For more than 15 years, the 3D Secure security protocol has worked to protect online transactions, reduce card fraud and chargebacks, but increased drop-offs. The latest update uses a wider range of data and biometric authentication to make online payments seamless and safer than ever.
Consumers expect online card payments to be fairly frictionless, but the anonymity of transactions via the internet has made them an easy target for fraudsters. Research by The Nilson Report found that in 2016, more than half of fraud losses in the US were tied to card-not-present (CNP) fraud, overtaking counterfeiting as the largest category. In Europe, the fraud rate is below 0.01% for in-store transactions, rising to around 0.20% for CNP. It’s a costly problem for merchants and issuers alike, with card fraud losses projected to reach $43.78 billion globally by 2025.
Visa developed the 3D Secure security protocol in 2001 as a means of protecting the merchant, issuer and card transaction. It asked merchants to introduce another layer of payment authentication such as codes sent via SMS, and in doing so, shifted the burden of fraud responsibility onto the card issuer. Competitor card schemes – Mastercard, Amex, etc. – quickly saw the benefit, as well as the interoperability advantages of standardization, and so clubbed together to form EMVCo, a global technical body designed to facilitate universal acceptance of secure payments and to continue evolving the security protocols.
It wasn’t without teething problems. Consumers were suspicious of the additional pop-up window and frustrated at being asked to generate new passwords, while merchants complained that conversion rates suffered.
From 2008, with the advent of mobile payments, consumers ran into another problem: non-responsive web pages that were impossible to use on smartphones.
Enter version 2.1, published by EMVCo in October 2016 and designed to smooth out some of those pain points. It uses more behind-the-scenes data to eliminate authentication steps, improve the customer experience, and reduce drop-off.
We spoke to Sasha Pons, Product Director at Ingenico, who reveals the challenges facing the online payment ecosystem, and how the latest protocol will tackle them.
What were the challenges of 3DS v1.0?
Eight years ago, EMVCo introduced a risk-based approach (RBA), requiring issuers to introduce this component as a second layer of authentication only when a high risk was perceived. However, the decision relied on a limited data set, which made its adoption restrictive and fairly meaningless.
In turn, customers were all too frequently experiencing problems with their two-factor authentication: SMS passwords did not arrive, the customer was not redirected back to the merchant web shop, pop-up blockers prevented the safety script from running, or non-responsive issuers’ web pages were unusable on a smartphone. These problems degraded the user experience and led to drop-offs.
Version 2.1, the latest incarnation, due to be mandated in Europe by 13 April 2019, uses more complex modern algorithms and sophisticated biometric authentication to combat those problems. The biggest change is that merchants are asked to share more data: issuers are hungry for data points to improve the accuracy of their decision, ultimately leading to a frictionless scenario, but merchants are the ones on the front line capturing the data. The 3DS v2 approach to risk evaluation is more effective, but requires the entire ecosystem to change, allowing merchants to push the data through to the issuer.
Because it affects the whole ecosystem – card schemes, acquirers, merchants, issuers and PSPs all need to initiate changes – the pace of protocol upgrades is now increasing to allow for iterative upgrades (now v2.1, v2.2 coming soon, v2.3 etc.).
Who is impacted most by 3DS v2.1?
This is a paradigm shift for merchants. They will now have to collect and share high-quality, meaningful data (email address or device information for example) in order to process transactions where previously a card number, expiry date and CVC code were enough. Though PSPs can help manage the burden – and this is part of our merchant-centric approach at Ingenico – the onus is on merchants.
However, it’s important to see this as the foundation of using behavioural analysis to fight payment fraud. It’s part of a general sea change: for instance, the European Banking Authority (EBA) shared its opinion in June that CVV numbers cannot be a second authentication factor in the “knowledge” category (visible on the card), eventually passing to the “possession” category. Guidance from the EBA and EU central banks is needed on what SCA methods are RTS-compliant. Eventually we may see the payment page changing drastically.
How has this change been received by stakeholders and what are the benefits?
Generally, it has been well received so far. Issuers benefit from being back in control of their costs with 3DS v2. Authentication typically costs 25 cents per transaction and is paid for by the card issuer, impacting their bottom line. With 3DS v1, the decision to authenticate was taken by the merchant, who would decide if they wanted to shift liability to the issuer. With the new protocol release, the final say is with the issuer, a big improvement for them, a small step back for merchants.
PSPs clearly benefit, because more transactions equal more revenue. And for consumers it’s simple: a larger data set empowers the issuer to increase the accuracy of its risk-based analysis, leading eventually, in 90% of cases, to a frictionless decision where they will accept the liability without sending an authentication request. That means a frictionless user experience in the vast majority of cases.
For merchants, the response has varied country by country, but the more data they share, the better their authorization rate will be (up to 10% according to the card network). What’s more, if merchants do share data, and issuer authorization rates are still low, then card schemes will have the power to impose fines, which puts pressure on issuers to step up. They have an obligation to get results.
Truth is in the numbers: looking forward to measuring the benefits in 2019.
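The mechanism the interview describes, with merchants supplying richer data so the issuer can reach a frictionless decision and take on liability, or else challenge the cardholder, can be modelled as a small issuer-side decision engine. The code below is an added illustration written for this article, not Ingenico's or EMVCo's code. The message and field names (AReq, ARes, transStatus, browserUserAgent, email, purchaseAmount) follow the public EMV 3DS 2.1 message specification, but the risk weights, the challenge threshold, the "riskScore"/"riskReasons" annotations and all sample data are constructed assumptions for the example:

```python
"""Toy model of an EMV 3DS 2 risk-based authentication decision.

Constructed example: a 3DS Server builds an AReq from what the merchant
collected, an issuer ACS scores it and answers with an ARes whose
transStatus is 'Y' (frictionless) or 'C' (challenge). Field names follow
the public EMV 3DS 2.1 message spec; scoring weights, threshold and the
extra riskScore/riskReasons annotations are assumed for illustration.
"""
from typing import Optional

# Issuer-side knobs; assumed values that a real issuer would tune per portfolio.
CHALLENGE_THRESHOLD = 50
HIGH_VALUE_MINOR_UNITS = 50000  # 500.00 in a two-decimal currency


def build_areq(pan: str, amount_minor: int, currency: str,
               email: Optional[str] = None,
               user_agent: Optional[str] = None,
               ip: Optional[str] = None) -> dict:
    """Assemble the subset of AReq fields the merchant/3DS Server sends.

    Optional elements are only present when the merchant captured them;
    under 3DS v1 the issuer would have seen little beyond the card data.
    """
    areq = {
        "messageType": "AReq",
        "messageVersion": "2.1.0",
        "deviceChannel": "02",            # 02 = browser channel
        "acctNumber": pan,
        "purchaseAmount": str(amount_minor),
        "purchaseCurrency": currency,     # ISO 4217 numeric, e.g. 978 = EUR
    }
    if email:
        areq["email"] = email
    if user_agent:
        areq["browserUserAgent"] = user_agent
    if ip:
        areq["browserIP"] = ip
    return areq


def score_areq(areq: dict, known_devices: dict) -> tuple:
    """Issuer ACS risk score: higher means a challenge is more likely.

    Returns (score, reasons). Missing data is itself a risk signal, which
    is exactly what pushes merchants to share more under 3DS v2.
    """
    score, reasons = 0, []
    if "email" not in areq:
        score += 30
        reasons.append("no cardholder email")
    if "browserUserAgent" not in areq or "browserIP" not in areq:
        score += 30
        reasons.append("no device/browser data")
    if int(areq["purchaseAmount"]) >= HIGH_VALUE_MINOR_UNITS:
        score += 25
        reasons.append("high-value purchase")
    device = (areq.get("browserUserAgent"), areq.get("browserIP"))
    if device in known_devices.get(areq["acctNumber"], set()):
        score -= 25
        reasons.append("device previously seen on this card")
    return max(score, 0), reasons


def acs_decide(areq: dict, known_devices: dict) -> dict:
    """Produce an ARes: frictionless ('Y') or challenge required ('C')."""
    score, reasons = score_areq(areq, known_devices)
    ares = {"messageType": "ARes", "messageVersion": areq["messageVersion"],
            "riskScore": score, "riskReasons": reasons}  # annotations, not spec fields
    if score < CHALLENGE_THRESHOLD:
        # Issuer accepts liability without challenging the cardholder.
        ares["transStatus"] = "Y"
        ares["eci"] = "05"   # Visa-style 'fully authenticated' indicator
    else:
        ares["transStatus"] = "C"  # cardholder is sent to the ACS challenge
    return ares


def liability_shifted(ares: dict) -> bool:
    """True when the issuer carries fraud liability for this attempt.

    After a 'C' the outcome arrives later in the challenge result message,
    which this toy does not model.
    """
    return ares["transStatus"] == "Y"


# Constructed sample data: one card with a device the issuer has seen before.
KNOWN_DEVICES = {
    "4111111111111111": {("Mozilla/5.0 (X11; Linux x86_64) Firefox/60.0", "203.0.113.7")},
}

if __name__ == "__main__":
    rich = build_areq("4111111111111111", 4250, "978",
                      email="alice@example.com",
                      user_agent="Mozilla/5.0 (X11; Linux x86_64) Firefox/60.0",
                      ip="203.0.113.7")
    sparse = build_areq("4111111111111111", 75000, "978")
    for areq in (rich, sparse):
        ares = acs_decide(areq, KNOWN_DEVICES)
        print(ares["transStatus"], ares["riskScore"], ares["riskReasons"],
              "liability on issuer:", liability_shifted(ares))
```

Run as a script, the data-rich request on a known device scores 0 and gets a frictionless 'Y' with liability on the issuer, while the v1-style request carrying only card data and a high amount scores 85 and is sent to a challenge. Only the decision moves between the two cases; the merchant's integration work is in populating the optional elements.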
Sasha Pons joined Ingenico ePayments in September 2016 as Director of Fraud. Sasha has spent more than 10 years working in cyber security, fraud prevention, infrastructure, privacy and compliance within international eCommerce. His expertise spans across the travel, retail, pharmaceutical and technology industries. Sasha strongly believes that trust is the cornerstone of FinTech and being able to articulate a pragmatic and efficient cyber security and fraud prevention strategy is a key competitive differentiator. Because of this, his focus is on building the most data and performance driven product, with the best possible UX for both Ingenico ePayments’ merchants and their consumers. Prior to joining Ingenico ePayments, Sasha worked for Booking.com. He is a French native and has lived in the Netherlands for the last five years.