Issuers and merchants rely on the 3-D Secure (3DS) protocol in the fight against “card-not-present”
(CNP) fraud. You may recognize brands such as Mastercard SecureCode®, Verified by Visa, American
Express SafeKey® and Discover ProtectBuy—all of which are 3DS implementations.
CA Technologies, A Broadcom Company (then Arcot) co-invented 3DS in partnership with Visa in the
early 2000s. With continuing development and enhancements, the protocol is known today as EMV®
3-D Secure (EMV® 3DS).
EMV 3DS was defined by EMVCo, a consortium of merchants, banks and payment organizations.
Expanding the functionality of the original implementation, EMV 3DS is designed to both reduce
fraud and streamline the customer experience, regardless of device.
As a Technical Associate, Broadcom continues to play a key role in the consortium—contributing
significant technical and marketplace expertise.

Discover the benefits of EMV 3-D Secure.
EMV 3-D Secure specifies a secure, real-time data pipeline between merchants, payment networks
and financial institutions. This pipeline enables organizations to share and analyze transaction data
across more than 150 transaction attributes such as cardholder device, email, billing information and
purchase history.

A rich data set enables multi-factor, risk-based authentication. Instead of evaluating each transaction
on its own merits, merchants and issuers share full visibility into the context around these

EMV 3DS puts issuers in the driver’s seat. Now they can return well-informed decisions—allow, deny
or challenge—at the time of purchase. Merchants can rely on the issuer’s decision—thus shifting
liability to the issuer—or they can maintain control by using EMV 3DS in non-challenge mode, relying
on their own risk models to make authentication decisions.

Merchants can also reduce costs, because in many cases card issuers provide reduced interchange
rates for transactions protected by EMV 3DS. And when liability shifts to the issuer, merchants
experience lower chargebacks for all EMV 3DS transactions.

Changing the game with authentication.
Fundamental to EMV 3-D Secure is the ability to leverage risk-based authentication, which
determines when a purchase should be challenged during checkout. By minimizing the number of
challenged transactions, EMV 3DS enables a frictionless experience for the vast majority of

But that leaves the question of how to handle suspicious transactions. With data exchange between
merchant and issuer, EMV 3DS eliminates the need for customers to remember static passwords. It
enables authentication through the use of one-time passwords, tokens and biometric methods. This
approach is more secure and easier to use—a win-win for merchants and cardholders alike.

Simply said, risk-based and strong authentication reduce fraud, false declines and abandoned
shopping carts—for more legitimate sales.

And just as important, EMV 3DS simplifies compliance with regulations like the European Banking
Authority (EBA) revised Payment Services Directive (PSD2).

EMV 3-D Secure means more ways to win.
Issuers, merchants and consumers all benefit from EMV 3-D Secure in ways that go well beyond
fraud protection.

For issuers, you simply can’t argue with the financial benefits achievable with EMV 3DS. With fewer
occurrences of fraudulent transactions, a reduction in challenges and more true sales, issuers can
reduce the operational costs of CNP fraud. More legitimate sales for merchants and better shopping
experiences for consumers result in further confidence and acceptance of issuer products.

By using a variety of tools to extract EMV 3DS-generated data, merchants can analyze the shopping
and buying behaviors of customers to design products, improve their business model or create a
more seamless and unified commerce experience.

Shoppers also win, because the framework for digital authentication supports virtually all devices.
Payments can be made via browser, in-app or with digital wallets—all with the same look and
feel—resulting in a superior customer experience.

Best of all, consumers get these benefits immediately. Enrollment is automatic, so once an issuer
adopts EMV 3DS, all of their cardholders are protected.

Broadcom boosts the benefits of EMV 3DS for issuers, merchants and consumers.

  1. Better Fraud Decisions
    Broadcom fraud protection solutions see and maintain far richer transactional and device
    data—across schemes, cards and geographies—improving accuracy in identifying and stopping CNP
    fraud in real time.
    This gives us the ability to leverage and incorporate data that flows through the transactions of
    multiple issuers, not just one. And our solution goes beyond the 150 data elements collected by EMV
    3DS tracking factors.
    Analysis of this uniquely rich data, in combination with our patented neural networks, supports
    issuers and merchants with real-time analytics. Because these models learn over time, the data set
    becomes even better and decision-making gets smarter with every transaction. Issuer and merchant
    systems make more confident risk-based assessments in real time—resulting in a dramatic reduction
    in false declines.
  2. More Control
    Broadcom gives issuers and merchants the ultimate say over transaction authentication decisions.
    You can configure and manage authentication based on your particular risk policies. For example,
    you can set rules so that your VIP customers will never face an authentication challenge. Plus, you
    can create and set rules instantly—without vendor dependency.
  3. Less Customer Friction
    With Broadcom, EMV 3-D Secure enables issuers and merchants to more confidently approve or
    decline transactions. The vast majority can go through unchallenged and those that are flagged as
    suspicious present easy-to-use step-up authentication. The result is less cart abandonment and more
    genuine sales.
  4. Choice of Authentication Challenges
    Based on risk assessment and preference, a variety of additional authentication methods, such as
    OTPs or push notifications, can be deployed. Broadcom also supports biometrics, providing
    merchants with a range of authentication methods such as voice recognition or facial scans.


Updated May 2019
The first edition: 3D Secure 1.0
If you’ve shopped online in the last decade then chances are you’ve experienced 3DS 1.0. It’s that
moment you get sent to an often clunky page from your bank to confirm who you are. In completing
this step, issuing banks, not the business you’re buying from, become liable for fraudulent
chargebacks. It’s a consistent security step, but not great for our customers.
It’s this point of friction, combined with confusing web redirect experiences, which made 3DS 1.0 fail
customers and businesses. Not only did 3DS 1.0 lack native in-app and web flows, but it also
introduced confusing and difficult-to-remember authentication prompts. This resulted in legitimate
customers dropping out of the payment flow.
International businesses also faced many challenges with 3DS 1.0. This is mainly due to the way
payments are processed in different markets. Every region has different security requirements and
legislation, and adoption of the 3DS 1.0 protocol in general was inconsistent from bank to bank and
country to country.
To handle these problems, we released tools like Dynamic 3D Secure to use 3D Secure where it made
sense and avoid it when it didn’t. This helped businesses use 3DS 1.0 where it could be trusted. But it
didn’t address the underlying issues of the protocol itself.
That’s enough about the problems though; let’s explore the opportunity now that the next
generation of 3D Secure is here – version 2.0.
The second edition: 3D Secure 2.0
3DS 2.0 is a new standard introduced by EMVCo and the major credit card schemes. It brings a new
approach to authentication through a wider range of data, biometric authentication and an improved
online experience. This new protocol addresses many of 1.0’s issues, while bringing benefits across a
wider set of use cases for businesses all over the world.

Increasing authorization rates with data sharing
3DS 2.0 is much more than a redirect. The combination of certified SDKs in the checkout flow, paired
with data sharing APIs, means that 3DS 2.0 can be used as a tool to share rich data between
businesses and banks. Over 100 potential data points are shared with issuing banks, meaning that
the information you and card issuers know about your mutual customers can be used to make better
risk decisions. The more information you have to support authentication cases, the higher the
chance of authorization.
With 3DS 2.0 it is possible to share data between banks and merchants silently in the background.
Authorization rates can be increased with no perceivable change to the checkout flow by customers.

This is interesting for businesses that don’t need to use 3DS 2.0 for fraud prevention. A business
which has low fraud rates, but wants to achieve the authorization uplift benefits of 3DS 2.0, can
implement data sharing without changing the seamless checkout flow their customers
currently enjoy.
Superior authentication experiences for customers
In many cases device information is enough to authenticate without an extra step for the customer.
However, some transactions that carry higher risk, or that fall under regulations such as PSD2, require active
approval. Our 3D Secure SDKs help you build these flows and there are three primary types to
Passive – The SDK and servers exchange all necessary information in the background. The customer
sees nothing.
3DS 2.0 passive authentication
Two-Factor – The user is asked to provide a two-factor authentication code sent via email or SMS.
3DS 2.0 two-factor authentication
Biometric – An app-switch to an issuing-bank app is facilitated by the SDK. The user can use their
fingerprint or face in the issuing bank app.
3DS 2.0 biometric authentication
With more authentication flows on offer, customers will be able to choose their preferred authentication
method. This means increasing security while reducing the drop-off rates seen in older solutions
that were based on static passwords. What’s more, our 3DS 2.0 SDK will help you easily build these
authentication flows natively into our apps and websites.
The different authentication flows with 3DS 2.0 offer more flexibility so banks can continue to
innovate in the future, continuing to make authentication simple and more secure.

Managed compliance with Dynamic 3D Secure
3D Secure 2.0 is the main way that businesses can prepare for PSD2. Most regions that already have
authentication mandates are expected to adopt the protocol quickly.
Prepare for Strong Customer Authentication with 3DS 2.0
The biggest driver for businesses and issuing banks to implement 3DS 2.0 is the upcoming enforcement
of Strong Customer Authentication (SCA) requirements under PSD2. This law goes live in Europe on
September 14, 2019.