What is 3D Secure and why is it important for merchants?


Post Image

With an increase in eCommerce, credit card fraud has steadily increased over the years. In 2019, the EU saw €1.55B in credit card fraud, with France pulling in a staggering €440.9M in losses, only behind the UK. 

And although eCommerce has been on the rise for years, the pandemic accelerated online shopping significantly, with some countries seeing a 7% rise in online retail sales, according to a UN study

The EU, the US, Japan and many other countries have been creating ways to tackle online fraud since eCommerce became popular in the late 90s/early 2000s. Because if one thing is true, it’s that more online sales = eCommerce fraud. 

The history of 3D Secure

In 2001, after a sharp rise in eCommerce, Visa created what they called “Verified by Visa” (now called Visa Secure) to combat the rise of fraud in online transactions. It was a way to digitally verify identity during checkout, which was important for both merchants and card issuers, as they were both losing revenue due to fraud. 

This technology was eventually adopted by other major credit card companies and helped to standardize the first version of what would be named 3D Secure. Mastercard and American Express both created their own versions of this, called Identity Check and SafeKey, respectively.

What is 3D Secure? 

3D Secure (3DS) is a standard protocol for digital identity verification that card issuers adhere to. It adds an extra layer of security to consumers who pay online with their bank or credit card. 

The aim of 3D Secure is to ensure that any online payment by card is made by the actual account holder. It also protects merchants from fraudulent transactions and subsequent lost revenue. Nearly 9 out of 10 merchants reported losing revenue to fraud in 2020. 

3D stands for the three domains that interact with the protocol:

  • Card issuer, for example Visa or Mastercard
  • Merchant who receives the payment in exchange for their goods or services
  • 3DS infrastructure platform that acts as a secure platform between the consumer and the retailer

Two versions of 3D Secure

There are currently two versions of 3D Secure that coexist and meet the Strong Customer Authentication (SCA) requirements in Europe.

3DS1 – early 2000s

The first version of 3DS authenticated with a one-time password, which was sent via SMS or email. But for mobile users who wanted to verify on their phones, the authentication page was often not mobile friendly and required zooming in and finding where to enter the code.

Not only was this difficult for consumers to navigate, but it added a lot of friction. Online shoppers generally have very little patience, and this extra friction caused many to abandon their purchase, which affected merchants’ profitability. Merchants were also slow to adopt this technology, as they knew it could increase their cart abandonment rate. 

Although the first version of 3DS helped reduce card fraud, it was not optimized for mobile. No one could have guessed that in less than 20 years, we would all be walking around with mini computers in our pockets that allowed us to purchase online!

3DS1 is the original method from the early 2000s, and it still functions as an authentication method. It currently acts as a backup to the new protocol, 3DS2, but will be phased out by the end of 2022 in the European Union.

3DS2 – 2019

This improved method of 3D Secure has been vastly improved and takes into account mobile users, who now use secure banking apps to authenticate purchases, compared to before, where it was done by SMS or email. Today, more than 50% of transactions are done on mobile, so it is in merchants’ best interest to optimize their checkouts to be as frictionless as possible. In addition to this, EU legislation requires that merchants update their payment flows to add this extra step of authentication. 

A 3DS2 transaction can now be initiated from a web browser, mobile app or connected device and was designed specifically to support native mobile experiences, including biometric authentication methods such as fingerprints or facial recognition. 

A hallmark of 3DS2 is that it uses much more data to make decisions than before. Now, 150 data points are collected with each transaction, compared to just 15 before. This technology acts as a gatekeeper and decides whether or not to approve a transaction. Some data points that are collected to make this decision include: browser IP address, browser language, shipping postcode and many others. 

The vast majority of transactions deemed low-risk are approved without any additional verification required from the consumer, which qualifies as a “frictionless approval.” This reduces friction and improves the user experience, all while ensuring secure transactions. For the remaining riskier transactions, the consumer may be asked to authenticate with a password or biometric identification. And of course, some transactions may ultimately be deemed as fraudulent, which means the technology is doing its job!

Benefits

There are many benefits to using the updated version of 3DS. We must emphasize the fact that for EU-to-EU payments, merchants have no choice: it is European legislation and merchants must comply. Luckily, as a Payment Service Provider, SlimPay ensures that its merchants have a higher level of protection from fraud and are compliant with the European directive. 

More data for better assessments—with 10x more data as discussed above, card issuers can better assess risk and authenticate a payment directly, or ask for more authentication information if needed. For low-risk transactions—upwards of 90% of all transactions—the consumer is sent to a frictionless checkout, where no one-time password, biometrics or other authentication method is required. 

Enhanced user experience—consumers have a much more fluid payment journey, and many times are not asked to provide additional authentication if the transaction is trusted. For any payment that is deemed more risky, consumers will be asked to authenticate with biometrics (fingerprint or facial recognition) or a one-time password. By using data to their advantage, card issuers have higher acceptance rates and offer a frictionless payment journey to a majority of transactions. 

Liability shift—merchants avoid liability for chargebacks in the case of fraud. Liability is shifted from the merchant to the card issuing bank when the customer authenticates using 3DS and any fraudulent charges occur. This gets merchants out of the messy business of chargebacks, which leave 27% of consumers with a negative image of the merchant, no matter the outcome. 

Reduced risk of fraud—one of the biggest benefits of 3DS is that it reduces the risk of card fraud. By providing an extra layer of security, merchants accept payments from customers who actually match the cardholder name and are legitimate. Even in the case of card details being stolen, fraudsters would also need to have access to the consumer’s banking app and/or text messages in a short frame of time. Although nothing is impossible, the risk of fraud is much lower using 3DS. 

Happier merchants — with reduction in fraud cases, the merchants get an opportunity to increase sales and decrease disputed transactions.

Exceptions to 3D Secure

For one-off payments only, PSD2 provides for a number of cases where the payer is exempt from strong authentication.

Payments under €30

All payments below €30 are subject to this exemption. Approximately 50% of all online transactions fall under this exemption. However, these exemptions are not valid if the total amount debited on the card since the last authentication is greater than €100, or if more than five transactions have been carried out on the card since the last authentication.

Fixed amount subscriptions

When a payer makes a series of recurring payments of the same amount to the same merchant, strong authentication will only be required for the first payment: there will be no authentication for subsequent payments. This is the case, for example, for recurring subscriptions that are done with a card, instead of a direct debit payment. 

Trusted beneficiaries

A payer can choose to add a merchant to their list of trusted beneficiaries to avoid authentication for future payments.

Low risk payments / Risk analysis

Exemption initiated by the issuing bank: the card issuer can apply a TRA (Transaction Risk Analysis) exemption, even if a merchant has not requested it. 

Exemption at the initiative of the PSP: payment service providers (SlimPay is a PSP) can ask not to strongly authenticate a transaction under certain circumstances, in the event that their fraud rate does not exceed certain predefined thresholds.

Out of scope transactions 

Merchant initiated transactions (including variable subscriptions)

  • Payments for which the amount is not initially known. These are payments made when the cardholder is not present, using stored card data.
  • To benefit from this exemption, the storage of the card data must be authenticated.
  • The merchant must also obtain the agreement of the payer (mandate) to be authorized to subsequently debit their card

One-leg payments

  • When the payer’s bank or the merchant’s bank is outside the EU, no authentication will be performed.

Mail Order / Telephone Order (MOTO) payments

  • Payments by mail and telephone are not considered electronic payments and therefore, do not have to use 3DS2 to authorize the payment.

3DS is a secure protocol that is in place to protect not only consumers, but also merchants and card issuers. Over the last two decades, 3D Secure technology has evolved to match modern spending habits and combat rising levels of card fraud.

As more consumers move their shopping to online, merchants will need to be vigilant as fraudsters will continue to find ways to exploit security flaws and carry out fraudulent transactions.