The most important shift from 3-D Secure 1.0 to EMV 3-D Secure is the addition of the RBA engine, and here's why it is a game changer.

Much has been written, tweeted and blogged about 3-D Secure, so by now we should all know that it’s a protocol for securely authenticating a consumer during card-not-present (CNP) e-commerce transactions. Additionally, it better protects the consumer, issuer and merchant from CNP fraud.

The most important aspect of EMV 3-D Secure, and the most important shift from 3-D Secure 1.0, is the addition of a risk-based authentication (RBA) engine. The RBA engine authenticates the majority of transactions using more effective risk-based data modeling that doesn’t require direct consumer interaction. RBA is a game changer compared to 3-D Secure 1.0 because it dramatically improves the customer experience. However, it is also RBA that will prove to be the most complex piece of the equation.

EMV 3-D Secure allows merchants to share much more data (up to 10 times more) to help issuers improve their authentication models. The aim of the improved data model is to better evaluate the risk of CNP transactions, enabling more transactions to be authorized behind the scenes, and limiting the friction in the purchasing process for the consumer.

What’s in the data?

[Figure: EMV 3-D Secure data. Source: EMVCo EMV 3-D Secure Protocol and Core Functions Specification, 3-D Secure 2.1.0, 30 Oct 2017]

The protocol makes provision for four types of data to be shared: transaction and consumer data, authentication data, merchant data, and device data. The US Payments Forum gives more information on the types of data included in each group.

For issuers, the challenge with EMV 3-D Secure lies in the vast number of data points they are being sent, and the fact that some are required (or conditional) while others are optional. Additionally, merchants only have to pass on data if they are collecting it, which depends on the type of merchant they are. For example, the Starbucks app probably won’t ask its users for their address, while an online retailer will need a shipping address for its customers. So, if an issuer has developed its risk models expecting an address but only receives a ZIP code, its model is not going to be effective.

Another difficulty facing issuers is that merchants typically do not send all their e-commerce transactions through 3-D Secure, only those that they already view as suspicious or high risk, because the fees are higher. This means that the data issuers receive is already skewed, which in turn skews the risk model. To improve outcomes across the entire ecosystem, merchants need to better understand the value of sending all e-commerce transactions through 3-D Secure. The benefits gained by doing this, such as reduced system-wide fraud, false positives, checkout times and cart abandonment, will outweigh the higher costs.

For EMV 3-D Secure to be completely effective, it is important that issuers can tune their authentication models correctly. So, what are the options for issuers if they know they won’t be getting the same amount or type of data from different merchants? One option is to create different models for different types of vendors. Another is to create a flexible model that can adapt to the data it receives, which would involve sophisticated machine learning algorithms. Whatever decision is eventually made, issuers have an interesting puzzle ahead of them in determining how best to use the data they are sent.
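The "flexible model" option can be sketched as a scorer that uses only the signals a merchant actually sent, degrades from a full-address comparison to a ZIP-only one, and steps up when too little data arrived. This is an added example, not code from Entersekt or EMVCo; the field names, weights and thresholds are hypothetical.

```python
# Added illustration, not issuer or EMVCo code. Field names, weights and
# thresholds are hypothetical, chosen only to show the adaptation logic.

def address_risk(tx):
    """Compare full addresses when sent; fall back to ZIP codes; else no signal."""
    if tx.get("ship_addr") and tx.get("bill_addr"):
        return 0.0 if tx["ship_addr"] == tx["bill_addr"] else 0.7
    if tx.get("ship_zip") and tx.get("bill_zip"):
        # A ZIP match is weaker evidence than an address match: keep residual risk.
        return 0.2 if tx["ship_zip"] == tx["bill_zip"] else 0.7
    return None

def amount_risk(tx):
    amt = tx.get("amount")
    return None if amt is None else min(amt / 1000.0, 1.0)

def device_risk(tx):
    seen = tx.get("device_seen_before")
    return None if seen is None else (0.0 if seen else 0.8)

SIGNALS = [(address_risk, 0.3), (amount_risk, 0.3), (device_risk, 0.4)]
MIN_COVERAGE = 0.5   # below this, too little data to approve silently
STEP_UP_SCORE = 0.5  # at or above this, ask the consumer to authenticate

def assess(tx):
    """Score with the signals that are present, renormalising their weights."""
    present = [(r, w) for r, w in ((fn(tx), w) for fn, w in SIGNALS) if r is not None]
    weight_present = sum(w for _, w in present)
    coverage = weight_present / sum(w for _, w in SIGNALS)
    if coverage < MIN_COVERAGE:
        return {"decision": "step_up", "reason": "insufficient data",
                "coverage": coverage, "score": None}
    score = sum(r * w for r, w in present) / weight_present
    decision = "step_up" if score >= STEP_UP_SCORE else "frictionless"
    return {"decision": decision, "reason": "risk score",
            "coverage": coverage, "score": score}

# Constructed sample transactions (not real data).
RETAILER = {"ship_addr": "1 Main St", "bill_addr": "1 Main St",
            "amount": 120.0, "device_seen_before": True}
COFFEE_APP = {"amount": 6.0, "device_seen_before": True}   # no address collected
ZIP_ONLY = {"ship_zip": "10001", "bill_zip": "30301",
            "amount": 900.0, "device_seen_before": False}
AMOUNT_ONLY = {"amount": 45.0}                              # nearly empty message

if __name__ == "__main__":
    for name, tx in [("retailer", RETAILER), ("coffee app", COFFEE_APP),
                     ("zip only", ZIP_ONLY), ("amount only", AMOUNT_ONLY)]:
        print(name, assess(tx))
```

The coffee-app transaction is still approved without friction despite carrying no address, while the amount-only message is stepped up because the model has too little to go on.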

Extending beyond RBA, a subset of transactions will still require step-up authentication before an issuer authorizes a CNP transaction. At Entersekt, our approach has always been based on a foundation of strong in-app authentication. Our technology has a proven track record in wiping out fraud for our clients, while providing their users with the control to seamlessly authenticate sensitive transactions. With us, our clients can innovate in a competitive market, allowing them to make their customers’ lives easier.

Our product is a next generation e-commerce and mobile payments enablement platform. It’s highly integrated, highly reliable and offers a superior user experience. It can help you make sense of 3-D Secure, so that you can avoid its challenges while capitalizing on its benefits.

If you enjoyed this blog, then try reading one of our related blogs in which Jennifer describes how friendly friction builds better digital banking experiences for customers.


Jennifer Singh


From strategy to execution, Jen makes innovative ideas become scalable businesses. Before joining Entersekt, Jen helped found the Digital Identity Solutions group at Thomson Reuters, an incubated business venture focused on the development of new identity verification and authentication services. Jen also volunteers as the City Director of House of Genius Atlanta, a community that helps entrepreneurs overcome challenges.


Entersekt is an innovator of customer-centric fintech solutions. Financial services providers and other enterprises rely on our patented mobile identity system to provide both security and the best in convenient new digital experiences to their customers, irrespective of the service channel. With us, they can concentrate on their innovation roadmap, while delivering intuitive, low-friction digital experiences to their customers.