Doubling Down on EMV 3DS

2020 will be the year that EMV 3DS reaches mass adoption.

This is not the first time that I have said that but it is the first time that I am comfortable saying it on the record being more confident than ever in this prediction. There is such a degree of momentum building in the industry for this to happen with PSD2 driving adoption in the EU and the card associations mandates elsewhere in the world.

Timelines for Adoption

In the UK, the Financial Conduct Authority (FCA) recently announced an 18 month window for the ecosystem to become fully compliant with the PSD2 requirements. However, this was predicated on a paper by UKFinance suggesting that 30% of Merchants will have adopted EMV 3DS by March 2020 and this rising to 90% by September 2020. Non-compliant transactions will start to be declined in early 2021, and so given few organisations enjoy deploying changes to their payments platform during the holiday shopping season, it is very likely that most EU transactions will be 3DS by the end of 2020.

Around the rest of the world, while the card scheme compliance dates vary regionally, the ‘liability shift’ has already passed in much of the world and none of the remaining regions are later than August 2020. Given that a fee will be levied for non-compliant transactions, it is in everyone’s interest to ensure adoption as quickly as possible. One card scheme has stated that it will cease supporting 3-D Secure 1.0.2 after December 2020.

From combining our view of historic 3DS growth rates, expectations for impact of upcoming regulations and forecasts shared by our customers & the card schemes, the consensus is that transaction volumes will grow at fairly typical rates until February 2020, after which point, the year-over-year volume increases will accelerate quickly over the following six months, starting from 34% year-over-year growth in March and reaching over 170% year over year growth by October 2020.

Advice to our Customers

While 3-D Secure 1.0.2 and EMV 3DS share a name and a purpose, at a technical level, there are few similarities which, given the short-comings of v1.0.2, is a huge step forward. EMV 3DS supports the plethora of internet connected devices and has the potential to share much more information about the transaction for improved fraud detection. When 3-D Secure 1.0.2 was launched, almost 20 years ago, there were few standards relating to how programmes should be implemented, which is markedly different from current approach, where:

  • the core EMV 3DS protocol specifies some aspects of the UI,
  • the card scheme guidelines control others, and
  • for those in the EU, the PSD-2 tightly controls the authentication options available for cardholders.

It is now more important than ever to have a standardised journey across both protocol versions. In mid-2020 it is very likely that EMV 3DS will become the dominant version of the protocol and so, rather than designing the EMV 3DS flow with an eye to the past and making it match your 1.0.2 journey, why not take a ‘clean sheet’ approach with EMV 3DS to build the best possible experience using the tools at your disposal? Once the optimal EMV 3DS journey has been built, it would be recommended to review existing 1.0.2 flows to remove any elements that are not supported on EMV 3DS. As cardholders will not be aware of which version of 3-D Secure is in use by a particular merchant, it could be highly confusing for them to have a different journey when they shop at different merchants.

Building for the Future

During the past decade, 3-D Secure has evolved from a useful fraud mitigation tool to a means to ensure regulatory compliance and so the level of scrutiny of the service has never been higher. Card schemes now expect KPIs to be reported about 3DS and regulators require even modest periods of service degradation to be rapidly reported. It is critical that our service is delivered from a robust platform that can scale to accommodate a huge rise in the volume of 3DS transactions and do so in a robustly to ensure that every transaction can be authenticated.

Over the next six months, a huge investment is being made into Broadcom’s EMV 3DS platform to increase its robustness & scalability, as well as removing legacy services, to deliver a solid foundation for the next decade of service. A modernised system architecture will allow the service to elastically scale with demand with self-healing when issues are detected and these will allow a higher SLA to be offered.

In summary, we recognise that 3DS now has the same level of criticality as the core authorisation platform and a huge investment is underway to improve resilience, availability, scalability to maximise the quality of our service for 2020 and beyond. If you would like to learn more, please get in touch.

About the author

Matt leads the Customer Success team at Broadcom’s Payment Security Division, comprised of subject-matter experts on topics that range from general eCommerce, fraud mitigation, regulatory compliance and payments strategy. The team ensures that our customers’ business goals are achieved through the optimal configuration of our Payment Security solutions.