The new 3D Secure 2 security protocol

The new 3D Secure 2 security protocol. Everything you need to know to prepare for the coming changes.

At Cardlink, we prioritize the security of all transactions and continuously strive to eliminate every risk in accordance with international standards regarding payment security.

Please find below everything you need to know about the new 3D Secure 2 security protocol and its benefits. Find answers for any questions you may have to prepare for the upcoming changes in September 2019.

The new Law 4537/2018 was introduced on May 15th 2018 (Greek Government Gazette Α’ 84) which incorporates the European Directive 2015/2366 for “payment services in the internal market” (Payment Services Directive 2 – “PSD 2”). Its purpose is to enforce security in consumer transactions by promoting a more open and competitive field for payments.
One of PSD2’s new main requirements mentions “Strong Customer Authentication – SCA” which will be mandatory starting September 2019. In the framework of “SCA”, consumers will be required to provide identification using at least two of the following three methods:

– Something they know (PIN, password, etc.)
– Something they have (PC, smartphone, etc.)
– Something that exists (voice recognition, fingerprints, etc.)

Changes in the 3D Secure security protocol.

During the last decade, most consumers who conducted online transactions have had the chance to experience 3D Secure v1, which was designed to add an additional layer of security and to shift the liability of any disputes from merchants to Banks. However, this design complicated things for consumers to the point that they often abandoned transactions.
The new PSD2 version of the protocol, 3D Secure 2, was introduced to facilitate customer authentication and to contribute to smarter protection measures for merchants.
3D Secure 2 supports the ability to send important consumer data, like billing addresses, information about the devices used (Device ID), transaction history of consumers/merchants and much more to the bank. The Bank evaluates the transaction’s threat level and if it considers it can be trusted, the transaction is immediately authorized without any further action from the customer (Frictionless flow). Otherwise, the Bank can request further authentication action from the customer i.e. the use of the SCA procedure mentioned above, in order to approve the payment (Challenge flow).

What benefits do you receive from using 3D Secure 2?

Everyone benefits from using 3D Secure 2. Customers gain better protection from fraudulent transactions and an improved user experience. Additionally, issuing Banks can authenticate their customers more precisely by crosschecking with the data being shared.
On the other hand, merchants will see less customers abandoning their carts, while enjoying the benefits of Liability Shift in transactions that are disputed because of fraud, which are now handled by the Banks. Finally, merchants can take advantage of the benefits stemming from the incorporation of the 3D Secure 2 protocol in the platforms they use (e-shops etc.) and provide enhanced security to their customers.

If you are a merchant who accepts online payments with cards, it is mandatory to take certain actions by September 14th 2019.

The actions needed differ depending on whether their interface is based on the Direct model or the Redirect model. To learn more about these actions, refer to the answers to frequent questions given below:

For merchants who connect using the Redirect model:

Please forward these technical specifications for Redirection to your IT staff, to ensure they are informed about the changes that need to be made.

For merchants who connect using the Direct model:

Changes will have to be made to the information being sent to MPI in order to successfully authenticate using 3DS (refer to the MPI manual here) as well as changes to authorization (refer to the VPOS manual here). Please make sure you contact your technical support team.

Cardlink supports you all the way

If you need any help with 3DS v2 and your migration to the new protocol, you can e-mail us at (please use the subject: 3D Secure 2).