Exploring 3DS2 Authentication Flows & Key Players
Online payment security is more important than ever. 3D Secure 2 (3DS2) is designed to reduce fraud while improving the user experience during online transactions. In this post, we’ll break down the 3DS2 authentication flow and explain the key messages and players involved in verifying shopper details, especially the shopper’s name.
What is 3DS2?
3DS2 is an authentication protocol that allows banks and merchants to verify the identity of a shopper during an online transaction. It makes the payment process secure while aiming to keep the user experience smooth. It’s a significant upgrade from the older 3D Secure protocol, offering better protection against fraud and meeting new regulations like PSD2’s Strong Customer Authentication (SCA) requirements.
How Does 3DS2 Work? The Authentication Flow
When a shopper checks out, their transaction goes through several steps before it’s completed. Here’s how the 3DS2 authentication process works:
1. Authentication Request (AReq)
The flow begins when the shopper initiates a payment.
- The merchant triggers the AReq message, which carries details such as:
  - Shopper name and info
  - Device data (IP address, browser type)
  - Transaction details (amount, risk data)
- The 3DS Server forwards this request to the Card Network (Visa, Mastercard), which sends it to the Issuing Bank (shopper’s bank).
2. Authentication Response (ARes)
The issuing bank reviews the AReq and responds based on risk factors.
- Frictionless Flow: If the transaction is low risk, the issuing bank sends an ARes message approving the transaction. No further action is needed from the shopper.
- Challenge Flow: If the bank detects potential risk, it requires extra verification from the shopper. This takes us to the challenge step.
3. Challenge Flow (CReq/CRes)
If the issuing bank triggers a challenge, the shopper must prove their identity.
- The CReq (Challenge Request) is sent by the 3DS Server to the bank, which prompts the shopper for additional verification.
- The shopper may be asked to provide:
  - A one-time password (OTP)
  - Biometric data (face or fingerprint)
- After the shopper completes the verification, the bank responds with a CRes (Challenge Response) to confirm the result.
4. Result Notification (RReq/RRes)
Once the authentication is done, the final outcome is sent to all relevant parties.
- The RReq (Result Request) is generated by the issuing bank, notifying the 3DS Server of the authentication outcome.
- The RRes (Result Response) is forwarded to the merchant and acquiring bank, allowing the transaction to continue if successful.
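To make the four steps concrete, here is a small Python simulation of the exchange described above. It is an added example, not code from the original post or from any 3DS vendor: each party (merchant, 3DS Server, card network, issuing bank) is a plain function, the BIN routing table, risk rules and OTP are constructed for illustration, and the message field names (`messageType`, `transStatus`, `threeDSServerTransID`) are a simplified, assumed subset of the EMV 3DS message format. Message routing follows the description in the text above. The constant-time OTP comparison in the challenge step is the one defensive detail the simulation deliberately gets right.

```python
"""Simplified simulation of the 3DS2 AReq/ARes, CReq/CRes and RReq/RRes flow.

Constructed example: parties are functions, and the BIN table, risk rules,
OTP and field names are assumptions, not the EMV 3DS specification itself.
"""
import hmac
from dataclasses import dataclass, field

# Constructed routing table: card-number prefix (BIN) -> issuing bank.
CARD_NETWORK_BIN_TABLE = {"4111": "ExampleBank-Issuer"}

# Constructed issuer-side state: the OTP the bank delivered out of band.
# A real ACS generates and delivers a fresh OTP per challenge.
ISSUER_EXPECTED_OTP = "123456"


@dataclass
class Transaction:
    """Trace of every 3DS2 message exchanged for one payment."""
    messages: list = field(default_factory=list)
    trans_status: str = ""  # "Y" authenticated, "N" failed, "C" challenge required

    def log(self, sender, receiver, msg):
        self.messages.append((sender, receiver, msg["messageType"]))

    def message_types(self):
        return [m[2] for m in self.messages]


def merchant_build_areq(shopper, device, amount_cents, currency):
    """Step 1: the merchant assembles the AReq with shopper, device and transaction data."""
    return {
        "messageType": "AReq",
        "threeDSServerTransID": "tx-0001",  # constructed id; real servers use a UUID
        "cardholderName": shopper["name"],
        "acctNumber": shopper["card"],
        "browserIP": device["ip"],
        "browserUserAgent": device["user_agent"],
        "purchaseAmount": amount_cents,
        "purchaseCurrency": currency,
    }


def card_network_route(areq):
    """The card network picks the issuer from the card's BIN (constructed table)."""
    issuer = CARD_NETWORK_BIN_TABLE.get(areq["acctNumber"][:4])
    if issuer is None:
        raise ValueError("unknown BIN: cannot route AReq to an issuer")
    return issuer


def issuer_assess_risk(areq):
    """Step 2: the issuer scores the AReq and answers with an ARes.

    Assumed rules: a large amount or a device IP outside the cardholder's usual
    range (constructed as 192.0.2.0/24) triggers a challenge ("C"); otherwise
    the transaction is frictionless ("Y").
    """
    risky = areq["purchaseAmount"] >= 50_000 or not areq["browserIP"].startswith("192.0.2.")
    return {"messageType": "ARes", "threeDSServerTransID": areq["threeDSServerTransID"],
            "transStatus": "C" if risky else "Y"}


def issuer_verify_challenge(creq):
    """Step 3: the issuer checks the OTP carried in the CReq and answers with a CRes.

    compare_digest keeps the check constant-time, so timing does not reveal
    how many OTP digits matched.
    """
    ok = hmac.compare_digest(creq["challengeOTP"], ISSUER_EXPECTED_OTP)
    return {"messageType": "CRes", "threeDSServerTransID": creq["threeDSServerTransID"],
            "transStatus": "Y" if ok else "N"}


def run_3ds2(shopper, device, amount_cents, currency, otp_from_shopper=None):
    """Drive steps 1-4 end to end and return the transaction trace."""
    tx = Transaction()
    areq = merchant_build_areq(shopper, device, amount_cents, currency)
    tx.log("merchant", "3ds-server", areq)
    issuer = card_network_route(areq)
    tx.log("3ds-server", "card-network", areq)
    tx.log("card-network", issuer, areq)

    ares = issuer_assess_risk(areq)
    tx.log(issuer, "3ds-server", ares)
    status = ares["transStatus"]

    if status == "C":
        # Challenge flow: the shopper's OTP travels to the issuer in the CReq.
        creq = {"messageType": "CReq", "threeDSServerTransID": areq["threeDSServerTransID"],
                "challengeOTP": otp_from_shopper or ""}
        tx.log("3ds-server", issuer, creq)
        cres = issuer_verify_challenge(creq)
        tx.log(issuer, "3ds-server", cres)
        status = cres["transStatus"]

    # Step 4: the issuer reports the final outcome (RReq) and the 3DS Server
    # forwards the result (RRes) to the merchant and the acquiring bank.
    tid = areq["threeDSServerTransID"]
    tx.log(issuer, "3ds-server", {"messageType": "RReq", "threeDSServerTransID": tid, "transStatus": status})
    rres = {"messageType": "RRes", "threeDSServerTransID": tid, "transStatus": status}
    tx.log("3ds-server", "merchant", rres)
    tx.log("3ds-server", "acquiring-bank", rres)
    tx.trans_status = status
    return tx


# Constructed shopper and device data for a stand-alone run.
SHOPPER = {"name": "Jane Example", "card": "4111111111111111"}
TRUSTED_DEVICE = {"ip": "192.0.2.10", "user_agent": "Mozilla/5.0 (example)"}
NEW_DEVICE = {"ip": "198.51.100.7", "user_agent": "Mozilla/5.0 (example)"}

if __name__ == "__main__":
    for label, device, otp in [("frictionless", TRUSTED_DEVICE, None),
                               ("challenge passed", NEW_DEVICE, "123456"),
                               ("challenge failed", NEW_DEVICE, "000000")]:
        tx = run_3ds2(SHOPPER, device, 2_500, "EUR", otp)
        print(f"{label}: transStatus={tx.trans_status}")
        for sender, receiver, mtype in tx.messages:
            print(f"  {sender} -> {receiver}: {mtype}")
```

Running it prints three traces: the trusted device goes straight from ARes to RReq (frictionless), while the unfamiliar device inserts a CReq/CRes pair, and only a correct OTP yields `transStatus=Y`. The same structure lets you see why the final status must come from the RReq rather than from the ARes: a challenge that fails still produced an ARes, so a merchant that acted on the ARes alone would ship goods for an unauthenticated payment.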
Key Players in the 3DS2 Flow (1)
- Merchant: Initiates the transaction and authentication process.
- 3DS Server: Facilitates communication between all parties.
- Card Networks (Visa, Mastercard): Route the authentication request to the correct issuing bank.
- Issuing Bank: Authenticates the shopper and decides whether further verification is needed.
- Acquiring Bank: Processes the payment once the authentication is complete.
- Payment Gateway: Connects the merchant’s payment system to the acquiring bank.
TL;DR
3DS2 makes online payments more secure through a flow of messages like AReq, ARes, CReq, and RReq. These messages allow the merchant, card networks, issuing bank, and acquiring bank to verify the shopper’s details and ensure a secure transaction. If the transaction is risky, the shopper might need to provide extra verification. The goal is to prevent fraud while keeping the payment process smooth for shoppers.
Sources:
1) Formal Verification of Challenge Flow in EMV 3-D Secure