Farewell, 3D Secure 1.0

hero image

The only constant in life is change.


When Greek philosopher Heraclitus said the above, he wasn’t talking about the payments industry, but he might as well have been.

Over the past 70 years, continuous change has defined the credit and debit card landscape. Technological invention, reinvention and regulation are constantly introduced to protect consumers, increase the ecosystem’s security, and prepare the industry for the next wave of innovation and global adoption.

We’ve witnessed disruptive events time and time again. The 1960s’ magnetic strip has come (thanks, IBM!) and gone. PCI compliance was introduced in 2004, less than 2 decades ago, and has been materially updated 9 times since. 3D Secure 1.0 was originally built in 1999, and first launched publicly as Verified by Visa in 2001. 

Now, the next seismic shift within the payments industry is upon us—support for 3D Secure 1.0.2 is officially ending.

A brief history of 3D Secure 1.0

In the early days of Internet payments, fraud was rampant.

According to a 1998 Unterberg Towbin study, more than 50% of disputed or potentially fraudulent charges at Visa’s European division came from Internet transactions. However, we need to keep in mind that at the time, Internet transactions only accounted for 2% of payment volumes.

Online fraud prevention was relatively unsophisticated, but the problem had to be addressed, as the industry anticipated online shopping would become more popular in the coming years. As we now know, their prediction was beyond correct.  

So, in 1999, Visa enlisted the help of a vendor to develop a protocol that would act as an additional layer of security for online transactions. The solution they invented was what we now know as 3D Secure. 

Visa soon made this protocol available to the other card schemes: Mastercard SecureCode, American Express SafeKey, and the likes via licenses, and the solution was adopted globally, to varying degrees.

How 3D Secure works

As suggested in the name, Three Domain Security (3DS) is built around three domains:

  1. The merchant domain, which supports the merchant plug-in (MPI). This has been renamed to 3DS Server in Version 2 protocol

  2. The network or scheme domain, i.e. the card brand, which supports the directory server (DS)

  3. The card issuer domain, which supports the access control server (ACS)

The merchant initiates the authentication request via the 3DS Server to the DS, which then forwards the request to the ACS for authentication.

The ACS can respond in three ways:

  1. Authenticate [end of action]

  2. Decline the authentication [end of action]

  3. Request to challenge the cardholder

If the ACS has requested a challenge action:

  • The 3DS Server needs to initiate a challenge request, providing details of how to surface the challenge to the cardholder

  • The challenge is then presented to the customer as outlined in the request

  • The customer completes the challenge in a 2-factor manner

  • The ACS then decides to either:

  • Authenticate [end of action]

  • Decline the authentication [end of action]

That's the gist of it.

Leveling up from 1.0 to 2.0

On October 15, 2022, support for 3D Secure 1.0 will officially be discontinued. It’s over—some might say it’s the end of an era.

This sunsetting is happening 21 months after the different card schemes announced their plan to no longer support the original 3DS technology. In the grand scheme of technological advancement, this milestone makes sense. 

3D Secure 1.0 was built at a time when all we knew were bulky desktop devices. For our younger readers’ sake: Once upon a time, computers couldn’t fit in your backpack. Or your pocket. Or on your wrist. We’ve come a long way.

The 3DS protocol was a suboptimal user experience as consumers moved more of their shopping activities onto mobile devices. When 3D Secure 2.0 burst onto the scene in 2016, offering a slicker and less intrusive customer experience, we all knew V1’s end was near.

The new protocol, which was developed by EMVCo, supports all device options and covers a much wider range of use cases. 3DS 2.0: 

This is why moving forward, the card industry has defined 3DS 2.0 as the only supported customer authentication protocol.

Be ready for the next big change

When it comes to payments, change is implicit. While usually necessary, it’s also disruptive and costly to businesses worldwide, wreaking havoc with company roadmaps and requiring a deep understanding to implement effectively.

By adopting an underlying payment infrastructure like Primer, you can dodge significant costs and precious engineering resources needed to adapt to these changes or meet new regulations. 

For now, let’s pour one out for 3D Secure 1.0.

Want to learn more about Primer? Get in touch with us.

© Primer 2023