Introduction to 3-Domain Secure

Why Authentication Matters in Payments?

Since the advent of card payments, the landscape of payment transactions has progressed significantly.

The era of globalisation and digital penetration has revolutionised the way people shop and make payments – moving away from physical, in-store card transactions towards online payments through the Internet, performed by customers/cardholders anytime and anywhere world-wide. As online payments become common, such Card-Not-Present (CNP) transactions present key challenges: how do the Merchant and Bank verify that the initiated transaction is by a legitimate cardholder, and how is the customer assured that the information provided for their purchase will not be misused?

Because these payments are made remotely, issuing banks require cardholders to go through a verification process so that the payments can be authorised with confidence. Authentication is therefore a key part of card payments. The protocol specification known as 3-D (3-domain) Secure was developed in the early 2000s to provide fraud prevention for online card transactions.

EMV 3-D Secure:

Evolution of Payment Processes & Protocols

Through the programs introduced under the 3DS 1.0 protocol specification, Merchants, Payment Networks and Financial Institutions were connected to authenticate transactions and share data within a safe system. As payment methods evolved, online payments using the 3DS 1.0 protocol proved to have limitations in user experience and in the fast-paced e-commerce environment – limitations that were further amplified after the proliferation of smartphones. This eventually resulted in cardholders’ frustration and many instances of abandoned “shopping carts”.

EMV 3DS (3DS 2.0), the new protocol specification developed and governed by EMVCo, aims to address these limitations by improving user experience, utilising given data for risk-based authentication and security purposes, and supporting multiple channels and devices through multiple form factors and use cases. Its implementation is intended to reduce user friction and increase transaction approvals for cardholders, ultimately creating a more e-commerce-friendly and productive environment for Merchants.

What is 3-D Secure

There are 3 domains within 3-D Secure, namely:

Issuer domain: Issuing institution and Cardholder

Acquirer domain: Acquiring institution and Merchant

Interoperability domain: Card Network (e.g. Visa, MasterCard, etc.)

Issuer Domain

A key component in the Issuer Domain is the Access Control Server (ACS). The ACS is responsible for authenticating the cardholder when the ACS receives an Authentication Request. A transaction can be authenticated either through a challenge flow or a frictionless flow.

The ACS may consult a risk engine to assess the risk level of the transaction and channel it through a frictionless process if it is deemed low-risk. This is referred to as Risk-Based Authentication (RBA). However, if a transaction is deemed medium-to-high risk, the ACS may require the cardholder to provide more information in the form of 2-factor authentication (2FA), a one-time passcode (OTP) or biometric authentication.

For further details on the ACS, do check out our product information on IMS2.0.

Acquirer Domain

The Acquirer domain is one in which the acquiring bank initiates the authentication process within the 3-D Secure network. With the release of the EMV 3DS protocol specification, the 3DS Server (3DSS) software application replaces the function of the Merchant Plug-In (MPI, a component in the 3DS 1.0 specification).

The 3DSS, together with the website on which the cardholder is making the purchase, forms the 3DS Requestor Environment. Upon completion of the 3DS authentication process, the 3DS Requestor has to forward the relevant details of the transaction to the Payment Network for authorisation. For more details on our 3DSS Software as a Service (SaaS), do check out further information here.

Interoperability Domain

The Interoperability Domain sits between the Acquirer Domain and Issuer Domain. The main component of the Interoperability Domain under the 3DS specification is the Directory Server (DS), which is operated by the Payment Network. It controls the traffic between the other 3DS components – namely, 3DSS and ACS.

Because most messages flow through the DS, the payment networks have the opportunity to enrich their functionality, such as handling transactions initiated with EMV Payment Tokens and providing transaction risk-scoring capabilities, among others. Do check out our 3DS Professional Services for further details on the deployment of 3DS Programs and consulting services here.
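
The three-domain flow described above, as an added example that is not part of the original page or any vendor's code: a 3DS Server request is routed by the Directory Server to the issuer's ACS, which answers frictionless or challenge from a risk score. The card ranges, ACS names, risk signals and thresholds are assumptions constructed for illustration; `Y` and `C` are the EMV 3DS transaction status values for authenticated and challenge required.

```python
from dataclasses import dataclass

# Constructed sample data: card ranges mapped to hypothetical ACS identifiers.
CARD_RANGES = {"400000": "acs-bank-a", "510000": "acs-bank-b"}


@dataclass
class AuthRequest:
    """Simplified stand-in for the Authentication Request (fields are assumptions)."""
    pan: str
    amount: float
    device_known: bool
    shipping_matches_billing: bool


def risk_score(req):
    """Hypothetical risk engine: a higher score means a riskier transaction."""
    score = 0
    if not req.device_known:
        score += 40
    if not req.shipping_matches_billing:
        score += 30
    if req.amount > 500:
        score += 30
    return score


def acs_authenticate(req, low_risk_below=40):
    """Issuer domain: frictionless for low risk, challenge (2FA/OTP/biometrics) otherwise."""
    score = risk_score(req)
    if score < low_risk_below:
        return {"transStatus": "Y", "flow": "frictionless", "score": score}
    return {"transStatus": "C", "flow": "challenge", "score": score}


def directory_server_route(req):
    """Interoperability domain: find the issuer's ACS for this card range."""
    acs_id = CARD_RANGES.get(req.pan[:6])
    if acs_id is None:
        # How a real DS answers here is scheme-specific; this example just raises.
        raise LookupError("no ACS registered for card range " + req.pan[:6])
    return {**acs_authenticate(req), "acs": acs_id}


def three_ds_server_authenticate(pan, amount, device_known, shipping_matches_billing):
    """Acquirer domain: the 3DS Server builds the request and sends it to the DS."""
    req = AuthRequest(pan, amount, device_known, shipping_matches_billing)
    return directory_server_route(req)
```

A result with `transStatus` `C` means the cardholder must still complete the challenge before the 3DS Requestor forwards the transaction for authorisation.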