EMV 3-D Secure 2.1 is a new offering by Elavon. If you have identified any errors or gaps in the content, please contact: #SEDevPortalSupport@elavon.com
On this page:
3D Secure 2.1, a new standard defined by EMVCo and major credit card schemes, is an extra security layer for CNP (card-not-present) transactions. It is as an authentication protocol to authenticate a cardholder or verify the account during an e-commerce transaction.
In 3D Secure 2.1, the issuer uses over 100 data parameters to verify a cardholder's authenticity and assess the risk level of a transaction. If the issuer determines the authentication as successful, the merchant can process the transaction without any cardholder interaction. But, if the issuer classifies the transaction as risky, it will challenge the customer to confirm his identity using SCA (strong customer authentication) mechanisms.
3D Secure 2.1 does not currently support mail order/telephone order (MOTO) transactions.
Strong Customer Authentication (SCA)
SCA is the new requirement to make online payments by European customers secure by adding extra levels of authentication. In SCA, cardholders can verify their identity by using following authentication mechanisms:
Something they know: password, passphrase, PIN, sequence, secret fact
Something they own: mobile device, wearable device, smart card, token, badge
Something they are: fingerprint, face recognition, voice, iris format, DNA signature
With SCA, Issuers can use two or more means of authentication of their choice, thus increasing the chance of a successful authentication and decreasing the cases of fraud.
To know more about PSD2 and SCA compliance, see Elavon's guide on PSD2 compliance.
Elavon also supports fallback to 3DS 1 in addition to 3DS 2.1. For steps to enable 3DS 1 fallback while integrating directly to the 3DS Server, see 3DS 1 Fallback. If you are integrating through the 3DS Web SDK, you can still use the 3DS 1 fallback feature. For Web SDK 3DS 1 fallback details, see 3DS Web SDK Overview.
In 3D Secure 2.1 authentication process, there are three authentication flows: frictionless, challenge, and 3RI. If the issuer verifies and authenticates a cardholder account details, the transaction is a frictionless flow. If the issuer needs more information from the cardholder to authenticate the transaction, the transaction needs a challenge flow. But, scenarios where a merchant already has the cardholder details and initiates the transaction needs a 3DS requestor-initiated (3RI) flow.
In a frictionless flow, the 3DS Server sends an authentication request to the issuer using the cardholder data sent by the merchant and receives a successful authentication response. Based on the data, the issuer determines that it does not need any cardholder interaction to complete the 3D Secure 2.1 authentication process.
Figure caption: Sample screens a cardholder might see for a frictionless flow
In a challenge flow, the 3DS Server sends an authentication request to the issuer using the data the merchant sent but the authentication response sent by the issuer request extra information from the cardholder. For example, the issuer would challenge the cardholder if it deems the transaction as high-risk or above a predetermined shopping value threshold.
If the 3DS Requestor (merchant) decides to process the challenge, the 3DS client (Browser or SDK) sends the challenge request to the issuer, which performs the challenge, and responds with the challenge response after extra authentication by the customer is complete.
If the challenge response is successful, the issuer authenticates the transaction and returns the authentication values to the 3DS requestor. At this point, the 3DS requestor may use the authentication values to proceed with transaction authorization.
Figure caption: Sample screens a cardholder might see for a challenge flow
3DS Requestor-initiated (3RI) flow
In a 3D requestor-initiated (3RI) or a merchant-initiated transaction, the cardholder is not present during the transaction. The merchant's server has the cardholder's information stored. Merchant can use the already stored cardholder information for confirmation of account information or cardholder authentication. For example, confirmation of account validity in case of recurring transactions such as subscriptions, insurance premium payments, etc.