In 2001, Visa launched a program designed to make it impossible if not difficult for fraudsters to use stolen cards online. This program was called Verified by Visa and has since been adapted by Mastercard and American Express. The program, now known as 3D-Secure or 3D-S, requires a customer to enter either a password they had previously registered with their bank or a one-time password that was sent to their phone. The logic behind this process was sound - only the cardholder would know the password and/or have access to the registered phone number. Essentially, 3D-S reduced unauthorized transactions by serving as an identity verification tool.
The system proved effective but flaw-ridden. The main criticisms were that the entire process was not very customer friendly and was more of a hindrance than an aid. As a result, some industries such as the airline industry opted out of the 3D-S as they felt that forcing a customer to take this extra step hurt their conversion rate (the number of people you convert from a lead to an actual sale). Other merchants found their online sales tumble as the payment gateways forced customers to sign up for 3D-S to complete a purchase.
Customers also found that the pop-up windows were lacking in security certificates and were easily mimicked by fraudsters, creating concern in the mind of customers, resulting in many of them opting to abandon their online purchases. Furthermore, the popup was not optimized for mobile devices meaning those who tried to make online purchases via their phones either struggled with completing the 3D-S or were just unable to complete the process entirely.
As a result of these general complaints, 3D-Secure was not commercially successful in the United States with many merchants opting to use the more primitive, post-authorization, fraud check system called, AVS or address verification system.
Yet the payment processors and credit card companies knew that 3D-Secure was an effective system to fight fraud and they were committed to addressing the complaints and issues in order to gain worldwide recognition, acceptance and adaption.
Enter 3D-Secure 2.0
3D-Secure 2.0 (3D-S 2.0) was launched in 2016 and promised to be a more intelligent and dynamic method of fighting fraud. Instead of forcing every customer through the 3D-S process for every transaction, 3D-S 2.0 aims to identify fraud by using what is being called Frictionless Flow.
This new process works by enabling merchants to send more data to the issuing bank than was being sent when using 3D-S. This enables identity verification through the use of biometrics like a thumbprint or token-based authentication methods where a customer enters a password into a system, receives a passcode and enters that passcode to complete the transaction. Therefore, instead of solely depending on static passwords or OTPs, a transaction can be approved without any manual input from the cardholder.
Yet the biggest improvement is that 3D-S 2.0 leverages risk-based authentication, a process designed to determine if a customer should be put through the verification process. Once again, this is achieved by allowing more information to flow to the issuing bank. The bank takes multiple data points under consideration when determining if the transaction can be authorized without the need for a customer to be verified. These data points include but are not limited to :
The customer’s historical transactional pattern,
The value of the transaction,
The customer’s historical behavioural pattern,
The location where the transaction originated from,
The device ID and historical usage.
Essentially, the issuing bank would compare the current attempted transaction against the customer’s profile and determine how closely the transaction fits the customer’s established pattern. So if 70-year-old attempts to purchase a pair of RM1000 Yeezys, the 3D-S 2.0 system could force the customer through the verification process UNLESS the customer has an established pattern of buying high-value shoes online.
Another example is if someone uses a new phone to buy movie tickets online, they might get forced through the verification process as the device ID is new to the customer profile.
The benefit to this enhancement is obvious - verification is only required when something is amiss. This means that merchants should not see a dip in their conversion rate as long as the transaction matches the customer’s spending pattern. Even more important is that each time a customer makes a purchase, they train the machine learning module to understand their spending pattern, ensuring that any deviations from that spending pattern are challenged.
Lastly, 3D-S 2.0 is not only mobile friendly but has been built with mobile integration meaning a company/developer can build 3D-S 2.0 right into their mobile app, removing the illusion of it not being safe and massively reducing the number of customers who abandon their transactions.
Yet, 3D-S 2.0 is not without its flaws. It depends on stored and historical to work ie: the system matches what it sees against its records and makes a determination that the cardholder is genuinely performing the transaction, meaning the system works on a best guess basis rather than one of absolute certainty. This caused the European Banking Authority to deny permission for 3D-S 2.0 to be implemented in the EU.
Additionally, there were concerns that a customer’s spending pattern could be mirrored or copied by a fraudster, there would be very little to prevent the transaction from being approved without the need for additional verification.
Yet, these concerns were alleviated with 3D-S 2.2 where it was proven that the system was able to meet the EU’s Strong Customer Authentication requirements. With this enhancement, it does seem like 3D-S 2.2 is now the gold standard for authentication in card-not-present transactions.
This, coupled with the fact that 3D-S 2.2 is now being adapted globally and that 3D-S will be fully phased out by the end of October means that merchants need to start ensuring that they are 3D-S 2.2 ready as soon as possible to avoid being held liable for any chargebacks.
A merchant who has not subscribed to 3D-S 2.2 will be held liable for any chargeback despite the fact that the system will attempt to authorize the transaction via 3D-S 2.0 and, failing which, 3D-S.
If the process of upgrading seems difficult or you are unsure of the process to upgrade, contact us for a free, no-obligation conversation about how you should proceed and what we can do to help you out.
Comments