What is 3-D Secure 2 and how does it work?
Resting on your laurels by taking cyber safety for granted can be a fatal mistake in today’s increasingly digital payments landscape. As soon as internet security professionals create the next generation of robust firewalls, antivirus solutions, and authentication software, hackers find ways around their innovations. Efforts such as 3-D Secure 2 represent the industry’s current gold standard in protecting merchants and their customers from dangerous identity thieves and fraudsters.
What is 3-D Secure?
Before we arrive at a definition of 3-D Secure 2, it is important to understand its predecessor, 3-D Secure 1, or simply 3DS, which was created in 1999 and implemented two years later. This designation refers to a three-domain protocol that is used in the card-not-present arena for transactions such as online purchases. To protect the cardholder’s identity during the payment process, 3DS involves three separate domains: the acquiring or merchant’s bank, the cardholder’s or issuing bank, and the infrastructure supporting the protocol that includes entities such as the internet, software, and plugins.
The protocol has become familiar to buyers and sellers alike. It works like this: A consumer adds an item to their online shopping cart and then enters their credit card details. The issuing bank receives the information and uses up to 15 data points to determine the level of risk the transaction represents. If the transaction seems suspicious, the consumer will be required to enter a password to verify their identity. If a customer has pre-enrolled in 3DS1, they will already have set up a static password that they can enter. If they have not set this up, they will be redirected to the issuing bank’s page to establish their credentials.
The benefit for merchants of 3DS1 came primarily in the form of reduced chargebacks. This was because liability for fraud shifted away from the seller onto the shoulders of the card issuer.
As a consequence (and because they only had access to a paltry 15 data points for each customer) card issuers responded by ratcheting up the number of declines they imposed. In the ensuing years, merchants lost billions of dollars annually due to these false declines. They also had no access to post-checkout shopper analytics since these details went straight into the cardholder’s browser. Additionally, merchants who agreed to utilize 3DS were then required to use 3-D Secure payments for all transactions, with no flexibility allowed at all.
As time went by, other weaknesses of 3DS became obvious. The protocol had come into being during the peak of the desktop computer and was not equipped at all to deal with eCommerce taking place on mobile devices. Furthermore, the requirement that customers set up a static password led to shopping cart abandonment and countless hours and resources spent helping buyers reset their passwords.
By the spring of 2019, a change was imminent.
The dawn of 3-D Secure 2.
Almost two decades after 3DS1 came out and a full twelve years after the first iPhone was introduced, an organization called EMVCo, composed of representatives from six of the major card networks, launched a new version called 3-D Secure 2. It is also known as EMV 3-D Secure, 3-D Secure 2.0, and 3DS2.
In general, 3DS2 aids in the safety of online payment processing by providing a more streamlined user experience and greater protection against fraud.
What changes will your customers notice when you transition over to 3DS2? For one thing, the static password is gone, having been replaced with a one-time passcode that can be sent to a user’s mobile number. Alternatively, the customer can provide unique biometric authentication through fingerprint, voice, or facial recognition. Instead of only 15 data points, 3DS2 allows for a data connection among the domains that provides up to 150 elements for analysis. With this sweeping upgrade, 3DS2 is now capable of accepting all types of payments including browser-based and mobile.
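The flow described above, as an added sketch that is not from the original article or from any card network's implementation: an issuer-side choice between approving without friction and issuing a challenge, followed by a one-time passcode that is bound to one transaction, expires, and cannot be replayed the way a static 3DS1 password could. The signal names, the thresholds, the validity window and the attempt limit are all assumptions made for illustration.

```python
import hmac
import secrets
import time

OTP_TTL_SECONDS = 300  # assumed validity window
MAX_ATTEMPTS = 3       # assumed limit on guesses per challenge


def decide(signals):
    """Return 'frictionless' or 'challenge' from hypothetical risk signals.

    Missing data is treated as risky rather than silently trusted.
    """
    risky = (
        signals.get("new_device", True)
        or signals.get("shipping_country") != signals.get("billing_country")
        or signals.get("amount", 0) > 5 * signals.get("typical_amount", 0)
    )
    return "challenge" if risky else "frictionless"


class OtpChallenge:
    """One issuer-side challenge tied to a single transaction."""

    def __init__(self, transaction_id, now=None):
        self.transaction_id = transaction_id
        # CSPRNG-backed six-digit code, never derived from card data.
        self.code = f"{secrets.randbelow(10**6):06d}"
        start = time.time() if now is None else now
        self.expires_at = start + OTP_TTL_SECONDS
        self.attempts_left = MAX_ATTEMPTS
        self.used = False

    def verify(self, transaction_id, submitted, now=None):
        now = time.time() if now is None else now
        # Reject replays, exhausted challenges and expired codes up front.
        if self.used or self.attempts_left <= 0 or now > self.expires_at:
            return False
        # A code issued for one purchase must not authorise another.
        if transaction_id != self.transaction_id:
            return False
        self.attempts_left -= 1
        # Constant-time comparison avoids leaking digits through timing.
        if hmac.compare_digest(submitted.encode(), self.code.encode()):
            self.used = True
            return True
        return False
```
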
Should you adopt 3-D Secure 2 in your business?
After learning about how 3DS2 has successfully evolved to reflect ubiquitous technological innovations such as the smartphone, you may be wondering if you should adopt it right away at your business. If you operate in the European Union or have exposure to that market, you are now required to comply with the Payment Services Directive (PSD2). This law mandates that all companies put two-factor authentication or Strong Customer Authentication (SCA) in place for EU-to-EU electronic payments.
Even if you do not engage in commerce in the EU, you may decide that the enhanced user experience, greater security, and reduction in false declines make switching over worthwhile. If you decide to make the change, consider the following factors when choosing the best payment processing and fraud management system.
- It needs to reflect recent changes in the credit card industry and security landscape. Be sure that it is equipped to pivot and incorporate innovations as soon as they are launched to meet and address ever-evolving security threats.
- Recognize that 3DS2 involves adding an extra authentication step to the checkout process. Be sure that the provider you choose makes this clear to customers, but also be ready to answer buyers’ questions and concerns from your end.
- Understand the distinctions between each credit card provider when it comes to chargeback liability.
- Before choosing a provider, check to see that you have access to the post-checkout transaction data that can be so valuable in driving your future marketing campaigns and can also provide insights into fraud and other behaviors.
- Make certain that the provider has experience and expertise in processing more than fifteen data points and that you are given maximum transparency when it comes to their operations.
3-D Secure 2 could potentially mark a sea change in the power and scope of online payment transaction security. The more it is adopted by issuers and merchants, the stronger it is destined to become. Adopting 3DS2 just might be one of the most proactive steps you can take to protect your business and the valued customers you serve.