EMV 3-D Secure Protocol and Core Functions Specification– General Questions
  1. What is EMV 3-D Secure?
  2. What role does 3-D Secure play within the payments community?
  3. 3-D Secure is already used by the market. Why has a new specification been created?
  4. What does EMV 3-D Secure offer the marketplace?
  5. What are the benefits of EMV 3-D Secure to each of the ecosystem stakeholders?
  6. Is the specification available to all parties without charge?
  7. Is the EMV 3-D Secure specification being used now? If yes, by whom?
  8. How will EMV 3-D Secure be adopted by payment stakeholders?
  9. Will there be a testing framework for EMV 3-D Secure compatible solutions?
  10. What is the purpose of the EMV 3-D Secure Software Development Kit (SDK) Specification?
  11. How does EMV 3-D Secure SDK Specification differ from the EMV 3-D Secure Specification?
  12. Does the release of EMV 3DS specification have an impact on other areas of EMVCo activity / work?
  13. Who has provided input into the EMV 3DS specification and how will it be managed long-term?
  14. What are the differences between the EMV 3-D Secure v2.0.0 and v2.0.1 specifications?
  15. Can I implement EMV 3-D Secure 2.0.0 right now or do I have to wait until version 2.0.1 becomes public?
  16. Does the EMV® 3-D Secure specification support multi-card brand processing?
  17. How can I get involved?
  18. Can I submit questions through EMVCo directly to the Payment Systems?
  19. Why was EMVCo selected to advance and manage this new industry specification?
  20. What documentation has EMVCo published in support of EMV 3DS?
  21. What ACS Reference Number should be used if the Directory Server (DS) performs Attempts Processing?
  22. How will the Directory Server public keys be shared with the 3-D Secure Vendors?
  1. What is EMV 3-D Secure?

    EMV Three-Domain Secure (3DS) is a messaging protocol to enable consumers to authenticate themselves with their card issuer when making card-not-present (CNP) e-commerce purchases. The additional security layer helps prevent unauthorised CNP transactions and protects the merchant from CNP exposure to fraud.

    The three domains consist of the merchant / acquirer domain, issuer domain, and the interoperability domain (e.g. Payment Systems).

  2. What role does 3-D Secure play within the payments community?

    The purpose of the 3DS protocol is to facilitate the exchange of data between stakeholders – the merchant, cardholder and card issuer. The objective is to benefit each of these parties by providing the ability to authenticate cardholders during a CNP e-commerce purchase, reducing the likelihood of fraudulent usage of payment cards.

  3. 3-D Secure is already used by the market. Why has a new specification been created?

    To reflect current and future market requirements, the payments industry recognised the need to create a new specification that would support app-based authentication and integration with digital wallets, as well as traditional browser-based e-commerce transactions. This led to the development of a new industry specification: EMV® 3-D Secure – Protocol and Core Functions Specification v2.0.0 (EMV 3DS Specification) – that takes into account these new payment channels and supports the delivery of industry leading security, performance and user experience.

  4. What does EMV 3-D Secure offer the marketplace?

    The new specification:

    • Supports specific app-based purchases on mobile and other consumer devices.
    • Improves the consumer experience by enabling intelligent risk-based decisioning that encourages frictionless consumer authentication.
    • Delivers industry leading security features.
    • Specifies use of multiple options for step-up authentication, including one-time passcodes, as well as biometrics via out-of-band authentication.
    • Enhances functionality that enables merchants to integrate the authentication process into their checkout experiences, for both app and browser-based implementations.
    • Offers performance improvements for end-to-end message processing.
    • Adds a non-payment message category to provide cardholder verification details to support various non-payment activities, such as adding a payment card to a digital wallet.

  5. What are the benefits of EMV 3-D Secure to each of the ecosystem stakeholders?
  6. Solutions developed on the EMV 3DS specification can bring many benefits to the marketplace as they will reflect the payment community’s objective to secure consumer e-commerce transactions while optimising the user experience.

    • Merchants will be able to implement a consistent approach across multiple platforms and digital media when confirming the authenticity of a transaction. EMV 3DS based solutions can achieve this during the purchasing process, minimising the risk of potential checkout abandonment.
    • Issuers will be able to improve frictionless authentication due to richer data exchanges. By supporting new devices / channels, solutions compatible to the EMV 3DS Specification will encourage cardholders to make purchases using their preferred medium without compromising on security.
    • Consumers seek increased convenience and security during e-commerce payments, and solutions based on the EMV 3DS Specification will offer these benefits, adding efficiency with minimal to no impact on the applications and payment flows that consumers are using and experiencing today.

  7. Is the specification available to all parties without charge?

    Yes. Like other EMV Specifications, the final EMV 3-D Secure Protocol and Core Specification is available on a royalty-free basis for anyone to download from the EMVCo website. EMVCo has an established framework for delivering payment-related specifications through open and transparent processes in consultation with industry stakeholders.

  8. Is the EMV 3-D Secure specification being used now? If yes, by whom?

    No. Since the EMV 3DS Specification has only just been published in October 2016, it will take time for developers to create solutions based on the new specification and for the solutions to become available in the marketplace.

  9. How will EMV 3-D Secure be adopted by payment stakeholders?

    EMVCo provides a ‘tool box’ of specifications that facilitate the worldwide interoperability and acceptance of secure payment transactions by managing and evolving the EMV Specifications and related testing processes. Adoption of EMV Specifications and associated approval and certification processes promotes a unified international payments framework that supports an advancing range of payment methods, technologies, and acceptance environments. The specifications are designed to be flexible and can be adapted regionally to meet national payment requirements and accommodate local regulations. EMVCo does not mandate the use of its specifications and industry stakeholders are free to choose from any or all of the related EMV Specifications to address their customer and market needs.

    Accordingly, EMVCo expects the EMV 3DS specification will be used primarily by parties to develop and implement EMV 3DS-compliant products and services.

  10. Will there be a testing framework for EMV 3-D Secure compatible solutions?

    Yes. EMVCo is working to support the functional testing of EMV 3DS solutions to confirm that they are compliant to the EMV 3DS Protocol and Core Specification.

    Additionally, the PCI Security Standards Council will use the functional specification created by EMVCo, to deliver data security requirements, testing procedures, assessor training and reporting templates to address the environmental security. These related documents will be released in 2017. Learn more about this collaboration.

  11. What is the purpose of the EMV 3-D Secure Software Development Kit (SDK) Specification?

    The EMV 3-D Secure SDK Specification details the SDK information and requirements for 3-D Secure app-based solutions. This technical document is intended to be utilised by parties interested in gaining a deeper understanding around the EMV 3-D Secure protocol and Core Specification and its functions. In addition to the EMV 3DS SDK specification, EMVCo has developed a specification that focuses on device information and an SDK technical guide (EMV 3-D Secure SDK—Device Information and EMV 3-D Secure SDK Technical Guide). Collectively, these documents provide practical insight on how to create an EMV 3DS SDK and how this can be integrated into an EMV-compliant 3DS Requestor app.

  12. How does EMV 3-D Secure SDK Specification differ from the EMV 3-D Secure Specification?

    The EMV 3-D Secure -Protocol and Core Specification provides the requirements for all EMV 3DS components, such as 3DS Requestor, 3DS SDK, 3DS Server, Directory Server and Access Control Server, and details all of the flows and data elements. In contrast, the EMV 3-D Secure SDK Specification focuses exclusively on the SDK and the specific role it plays in the 3DS flows and requirements.

  13. Does the release of EMV 3DS specification have an impact on other areas of EMVCo activity / work?

    The EMVCo 3DS Working Group works in close alignment with the technical body’s tokenisation, mobile payments and security initiatives. The collective goal is to advance the global interoperability of digital and e-commerce payments, while supporting cardholder authentication and enhancing transaction security.

  14. Who has provided input into the EMV 3DS specification and how will it be managed long-term?

    EMVCo engages with several industry bodies, alliances and community stakeholders to receive feedback on its specifications and to ensure that they evolve in line with industry requirements.

    As part of EMVCo’s work to create the EMV 3DS specification, the body commissioned user-testing in multiple countries to understand which mechanisms users preferred. External reviews of the draft specification were also completed, including usability studies, academic analyses, and detailed review of the security design. This is in addition to extensive input and guidance from EMVCo Business & Technical Associates.

  15. What are the differences between the EMV 3-D Secure v2.0.0 and v2.0.1 specifications?

    There are three key differences between version v2.0.0 and version v2.0.1:

    1. Simplified requirement re-numbering and error codes.
    2. Introduction of 3DS Integrator Requests (3RI) to help facilitate recurring payments.
    3. Corrections and clarifications throughout the specification per our Test Lab feedback. Changes include updates to the PReq/PRes messages, security requirements, JSON formats, timeout requirements, and error messages. 

    Note that these updates are communicated in detail in EMV Specification Bulletins.

    Version 2.0.1 will be made available to the public after final feedback is received from of our internal testing.

  16. Can I implement EMV 3-D Secure 2.0.0 right now or do I have to wait until version 2.0.1 becomes public?

    Although EMVCo may make both version 2.0.0 and 2.0.1 available on its website, we recommend implementing version 2.0.1 as it provides additional functionalities and fixes from previous versions. Also note that EMV 3DS 2.0.1 testing and approval availability is dependent on when the Test Lab opens and becomes available for testing.

  17. Does the EMV® 3-D Secure specification support multi-card brand processing?

    Yes, the specification does support multi-card brand processing. Although the actual multi-card brand processing logic resides outside of the specification, the specification will support the routing of that transaction to the appropriate Directory Server as indicated by the 3DS Server.

  18. How can I get involved?

    EMVCo has an established Associates Programme that is open to all industry stakeholders. EMVCo engages with its Associates to collect industry input to develop and refine its specifications. This serves to solidify EMVCo’s understanding of industry requirements to support global interoperability, security and cardholder authentication. EMVCo will be seeking input from its Associates, at both a technical and business level, on an ongoing basis to ensure current and future global requirements are addressed.

    EMVCo welcomes new participants who are interested in contributing to the EMV 3-D Secure Protocol and Core Specification effort to join its Associates Programme.

  19. Can I submit questions through EMVCo directly to the Payment Systems?

    No, these questions must be submitted directly to the Payment System(s). Please note any question regarding Payment System(s) will be returned.

  20. Why was EMVCo selected to advance and manage this new industry specification?

    EMVCo members recognised value in advancing the new EMV 3DS specification to authenticate cardholders through its specification setting process. Adopting this open specification approach encourages cooperation within the payments community to establish a more universally accepted 3DS specification. EMVCo has the strategic breadth, industry knowledge and technical depth to develop a universally interoperable specification that will support card-not-present authentication.

    In addition to EMVCo’s expertise, the global technical body has a governance framework that enables collaboration within the payments community, and a well-established track record of technical specification delivery. EMVCo receives significant input from its Business and Technical Associates, which consist of industry participants including issuers, acquirers, payment networks, merchants, manufacturers, technology providers and testing laboratories from numerous countries. EMVCo is dedicated to developing universally accessible and objective specifications as the risk landscape continues to evolve. EMVCo makes its specifications available on a royalty-free basis to all industry participants and to the public.

  21. What documentation has EMVCo published in support of EMV 3DS?

    EMVCo has published the following final specifications to the industry in support of EMV 3DS:

    • EMV® 3-D Secure—Protocol and Core Functions Specification 2.0.0
    • EMV® 3-D Secure—SDK Device Information 2.0.0
    • EMV® 3-D Secure—SDK Specification 2.0.0
    • EMV® 3-D Secure—SDK Technical Guide

  22. What ACS Reference Number should be used if the Directory Server (DS) performs Attempts Processing?

    If the DS submits a Transaction Status = A, indicating Attempts Processing Performed; Not authenticated, and a proof of attempted authentication is provided, then the ACS Reference Number provided in the ARes message will be the DS Reference Number.

  23. How will the Directory Server public keys be shared with the 3-D Secure Vendors?

    There are no processes defined within the EMV 3-D Secure—Protocol and Core Functions Specification around sharing public keys.  Each 3-D Secure vendor will need to work with their appropriate Directory Servers and determine how those public keys will be shared prior to implementation.

Please note: Visa maintains sole ownership and management of the 3DS 1.0 Specifications. EMVCo has created, owns and manages the EMV 3DS 2.0 Specification and related industry materials.