Blog / 3DS & PSD2

Charting the journey of the 3DS protocol

3DS 2.1 or 2.2? When it comes to 3DS it can be hard to keep up. Our Global Payment Regulation & Authentication map uses the latest data to track the rapidly shifting market. Is your authentication strategy riding the waves of change or just getting swept along?

26 January 2023

Charting the journey of the 3DS protocol

3D Secure (3DS) is the industry standard when it comes to authentication. But that doesn’t mean adoption has been smooth sailing for merchants. Lack of readiness saw an expensive surge in failed transactions and higher cart abandonment rates early on.

In 2023, we’re (hopefully!) now past the days of clunky authentication. 3DS1 is officially over and done with, and 3DS2 developments promise to change the game. And our Global Payment Regulation Map has plotted the course of this journey over the last three years.

We’re now on our fifth update. And this latest version outlines the impact of 3DS for online payments and the success rates that we are seeing. So how can your business use this map to navigate the choppy seas of the payment industry?

What kind of 3DS data are we working with?

The primary data source for the map is the transactions that are sent to our servers by our clients globally. For this report we analyzed over 5 billion transactions over the course of 12 months. This was more than large enough for us to have confidence in the validity of the results.

Over the years we have evolved the data that we report on. This is to keep up with the seemingly constant state of flux in the payment industry. In previous editions of the map we included transactions from every market. But this year we have dropped this down to 11 key countries.

We have also sourced data from the newest version of our Online Merchant Perspectives Survey. The survey asks some authentication-focused questions. And we have included a snapshot of those responses in the wider report.

So how can you get the most out of the map? Let’s break down a sample of the report using the results from Germany to briefly explain our findings.

How has the sunsetting of 3DS 1.0 changed things?

The original 3DS protocol was created over 20 years ago to protect online transactions. It did this by providing an additional layer of identity verification before authorization. But that was a very different time.

For one, mobile payments weren’t really a thing. So it wasn’t designed with them in mind. It also took users to a third-party site for authentication, which was not ideal. As we all know, too much friction is a nightmare for customer experience and conversion.

Then came the 3DS2 protocols. 3DS 2.1 offers a much more user-friendly experience. The mobile checkout experience is faster and seamless. And the authentication challenge is embedded in the purchase flow. 3DS 2.2 comes with the wonderful offering of frictionless payments and exemptions to SCA on transactions that meet the criteria.

If we look at the results above from the German market, you’ll notice a missing 20%. That would be those authentications that used 3DS1. The protocol was still available in the timeframe of the data we looked at.

These figures have been intentionally left out as we'll no longer be reporting on them. 3DS1 fully deprecated as of the end of last year. So there was little value in reporting on the share of traffic between 3DS1 and 3DS2 this time around.

In 2022 we saw the mass migration from 3DS1 to 3DS 2.1. And in the latter part of the year we started to see the slow adoption of 3DS 2.2. These fluctuations and changes in the industry are reflected in the data.

A significant change in the world of 3DS is the speed at which version are becoming available. And the speed at which old versions are made obsolete. So a one and done approach to 3DS for merchants and PSPs is not an option. You need to stay up on top of changes and compliance requirements to successfully transact without declines.

The latest protocol 3DS 2.3 goes even further than its predecessors. But its adoption is still far beyond the horizon. What 3DS2 version is your business sending transactions through?

What does 3DS performance look like globally?

The most important stats for many readers will be the success rate of transactions that went to 3DS initially. Authentication success rates are often a sign that customers are getting more comfortable with the process. But they can also point to fraudsters having found a way around 3DS. So it's important that you keep an eye on this.

These are strong success results for Germany. This is especially true considering that 3DS2 is a relatively new protocol for many merchants. If we compare them to historical 3DS 1.0 results – merchants were reporting a 70% success rate.

Here we also look at frictionless authentication. This is where no challenge takes place. The results for German merchants are good, but way below anyone’s definition of friction-free ecommerce. Nonetheless, the numbers are a positive reflection on the adoption and success of 3DS.

How much traffic is being sent to 3DS?

The map tracks the amount of traffic sent to 3DS as estimated by the respondents in that country. Disparities between global payment regulations make this a particularly interesting piece of information to track.

We’d expect these numbers to vary greatly as Strong Customer Authentication (SCA) isn’t mandated globally. As is the case in Europe where SCA is required as part of PSD2. So when we look at the results from Germany, the percentage of transactions is lower than we might expect. All transactions should be sent through some sort of authentication.

But there are various other reasons not to request a challenge that are coming to light with 3DS 2.2. These include numerous out of scope transactions and the increased use of exemptions. There is also a possibility that some survey respondents simply underestimated 3DS traffic volumes, which is interesting in itself.

Merchants globally should keep an eye on the impact of SCA in Europe – there are definitely many lessons to be learned.

What is the current perception of 3DS?

Global attitudes to SCA differ significantly depending on where you are in the world and where you do business. Some regions are more comfortable with adding potential points of friction than others. Overall though, merchants seem somewhat unconvinced and worry about the impact on conversion.

So are German e-commerce professionals concerned about the impact? The answer is a qualified yes. This isn’t too surprising given the level of change and the predictions of doom at the advent of PSD2. That said the European creators of the directive would probably be very pleased to see a response like this two to three years into its implementation. So maybe things are looking up!

Get your authentication strategy in shipshape

As we’ve already touched upon, exemptions are coming! OK, many are already here. Under 40% of German merchants are taking advantage of the developments that come with the latest 3DS protocols. But we foresee exemption management becoming increasingly relevant. Especially as merchants look to strike the right balance between conversion and compliance.

At Ravelin we see the role of a fraud vendor evolving beyond just working with merchants to prevent fraud. It will also include ensuring that the right authentication and exemptions strategy is pursued. Whether that be through Transaction Risk Analysis and/or the delivery of a 3DS solution for merchants.

Our Global Payment Regulation Map is a part of this. So assess global results to benchmark your business and inform your authentication strategy now.

Related content