EMV 3DS is an e-commerce fraud prevention protocol that enables consumer authentication for CNP purchases, without adding unnecessary friction to the checkout process.

EMV 3DS helps payment card issuers identify unauthorised e-commerce transactions quickly and accurately to prevent CNP fraud. It enables the exchange of data between the merchant and the payment card issuer to verify that the individual making a purchase with a payment card is the legitimate user of the card.

For e-commerce purchases where EMV 3DS solutions are used, the process works as follows:

• A consumer uses a payment card to make an online purchase on a mobile phone, tablet, laptop or other device.
• To confirm that the consumer making the purchase is the actual cardholder, the merchant uses EMV 3DS for authentication. The authentication process involves the merchant sending data or messages to the card issuer, which include details about the transaction, payment method and device information.
• The issuer uses this data to authenticate the consumer and approve the transaction. For many transactions, this means consumers simply click “Buy” and the payment is approved. For higher-risk transactions, issuers may choose to require further authentication as an added layer of security. In these cases, consumers must authenticate themselves using a challenge, such as a one-time passcode, knowledge-based questions, biometrics, or other methods.

The EMV 3DS Specifications provide a common set of requirements that product providers can use to integrate EMV 3DS technology into their solutions to support seamless and secure e-commerce payments.

The EMV 3DS Specifications:

• Support app-based purchases on mobile and other consumer devices
• Enable merchants to integrate authentication into their checkout process for both app- and browser-based implementations
• Specify use of multiple options for step-up authentication
• Specify a non-payment message category
• Enable merchant-initiated account verification
• Are flexible to accommodate global and local needs
• Are available royalty-free from the EMVCo website

An EMV 3DS transaction utilises consumer data for the purpose of evaluating risk to prevent fraud. Merchants and issuers using this data for this purpose are responsible for complying with applicable privacy laws.

The Opinion of the European Banking Authority (EBA) published on 21 June 2019 recognised that protocols such as EMV 3DS provide a means for merchants and issuers to support the use of SCA.

Specifically, EMV 3DS supports SCA by enabling the use of two-factor authentication.

Its flexibility allows issuers to accommodate their authentication preferences. Moreover, issuers can consider risk and regulatory factors in deciding how the customer will be authenticated – for example, using a one-time passcode, knowledge-based questions or biometrics.

The EBA notes that versions 2.0 and newer support a variety of SCA methods, while trying to ensure customer convenience, limiting fraud through data sharing and transaction risk analysis, and enable the use of exemptions set out in the Regulatory Technical Standards (RTS).

While EMV 3DS 2.1 supports SCA, EMVCo recommends that v2.2 (or higher) should be considered to access the optimum functionality.