Strong customer authentication (SCA), which has been an obligation since January 1, 2021, means that any Cardholder Initiated Transaction (CIT) must be confirmed by the card owner.
For a physical purchase at the point of sale, the transaction is confirmed by entering the PIN, while for an online purchase it is confirmed through so-called 3DS authentication.
3DS (3 domain security) is the authentication standard and set of business rules for e-commerce card transactions, introduced back in 2001 (as Verified by Visa and MasterCard SecureCode). It is widely applied to authenticate e-commerce transactions, and also other online transactions in which funds are taken from accounts (for example, online gambling at casinos offering the latest payment methods).
During an online transaction (while the expense is being approved by the bank that issued the card), the customer is diverted, as an additional step, to the 3DS page of the bank that issued the card. There the customer enters a multi-use or one-time code/password known only to them. If authentication is successful, the buyer is redirected back to the transaction flow at the point of sale and the transaction is approved.
3DS v2.2 is a new version of the existing 3DS purchase authentication for e-commerce transactions, which is currently in use and was introduced, as we said, in 2001 (Verified by Visa, Mastercard SecureCode, American Express SafeKey, ProtectBuy, etc.). Banks and processors across the EU are implementing this protocol right now.
The most important benefit for points of sale in online and remote transactions is that, for transactions performed with 3DS authentication, the point of sale is not responsible for the cost of financial damage.
For all 3DS verified transactions, responsibility is transferred to the card owner or card issuer.
Does the 3DS Check Window Have to Appear With All Transactions?
The new EMV 3DS generation of protocols aims to eliminate the well-known shortcomings of the current version of 3DS authentication. Instead of requiring the user to authenticate (token, one-time password, and similar), it aims to let as many transactions as possible qualify as an exception from the obligation to authenticate under PSD2 regulations and pass through the so-called frictionless, fast flow of authentication. This is achieved through a number of new data elements that the point of sale can send, via the EMV 3DS protocol, to the bank that issued the card, so that the bank can confirm the authenticity of the user as easily as possible and perhaps let such a transaction "go through" without the user having to enter additional authentication data.
In addition to the user's first and last name, which can now be sent for checking/authentication for the first time, this data includes information such as the cell phone number, e-mail address, the IP address of the user's browser or mobile app, whether the user has already bought at that point of sale or this is their first registered purchase, and a number of other items. Compared to the data that the issuing bank currently receives for authentication (only the card number, the expiration date, and the CVV code), this is a huge step forward.
On the other hand, card networks have imposed on all banks that issue cards in the EU the obligation to enable all their card users to perform EMV 3DS authentication, when it is requested by the webshop or other remote point of sale, via mobile applications/mBanking, simply by scanning a fingerprint on their smartphones (or, e.g., by face recognition or voice recognition).