Sooner or later every business with an online presence is plagued by shopping cart abandonment. Sometimes a consumer changes their mind, factors in the cost of shipping and decides it's not worth it, or is simply distracted long enough so the transaction is never completed. Getting a consumer to follow through is not as easy, as natural or as predictive as it otherwise would seem to be. With the advent of the EMV-chip card rollout and cyber thieves increasing their push into e-commerce sites, the stakes to secure those transactions have never been higher.
Enter 3D Secure, a 15-year-old technology that is about to leave its adolescence and enter a new generation without the benefit of full and complete industry-wide adoption. The technology, which requires consumers enter a PIN or password on a pop-up screen to complete a checkout, reflects both an opportunity and a consumer's inconvenience that many apparently feel unable or unwilling to make.
Let's consider the case of the airline and travel industry and their general lack of buy-in for 3D Secure. According to a recent study, 21% of airlines and agencies worldwide were not using 3D Secure in 2015, a figure that reflects an uptick of 16% from 2014. Furthermore, those airlines that had been using the technology all along decreased from 31% to 26%. This is somewhat encouraging, however, since the majority, or 53% said they had applied it, albeit under their own circumstances and criteria.
Significantly, when it comes to online abandonment rates, 28% of airlines reported 3D Secure actually increased cart abandonment by up to 10% in 2015 (compared with an abandonment rate of 23% in 2014). This outcome is further reflected by those reporting that a more dramatic abandonment rate (anywhere from 10%-25%) fell from 28% to 16%.
While the success of 3D Secure is seen as something positive including improvement in chargeback rates and a decrease in fraud, the technology has also been seen as "negatively impacting conversion and revenue." The take-away? Having to take an extra step to authenticate an important purchase (in this case an airline ticket) just as they're ready to buy seems to have had the unintended consequence of customers either having to briefly experience the inconvenience of entering a PIN or password to complete their transaction or abandon their cart entirely. As you can imagine, neither outcome is especially palatable for the airlines or their customers.
At a macro level, in spite of years of its general availability from card networks worldwide, less than 10% of transactions are authenticated using 3D Secure in the U.S. air-travel business with little to flat growth adoption rates between 2014 and 2015. If you telescope out to other countries, in fact, only the Netherlands, Saudi Arabia and Romania had the use of 3D Secure reached or exceeded 50% of transactions.
A Better Way: Risk-Based Authentication
Airlines (among other industries, of course) have been slow to buy into adopting 3D Secure, but based on the merchants most affected by fraud and the average value of a transaction within the industry, it is clear that airlines are being hammered. The chart below demonstrates the average value of legitimate vs. fraudulent transactions by retail category.
One of the biggest impediments to 3D Secure adoption over the years has been running the risk of shopping cart abandonment. Most merchants will risk the potential of a chargeback to avoid losing a sale. While 3D Secure has slowly gained traction in some industries, risk-based authentication is taking most, if not all of the latency out of the process. With the rapid increase in card-not-present fraud expected in the next 2 - 3 years, especially in the U.S. with the rollout of EMV cards, a risk-based approach is where the industry is heading.
With risk-based authentication, less than five percent of transactions require additional authentication. However, consumers are used to such challenges from their online banking providers already with challenge questions, out-of-band SMS, and even more recently, biometrics via fingerprint or eyeprint. It seems to be a natural progression to extend this strategy from online banking to e-commerce transactions, and one I think would be widely accepted by consumers. But the bigger question remains whether merchants are ready to embrace it yet.
Author: Heidi Bleau
Category: RSA Fundamentals, Blog Post
Keywords: 3-D Secure, Consumer Security, Cybercrime and Fraud, EMV-chip, Fraud, Risk-Based Authentication