3DS 2.0 is set to be a game-changer for e-commerce payments

Apr 24 - 2020

Amidst a global pandemic, e-commerce is in the spotlight as people around the world prefer the safety and convenience of online shopping. India is no different. E-commerce in India has seen a surge of 20-30% in online sales over the past few weeks. However, this isn’t just a situation-led case in point. The Indian e-commerce industry has seen a steady upswing over the last few years on the back of a large number of merchants entering the market coupled with an explosion of smartphones and payment options.

India is expected to become the second largest e-commerce market in the world by 2034, according to IBEF projections. The report further highlights the e-commerce market is expected to reach Rs 13,97,800 crore (US$ 200 billion) by 2027, from Rs 2,69,076.5 crore (US$ 38.5 billion) in 2017. Projections also suggest that Internet penetration rate in India will be over 60% by 2026. Thus, giving a further boost to the e-commerce industry.

While marketers are waking up to the opportunity of e-commerce, the segment still needs the attention of advanced and simplified payments backed by security and convenience.

The online payment ecosystem


In India, online shoppers largely use either one of these following payment modes -- cards, prepaid wallets, UPI, net banking or cash-on-delivery. Cards, which was once one of the most popular methods of online payments, is now facing stiff competition from new-age payment formats such as UPI and prepaid wallets.


Even though cards might be getting displaced by UPI and wallets for smaller ticket transactions, they still remain the most-used payment method for online shopping in India. According to JP Morgan report, cards represent 29 percent of transactions.


Surely, cards are still holding on to the popularity quotient. But, over the past few years, both merchants and consumers have become acutely aware of the need for simplified payment experiences. Merchants worry about cart abandonment rates and transaction drop-offs. It is recorded that about 20% transactions drop-off on cards leading to just 80% Payment Success Rates (PSR). In 2019, card transaction drop-offs were estimated to have caused at least a $10 billion loss of e-commerce sales in India.

What complicates matters for card issuers and payment networks is the RBI mandate on 2-Factor Authentication (2FA) introduced in 2009. While prepaid wallets have been exempted, UPI implements this through a static PIN and cards mostly use SMS OTP as the second factor.

As a result, merchants too tend to push payment methods with the least amount of friction and the highest success rates. This is why one can see an upsurge in UPI and wallet transactions.

While the mandate certainly did its job in curtailing fraud, its implementation is less than optimal. Most online card payments in India are based on the 3DS 1.0 protocol, with every cardholder being authenticated through an SMS One-Time Passcode (OTP) sent to the customers’ registered mobile number.

To bring to the fore, the 3DS 1.0 protocol was originally written in 1999, and was largely meant for the desktop generation. In a country like India, where about 70% of online transactions originate from a mobile device, this protocol tends to have an adverse impact on the PSR.

Top reasons for lower PSR on cards

  • SMS OTP is the most commonly used authentication method. Cardholders often face issues of latency or non-delivery of the SMS and that results in 7-8% transactions dropping off
  • Multiple hops between issuer, payment network and merchant systems is another big concern in the 3DS 1.0 process. Typically, this could be at least 16-17 hops. What does this mean? More hops, the more chances of failed transactions. This can impact the success rate by 2-3%.
  • Next, issuer OTP pages are not often optimised for mobile. This means that customers need to keeping zooming in and zooming out, impacting the success of payments by 2-3%.
  • System scalability is also a concern with 3DS 1.0. This can have a huge impact during the sale periods (e.g. Flipkart’s Big Billion Day Sale or Amazon’s Freedom Sale), where issuer systems frequently go down. This happens to leave a negative impact of 2-5%

So, is there a more efficient and secure alternative? The answer lies in 3DS 2.0

Visa and Mastercard under the aegis of EMVCO have released a far more robust, secure and mobile friendly specification. This is called EMV 3DS specifications or 3DS 2.0 -- as it's commonly known. This next-gen protocol supports multiple form factors and new use-cases, while moving the entire ecosystem to “risk-based authentication”.

As we move forward, e-commerce will demand a more dynamic, risk-based, multi-factor authentication. What works in favour of 3DS 2.0 is that it supports almost tenfold in data exchange between stakeholders, while enabling faster and secure authentication.

How does EMV 3DS work?

With risk-based authentication, real-time checks are automatically run on online transactions. Depending on the service provider who is supplying the risk-based authentication solution used, these may include behavioural checks (Does the cardholder typically make this type of transaction?), Device checks(Is this the usual device a cardholder uses?) and merchant checks(Is the merchant trust-worthy?).

Based on these assessments, the issuing bank will determine whether to challenge the transaction or not. This means reliable authentication, fewer SMS OTPs, faster checkouts, lower cart abandonment rates and a frictionless payment experience.


Benefits of using Risk-based authentication

  • Enhanced user experience: Offer experience with less friction for a large part of the transacting universe. Given this is a self-learning risk-engine, it might start off challenging a higher proportion of transactions, but over time evolve to a model where only the risky transactions are challenged.
  • Improved speed of transactions: Your customers will see that the average transaction time is reduced from 40 seconds to ten seconds.
  • More transaction volumes and e-commerce revenues: Record higher conversion rates with drop in abandonment rates.
  • Cost savings: Customer calls may just be a thing of the past. No more heart-burn on not receiving the OTP in time.
  • Confined fraud levels: Fare well with lower losses despite the elimination of active authentication on a significant proportion of transactions.

The winning case for 3DS 2.0

Unlike static authentication where each transaction requires cardholder verification, risk-based authentication challenges only the riskiest transactions. What 3DS 2.0 does differently is that instead of relying on 5 to 7 data points (being collected in the 3DS 1.0 flow) issuers can collect over 70 variables; thus allowing issuers to make better decisions.

The amount of merchant data that can be collected using 3DS 2.0 is massive; offering merchants the possibilities of many frictionless capabilities. 3DS 2.0 is now being widely adopted internationally with Visa and MasterCard coming out with rules around liability, usage and adoption. Issuers and merchants in markets such as in Europe, Australia, Singapore and UAE have already begun adopting 3DS2.0.

Well, hopefully, RBI is listening too. Risk-based authentication is certainly something RBI can consider doing a Proof-of-Concept -- maybe use the regulatory sandbox to test this out in a limited manner.

In conclusion, 3DS 2.0 is adapting to the times by offering a seamless e-commerce payment experience to consumers -- whether they’re transacting via desktop, mobiles or laptops.

Stay up to date on the latest in Fintech & Banking