3D Secure 2.0 - The New Sheriff in Town

Nov 03, 2016 | by Elizabeth O'Brien

EMVCo, the global standards body tasked with developing the technical standards for payments technologies, last week announced the availability of 3D Secure 2.0. Collectively, we at RSA congratulate EMVCo on this eagerly anticipated release. As an EMVCo Technical Associate, we were privileged to contribute to the development of the specifications and truly believe that the new risk-based protocol will increase both fraud prevention and merchant participation rates.

So, why are we so bullish on the new standard?

3D Secure 2.0 significantly improves the cardholder experience. Jonathan Main, Chair of the EMVCo Board of Managers, stated as much when he said in the press release announcing the general availability of the protocol, "Besides security, the consumer experience is central to EMVCo's work."

A much improved cardholder experience is likely to be the foundation of increased merchant and issuer adoption. This is particularly true in the United States, where there is little consumer tolerance for any sort of friction in the checkout process... However, merchants are starting to feel the impact of the advent of chip and signature/PIN cards for card-present transactions, which is driving more fraud to card-not-present transactions, just as it did in Europe and Canada.

The move from a 100 percent challenge rate to a risk-based approach designed to leverage a range of step-up authentication methods, including one-time passwords and biometrics, will make adoption of 3D Secure much more palatable for merchants and issuers alike.

The integration of the 2.0 protocol into the merchant checkout flow should further drive merchant adoption. The ability of a merchant to better control the cardholder experience is sure to appeal to online merchants who were hesitant to risk cart abandonment despite the liability shift away from merchants for 3D Secure transactions. Although the card schemes haven't yet conveyed whether there will be a change in the policies surrounding the liability shift, if the shift remains in place, the combination of a frictionless cardholder experience and the liability shift will be a powerful inducement.

3D Secure 2.0 also expands from supporting only browser-based retail sites to all types of consumer devices, with a focus on mobile, including in-app purchases. Supporting in-app purchases in particular is a major step forward and a validation of what we see across the online landscape - where payments go, fraud follows. With account takeover increasingly prevalent in the eCommerce environment, risk-based authentication for in-app transactions should improve overall fraud prevention rates.

In addition, 3D Secure 2.0 supports new transaction attributes for enhanced decisioning. Providing more contextual information about individual transactions to the risk engine should help improve fraud detection. With industry-leading fraud prevention rates of approximately 94 percent, and extremely low false positives, our teams at RSA are looking forward to leveraging the new attributes to drive our fraud prevention rates even higher and false positives even lower.

Of course, there are other things to love about 3D Secure 2.0 - including support for non-payment use cases such as identity verification (e.g., for e-wallet registration), enhanced security and performance improvements.

We are thrilled about the release of 3D Secure 2.0 and feel that the revised protocol has the potential to significantly reshape the fraud landscape in the card-not-present space.

Interested in learning more about 3D Secure? Read Aite's whitepaper "3D Secure The Force for CNP Fraud Awakens."