Last year, New Zealand saw the launch of 3DS2 – an improved way to authenticate online payments to prevent credit card fraud. 3DS2 is an update from the previous 3DS1 standards, and it’s a huge leap forward in the way credit card payments can be authenticated.


What does this mean for online shoppers?

You have probably noticed that more of the websites you visit are using two-factor authentication. Banks, for example, might send a code to your phone when you make a payment; Xero asks for confirmation via its app that you’re really logging in. These methods help prevent your card details being used by someone else fraudulently to make purchases or your company’s invoices being used to defraud customers, for instance.

In most cases, when you’re spending in your usual patterns, you won’t notice it’s there. With unexpected transactions, or at new stores, you might be asked to confirm your identity. That could be answering some questions, or opening your banking app to use your fingerprint or a passcode to prove you’re the owner of the card.

You’ll see 3DS2 being used online by credit card merchants under names like Visa Secure, Mastercard SecureCode or IndentityCheck, and American Express SafeKey. When you use 3DS2 to shop online, you’re getting greater protection against fraudulent transactions on your card.


Protection for merchants against credit card fraud

Unfortunately, credit card fraud is extremely common – most days of the week we hear from a merchant client who has had to deal with fraudulent transactions. This is a real headache, with chargeback disputes taking up to 10 weeks for the banks to settle.

And not all disputes will go the way of the retailer. Many large online retailers in New Zealand found 3DS1 checks too onerous for shoppers, leading to high levels of shopping cart abandonment. As a result, many credit card transactions go unchallenged, leaving the merchant potentially liable when a stolen card is used. 

Using 3DS2 means shoppers are authenticated by the bank. The bank then takes complete responsibility for the security of the transaction. This means that if there is any fraudulent activity, there are no question marks and no chargebacks. As the retailer, you are immediately refunded.


How does 3DS2 work?

3DS stands for three-domain secure. It’s a security protocol developed by EMVCo, a fintech company that specialises in transaction safety and technology. EMVCo is owned collectively by major credit card companies.

3DS1 was originally designed when online purchases were made via desktop only, not for mobile. The identity check experience for shoppers was unwieldy, leading to low uptake from merchants. 3DS2 is a major step ahead in creating smooth identity checking and security for shoppers and merchants – on any device.

To authenticate the cardholder, 3DS2 sends information from the merchant, via the Worldline gateway, to the bank. The type of information sent includes transaction and device information. The bank can decide to use security questions, a fingerprint via a banking app or a one-off passcode. You can see a video with more detail about how it works here.


Enabling 3DS2 for your online store

As a merchant, if you would like to enable 3DS2, you will need to contact your bank and tell them you would like to include 3DS2 checks on your online transactions.