David Jeffrey, Barclaycard Director of Fraud and Security Products, looks at how the new 3DS2 protocol could redefine how your customers shop online. To find out how we can support your business, call our payment experts on 0800 096 8237*.
When it first appeared nearly a decade ago, 3-D Secure quickly became a ubiquitous extra line of security for many online transactions. But while the protocol has been amended and refined over the years, it has failed to keep up with rapid advances in digital technology and shopping trends, particularly mobile payments, and the growing sophistication of fraudsters. In short, the original version of 3-D Secure is no longer fit for purpose.
3-D Secure 2 (3DS2) is an updated version that represents a new approach to security – one that reflects the realities of today’s online and mobile world and the need to balance customer experience with fraud prevention. As such, 3DS2 is a natural fit for PSD2, the regulatory framework that is reshaping European payments. Under the terms of PSD2, companies doing business in Europe must comply with the regulatory technical standards (RTS) for strong customer authentication (SCA).
Apart from supporting the new security standards and providing a firm foundation for compliance, 3DS2 eliminates many of the shortcomings of 3DS1. It is a security platform that is appropriate for today’s world of multichannel payments – a world where authentication is more complex and challenging, and fraudsters are never slow to exploit vulnerabilities.
Clumsy to negotiate, vulnerable to phishing, and unsuitable for mobile commerce, 3DS1, when actively deployed, does not make for a happy customer experience – which, of course, contributes to cart abandonment and poor conversion rates. 3DS2 will help to limit these concerns, with card-not-present transactions handled smoothly and efficiently whether online, on mobile, in-app, or via digital wallets.
With 3DS2, customers don’t need to remember passwords or negotiate cumbersome pop-up windows. Instead, 3DS2 relies on multi-factor authentication, which will mean a stronger defence against fraud while maintaining a smooth checkout experience.
The increased use of biometrics opens up new ways of authentication, such as fingerprint and iris recognition, addressing the growing need to adapt to mobile and in-app shopping environments. Not only will biometrics reduce the risk of fraud; if deployed seamlessly, they can also make cart abandonment less likely.
A significant advantage of 3DS2 is that it promotes risk-based authentication. This is achieved through context-rich information that helps to assess risks. Key data can be gleaned from the transaction itself and from the merchant’s and the cardholder’s risk profiles. Examples include the cardholder’s email and postal addresses, the transaction amount, the number of transactions within a specified period, browser and country details, behavioural profiles and many more.
Together, these datasets provide a detailed profile picture that can lead to more informed decisions, with low-risk and non-suspicious transactions being allowed to go unchallenged. For example, if a consumer initiates a low-value transaction from a device that has previously been used to authorise payments, in the country where the card is registered, it could be deemed low risk and require no authentication.
On the other hand, if the same card was used for a high-value transaction from a different device in a different country, it would be considered high risk and so trigger authentication.
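The decision described above can be sketched as a small additive risk score. This is an added example, not Barclaycard's or any issuer's risk engine and not part of the 3DS2 specification; the field names, weights and thresholds are assumptions chosen for illustration, and the velocity check goes one step beyond the two scenarios in the text.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Illustrative assumptions only: none of these values come from the 3DS2
# specification or from a real issuer's risk model.
LOW_VALUE_LIMIT = 30.00                 # amounts above this count as higher value
VELOCITY_WINDOW = timedelta(hours=24)   # the "specified period" for counting
VELOCITY_LIMIT = 5                      # earlier transactions tolerated in the window
CHALLENGE_THRESHOLD = 50                # score at or above this triggers a challenge

@dataclass
class Transaction:
    amount: float
    device_id: str
    country: str
    when: datetime

@dataclass
class CardProfile:
    home_country: str      # country where the card is registered
    known_devices: set     # devices previously used to authorise payments
    history: list          # timestamps of earlier transactions

def risk_score(tx, profile):
    """Add up the signals named in the text: device, country, amount, velocity."""
    score = 0
    if tx.device_id not in profile.known_devices:
        score += 30
    if tx.country != profile.home_country:
        score += 30
    if tx.amount > LOW_VALUE_LIMIT:
        score += 20
    recent = [t for t in profile.history
              if timedelta(0) <= tx.when - t <= VELOCITY_WINDOW]
    if len(recent) >= VELOCITY_LIMIT:
        score += 50        # a burst of payments is enough to challenge on its own
    return score

def decide(tx, profile):
    """Return 'frictionless' for low-risk payments, 'challenge' otherwise."""
    return "challenge" if risk_score(tx, profile) >= CHALLENGE_THRESHOLD else "frictionless"

# Constructed sample data mirroring the two scenarios in the text.
NOW = datetime(2019, 3, 1, 12, 0)
PROFILE = CardProfile("GB", {"dev-home-laptop"}, [NOW - timedelta(days=3)])
LOW_RISK = Transaction(12.50, "dev-home-laptop", "GB", NOW)
HIGH_RISK = Transaction(950.00, "dev-unknown", "FR", NOW)

if __name__ == "__main__":
    for tx in (LOW_RISK, HIGH_RISK):
        print(tx.amount, tx.country, risk_score(tx, PROFILE), decide(tx, PROFILE))
```

A single weak signal, such as an unrecognised device on an otherwise ordinary low-value payment, stays below the threshold, which is the behaviour that keeps low-risk checkouts unchallenged.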
The more data is shared, and the better the quality of that data, the more it will help to streamline the payment process while reducing fraud. Whereas 3DS1 was based on as few as 10 data points, 3DS2 generates over 100 to determine the validity of a transaction. When everyone in the payments chain provides more data to support a transaction, the result will be swifter checkout times, enhanced security, improved sales and a better customer experience.
One of the benefits for merchants is that when 3DS2 is applied, they will not be liable for fraudulent transactions unless an acquirer exemption was applied. Currently, when the cardholder or issuer disputes an online transaction (on the basis that it is fraudulent), merchants will refund the loss in most cases. With 3DS2, liability will shift to the card issuer/cardholder.
3DS2 is due to be in place for issuers and acquirer/gateways by April 2019, ready for the arrival of strong customer authentication in September 2019. It is an important evolution for a protocol that has been serving the payments industry for nearly 20 years, and which will now support the aims of PSD2 and promote fast and secure payments in the mobile era.
Like all regulation, Strong Customer Authentication (SCA) brings new challenges. But with the right strategies in place, merchants can be compliant, help reduce fraud and offer secure payments. For more information, see our whitepaper: Demystifying the payment landscape: PSD2, SCA and the security challenge.