3D Secure 2.0: What it means to Card Issuers
- Sadra Boutorabi, Frictionless Fraud Prevention for the Enterprise at GPayments
- 05.09.2017 11:00 am
Sadra has a passion for all things technical and his mission is to help build frictionless fraud prevention solutions and services for GPayments customers.
The Importance of Fraud Protection: What is 3D Secure?
eCommerce fraud negatively impacts stakeholders at all levels, from the cardholder and merchant to card issuers and acquiring banks. As card-not-present transaction volumes increase, it is imperative that steps be taken to ensure online funds transfers are protected against fraud.
The Three-Domain Secure or 3D Secure payment authentication standard is a well-established way of combating the issue of online fraud and reducing the number of disputed transactions. The standard offers an additional layer of protection for online credit and debit card transactions, validating that the payer is the genuine cardholder, similar to a signature or ID check at the point-of-sale. The solution enables “3 Domain” communication between the issuer, merchant and cardholder, facilitating an authentication dialog between the cardholder and the issuer.
The earliest form of the 3D Secure authentication standard was introduced more than a decade ago by Visa and later enhanced and released as version 1.0.2 (3DS 1.0.2). In this version, to enable 3D Secure authentication during the checkout process, cardholders are required to sign up with their issuing bank, assigning a static password or device to their payment card. Once the cardholder is registered, during the next online transaction they are presented with an additional authentication step, prompting them to enter their static password or the one-time passcode received on their device, allowing their identity to be confirmed by their card provider. The process allows issuing banks and merchants to effectively verify that the card-not-present transaction is valid.
3D Secure is an additional level of security and authentication for credit and debit card transactions occurring online. It ties the financial transaction of a customer to an online authentication process in the form of a password, which confirms the customer has given their consent for the transaction to take place.
The extra verification step, which requires customers to create a password that they must then always remember, increased friction and checkout time, triggering discontent amongst users.
Enhancing the Standard - 3D Secure 2.0
While the initial 3DS 1.0.2 standard worked to successfully improve eCommerce security over the many years in which it has been adopted by many of the global card schemes, it has not proved to be flawless. The added authentication step causes friction in the checkout process and has resulted in increased instances of transaction abandonment, where shoppers leave their online shopping cart behind when faced with the 3DS authentication step, in search of a faster shopping experience elsewhere. The negative monetary effects of card abandonment on merchants made it clear that over time a more seamless and intuitive process was necessary to create a better shopping experience for cardholders, while still providing safeguards against online fraud. The lack of universal adoption of 3D Secure by merchants created an inconsistent checkout experience for customers, as verification prompts would vary from site to site. Additionally, the rapid shift towards the use of mobile devices, digital wallets and app spaces within the eCommerce world needed to be taken into account due to the limitations created for online shoppers who wished to make payments through methods other than the traditional desktop browser.
In contrast to 3DS 1.0.2, 3D Secure 2.0 was created under the auspices of EMVCo, an organisation which exists to facilitate worldwide interoperability and acceptance of secure payment transactions. To address what 3DS 1.0.2 was lacking, the goal of EMVCo was to create a frictionless shopping experience for the cardholder, while maintaining an enhanced level of fraud protection. 3D Secure 2.0 improves upon the consumer experience by simplifying it, eliminating the initial sign-up process and removing the need for cardholders to use static passwords. While 3D Secure 1.0.2 relied on static passwords, 3D Secure 2.0 will use token-based and biometric authentication. For merchants, 3D Secure 2.0 will help minimise the risk of transaction abandonment by creating a more streamlined check-out experience. Merchants will be able to implement a consistent approach across multiple platforms and digital media when confirming the authenticity of a transaction, creating a seamless experience for their customers. Authenticity can be achieved during the purchasing process, helping minimise the risk of abandonment.
Delivering industry-leading security features, this new iteration of 3D Secure (3DS 2.0) is inclusive of non-browser-based payments made on mobile and a wide set of other consumer devices. This means that 3DS authenticated in-app, mobile and digital wallet payment methods will now be possible. 3DS 2.0 also supports a non-payment authentication category to provide verification of cardholder details, such as that required when adding a payment card to a digital wallet.
Impact on Card Issuers
3D Secure 2.0 will enable card issuers to improve frictionless authentication. With 3DS 2.0 providing richer data exchanges during a transaction, card issuers will have an enhanced ability to identify cardholder and device behaviour, and make risk-based decisions on whether to request authentication or not.
Additionally, by supporting new devices and channels, card issuers' customers will be able to make purchases using their preferred medium, be it mobile, through an app or online, without compromising on security.
Adopting 3D Secure 2.0 – How to Prepare
While it is likely that 3D Secure 1.0.2 and 2.0 will run in parallel for some time, card issuers must be prepared to migrate to this new solution.
As 3D Secure 2.0 is expected to mandate a risk-based authentication approach, it is recommended that issuers adopt an analytics-driven approach, as the risk-based decision will be based on a standardised and extended set of data elements.
Additionally, as 3D Secure 2.0 moves away from static passwords toward one-time password methods for stronger authentication, it is recommended that issuers develop a strategy for introducing more enhanced one-time password methods for authentication. Passwords delivered through SMS are just one example of how this can be achieved.