3D Secure 2.0 and Magento: All You Need to Know to Keep Selling to EU Customers

3D Secure 2.0 and Magento: All You Need to Know to Keep Selling to EU Customers

3D Secure 2.0 and Magento: All You Need to Know to Keep Selling to EU Customers

18 years ago appeared the first version of 3D Secure. Visa introduced their new payment security feature in order to protect customers with an additional layer of authentication.

3DS version 1.0 was a decent improvement for the early era of Internet payments but even for its time it was a far cry from an ideal user experience. 3DS 1.0 opened up in a separate popup window, it was hard to use for mobile users, had bad UI and was slow to load.

For a time this awkward solution helped somewhat mitigate the countless risks of online shopping, both for the shoppers and Magento store owners.

A few years ago, 3DS version 2.0 entered active development. In 2019 the community decided it was time for an update. This is how 3D Secure 2.0 came to life.

The final push that moved the initiative from talks to action was the introduction of the Payment Services Directive 2015/2366 version 2.0, an upgrade of the EU Commission-inspired 2007 law that mandates stricter online payment security for the European Union customers, basically raising the security bar for all e-commerce players around the world.

PSD2 introduced a new security standard for online retail, SCA (Secure Customer Authentication). The deadline to integrate SCA pushes payment processors to build in 3DS2 support faster.

3D Secure 1 Needs to Go the Way of the Dodo

During these 18 years of use, 3DS 1.0 earned the reputation of a bulky, unreliable, hard to use slogfest. The kind you want to stay away from, not trust your CC details to. The stats support this as well. According to Visa surveys:

  • 70% of US shoppers worry about the security of their mobile purchases,
  • half of the security experts think their concern is 100% valid, mobile payments are poorly secured,
  • in a year, mobile payments will outperform traditional desktop purchases.

With the rise of mobile payments and a wide implementation of smart authentication methods in other areas, e-commerce seems severely lagging behind. The pain of entering a static password on a mobile device sharply cuts into mobile Checkout conversions. Users are already used to a higher level of user experience. The old-fashioned 3DS 1.0 just doesn’t cut it anymore.

Version 1.0 annoyances:

  • in addition to standard Checkout fields, shoppers always have to enter a 3DS password which leads to Checkout abandonment,
  • some users view an additional popup password check as a scam and think that hackers want to steal their CC details,
  • not all devices display 3DS popups correctly which means losing a guaranteed sale,
  • 3DS is slow to load, especially on weak mobile networks = again, lost sales.

3DS2: Main Highlights

3DS version 2.0 is smarter and more complex than version 1.0. The developers have significantly changed the way 3DS is implemented in payment operations. Read in detail about the technical implementation here. The good news is that the effort is well worth it: there are far more awesome features than technical complexity.

For the standard user, 3DS will work seamlessly, moving all vital security processes to the background. This means users will not see or interact with the new version of 3D Secure unless it’s absolutely necessary. The system knows how to assess the risk of every transaction based on all available data it has: user location, behavior patterns, place of purchase, device info, payment history, screen size, timezone, etc.

3DS 2.0 will ask for a password/auth info in extreme cases where the risk of losing a new sale is nothing compared to allowing unauthorized use of the customer’s credit card.


  • new 3DS 2.0 will give merchants better payment security,
  • customers don’t have to remember passwords or fill in new fields,
  • mobile users get 100% usable payments support, native mobile support is a thing now,
  • users always recognize 3DS security prompts and trust them more,
  • 3DS-caused cart abandonment will be a thing of the past,
  • 85% faster transactions and 70% lower Checkout abandonment,
  • no more $1 charges to verify card validity, yay!
  • CC validations are now also separate from payments,
  • native integration with digital wallets and various mobile apps.


  • Magento developers have to implement 3DS 2.0 in their stores,
  • 3DS specification will require time investment to study and use,
  • sometimes you still need to enter additional authentication details,
  • in some cases security is lower since behavior analysis is imperfect.

Deadline and Technical Details

The launch date of the new standard is September 14, 2019. This is the date when the 1.0 format will be replaced with the version 2.0.

The final deadline is October 11. This is the day when the mandate comes into effect and banks will reject some payments that don’t comply with the new security standard.

To get started, software development companies will have to study the specification, v2.0 protocol specifics and core functions, and understand the new 3DS process flow.

For example, this is how 3DS 1 works:

how 3D Secure 1.0 works

Now compare it to version 2.0:

how 3D Secure 2.0 works

As you can see, the main difference is that the system doesn’t need customer input. After they enter their CC details, they are pretty much unneeded. Only in rare cases when the system wants to make extra sure that the card holder’s ID is true, it will require an additional one-time password or another piece of authentication data.

How to Upgrade to 3D Secure 2.0?

April 2019 marked the first step toward adopting 3DS 2.0. Banks are encouraged to prepare for 3DS 2.0 as the main standard for all 3DS-protected transactions. September 14 is the launch day when Strong Customer Authentication (SCA) goes live for all EU-based e-commerce transactions.

The next milestone is October 11. This is the final deadline when all entities need to use 3DS 2.0 in all payments throughout the European Union. The year 2020 marks the global launch date for 3DS 2.0 which will become the worldwide standard for e-commerce CC transactions.

This is how different payment gateways will move to the new version of 3D Secure:

  • PayPal Magento users will go from 3DS v1 to 3DS v2 seamlessly. No need to do anything. PayPal handles the transition on their end.
  • Braintree users with Magento 2.3.3 or later (2.3.3 release coming soon!) have nothing to worry about. All they need to do is regularly update to the latest Magento version. Visit the page of the official Braintree extension to learn more.
  • Authorize.net provides 3DS version 2 support through cardholderAuthentication request field using any capable third-party extension. Starting from Magento 2.3.3 release, Authorize.net AcceptJs integration will support 3DS 2.0 via CardinalCommerce.
  • CyberSource requires the latest CyberSource Global Payment Management to support the latest version of 3D Secure.
  • eWAY offers support for 3D Secure 2 through their eWAY Payments Magento 2 extension.
  • Stripe supports 3DS2 validation through their PowerSync extension if the bank requires such advanced security checks.
  • Worldpay asks users to install the latest version of any suitable extension to comply with PSD2 and support 3DS2 payments.
  • Amazon Payments require an update to support the new standard.

The biggest challenge to update will be on those Merchants who opted to create their own custom integration extensions instead of implementing ready-to-use official ones.

They’ll need to invest significantly more effort into staying up to date with the current demands of online retail market.

If you need help making sure you payment gateway and custom integrations are updated and compliant – use the expertise of our development team.

Remember that failure to comply with regulations may result in huge fines, so get in touch with us today and let us fine-tune the security of your store.

Summing Up: What Happens if You Miss the Deadline?

The European Union introduced PSD2 in an effort to mitigate the growing problem of mobile payment vulnerability. This is why PSD2 created the initial guideline on how new authentication needs to work. It’s based on the 3 classic security principles. To successfully confirm their identity, the user needs to qualify for at least 2 of these 3 aspects:

  1. Something they are (a fingerprint, a face),
  2. Something they have (usually a phone),
  3. Something they know (a password or a PIN).

After October 11, 2019, you risk losing sales from those EU customers whose banks deny releasing the money if the seller cannot support a 3DS2-secured transaction.

After 2020, the list of customers who might have problems buying from non-compliant Magento Merchants will expand to the whole world.

In addition, Magento development has announced the intention to gradually move from built in payment integrations towards a purely extension-based payment support. So after a while your payment security will depend completely on using the right payment integration extensions from Magento Marketplace.

Need a professional audit of your payments’ integration and store security? Contact us and use the expertise of our team to grow your business!

Magento tips from real projects
Magento tips from real projects
CALL US 24/7:
& asia
+61 (02) 8005-7494