After four years of great anticipation, EMVCo released the new 3-D Secure specification -- EMV 3DS 2.3 at the end of September 2021. Multiple financial institutions and merchants have raised some common questions, such as, "What are the differences between the updated version and the old one, and will it bring more benefits?" The answer to this is definitively a "Yes".
Over the past few years, the credit card market has increasingly adapted to 3-D Secure authentication. Even though EMVCo introduced frictionless authentication from the previous version, EMV 3DS 2.1 released in 2016, a large number of issuers still see challenge authentication () as the only method. The high dependence on challenge authentication not only compromises customers' shopping experiences, but also indirectly increases the likelihood of failed transactions.
EMVCo and international card schemes are making efforts to increase frictionless transactions and reduce the transaction failure rate. Many updates in EMV 3DS 2.3 are designed to achieve this goal. This is a benefit not only to the issuers, but to the merchants and acquirers as well.
SPC authentication is introduced in the new version EMV 3DS 2.3 to enhance the security of transaction and improve the user experience by preventing OTP and page redirect errors. In addition, the common problems encountered in previous versions have been rectified, such as automatic OOB redirection.
SPC (Secure Payment Confirmation) is a new authentication method in EMV 3DS v2.3, and officially integrates FIDO into authentication flow, effectively replacing traditional OTP with biometric identification. Since FIDO can also be applied to other banking services (e.g., mobile banking logins), EMVCo's inclusion of FIDO allows issuers to provide a more consistent authentication method and shopping experience for their consumers.
Products with a complete SDK function are known as Default SDK, which is divided into an Split-SDK client and Split-SDK Server by functions in EMV 3DS v2.3, allowing 3-D Secure to be used on more devices (e.g., IOT devices). The EMV 3DS payment process keeps the transactions secured when cardholders shop on smart appliances.
Default SDK is divided into Split-SDK client and Split-SDK Server by functions. The Split-SDK has multiple variants depending on the Consumer Device and the 3DS Requestor environment. These variants include the Limited-SDK, Shell SDK, and Browser SDK.
Operation Message provides DS with the ability to communicate operational information to 3DS Server or to ACS. Operation Message is expected to reduce the transaction failure caused by poor product conditions by communicating more system information.
OOB (out-of-band) provides opportunities to apply a diverse range of authentication methods. By reducing their dependence on OTP, issuers can widely use Face ID, fingerprint recognition, etc. with a higher degree of safety. However, in previous versions, cardholders were asked to switch between the merchant app and authenticator app, easily resulting in transaction failures. The new version simplifies the manual operations conducted by cardholders, and introduces automatic redirection, which is expected to greatly increase the transaction success rate.