EMV® 3-D Secure 2.1 and 2.2 – Cardstream

EMV 3-D Secure 2.2 brings enhanced functionality as the Strong Customer Authentication (SCA) protocol matures and consolidates its experience with over two years of deployment.

3-D Secure version 2.1 improved over the original 3-D Secure version and addressed the customer friction often experienced during the transaction process by enabling more data sharing between Merchants and Issuers. This allowed for a more accurate risk-based decision-making process, which led to smoother transactions with less interruption. Version 2.1 also introduced "frictionless flow," allowing low-risk transactions to be approved without additional authentication, improving the customer experience.

Version 2.2 adds new features to accommodate specific market requirements and regulations better. This was done partly to meet the Strong Customer Authentication (SCA) requirements of the European Union's Revised Directive on Payment Services (PSD2).

While both 3-D Secure 2.1 and 2.2 provide improved security for online transactions compared to the original protocol, 2.2 introduces greater flexibility and better support for evolving market needs, regulatory requirements, and mobile transactions. This highlights the ongoing evolution of security protocols in response to the changing landscape of online transactions and cybersecurity threats.

Functionality Updates

Version	Features
EMV 3DS 2.1	Support with real-time two-factor authentication Mobile device compatibility Reduction in fraud-related transactions Enhanced data sharing Biometric authentication Merchant Initiated Transactions (varied implementation by schemes)
EMV 3DS 2.2	All features of 2.1 plus: Additional device compatibility Further fraud reduction capabilities Enhanced user experience Enables smooth integration to mobile banking authentication and biometrics

Technical Updates

Merchants are not required to change their integration to support version 2.2. The changes that apply to the code are:

The requestorChallengeIndicator field supports new values:

05 - No challenge requested (transactional risk analysis already performed) [Sent as 02 in v2.1.0].

06 - No challenge requested (data share only) [Sent as 02 in v2.1.0].

07 - No challenge requested (strong consumer authentication already performed) [Sent as 02 in v2.1.0].

08 - No challenge requested (utilise whitelist exemption if no challenge required) [Sent as 02 in v2.1.0].

09 - Challenge requested: (whitelist prompt requested if challenge required) [Sent as 01 in v2.1.0].

The Mastercard Merchant Data extension scaExemptions field is no longer sent as its data is now in the requestorChallengeIndicator values 05, 06 and 07.
The browserScreenWidth, browserScreenHeight and browserScreenColorDepth can be omitted if the browser doesn’t support Java and JavaScript [Sent with defaults in v2.1.0 if omitted].
The threeRiIndicator sent as 08 for MOTO transactions [Not sent for v2.1.0].

Last updated 01/08/2023