3D Secure 2: The Security System that is About to Take Over

27 Jun 2019

Strong Customer Authentication is Coming, How Will it Affect Your Business?

With the e-commerce industry booming, the rise in credit card fraud threatens to damage consumer attitudes towards online purchases. If credit card fraud is a term that completely stresses you out then you may be happy to hear a solution is on its way. A new European regulation called Strong Customer Authentication (SCA) is set to change the way online payment security works. SCA will be made mandatory in Europe for all digital purchases made by consumers starting from 14th September 2019[1].

In a nutshell, it is a huge effort from the European Economic Area (EEA) to crack down on the rise of digital credit card fraud.

SCA is a part of the Payment Services Directive 2.0 regulation that makes banks open their payment framework and customer data assets to third parties so they can develop payments and information services for customers[2]. The SCA regulation makes it clear that authentication must use at least two of three elements:

  • Something the customer knows... (like a password or a PIN). 

  • Something the customer has... (a phone or a hardware token). 

  • Something the customer is... (a fingerprint or face recognition)[3]
     

So, what will it mean for your online business? Although many business owners are worried about the introduction of additional payment steps, it is very important you prepare your business for this. One major reason is that businesses that fail to prepare could soon see their basket conversion rates drop at a high rate after the enforcement on 14th September[4]. Merchants also need to make sure that they use payment providers that are mainly focused on the customer checkout experience and so will provide a straightforward and up-to-date response to SCA[5]. So preparation is a must if you want your customers to be able to check out easily and securely from September onwards.

It is also important to know that there will be exemptions to this requirement. These include: contactless payments at the point of sale, unattended transport and parking terminals, trusted beneficiaries, recurring transactions, low-value transactions, secure corporate payments, merchant-initiated transactions and Transaction Risk Analysis. (To find out about the terms and conditions of each of these exemptions read page 8 of the following link [6]).

3D Secure

You could say 3D Secure 2.0 is ahead of its time as it already meets the SCA requirements. You may recognise 3D Secure by one of its commonly known branded names like ‘Verified by Visa’ or ‘Mastercard SecureCode’[7]. 3D Secure is the communication between a customer’s bank and the customer to prove that they are the true cardholder.

The security system was originally created as 3D Secure but after it faced a few challenges it was later improved to become a better version of itself called 3D Secure 2.0. The new version is a lot more user-friendly than the older version and will soon become the most used system of authentication.

How Does This All Work?

Well, it’s actually quite simple:

1. It starts with the card-holder, who types in their card details on their chosen online payment gateway, e.g. PayPal or Stripe.

2. Then that online payment gateway sends messages to a directory server to check that the card has been entered into the 3D Secure 2.0 system.

3. The directory server then responds showing that the card has been entered into the system. If not, it checks whether the original 3D Secure is supported.

4. If 3DS 2.0 is supported and a frictionless transaction is possible, the transaction is authenticated without anything else needed from the customer. If not, the authentication is challenged and the customer has to put in a password (or a fingerprint).

5. If 3DS 1 is supported then the consumer is either asked for a password or is automatically approved based on the risk.

6. The outcome of the authentication is then returned to the online payment gateway.

7. The online payment gateway then submits the card details and the 3D Secure authentication outcome to their acquiring bank.

8. The acquiring bank then authorises the payment by sending a message to the credit card network and the issuing bank.

9. Whether the response fails or has been successful it then gets passed back up to the card-holder[8][9].
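The routing decision in steps 2 to 6, as an added Python example that is not part of the original article or any payment provider's code. The directory table, the card numbers, the `low_risk` flag, the `challenge` callback and all function names are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed directory-server data: card prefix -> 3D Secure versions the
# card has been entered into. The real lookup is a message exchange (step 2).
DIRECTORY = {
    "400000": {"2.0", "1"},   # entered into both versions
    "510000": {"1"},          # original 3D Secure only
    "340000": set(),          # entered into neither
}

@dataclass
class AuthOutcome:
    protocol: Optional[str]   # "3DS2", "3DS1" or None
    path: str                 # "frictionless", "challenge", "risk-approved", "none"
    authenticated: bool

def authenticate(card_number: str, low_risk: bool,
                 challenge: Callable[[], bool]) -> AuthOutcome:
    """Return the outcome handed back to the payment gateway (step 6).

    low_risk stands in for "a frictionless transaction is possible";
    challenge() asks the cardholder for a password or fingerprint and
    returns True only if the check succeeds.
    """
    versions = DIRECTORY.get(card_number[:6], set())        # steps 2-3
    if "2.0" in versions:                                    # step 4
        if low_risk:
            # Frictionless: the cardholder is never prompted.
            return AuthOutcome("3DS2", "frictionless", True)
        return AuthOutcome("3DS2", "challenge", challenge())
    if "1" in versions:                                      # step 5
        if low_risk:
            return AuthOutcome("3DS1", "risk-approved", True)
        return AuthOutcome("3DS1", "challenge", challenge())
    # Assumption: with neither version supported there is no authentication
    # result, so the gateway must not report the payment as authenticated.
    return AuthOutcome(None, "none", False)

if __name__ == "__main__":
    deny = lambda: False      # constructed cardholder who fails the challenge
    for card, risk in [("4000000000000002", True), ("4000000000000002", False),
                       ("5100000000000008", True), ("3400000000000009", True)]:
        print(card[:6], "low_risk" if risk else "high_risk",
              authenticate(card, risk, deny))
```

A failed challenge comes back as `authenticated=False` on the same path, which is the value the gateway passes on to the acquiring bank in step 7.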
 

Secure Payment Terms You Need To Know

TRA - Transaction Risk Analysis is based on an algorithm (a set of instructions) that is able to see the card holder’s spending and behavioural habits. It also looks at the card holder’s location, the merchant location, monetary threshold and the real-time fraud rates and statistics for e-commerce transactions[10].

PCI DSS Compliance - This stands for Payment Card Industry Data Security Standard Compliance. This is a set of policies and tasks that have been created to protect credit, debit and cash payments and stop people’s personal card information being wrongly used. PCI DSS compliance has to be upheld by all card brands[11].

ASV - An Approved Scanning Vendor is an organisation that uses a number of data security services to decide whether a company upholds the PCI DSS external scanning requirements. They run an external vulnerability scan of a company's network or website. This scan helps to show any data security changes that need to be made[12].

Chargeback - This is when a customer’s money has been returned to them by the bank that they used to settle a consumer debt.

Friendly Fraud - This is when a customer files a chargeback instead of trying to first get a refund from the merchant. The card-holder can then challenge the charges to their credit card, which forces the bank to make a refund as it automatically assumes the merchant made an error. This can be done by the card holder accidentally because they don’t understand the correct way to get a refund and think chargeback is a correct method of doing that. But it has been proven in the past that some cardholders use this knowledge to steal from e-commerce companies[13].

  

Key Dates For 3D Secure

Three-domain Secure (3DS) was first created nearly 15 years ago [14]. From 2007 it had been decided that all merchants who accept Maestro cards have to use 3D Secure. If the merchants did not follow these new rules they would have to pay large fines and could also risk losing their ability to process credit cards [15].

With Strong Customer Authentication coming into place in September, banks will start to decline payments that need strong customer authentication and are not able to give at least two of the three elements mentioned earlier. Merchants accepting Mastercard payments are expected from the 1st of December 2020 to use 3-D Secure 2.0 only [16]. There’s not long to go now, so soak up all the info you can.

Why was 3D Secure 2.0 Created?

Over the years the e-commerce industry has been on the rise with the decline of the high street. Along with this, the rate of consumers using their credit cards to make purchases online is growing. As more credit cards were used online, the number of credit card fraud cases grew as well.

So it was decided that a new system needed to be introduced to tackle this problem. The original 3D Secure had its problems meaning an update was needed. Research showed that customers who used 3D Secure found that the system was hard to use. One example of this is the fact that the card-holder, the card issuer and the merchant all had to do their part to make sure the payment was authenticated. 

Also, customers spoke about their concerns about having to constantly create a new password that had to be longer than the last and remember it each time[17]. 53% of consumers forget crucial passwords more than once a week, and lose on average 10 minutes a week resetting their accounts[18]. Another problem has been that, because it was not mandatory in all markets, the pop-up window caused some customers to become confused. Consumers assumed that it was a risky pop-up that could threaten the security of their payment. This led to a number of customers deciding not to go through with the payment process because it was something unfamiliar to them.

The Benefits Of 3D Secure 2.0 

The main improvement made by 3D Secure 2.0 is that it only needs an extra security step if it decides that the risk of card fraud is higher than the standard risk. This saves the customer time as they won’t have to do this unless the risk of fraud is high, resulting in fewer basket abandonments online.

There is also no need for customers to use static passwords anymore, and no sign-up system while the customer is shopping online[19]. This has meant that fewer customers leave their online shopping baskets before going through with the payment, which is a win-win for any business owner.

It’s also quite convenient because of its added mobile, in-app and digital wallet payment methods which the original 3D Secure did not provide. Your customers can now shop on-the-go with ease. 

Before 3D Secure 2.0 the merchant would usually have to pay when a transaction had been challenged by the card-holder. Now it would be an issue for the bank to solve. This helps save the merchants from losing out on money and so has proven popular.

With ‘Verified by Visa’ the merchant will no longer receive a chargeback on their own account. Doing this helps to stop ‘friendly fraud’ when a card holder makes a purchase and files for a chargeback, knowing that the bank will likely take their side [20]. Friendly fraud is a big issue in the e-commerce world and the fact that the chances of it happening can be lowered helps to also lower the rates of fraud overall.

There are also interchange benefits. Interchange fees cover the cost of using card services that banks might otherwise pass onto consumers. These benefits include lower discount rates and sometimes longer payment terms with the acquiring bank[21].

This all results in a main benefit of an increase in customer confidence online, which in turn leads to more online shopping. There is a lower risk of customers becoming victims of credit card fraud when shopping online with 3D Secure 2.0, so customers feel safe to shop and make payments, particularly on websites that use 3D Secure 2.0.

How Secure Payment Influences Customer Behaviour On Websites

Being able to shop online securely is the number one concern for online consumers. In fact, Kaspersky Lab found that 49% of their study participants worldwide felt vulnerable while shopping online or making online transactions, and 62% fear financial fraud on the internet[22]. So having a secure payment system is so important for any e-commerce website owner who wants to help increase sales on their website and improve their customer's shopping experience.

Chargebee.com found that 7/10 consumers make payment decisions based on which payment method is the most secure. So, having 3D Secure 2.0 on your website would mean that people may be more willing to spend on your website rather than a website that doesn’t have a secure payment system like 3DS.

Similarly, Chargebee.com also found that 62% of cardholders in the US are familiar with and currently using PayPal. 69% believe that PayPal’s technology is better at protecting their financial information[23]. This is most likely because PayPal has become a household name in the payment industry, it has been available for years and has gained the trust of many online consumers. Once 3D Secure 2.0 has been made mandatory and practically all e-commerce websites are using it, it could become as recognisable and as trusted among consumers as PayPal is at the moment.

A study by Econsultancy.com tested which online security logos were trusted the most amongst users, and the results showed that Norton came out on top at 35.6%. They added that this result was interesting because McAfee, TRUSTe and BBB are actually ‘trust seals’. This means they are concerned with security and business identity. Whereas the rest of the security systems including Norton are SSL Seals which means they are ‘technically’ secure[24].

The results show that consumers’ trust in online security is often more about familiarity than it is about technical security.

Is My Payment Method 3DS2 Ready?

Yes

Stripe - Stripe already has 3D Secure 2 in use and puts it to use when it’s supported by the cardholder’s bank, and falls back on 3D Secure 1 when the new version isn’t supported yet[25].

PayPal - 3D Secure authentication is used along with other efforts that PayPal takes to further support the security and simplicity of consumers’ payments[26].

Worldpay - Worldpay has all the tools you need to help you manage SCA, qualify for exemptions and maintain Strong Customer Authentication compliance[27].

Barclays EPDq - They have taken the necessary steps to ensure the 3DS 2.0 mandate is met, as well as exploring options to achieve the right balance between managing fraud risks and reducing disruption in the payment journey[30].

Payzone - Payzone payment gateways also use 3D Secure authentication as additional security for online payments[31].

Coming soon...

Sagepay - Sagepay are in the process of upgrading their gateway to support 3DS2 and to make changes for contactless card machine transactions. They will be certifying their updated gateway with the card schemes and acquirers in the coming months[28].

Klarna - Klarna have not yet got 3D Secure on their system. However, they have enabled SafeKey 3D Secure for American Express transactions[29]. SafeKey is like a version of 3D Secure but only for American Express card users.

After taking in all the benefits for the customers and merchants, there’s no reason why you wouldn’t want to welcome 3D Secure 2.0 into your e-commerce business with open arms.

Instead of waiting for the big day, why not stay ahead of everyone else and begin to use 3D Secure 2.0 in your online business now?

 
