The Green Sheet Online Edition
October 24, 2016 • Issue 16:10:02
3DS 2.0 adds tools, expands framework
An updated version of EMV 3-D Secure will be available in time for retail's peak season, EMVCo and the PCI Security Standards Council reported. The news was welcomed by global cybersecurity experts, many of whom are well aware of numerous details and compliance requirements related to the launch. 3-D Secure is shorthand for 3 Domain Security and is commonly abbreviated as 3DS.
EMVCo, a global body owned by American Express Co., Discover Financial Services, Mastercard, China UnionPay and Visa Inc. that manages the EMV (Europay, Mastercard and Visa) technology protocol, disclosed in January 2015 that it would launch 3DS 2.0 in 2016. The EMV 3-D Secure – Protocol and Core Functions Specification v2.0 (EMV 3DS 2.0 Specification) will improve security and global interoperability while providing a consistent consumer experience across e-commerce channels, connected devices and in-app purchases, EMVCo stated.
The PCI SSC, which manages the Payment Card Industry Data Security Standard, will work with EMVCo to provide security requirements, testing procedures, assessor training and reporting templates, making these resources available in 2017, council representatives stated.
Unified, international standard
3DS is designed to authenticate payment card transactions that originate online. The messaging protocol creates an additional layer of security to protect the three banks or "domains" of an ecommerce transaction (the issuing bank, acquiring bank and cardholder bank) through multifactor password or one-time password authentication. The technology was originally introduced as Verified by Visa to protect and enhance the online shopping experience.
The technology has subsequently been adapted by EMVCo and major payment card brands (in Mastercard's SecureCode, AmEx's SafeKey and JCB International Credit Co. Ltd's J/Secure) into a globally accepted security standard. EMVCo stated that Visa will own and manage its proprietary version of 3DS 1.0, while EMVCo will continue to develop the EMV 3DS 2.0 standard.
Expanded framework, toolkit
Interoperability was a consideration in designing additional tools and application programming interfaces to enable software developers to incorporate 3DS 2.0 into products and services. Jonathan Main, EMVCo Board of Managers Chair, who represents Mastercard, expects the "toolbox" to significantly enhance global interoperability across numerous ecommerce platforms while facilitating a unified international payments framework. "We recognize that this [effort] requires a number of industry stakeholders to work together to establish a secure framework, and we are delighted to be collaborating with PCI Security Standards Council to facilitate this process," he said.
Additionally, the partners noted that EMV 3DS 2.0:
- Facilitates app-based payments on mobile, connected devices
- Minimizes keystrokes to improve the consumer experience
- Uses advanced recognition and knowledge-based authentication capabilities
- Gives end-users the option of incorporating their own authentication solutions
- Enables merchants to integrate the authentication process into application- and browser-based checkout
- Improves end-to-end message processing
- Provides improved authentication
Flexible, adaptable framework
EMVCo and PCI SSC leaders expect 3DS 2.0 to continue its evolution in response to the ever-changing threat landscape, regulatory environments and payment security initiatives. The partners affirmed their commitment to creating a flexible, adaptable framework designed to support a range of online and mobile payment schemes and emerging payment technologies.
Making tool kits widely available will reinforce interoperability across multiple markets while supporting new application development and payments innovation, EMVCo stated. Troy Leach, Chief Technology Officer at the PCI SSC, added, "[W]ith mobile payments projected to continue to rise, it is vitally important that the security concerns be addressed in the design of the authentication system to keep up with the evolving threats."