
MasterCard and Visa to Upgrade 3D Secure Consumer Authentication, Stop Using Static Passwords

MasterCard and Visa are collectively working on a new authentication standard, currently being referred to as 3DS 2.0, which will make further use of cardholder data to reduce the need for authentication challenges. When a challenge is presented under the new protocol, it will rely on one-time-use passwords or biometrics rather than a static password.

3D Secure consumer authentication programs have yet to catch on in the United States to the extent they have in Europe and other regions, but the evolution to 3DS 2.0 may change that. Few details have been released to date on the plans, but those that have already point to some meaningful implications of the 3DS 2.0 protocol co-created by MasterCard and Visa.

First, one of the key initiatives is for 3DS 2.0 to “utilize richer cardholder data,” according to a MasterCard press release, “which will result in far fewer password interruptions.” This could be similar to how VCAS (Visa Consumer Authentication Service) works today, by allowing the card issuer to determine if the transaction is risky enough to warrant presenting consumer authentication to the cardholder. The fact that this is a focal point of 3DS 2.0 should be welcomed by merchants as it could mean that more transactions will enjoy the liability shift coverage without requiring the consumer to take an additional step to pass authentication.

The card associations and card issuers have access to great data resources including aggregate card purchase activity and historical transaction activity associated with a particular card or cardholder. Under 3DS 2.0 merchants may be able to benefit from the massive amounts of data these organizations utilize with advanced modeling and analytic techniques. Should high risk signals be identified, the user will then be required to authenticate, providing another signal of risk to the merchant and potentially fraud liability coverage as well.

Another change with 3DS 2.0 is that Visa and MasterCard plan to remove the use of static passwords for instances when the user is asked to complete authentication. While many cardholders have static passwords created with their issuing banks, the next version of 3D Secure consumer authentication will rely on one-time passwords (OTP) such as those delivered via text message, and forms of biometrics. MasterCard is currently running commercial pilot tests for facial and voice recognition apps to authenticate cardholders as well as trials with wristbands that measure unique cardiac rhythms.

The industry will learn more about the plans for 3DS 2.0 in the coming year as MasterCard and Visa aim to release the new protocol in 2015 and gradually replace the current 3D Secure protocol (1.0). While 3DS 2.0 will be jointly owned by both Visa and MasterCard, Visa will retain full ownership of the original 3DS protocol, including management of the specifications and all intellectual property.
