3DSecure 2.0: eftpos Enters the Fray

With the introduction of 3DSecure, eftpos has continued its journey to ensure its cardholders have the highest standards in transactional security without adding unnecessary friction to the cardholder experience.

3DSecure – Securing Payments

3DSecure (3Ds) is a security protocol that provides an additional layer of protection for cardholders and merchants alike for card-not-present (CNP) eCommerce transactions. It is used to authenticate the cardholder whilst undertaking a payment, ensuring that the person conducting the transaction is indeed the cardholder. The purpose of the 3DS protocol is to facilitate the exchange of data between stakeholders – the merchant, cardholder and card issuer. The objective is to benefit each of these parties by providing the ability to authenticate cardholders during a CNP eCommerce purchase, reducing the likelihood of fraudulent usage of payment cards. Issuers of Visa and MasterCard card products have already been exposed to 3DSecure 1.0 and its recent version 2.0 successor in the form of ‘Visa Secure’ and ‘MasterCard SecureCode’, respectively. Indue is finaliaing a program of work with all of its Visa card issuing clients to upgrade Visa Secure version 1.0 to version 2.0. Version 2.0 introduces the requirement to have dynamic cardholder verification (i.e. one-time password via SMS) instead of static cardholder verification (i.e. cardholder identity questions).

eftpos enabling 3DSecure 2.0

Based on industry feedback and continual working groups, eftpos has undertaken the same initiative as the other card schemes and has commenced the process of establishing its own 3DSecure requirement. The scheme is currently working on finalising its solution design and technical specifications. Indue has advocated to eftpos that its 3DSecure solution be compatible with the other card schemes’ solutions – namely Indue wants to ensure that eftpos’ final solution design allows the reuse of what its card issuing clients have already built to support the other schemes’ solutions. This would ensure that eftpos cardholders benefit from the same security protections as other scheme cardholders whilst leveraging the effort already expended to build a 3DSecure solution.

Implementation Timeline

The eftpos 3DSecure 2.0 solution is currently in planning phase. eftpos is presently working with existing Access Control Servers (ACS), who provide the authentication solution software for issuers and merchants for 3DSecure, to finalise their own set of requirements. eftpos have yet to confirm a set date for their finalised 3D Secure solution, but have advised that by October 2020, there will be a liability shift favouring those parties who have opted to enroll and implement the new security solution. The same strategy was previously employed by other card schemes in order to promote adoption and ensure that both parties within a transaction (merchant and card issuer) are protected against card fraud. Once Indue has received eftpos’ detailed requirements for 3DSecure functionality, we will undertake further analysis to understand the changes and engage all of our affected eftpos Card Issuers to initiate a project for implementing the solution.