3-D Secure 2.0 has bridged the gap between secure payments and customer experience. Learn more about how this updated protocol facilitates frictionless payments with increased speed and security for digital transactions that happen in browsers, mobile apps, and connected devices.
Digital commerce is accelerating at a seemingly impossible pace. As the Internet of Things (IoT) continues to grow, payment options expand exponentially as well. There were 8.4 billion connected devices in 2017, a number projected to grow to 20.4 billion by 2020, according to analyst firm Gartner.
Consumers are making more card-not-present (CNP) payments than ever, making it increasingly challenging to verify the identity of the consumer and the validity of the transaction. This is especially true in the post-EMV era, where mass elimination of point-of-sale (POS) fraud has pushed fraudsters to the CNP channel. CNP fraud is slated to more than double from its 2015 volume, jumping from $3.1 billion in 2015 to $6.4 billion this year (2). Add to that the problem of false positives, where more than half of declined transactions are actually legitimate (3), and merchants stand to lose a lot.
It stands to reason that new ways to prevent fraud are more critical than ever. The key is in finding effective fraud prevention mechanisms that do not add friction to the customer experience. Online payments should be fast, convenient, and secure for consumers. This is where 3-D Secure 2.0 comes in.
The first version of 3-D Secure (Three Domain Secure) authentication has been around for years as an additional security layer for card-not-present (CNP) transactions. At its most basic, it serves as a messaging mechanism between the three domains involved in these transactions: financial institutions, online merchants, and the payment processing technology/networks. Originally meant to boost consumer confidence in online transactions, the first version caused unnecessary friction and false positives, leading to increased purchase abandonments.
The holy grail for every merchant is to facilitate as many legitimate transactions as possible without letting fraud through. The shortcomings of the original version have been addressed in the newer version of the protocol, which provides a secure, real-time information-sharing mechanism. The 2.0 version enables merchants to share a high number of transaction attributes with issuers to help authenticate customers more efficiently and effectively.
Version 1 is still available as an option for merchants. That said, it behooves merchants to adopt the newer version, which enables token-based and biometric authentication over static passwords. This newer version (sometimes referred to as EMV® 3DS or 3DS2) supports the transmission of rich data in transactions, allowing for risk-based decisions on whether or not to authenticate a transaction. 3-D Secure 2.0 will use token-based and biometric authentication, eliminating the need for initial enrollment and no longer requiring customers to remember static passwords.
By supporting additional data during transactions, risk-based decisions will be possible on whether to authenticate or not. The end result should be an enhanced and simplified customer experience resulting in fewer abandoned transactions and a more frictionless experience for consumers.
The new version also supports a “frictionless flow”, facilitated by the replacement of the Merchant Server Plug-in (MPI) with the 3DS Server, which is included in the “3DS Requestor Environment” (that is, the collective components in the merchant’s domain). Essentially, the issuer has the ability to approve a transaction via risk-based authentication on the Access Control Server (ACS) rather than through cardholder interaction.
This risk-based authentication also gives the merchant more control, presiding over the final fate of the transaction. The 2.0 protocol allows merchants to share a high volume of rich information (device ID, historical payments, location, registered users, etc.) with the issuer, which also has a lot of data and can vouch for its cardholders. The marriage of these two data epicenters and the ability for merchants to share information with issuers gives merchants more sway than the previous 3DS version afforded.
Finally, 3-D Secure 2.0 shifts the liability from the merchant to the issuer in the case of disputes and chargebacks. So long as a transaction is authenticated (or attempted authentication occurs), the merchant is not liable for disputes or chargebacks.
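The frictionless-flow decision and the liability rule described above, sketched from the merchant's side as an added example (not code from the original article or from any 3DS vendor). It assumes the EMV 3DS authentication response (ARes) fields `transStatus`, `threeDSServerTransID` and `authenticationValue`; the function names, policy actions and sample messages are constructed for illustration.

```python
# Added example: merchant-side handling of a 3DS2 authentication response (ARes).
# Field names and transStatus codes come from the EMV 3DS message format;
# the decision policy and the sample messages are constructed assumptions.
REQUIRED = ("messageType", "threeDSServerTransID", "transStatus")


def _result(action, liability_shift, reason):
    return {"action": action, "liability_shift": liability_shift, "reason": reason}


def evaluate_ares(ares, expected_trans_id):
    """Return the merchant's next step for one ARes message."""
    if any(f not in ares for f in REQUIRED) or ares["messageType"] != "ARes":
        return _result("reject", False, "malformed response")
    # Bind the response to the request that was sent, so a result issued for
    # a different transaction cannot be reused for this one.
    if ares["threeDSServerTransID"] != expected_trans_id:
        return _result("reject", False, "transaction ID mismatch")
    status = ares["transStatus"]
    if status == "C":
        # The ACS wants cardholder interaction: no frictionless approval.
        return _result("challenge", False, "challenge requested by ACS")
    if status in ("Y", "A"):
        # Authenticated (Y) or attempted (A): the two cases the article
        # describes as shifting liability. Require the issuer's proof value.
        if not ares.get("authenticationValue"):
            return _result("reject", False, "missing authenticationValue")
        return _result("authorize", True, "frictionless flow")
    if status == "U":
        # Authentication could not be performed; the merchant decides, liable.
        return _result("merchant_decision", False, "authentication unavailable")
    # N (not authenticated), R (rejected) and anything unrecognised fail closed.
    return _result("decline", False, "not authenticated")


TRANS_ID = "6afa6072-9412-446b-9673-2f98b3ee98a2"  # constructed sample ID
SAMPLE_FRICTIONLESS = {
    "messageType": "ARes", "threeDSServerTransID": TRANS_ID,
    "transStatus": "Y", "eci": "05",
    "authenticationValue": "Q09OU1RSVUNURUQtU0FNUExFLUFBQUE=",  # constructed
}
SAMPLE_CHALLENGE = dict(SAMPLE_FRICTIONLESS, transStatus="C", authenticationValue="")

if __name__ == "__main__":
    for msg in (SAMPLE_FRICTIONLESS, SAMPLE_CHALLENGE):
        print(msg["transStatus"], evaluate_ares(msg, TRANS_ID))
```

Only a response that matches the pending transaction and carries the issuer's authentication value is passed on to authorization with a liability shift; every other outcome is challenged, left to the merchant's own risk decision, or declined.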
The protocol has evolved to adapt to consumer preferences and merchant needs, providing increased security and an enhanced customer experience. Below are some of the ways the new version improves experience across the board:
With the newer version of 3DS, authentication is done through more secure methods than a static password, such as biometric authentication via face or voice recognition. There are several benefits here. First, it removes the burden on the customer to remember a static password. It also takes easy-to-guess passwords out of the mix altogether, eliminating their potential theft by fraudsters. Perhaps most importantly, it removes a degree of friction from the customer experience, decreasing purchase abandonments by frustrated consumers who have been asked to jump through one too many hoops.
Enhanced Customer Experience
In addition to removing the need for customers to remember static passwords, the new protocol also eliminates the initial enrollment process during shopping. Fewer interruptions mean fewer reasons for a customer to jump ship and abandon the purchase. What’s more, merchants have greater ability to provide a cohesive look and feel to the user interface across devices, removing the annoying pop-up box of the past. The newer version is certainly more customer-centric.
Various Devices Support
The new version also facilitates a framework for authentication across digital devices. That means the 3-D Secure protocol can run via both browsers and applications as well as on mobile and other connected devices.
This also expands the types of authentication enabled by the protocol beyond just card-based payments. That means mobile payments, digital wallet payments, and in-app payments can all be supported by 3-D Secure 2.0.
The bottom line is that the new 3-D Secure 2.0 protocol empowers merchants and issuers with rich data-backed authentication, so they can use their knowledge of customer behavior to make intelligent authentication decisions. This is beneficial for all parties – the legitimate cardholder is able to make frictionless purchases, and the merchant and issuer can prevent fraud without inhibiting legitimate sales. This results in higher revenue, lower operational costs, and decreased fraud-related losses. In short, merchants and issuers put a stop to fraud without putting a stop to legitimate transactions.
It’s also worth noting that the inherent multi-factor authentication (MFA) of 3-D Secure 2.0 makes it a compelling tool for the European market, which operates under the revised Payment Services Directive (PSD2), by which MFA is mandated for all transactions. Merchants that don’t enable or facilitate multi-factor authentication are liable in cases of fraud, making 3-D Secure 2.0 an ideal solution to help merchants reduce liability.
Early adoption of this technology has already started and Visa rules for merchant-attempted 3-D Secure transactions will be pushed to 3-D Secure 2.0 as of April 2019. This gives merchants time to test and refine their implementations. The overall impact should be decreased fraud and abandonments for merchants and a better, more frictionless experience for consumers.