Payment Authentication: 3-D Secure Demystified
What the 3DS is going on? While the 3-D Secure protocol is de rigueur for fighting card-not-present fraud in the EU and elsewhere, penetration in North America has been stuck somewhere south of 2% for years. But today, that’s changing as more credit card companies and merchants recognize the sizable benefits the protocol brings to reducing both fraud and friction. For many, that starts with making sense of what has become a veritable Alphabet Soup of 3DS variants, including 1.0, 2.0, 2.1 and 2.2.
To understand the need for 3DS, just consider the past year of unprecedented everything. In 2020, global ecommerce was supposed to grow a sumptuous 15% year-on-year. In the face of the pandemic, it rose 25% instead. And with so many consumers buying so much online, many for the first time, the focus has been on making the checkout process as hiccup-free as possible.
But it came with a price. In the US alone, losses from purchases made using stolen credit card information may have topped $6.4 billion in 2020, up from $5.5 billion in 2018. That's an average growth rate of more than $40 million in losses per month for 24 months straight. And that may be low-balling it.
3-D Secure (3DS) was designed to change all that.
So What Exactly is 3-D Secure?
The 3DS payment authentication protocol was first introduced back in 1999, back in the days of the dial-up Internet. Its purpose: to prevent unauthorized use of a cardholder's credit card in online purchases. To accomplish that, 3DS involves three parties, or "domains" (thus, the "3D" in 3DS)—the acquirer bank, the issuer bank, and the infrastructure supporting the protocol, whether it's the Internet or software providers.
3DS1 was first deployed by Visa in the early 2000s, and while it was a step in the right direction, it came with notable issues. Among other things, it required credit card users to enroll in the system using static passwords that many would promptly forget. When making a purchase, 3DS assessed 15 rudimentary data elements to verify identity. And because 3DS shifted liability for fraudulent purchases to the card issuers, they often took a "better safe than sorry" approach that meant friction was all but guaranteed.
What's more, a lot changed over the next 15 years—including the adoption of mobile as the go-to channel for Web browsing and making purchases. With 3DS 1.0, mobile users who couldn't remember their passwords were redirected to a bank page that, more times than not, wasn't optimized for mobile. SMS was used as an alternative, which presented problems of its own—especially if the customer was traveling abroad. Conversion rates dropped precipitously. It's no wonder the US market has been less than enthusiastic about the protocol.
The Rise of 3DS2
3DS2 was introduced in 2016 to address the shortcomings of 3DS1 and is designed from the ground up to help secure payments while offering an improved user experience during the checkout process. 3DS2 is a major step forward because it:
- Supports mobile phones and other consumer-connected devices
- When making a purchase, data is sent first to the issuing bank to see if it needs additional verification
- Only risky transactions require challenges; otherwise, a "frictionless flow" process is initiated
This represents a significant paradigm shift, since it enables merchants to integrate the authentication process into their checkout experiences. Issuing banks can authorize payments using risk-based authentication, with no additional steps required by consumers.
Enter: 3DS-2.1 and -2.2
First introduced in 2019, 3DS 2.1 increases the number of data elements merchants send to issuers at the point of transaction to 100, with 20 required and the rest optional but recommended by EMVCo, the consortium behind the standards. With a richer dataset (including IP addresses, shipping address, device information, email, merchant risk factors, and more), issuers can make better-informed decisions, faster—enabling far more transactions to be handled with a frictionless flow process.
3DS 2.2 covers the same authentication and merchant fraud liability protection bases as 2.1, but adds the ability through their acquirer, as well. It also enables authentication through delegates, such as an acquirer or a. digital wallet provider.
Because of its use of two-factor authentication (including biometrics and token-based models, instead of relying on static passwords) 3DS2 has become a cornerstone of the secure customer authentication (SCA) rules in the EU's second Payment Services Directive (PSD2), which went into effect on December 31, 2020. As part of that version, merchants hitting certain low fraud thresholds can request exemption from SCA requirements from the issuer, providing for even faster transactions.
Catching on in North America
There are a number of reasons 3DS2 is gaining currency in the US and Canada.
- In a global economy, merchants and issuers doing business in the EU's $300 billion ecommerce market are exempt from PSD2's SCA requirements—but that could change
- The EU's regulatory fervor is spreading; Mexico, Australia and others have started to adopt SCA regimes
- It may be just a matter of time before state or even federal regulations requiring such standards are enacted (looking at you, California)
It's also just smart business. According to Visa Research, up to 72% of online shoppers have abandoned a shopping card over security concerns. They're more than happy to jump to competitors that can deliver a fast, secure transaction. 3DS2 has been shown to reduce checkout ties by 85% and cart abandonment by 70%.
The good news: North American issuers, merchants and others don't have to relive the past or present struggles faced by their EU counterparts. That's because solutions like RSA Adaptive Authentication for Ecommerce are fully-hosted, requiring no additional IT staffing or overhead.
Through the use of modern machine learning and the world's largest global network of shared fraud intelligence, less than 5% of all transactions require intervention with our solution. Which means the vast majority of customers will enjoy the secure, friction-free experience they demand.
I don't know about you, but considering the risks and rewards, 3-D Secure 2.x is sounding pretty darn good to me.
To learn more about CNP fraud trends and 3-D Secure 2.x, read the RSA Fraud Report for March 2021 or download our ebook, "RSA Risk Engine: More Fraud Detection, Less Intervention"