authentication app. If supported by all parties, cardholders simply click a button to be redirected to their authentication app and then are automatically directed back to the merchant app, as seen in the diagram. 

Extract from EMV 3-D Secure 2.3 protocol, page 102

3) Cardholders can be remembered on their device via Device Binding

EMV 3-D Secure 2.3 enables cardholders, during the authentication process, to link their device to the cardholder account and/or cardholder. On the challenge screen, cardholders can be asked to be remembered on the device used for the transaction. Future transactions could then be exempted from authentication when initiated from that device and account. Within the 3DS flow, cardholders were already able to add merchants to their list of trusted merchants; future transactions from that merchant can thereby be processed frictionlessly. With the introduction of device binding, cardholders are provided with a second use case in which they can steer the frictionless flow.

There are many advantages packed into the new protocol, and here we have only explored three. Overall, the future looks promising and full of new options for 3DS authentication enabled through EMV 3-D Secure 2.3. 

EMV is a registered trademark in the US and other countries, and an unregistered trademark elsewhere. The EMV trademark is owned by EMVCo, LLC.

About Tanja Steinhoff

As a subject matter expert in the areas of EMV 3-D Secure, PSD2 Exemption Handling, and Access Control Server Operations at Netcetera, Tanja is responsible for the design, implementation, and rollout of the PSD2 functionality of Netcetera’s ACS based on the current and future 3-D Secure protocol versions.



About Francesca Pala

After several years of working in ecommerce, Francesca is managing secure digital payment products for Netcetera and is working on the development of their 3D-Secure server. She is particularly interested in the impact that payment innovations have on online commerce and how to confront new challenges in required payment flexibility.


About Netcetera

Netcetera is a global software company with cutting-edge IT products and individual digital solutions in the areas of secure digital payment, financial technologies, media, transport, healthcare, and insurance. More than 2,000 banks and issuers, and 150,000 merchants rely on their digital payment solutions and globally certified 3-D Secure products. Founded in 1996, Netcetera is a holding company and is headquartered in Zurich, Switzerland. Further information: netcetera.com



Keywords: 3-D Secure, FIDO, online authentication, ecommerce, online security, EMVCo
Categories: Securing Transactions | Digital Identity, Security & Online Fraud
Countries: World