It’s a push-and-pull as old as time (well, as old as ecommerce, anyway): merchants need more assurance that a customer is who they say they are—and the customer desires a frictionless transaction process without too many verification speedbumps. Despite the common security measures merchants take, credit- and debit-card transactions are still at risk of fraud. So some sort of further authentication is often needed—and the trick is doing it without chasing the customer away.
To help address this issue, card networks implemented the first version of 3D Secure (3DS) back in 2001. Through 3DS, the user would enter card details to confirm a payment and would then be redirected to another page where their bank prompts the user for a code or password to approve the purchase.
Requesting this additional information added an extra layer of fraud protection and helped ensure that payments are only accepted from legitimate customers. As an added incentive for merchants, authenticating a payment with 3DS shifted the liability for fraud-coded chargebacks to the customer’s bank.
However, the initial version of 3DS did have some drawbacks: these additional steps and redirects add friction to the checkout and could lead to abandonment—obviously not the outcome the merchant was looking for.
Fortunately, today, a newer and even better version of 3DS is available—3D Secure 2.0 (3DS 2.0). It aims to address many of the shortcomings of the original 3DS with less disruptive authentication and a better user experience.
Through a near-frictionless form of user authentication, 3DS 2.0 allows businesses and their payment provider to send more data elements on each transaction to the cardholder’s bank. This includes payment-specific data like the shipping address, as well as contextual data, such as the customer’s device ID or previous transaction history.
The cardholder’s bank can use this information to assess the risk level of the transaction and select an appropriate response:
- If trust levels are high enough, the transaction goes through the “frictionless” flow and the authentication is completed without any additional input from the cardholder.
- If further proof is needed, the transaction is sent through the “challenge” flow and the customer is asked to provide additional input to authenticate the payment.
3DS 2.0 is designed to embed the challenge flow within the normal checkout flow—which helps avoid full page-redirects. If a customer authenticates on your site or webpage, the 3DS 2.0 prompt now, by default, appears in a pop-out on the checkout page.
In addition, unlike the first version of 3DS, 3DS 2.0 was designed with the ubiquitous use of mobile devices in mind, which makes it easier for banks to offer a more seamless authentication experience through their mobile banking applications. Instead of entering a password or just receiving a text message, the cardholder can authenticate a payment through the banking app by just using physical biometrics.
The enforcement of Strong Customer Authentication (SCA) (which is slated to be rolled out through 2020 and into 2021) is a very important requirement of 3DS 2.0—and all the more important if you are doing business in Europe. The new regulation will require merchants to apply additional levels of authentication to European payments. Luckily, the improved user experience of 3D Secure 2 can help reduce the negative impact on conversion for those payments.
In our 2020 edition of the Paladin Vendor Report, we featured the 3DS solution offered by CardinalCommerce (A Visa Company):
For over two decades CardinalCommerce has been bringing merchants, issuers, and shoppers together. In February 2017, Cardinal became a Visa solution. They put authentication first and believe digital commerce should be as safe, trusted, and engaging as possible.
Navigating the ever-changing payments landscape can be complex – local regulations, different network mandates, and frequent EMV® 3-D Secure updates. That is why their dedicated success teams work closely with clients from integration through ongoing optimization to make the process as frictionless as possible for both clients and their customers.
Their primary focus is creating an engaging experience for both clients and their customers. They work continuously to help optimize authentication strategy to increase approvals while decreasing fraud – all to improve the customer journey.
More key facts about Cardinal:
- Offers merchant and issuer authentication solutions
- Certified by EMVCo for four EMV 3DS components – ACS, 3DS Server, SDK (iOS and Android) – and was the first to be certified for all four (Source: https://www.emvco.com/approved-registered/approved-products/)
- Focused on authentication, supported by a team of more than 200 people
- Can help merchants and issuers prepare for the next round of Visa activation dates for EMV 3DS – April 2020 in AP and CEMEA, August in NA
Intelligent Security, using the Visa family of risk solutions, can help your digital commerce business reduce false declines and fraud rates and increase authorization rates, with a streamlined consumer experience:
- CardinalCommerce – for 3-D Secure/authentication
- CyberSource – for fraud management
- Verifi – for chargeback dispute resolution
- And more
With this suite of solutions, Visa can help merchants, acquirers and issuers manage PSD2’s Strong Customer Authentication requirement, as well as exemptions to SCA and deliver seamless secure transactions.
The 2020 Paladin Vendor Report not only covers 3DS and Consumer Authentication technologies—it spans the full spectrum of current technology and solutions in the fraud prevention landscape today. Download the full Paladin Vendor Report here: http://paladinfraud.com/mrc-trends-2020/ And stay tuned for upcoming posts highlighting even more fraud-fighting technologies that organizations are turning to today.