More commonly recognized by consumers as “Verified by Visa” or “MasterCard Secure Code”, 3-D Secure was a phenomenal innovation when it first hit the payments industry over two decades ago. The system provided the perfect means of securing online transactions.
Unfortunately, it has not always been smooth sailing. There were some issues with the system which made it conservatively adopted in some parts of the world. However, the development of the technology did not stop at that point. Industry leaders learnt from their mistakes in the first iteration by introducing 3D Secure 2.0.
First entering the payments market in 1999, the obvious issue is that the system was never designed with the proliferation of mobile devices in mind, which have become the prime means of online shopping for consumers. This is despite the fact that the protocol has been upgraded to combat the mobile issues with risk-based authentication and reconfigured customer pages.
Moreover, customers were not happy with the amount of friction the system caused for each time they needed to complete payment online. 3-D Secure is not optional, but automatic at the end of a transaction. Customers were required to enrol with static passwords, which some were not able to remember later, this added frustration can simply force them to abandon the process. This is especially pronounced for mobile users who are redirected to a bank page that is typically not optimized for mobile. The alternative to the static password is an SMS text message, which can be even more frustrating. Shoppers who are abroad may not be able to receive the SMS message.
The implementation of 3-D Secure had specific difficulties in certain countries. Puerto Rico, for example, argued that its citizens were unfairly discriminated against. This is because Visa and MasterCard view the US territory of Puerto Rico as foreign, meaning citizens in that region encounter greater instances of 3-D Secure verification.
The US market saw user experience issues with 3D Secure as a major flaw, not wanting to risk losing sales to transaction abandonment, US merchants turned to Address Verification Service (AVS) instead. The system was more popular in the US compared to 3D Secure, even though AVS was more of a fraud prevention measure and not an authentication system.
A proposal to make 3-D Secure mandatory in Australia was blocked by the ACCC due to demonstrated flaws in the protocol. Another reason for the block was that the mandatory costs would have been passed on to shoppers. People abroad frequently encounter difficulties with 3-D Secure 1.0.
3-D Secure 2.0 (3DS2) is designed to address the issues that come with 3-D Secure, namely providing a frictionless experience without compromising on the security of the transaction. 3DS2 is an innovation of EMVCo, an organization consisting of 6 major card networks. When the customer wants to make the transaction, data is first sent to the cardholder's bank to see if the transaction needs the additional level of verification. Over 100 data elements are sent and only risky transactions would require the extra verification. This is known as “challenge flow”. If the additional verification does not have to be filled it is termed “frictionless flow”.
Many business owners were reluctant to implement 3-D Secure 1.0 due to the potential impact on the customer experience. They also have to pay to use the service and upgrade their website. But with 3DS2 they could only choose to use 3DS2 when the added layer of authenticity is not required. Additionally, the protocol has been designed for mobiles so that users are not redirected when they have to go through the process. 3DS2 will use tokens and biometric authentication instead of static passwords.
While 3DS2 might take some time to go mainstream, it certainly has multiple advantages over the original 3-D Secure, which is cumbersome to use. Businesses in Europe will likely need to make use of 3DS2 to comply with the 2019 Strong Customer Authentication (SCA) requirements. Stepping into 2019, 3DS2 offers an improved authentication tool which is easy to use and is perfectly compatible with mobile devices, without the compromise on security.