Skip to main content

AUTHENTICATION

Improving EMV 3DS Authentications with 3DS Method URL

Nathan Franks profile photo

Nathan Franks

Director, Product Management, Mastercard

4 min read · September 09, 2024

 

Woman wearing yellow top using her phone

Decoding the EMV 3DS Method URL

Improving EMV 3DS Authentications through risk-based data decisioning with the 3DS Method URL

 

Although EMV 3DS was adopted several years ago, certain aspects of the new authentication process remain underutilized. Notably, the 3DS Method URL, which has been recommended by Mastercard and other payment technology companies, is still not widely supported. This is despite many businesses clearly demonstrating the huge performance boost that frictionless payments provide through lower challenge rates when both merchant, issuer and their Access Control Server (ACS) are supporting the 3DS Method URL.



So why are so many businesses leaving potential approvals and thus revenue on the table? Let’s break down the EMV 3DS Method URL and why it’s critical to getting the most out of EMV 3DS by improving cardholders' user experience and increasing authentication success rates.

A woman sitting at a desk with a laptop

What is the EMV 3DS Method URL?

 

In short, the EMV 3DS Method URL is used to gather device information from the cardholder.



Using the 3DS Method URL allows the ACS to provide merchants with a script to collect a rich set of data elements for the ACS beyond the standard transaction details. These data points act as a ‘fingerprint’ for the consumer and can help the issuer determine whether to send a challenge to the cardholder to confirm their identity or allow a frictionless transaction to proceed. Included in these rich data points are historical information on the device the transaction is coming from and details on the browser including IP address, time zones and others.



While using the 3DS Method URL will be required in the EU in March 2025, it is already strongly recommended in all other markets. As many markets upgrade to EMV 3DS 2.2 in September 2024, now is a key opportunity to improve your EMV 3DS performance using the 3DS Method URL.

 

To align with industry standards, Mastercard will no longer be supporting EMV 3DS 2.1 after September 24, 2024. Mastercard Gateway will always initiate an authentication request in the highest supported EMV 3DS version available (currently EMV 3DS 2.2) and it will be the responsibility of the issuers to ensure they support the latest EMV 3DS version available.

 

 

How the 3DS Method URL works:

The EMV 3DS Method URL process is generally broken out into the following steps:

 

Virtual account number black mc icon

Step 1

Merchant Cloud determines the ACS 3DS Method URL.

Big data black mc icon

Step 2

Response data in the Initiate Authentication API call invokes the 3DS Method URL.

Pay bill online black mc icon

Step 3

Merchant shares data with issuer via the browser which ACS receives automatically.

Arrow left right black mc icon

Step 4

ACS collects device data via cardholder browser; Merchant Cloud notifies merchant.

Check mark black mc icon

Step 5

Merchant submits Authenticate Payer API request. Consult regional guides for more.

For merchants using Merchant Cloud's Hosted Checkout integration, the EMV 3DS Method URL process is handled by our gateway and is one of the ways hosted payments can provide merchants with a streamlined, secure and convenient payment solution.

Using the 3DS Method URL to improve risk-based decision making

 

Staying diligent in an era where cyber threats are constantly evolving is essential to all businesses involved in the payment ecosystem. To secure transactions, the 3DS Method URL increases data shared and collaboration between the three parties in the payment process.

 

Embed the 3DS Method URL on the checkout page to allow the ACS to collect additional data, and ensure that the 3DS Method URL is invoked and completed before submitting the authentication request.

By working together, we can address current security challenges and lay the foundation for future innovations in payment authentication. Merchants rely on issuers to detect fraudulent transactions, while issuers trust merchants to consistently provide key data elements with every authentication request.

 

Execute the 3DS Method URL script for each authentication when the merchant invokes the 3DS Method URL.

Connect the device and browser data (gathered from the 3DS Method URL) with the specific authentication transaction data using the 3DS Server transaction ID, and utilize this information for risk assessment decisioning.

By working together, we can address current security challenges and lay the foundation for future innovations in payment authentication. Merchants rely on issuers to detect fraudulent transactions, while issuers trust merchants to consistently provide key data elements with every authentication request.

 

Verify support for the 3DS Method URL with the Access Control Server.



Ensure that all account ranges support the 3DS Method URL within the Identity Service Solution Management tool.

By working together, we can address current security challenges and lay the foundation for future innovations in payment authentication. Merchants rely on issuers to detect fraudulent transactions, while issuers trust merchants to consistently provide key data elements with every authentication request.

A woman sitting at a desk using a cell phone wearing earpod

Improving approval rates with data-rich decision making

 

The 3DS Method URL has been developed to analyze vast amounts of customer and transaction data, identifying patterns that can aid in frictionless authentication and alerting merchants and issuers to anomalies that could indicate fraudulent activity. By leveraging these insights, merchants and financial institutions can improve approval rates, enhance security measures and ensure a seamless experience for users.

 

 

What other data should be shared via the EMV 3DS authentication process?

 

In addition to the robust capabilities of the EMV 3DS Method URL, merchants and financial institutions should utilize key data fields in the EMV 3DS process to improve their approval rates.

Cardholder information

  • Name
  • Shipping address
  • Email address
  • Phone number
  • Billing address

Browser and device information

  • Browser IP address
  • Browser screen height
  • Browser screen width
  • Time zone
  • Device type

 

Ultimately, the future of payment transactions lies in the balance between innovation and security, as we evolve to create a world where the payment experience is both frictionless and secure against fraud.

 

Nathan Franks

Director, Product Management, Mastercard

 

Nathan Franks is experienced in payment security technology, bringing over two decades of expertise to the industry. Nathan is responsible for shaping the Authentication, Fraud and Risk strategies for Merchant Cloud customers, leveraging his extensive experience in Fraud and Risk Services gained from working with multiple leading payment technology firms.

Follow on LinkedIn
Nathan Franks