Merchant and cardholder use of Consumer Authentication programs like Verified by Visa and MasterCard SecureCode increased following the rollout of EMV in multiple countries and regions, but whether or not this happens in the U.S. may be contingent on the evolution of these programs and the impending 3DS 2.0 Specification. The enhanced specification, expected to be released sometime this year, seeks to reduce friction and eliminate the early adoption issues that affected 3DS 1.0 by making use of richer data and a risk-based approach to reduce the need for authentication prompts, while utilizing more streamlined and dynamic forms of authentication when it is required.
In November 2014 MasterCard announced they would join Visa, who led the development of and owns the original 3D Secure implementation (1.0), in creating a new authentication standard, 3DS 2.0. By early January 2015 EMVCo announced they would further develop and manage the next generation of 3D Secure Consumer Authentication as, according to EMVCo Board of Managers Chair Sean Conroy, “it was acknowledged by all payment systems that the draft framework developed by MasterCard and Visa should be progressed by EMVCo.”
EMVCo, the joint venture overseen by the six major card associations American Express, Discover, JCB, MasterCard, UnionPay and Visa, immediately began working with industry stakeholders and collecting industry feedback to develop the new protocol with plans to have the EMV 3DS 2.0 Specification ready for deployment in 2016. The new specification operated by EMVCo will function separately and in parallel with version 1.0, which Visa will maintain sole ownership of but begin to phase out as 3DS 2.0 matures.
Already one notable difference between the original and new versions of 3D Secure Consumer Authentication is that from the beginning, input in developing the new 3D Secure standards includes all of the major global card brands. There is a focus on interoperability with the new standard overall, not just across various card association services but across both eCommerce and mCommerce. Tac Watanabe, EMVCo Executive Committee Chair, elaborated that the EMV 3DS 2.0 Specification needs to address the needs of today’s market “by enabling the merchant to offer a better, more streamlined authentication experience across different devices and channels.”
Since EMVCo’s press release announcing their role in leading the development of management of 3DS 2.0, there hasn’t been a whole lot of new details released. A full market launch is still expected in 2016 although an official release date for the new 3DS 2.0 Specification has not been announced. Here is what we know so far about what will differentiate the new specification from its predecessor:
3DS 2.0 will take a risk-based approach for requiring authentication. The original press release from MasterCard announcing their combined efforts with Visa on developing 3DS 2.0 said these upgrades “will benefit consumers, banks and merchants alike, with invisible authentication and far fewer prompts for passwords.” Even as EMVCo took over development, this is something all six card associations could get behind. Their announcement said the enhanced EMVCo 3DS 2.0 Specification will “enable more intelligent risk-based decisioning,” and “reduces reliance on the cardholder to authenticate themselves via a password prompt.” Many merchants utilizing Consumer Authentication do not present it or require authentication on every transaction, and many take a risk-based approach using their own rules or risk models for making this determination. Many issuers support risk-based approaches to 3D Secure today as well, such as with VCAS, but it seems like the 3DS 2.0 Specifications are making this a focal point.
To support this risk-based approach, 3DS 2.0 will utilize more cardholder and transaction data. EMVCo also states their 3DS 2.0 Specification will support additional data to be made available during the transaction that will enable risk-based decisioning. In the initial MasterCard announcement the company said their “approach is to utilize richer cardholder data, which will result in fewer password interruptions.” The press release elaborated how MasterCard would evolve their SecureCode program to support the new standard and bring a smoother and simpler experience to cardholders.
When authentication is required, it will be dynamic or rely on biometrics. From the first announcement of 3DS 2.0 in November 2014, MasterCard said cardholders will have more options to authenticate themselves without relying on static passwords. MasterCard President of Enterprise Security Solutions Ajay Bhalla said they “want to identify people for who they are, not what they remember.” In practice this will include biometrics such as fingerprint readers on mobile devices and the use of one-time passwords (OTPs). MasterCard’s new Identity Check app will facilitate biometric authentication via mobile devices, tablets and PCs upon launch this summer in the U.S., Canada and Europe. Identity Check will be able to leverage fingerprint scans and facial recognition across many devices, while this ‘selfie’ authentication feature has garnered much media attention.
The evolution of Consumer Authentication will also be dynamic in terms of presenting options or forms of authentication based on the device a consumer is coming