The 3D Secure protocol has been giving customers peace of mind for 16 years by providing an extra layer of security in card-not-present online transactions.
It’s also protected merchants from fraudulent chargebacks by verifying the identity of the cardholder at the point of payment through the issuing bank.
Despite the benefits of protecting both merchants and customers, the process has resulted in a bit of a love/hate relationship between the 3DS protocol and users. It’s almost like taking medicine: you know it’s for your own good and will protect you against the threat of disease but it’s a pain to remember to take it and can leave a bad taste in your mouth.
It’s almost like taking medicine: you know it’s for your own good and will protect you against the threat of disease but it’s a pain to remember to take it and can leave a bad taste in your mouth.
Although the threat of crime and fraud through online payments are widely acknowledged, the truth is that most online shoppers have not had to deal with it directly.
When they are therefore confronted with the authentication steps at the checkout stage, they either feel it’s unnecessary and see it as nothing more than an irritation, or the opposite; they could be unfamiliar with the process and actually see it as a security threat when they are asked to provide additional information.
Both circumstances have a detrimental effect on the customer experience and can cause the customer to abandon the transaction. This has a direct impact on conversion rates and as a result, merchants might not be so keen to adopt the protocol in the first place.
The problem is that online fraud is not going anywhere. In fact, it’s getting worse, as fraudsters are looking at more sophisticated ways of hijacking our online payments.
Therefore, the security that 3D Secure brings becomes more and more relevant as time goes by.
EMVCo is addressing these concerns head-on with the 3D Secure 2.0 specification.
This includes complete mobile integration with the development of SDK’s, allowing merchants to easily integrate the 3D Secure authentication process into their mobile applications.
This has vastly improved the 3DS experience on mobile devices and has allowed merchants to protect their customers against fraud on a wider variety of platforms.
3DS 2.0 also enables non-payment authentication, for example, when users enter their card details into a mobile wallet.
A strong focus on SCA like Two Factor Authentication (e.g. One Time Passwords and biometric authentication) also means that the protocol is in line with regulations like PSD2, making it easy for financial institutions that adopt 3DS 2.0 to comply.
Therefore, the security that 3D Secure brings becomes more and more relevant as time goes by.
Risk-based authentication is simply the process of determining the risk attached to a particular transaction and, based on the risk level, whether or not the user should be challenged with the additional authentication steps.
By supporting richer data exchanges and additional data sharing during online transactions, 3D Secure 2.0 enhances the risk-based authentication capabilities of merchants and issuers.
The additional data elements at the time of the transaction can be used by both the issuer and the merchant to make a more informed decision as for whether or not to go ahead with 3D Secure authentication steps.Transactions are screened for elements that would put it in different risk categories.
These risk-based elements include:
The value of the transaction
New or existing customer
Transactional history
Behavioural history
Device information
So if the merchant detects that a new card is used on the system by a user with no transactional history, the risk will likely be deemed high at the authentication process will be required.
However, if the merchant already has the card on the system and the user has previously made payments through the platform, the risk will be low and the 3D Secure authentication can be bypassed to complete the transaction.
Similarly, if the customer has a purchase history with the platform, but is maybe using it on a new device they haven’t previously used, the merchant might decide to require authentication through 3DS as there’s now an unknown variable.
Thanks to risk-based authentication performed in the ACS, frictionless flow allows issuers to approve a transaction without the need to interact with the cardholder.
When the customer makes an online purchase they would add an item to their shopping cart, fill out the normal purchase information and then proceed to confirm the purchase.
Details of the purchase including device data, item purchased and value are submitted to the ACS server to determine the authenticity of the cardholder.
The ACS will then screen it with the risk-based elements. If the risk is deemed to be low, the ACS can authenticate the customer passively and not bother them with the extra confirmation.
This is a frictionless process for the customer as it happens behind the scenes. They are directed straight to the purchase confirmation screen, without even knowing that their transaction was screened.
The merchant’s platform will only require additional authentication if the risk is high. Through the use of risk-based authentication, the plan with 3D Secure 2.0 is for this to happen in only a small percentage of the transactions.
For customers, the benefit is knowing that their payments are protected and still being able to enjoy a simple, uninterrupted shopping experience.
The advantage to merchants is that they still get the benefits of implementing the 3D Secure protocol on their platform, like protection against fraudulent chargebacks, but at the same time they are ensuring their customers are protected against unauthorised transactions.
The customer has a more frictionless experience through the merchant’s platform by not being challenged. That means the drop-off rate due to the 3DS protocol will be drastically reduced and the customer will happily come back to the merchant’s platform.
Not only will transactions be more secure through the implementation of increased protection methods such as Two Factor Authentication, but the user experience will also be greatly improved by frictionless flows through risk-based authentication.
It allows merchants to provide protection across multiple platforms with easy integration into their systems, including mobile applications, while still being able to exploit the benefits that the protocol provides. It is also estimated that cart abandonment rates will dramatically fall.
Issuers can share and receive more data with merchants, giving them a greater insight into transactional patterns which will allow them to determine the risk with higher accuracy and therefore improve the authentication process. 3DS 2.0 will also offer banks the opportunity to effortlessly comply with the requirements of PSD2.
For customers, the updates are perhaps the most beneficial. They can now enjoy protection from fraudulent transactions across most platforms.
Not only will transactions be more secure through the implementation of increased protection methods such as Two Factor Authentication, but the user experience will also be greatly improved by frictionless flows through risk-based authentication.
Mike Lemberger, Senior Vice President at Visa, summed up the improvements perfectly;
“By helping to lead the development of 3DS 2.0, we are able to offer an enhanced authentication service that makes these payments both faster and more secure. For European retailers, this helps address the ongoing challenge of reducing cart abandonment in an e-commerce market. This update also provides all the necessary tools to ensure PSD2 compliance for card payments – a major benefit which should not be underestimated.”