In this blog post, we discuss 3D Secure authentication, the latest version of the protocol, and why it’s a powerful fraud prevention tool for online businesses. eCommerce fraud continues to rise globally, with losses expected to surpass $20 billion this year, a growth of over 14% compared to $17.5 billion recorded in 2020. To mitigate rising Card Not Present (CNP) fraud, merchants have sought various tools and technologies to protect their business and customers, whilst a growing number of countries have enforced multi-factor authentication for CNP transactions. An unwelcome by-product of many fraud systems is false declines (when legitimate customers are declined because of false positives in the merchant or issuer’s fraud screens). Costing up to 75 times more than the fraud itself, false declines present a massive problem for merchants, who risk losing $386 billion annually by 2023 if current trends persist. But there is good news! Solutions like 3D Secure 2 offer the potential to solve the challenges of false declines and rising eCommerce fraud whilst maintaining user-friendly payment experiences for cardholders. So how does it work, what other benefits are there and why should you consider a move to the updated protocol? Let’s find out!
What is 3D SecureNamed after the three domain servers that interact during a 3D Secure transaction (The issuer domain, acquirer domain, and interoperability domain), 3D Secure (3DS) is a security protocol that was developed and introduced by Visa in 1999 as an extra layer of protection for online credit and debit card transactions. Subsequently, Mastercard, Discover, JCB International, and American Express adopted the protocol as well, each establishing their own separately branded program. The original 3DS protocol provided cardholder authentication from desktop devices only and required cardholders (from some issuing banks) to enrol into the service by associating a static password with their card which was used to authenticate their identity at checkout. Despite offering merchants a full liability shift towards the issuing bank for fraudulent chargebacks, certain drawbacks of the technology hampered its early adoption rates. Static passwords caused unwanted friction for cardholders and increased operational costs for issuers, whilst a lack of support for in-app and mobile purchases contributed to cart abandonment and added to cardholder frustrations. Over the years, various updates have been made to the protocol and the current version 3DS 1.0.2 is vastly improved.
So… Why 3D Secure 2?Released in 2016, 3D Secure 2 (3DS 2) or EMV 3D Secure (EMV 3DS) is developed and managed by EMVCo, a global technical body owned by major card schemes (Visa, Mastercard, American Express, UnionPay, Discover, and JCB). The transfer of the 3DS technology ownership from Visa to EMVCo facilitates the evolution of the protocol at an industry level, with the outlook to cater to new payment channels, deliver more sophisticated authentication and improve the user experience. Unlike earlier versions, 3DS 2 supports non-browser-based payment methods, including digital wallets and mobile-based authentication apps. Adding to the improved user experience, static passwords seen in earlier versions of the protocol have been replaced with dynamic authentication methods such as biometric and One-Time-Passwords (OTP), and challenge screens are now viewable from within the merchant’s app, meaning no more redirects and simpler, faster checkouts for cardholders. Perhaps the most notable improvement is the introduction of Frictionless Flow, which is achieved through Risk-Based Authentication (RBA). With 10x more data points collected than the earlier versions of 3DS, issuers can determine fraud risk more accurately and authenticate cardholders without having to prompt them for further verification on the majority of transactions. For transactions where fraud risk is considered high, a Challenge Flow applies. For these transactions, the cardholder is prompted to provide additional information, typically via two-factor (an SMS code and password) or biometric authentication, where fingerprint or facial recognition is used for proof of cardholder identity (both methods which were previously unsupported in 3DS 1).
How does a 3DS 2 payment work?
Why you should make the transition to 3DS 2The new standard, 3DS 2 addresses several pain points of earlier versions with greater contextual data sharing, simpler authentication methods, and a new mobile-friendly experience. As a result, users benefit from higher approval rates, faster checkouts, and more secure online payments. Higher authorisation rates, reduced false declines By empowering issuers with access to hundreds of key data points, they are better equipped to make more accurate transaction decisions, as a result, 95% of transactions are approved straight away, false declines are reduced and cardholders spend 85% less time checkouts. Aside from better risk-analysis, issuers also benefit from reduced customer service costs, as calls from customers requesting password resets become a thing of the past thanks to new Frictionless Flow and easier authentication methods. Lower cart abandonment Risk Based Authentication in 3DS 2 avoids the need for every cardholder to authenticate their identity with a password, instead only transactions considered high-risk require additional cardholder verification (less than 5% of transactions). Frictionless Flow for the majority of transactions, support for authentication in mobile apps and more user-friendly authentication processes have improved cardholder experiences significantly, reducing drop-off rates from older versions of the technology by 70%. Fraud Liability Shift To encourage faster migration to 3D Secure 2, Visa and Mastercard plan to deprecate the older version of the protocol by shifting liability for any transaction processed using 3D Secure 1.0.2 from October 2021. Visa announced these changes back in February. Essentially, if an issuer still supports the older protocol and responds positively to the merchant’s authentication request, liability for fraud will still shift from the merchant to the issuer. However, if the merchant sends an authentication request using 3D Secure 1 to an issuer using a later version of the technology, the liability for fraud will shift back to the merchant. By transitioning to the latest version of the technology, merchants can ensure their businesses remain protected against liability for fraud in certain circumstances. Managing SCA PSD2 Compliance Currently, 3D Secure is the most common method of authentication for online card payments. The new SCA directive and PSD2 legislation require the application of 3D Secure 2 as the standard authentication method for online card payments. As compliance for businesses operating in impacted regions continues to be enforced over the remainder of 2021 and into 2022, those that don’t prepare could see their conversion rates drop significantly.
PayShield’s 3DS 2.0 SolutionEnabling fast, frictionless, and EEA SCA-compliant payments with PayShield’s 3DS 2 solution is easy. With PayShield you get:
- Simple Integration. Our framework is completely serverless – Merchants do not need to download the protocol onto their server. All updates happen automatically and do not require any action (for example, updating from 1.0 to 2.1).
- Merchants benefit from full control over 3DS responses.
- A fully customisable SDK.
- & more!