What You Need To Know About 3D Secure 2.0
September 17, 2019

Technology drives commerce forward and government regulations typically follow suit. This certainly is the case with e-commerce — which has grown rapidly in the last decade thanks to advancements in mobile, tablet, and digital technologies — and the Payment Services Directive 2 (PSD2).

Effective September 14, 2019, the European Union (EU) mandates new safety requirements around the collection of online payments from customers as detailed in PSD2. 3D Secure 2.0 (3DS 2.0) is the leading solution for compliance with PSD2 and your key to unlocking credit/debit card payments, which form about 40%¹ of transactions within Europe. 

And as you may already know, the European market is incredibly valuable: it will bring in an estimated $25.7 billion or 16.9% of global gaming revenue in 2019, with a 12.3% year-over-year growth rate². So, whether you’re an indie developer, mid-tier publisher, or enterprise powerhouse, complying with PSD2 is of the utmost importance.

In this post, we’ll provide you with additional information on 3DS 2.0, illustrate its core and additional benefits, and detail how Xsolla helps its partners seamlessly comply with the latest global payment security measures. 

What is 3DS 2.0? 

According to EMVCo — the company that develops, manages, and owns 3DS 2.0, along with its six-member organization that includes American Express, Discover, JCB, Mastercard, UnionPay, and Visa — it’s a “messaging protocol that promotes frictionless consumer authentication and enables consumers to authenticate themselves with their card issuer when making card-not-present (CNP) e-commerce transactions³.” In other words, it’s a protocol that makes digital purchases with credit/debit cards easy and secure for your customers.

Up until now, CNP transactions worldwide were usually subject to 3DS 1.0, the original version of the messaging protocol that uses static passwords and codes sent via SMS for customer authentication. 3DS 1.0 proves valuable for companies since it makes customer payments more secure and allows businesses to shift fraud liability to issuing banks. In addition to these core benefits, 3DS 2.0 also lets gaming companies comply in the European Economic Area (EEA), an economic extension of the EU, by meeting specific technical requirements outlined in PSD2, namely Strong Customer Authentication (SCA).

SCA is a set of technical standards that replaces the use of static passwords and codes sent via SMS with a different authentication system. SCA requires a customer to provide at least two of the following three independent factors to authenticate a payment.

  • Something the customer knows (e.g., password or PIN)
  • Something the customer owns (e.g., phone or hardware token)
  • Something the customer is (e.g., fingerprint or face recognition) 

SCA takes into account recent trends in spending behavior, such as a preference for mobile, and other technological advancements, such as biometrics, to make CNP transactions seamless for customers. For instance, customers can now provide a fingerprint or a face scan to complete a CNP transaction, which is simple to do but hard to replicate, making it more difficult for cybercriminals to commit fraud. 

To make 3DS 2.0 more tangible, let’s explore how it meets the SCA requirements of PSD2, what additional benefits it brings to gaming companies, and what exemptions exist to 3DS 2.0. But before moving on, it’s important to remember that both 3DS 1.0 and 3DS 2.0 provide gaming companies with similar core benefits.

How does 3DS 2.0 meet SCA?

SCA requires companies to use 3DS 2.0 whenever a customer in the EEA uses a credit/debit card to complete an online purchase (see a full list of exemptions later in this section). 3DS 2.0 sends over 80 data points to the customer’s issuing bank — including points like device fingerprint, previous transaction history, and shipping address — to create an accurate risk profile of the customer. With this risk profile, the issuing bank then decides which of two paths to send the customer down: a “frictionless flow” or a “challenge flow.”

If the issuing bank identifies a low-risk profile, then the customer is sent down the “frictionless flow” in which their purchase experience is completely uninterrupted.

On the other hand, if the issuing bank identifies a high-risk profile, then the customer is sent down the “challenge flow,” which prompts the customer to authenticate themselves with two of the three independent factors mentioned earlier in this post.

In short, 3DS 2.0 works with SCA to better authenticate legitimate purchases and better deny fraudulent purchases, benefitting your gaming company as well as your community of paying gamers. 

Exemptions 

SCA applies to all “customer-initiated” CNP transactions when both the customer and issuing bank are located in the EEA. However, there are some exemptions to SCA which we’ll highlight below. 

Subscriptions 

SCA applies to the initial transaction of a subscription or recurring-payment service because it is “customer-initiated.” Every transaction after the first is defined as “merchant-initiated,” which means those transactions are exempt from 3DS 2.0. SCA will apply to the subscription once again only if the subscription amount changes. 

Low-value transactions

Transactions less than €30 will be exempt unless one of the following thresholds is reached.

Low-risk transactions

Low-risk transactions will also be exempt based on the average fraud levels of the card issuer and acquirer processing the transaction in question.
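
The exemption rules above, together with the two-of-three factor requirement from earlier in this post, can be written as a small decision function. This is an added example, not code from Xsolla or EMVCo; the Transaction fields and function names are assumptions, and the low-value thresholds and the low-risk assessment are passed in as booleans because this post does not give their values.

```python
from dataclasses import dataclass
from enum import Enum


class Factor(Enum):
    KNOWLEDGE = "knows"    # e.g., password or PIN
    POSSESSION = "owns"    # e.g., phone or hardware token
    INHERENCE = "is"       # e.g., fingerprint or face recognition


@dataclass
class Transaction:  # hypothetical record; field names are assumptions
    amount_cents: int                          # amount in euro cents
    customer_in_eea: bool
    issuer_in_eea: bool
    customer_initiated: bool = True            # False for subscription renewals
    subscription_amount_changed: bool = False
    low_value_threshold_reached: bool = False  # thresholds are not listed in the post
    low_risk: bool = False                     # issuer/acquirer fraud-level outcome


def sca_decision(tx):
    """Return (sca_applies, reason) following the rules described in this post."""
    if not (tx.customer_in_eea and tx.issuer_in_eea):
        return False, "out of scope: customer and issuer not both in the EEA"
    if not tx.customer_initiated:
        # Renewals are merchant-initiated and exempt until the amount changes.
        if tx.subscription_amount_changed:
            return True, "subscription amount changed"
        return False, "exempt: merchant-initiated"
    if tx.amount_cents < 3000 and not tx.low_value_threshold_reached:
        return False, "exempt: low value"
    if tx.low_risk:
        return False, "exempt: low risk"
    return True, "customer-initiated CNP transaction"


def satisfies_sca(presented):
    """True only if the presented elements span two distinct factor categories.

    `presented` is a list of (Factor, label) pairs; two elements from the same
    category, such as a password plus a PIN, count as a single factor.
    """
    return len({category for category, _label in presented}) >= 2
```
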

How Xsolla helps your gaming company comply with PSD2

Gaming companies that partner with Xsolla comply with the SCA technical requirements of PSD2 on September 14, 2019, without any additional work. All the resource-intensive changes for 3DS 2.0 integration have already been made by our team to ensure your business continues to operate smoothly and predictably in this part of the world. 

And while 3DS 2.0 certainly helps to improve payments security, it’s worth remembering that Xsolla partners also receive fraud protection with the most trusted anti-fraud system in the video game industry. 

If you’re a video game developer or publisher who wants to learn more about how Xsolla can help you comply with payment regulations worldwide while lowering fraud, go ahead and schedule a time to talk with one of our experts or email business@xsolla.com.

Sources:

  1. Estimate compiled from proprietary Xsolla data.
  2. “2019 Global Game Market Report.” Newzoo.
  3. “EMV® 3-D Secure Specification.” EMVCo.
  4. “Countries in the EU and EEA.” UK government.