3-D Secure Now and Then
What is 3-D Secure?
3-D Secure is an additional security layer for online credit and debit card transactions. Introduced in 1999, 3DS was intended to reduce fraud for online transactions. It works by allowing the cardholder’s bank to prove that the customer attempting a purchase is the legitimate user of the credit or debit card. The basic concept of the protocol is to tie the financial authorization process with online authentication. This additional security authentication is based on a three-domain model. The three domains are:
- The merchant/acquirer domain: the bank and the merchant to which the money is being paid.
- The issuer domain: the bank which issued the card being used.
- Interoperability domain: the infrastructure provided by the card scheme to support the 3-D Secure protocol. It includes the Internet, merchant plug-in, access control server, and other software providers.
The benefit of 3DS is that it is an additional layer of security that reduces the risk of chargebacks. If a chargeback does occur, the liability will usually be shifted to the cardholder’s bank, as that is where the successful authentication occurred. A transaction using 3-D Secure will initiate a redirection to the website of the card-issuing bank for authorization. The issuer can use any kind of authentication method; however, the most popular method is a password tied to the card.
Examples of 3DS Version 1 include:
- Verified by Visa
- Mastercard ID Check
- American Express SafeKey
What are the challenges of 3DS?
When 3DSv1 was first introduced, technology that we now take for granted – such as smartphones – had not yet been invented or was not yet widely available. While 3DSv1 has been a powerful and widely adopted anti-fraud solution, it has not been without issues. Consumers consistently dropped out of the payment flow because 3DSv1 lacked native in-app and mobile flows. Static passwords were easily forgotten and caused friction, increasing cart abandonment rates. There were also extra operational costs for issuers, as customers needed support to reset static passwords.
As payment processing became more sophisticated, many banks moved to a risk-based approach so that shoppers are not always challenged. However, with a static password there is always the risk of phishing: the consumer is directed to a page run by fraudsters, who capture the password and card details and use them to make purchases on the consumer’s card.
How is 3-D Secure Version 2 (3DSv2) different?
3-D Secure 2 addresses the pain points of 3-D Secure 1. It offers a smoother and more consistent user experience across all devices and provides a data exchange that helps prevent fraud and reduce friction.
When a cardholder makes an online payment under 3DSv2.x, over 100 data points are created. This information is shared between the merchant and the issuer, and the issuer uses it to generate a risk profile of the payment, making the payment more secure. What makes this different is that it happens in the background rather than asking the user to enter random characters from a static password. This lack of friction greatly improves the customer experience and should result in less checkout abandonment.
If the transaction is deemed too high a risk, the consumer is prompted with further authentication checks. Under PSD2 Strong Customer Authentication (SCA), this type of enhanced payment authentication must replace a static password with ‘two of three factor’ authentication: ‘what you know’, ‘who you are’ or ‘what you have’. By placing biometrics (fingerprints, facial recognition) at the center of the verification process, the authentication is immediately better equipped to manage the authentication process, which is essential to the online retail customer experience.
While all transactions must be processed via 3DSv2, Visa expects that Strong Customer Authentication (SCA) will only be needed for approximately 5% of transactions.
What payments will be excluded from 3DSv2 SCA?
- Low-value transactions: Exemptions will be granted for transactions under 30 EUR. However, issuers may demand SCA after five transactions or in case the aggregated amount exceeds 100 EUR.
- Subscription and recurring transactions: Subscription or recurring transactions with a fixed amount are exempted from the second transaction onwards. SCA is required with the initial transaction or if the amount changes.
- Mail Order and Telephone Orders (MOTO): MOTO transactions are not covered within the new standard.
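The three exemption rules above, together with the ‘two of three factor’ requirement from the SCA section, worked as an added example; this is not code from the original post or from IXOPAY’s platform. The thresholds (under 30 EUR, five transactions, 100 EUR aggregate), the recurring rule and the MOTO exclusion are taken from the text; the per-card counters, the assumption that a required SCA succeeds, and every class and function name are assumptions made for illustration.

```python
# Added example, not IXOPAY's code: a minimal decision helper for the PSD2 SCA
# rules described on this page. Thresholds and rule order are the page's; the
# data model, counters and function names are assumptions, and a real
# issuer/ACS keeps far more state than this.
from dataclasses import dataclass, field
from enum import Enum

LOW_VALUE_LIMIT_EUR = 30.00            # exemption applies to amounts under 30 EUR
LOW_VALUE_MAX_COUNT = 5                # issuer may demand SCA after five exempt transactions
LOW_VALUE_MAX_CUMULATIVE_EUR = 100.00  # ... or once the aggregate would exceed 100 EUR


class Channel(Enum):
    ECOMMERCE = "ecommerce"
    MOTO = "moto"  # mail order / telephone order: not covered by 3DSv2 SCA


class Decision(Enum):
    OUT_OF_SCOPE = "out_of_scope"  # SCA rules do not apply (MOTO)
    EXEMPT = "exempt"              # may proceed without challenging the cardholder
    SCA_REQUIRED = "sca_required"  # cardholder must complete strong authentication


class Factor(Enum):
    """The three SCA factor categories named on the page."""
    KNOWLEDGE = "what you know"
    INHERENCE = "who you are"
    POSSESSION = "what you have"


@dataclass
class CardHistory:
    """Constructed per-card state kept since the last successful SCA (assumed model)."""
    low_value_count: int = 0
    low_value_total_eur: float = 0.0
    # merchant_id -> fixed amount agreed when the initial recurring payment was authenticated
    recurring_amounts: dict = field(default_factory=dict)


@dataclass
class Transaction:
    amount_eur: float
    channel: Channel = Channel.ECOMMERCE
    recurring: bool = False
    merchant_id: str = ""


def sca_decision(txn: Transaction, history: CardHistory) -> Decision:
    """Apply the exemption rules: MOTO exclusion, recurring rule, then low-value rule."""
    if txn.channel is Channel.MOTO:
        return Decision.OUT_OF_SCOPE
    if txn.recurring:
        fixed = history.recurring_amounts.get(txn.merchant_id)
        # exempt from the second payment onwards, but only while the amount is unchanged
        if fixed is not None and fixed == txn.amount_eur:
            return Decision.EXEMPT
        return Decision.SCA_REQUIRED
    if txn.amount_eur < LOW_VALUE_LIMIT_EUR:
        over_count = history.low_value_count >= LOW_VALUE_MAX_COUNT
        over_total = history.low_value_total_eur + txn.amount_eur > LOW_VALUE_MAX_CUMULATIVE_EUR
        if over_count or over_total:
            return Decision.SCA_REQUIRED
        return Decision.EXEMPT
    return Decision.SCA_REQUIRED


def record_outcome(txn: Transaction, history: CardHistory, decision: Decision) -> None:
    """Update the counters after the transaction; assumes a required SCA succeeded."""
    if decision is Decision.SCA_REQUIRED:
        history.low_value_count = 0          # a fresh SCA resets the low-value counters
        history.low_value_total_eur = 0.0
        if txn.recurring:
            history.recurring_amounts[txn.merchant_id] = txn.amount_eur
    elif decision is Decision.EXEMPT and not txn.recurring:
        history.low_value_count += 1
        history.low_value_total_eur += txn.amount_eur


def process_series(txns, history=None):
    """Run a list of transactions against one card and return the decisions in order."""
    if history is None:
        history = CardHistory()
    decisions = []
    for txn in txns:
        d = sca_decision(txn, history)
        record_outcome(txn, history, d)
        decisions.append(d)
    return decisions


def satisfies_sca(factors) -> bool:
    """Two of the three factor categories are needed; two factors of the same kind do not count."""
    return len(set(factors)) >= 2


if __name__ == "__main__":
    # constructed scenario: six 10 EUR purchases; the sixth trips the five-transaction rule
    small = [Transaction(10.00) for _ in range(6)]
    for t, d in zip(small, process_series(small)):
        print(f"{t.amount_eur:6.2f} EUR -> {d.value}")
    print(satisfies_sca([Factor.KNOWLEDGE, Factor.INHERENCE]))
```

The counter reset in `record_outcome` is what gives the low-value exemption its meaning: without it, a card that has passed a challenge would keep being challenged on every small purchase, which is exactly the friction 3DSv2 is meant to remove.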
At the moment, most major card schemes support both 3DSv1 and 3DSv2 so that stakeholders can respond to either message version and maximize successful transactions for customers. However, this is changing, and 3DSv1 will soon no longer be supported. You can find out how the card schemes are implementing 3DSv2 here.
How can I prepare my eCommerce for 3DSv2?
Staying on top of the changes and updates in the payment industry can be challenging. If you have built your own gateways, relying on payment service providers to keep you informed about critical updates – such as 3DSv2 or the Visa recurring payment rules – is not a sustainable solution. One way to avoid this issue is to use a payment orchestration platform. It may seem counterintuitive to bring another provider into the mix; however, a payment orchestration platform’s sole role is to function as a technological layer between your eCommerce and your payment providers. This buffer not only saves you time and energy in the general management of your payment stack, but is also a form of protection.
3DSv2 is already in use, and many of IXOPAY‘s clients have adopted it in order to provide their customers with a more intuitive checkout solution. As a best-of-breed payment orchestration platform, IXOPAY is also PCI-3DS certified and makes sure that all the connections are up to date and compliant with new regulations. For businesses to thrive, communication is key; we ensure that our clients are kept up to date on industry changes and other issues that may affect their business. This allows platform users to focus their attention on their core business. To find out more about what IXOPAY can do for your business, get in touch with our sales team who will provide you with a platform demo.
IXOPAY is prepared, are you? Get in touch!
IXOPAY is a payments orchestration platform enabling independent, flexible and global payment processing. As a highly scalable and PCI-DSS certified “fintech enabler”, IXOPAY fulfills the needs of large merchants as well as those of “white label” clients: payment service providers (PSPs), acquirers and independent sales organizations (ISOs). The modern, easily extendable architecture offers smart transaction routing & cascading, state-of-the-art risk & fraud management, fully automated reconciliation and settlements processing, comprehensive reporting as well as plugin-based integration of acquirers, payment service providers and alternative payment methods (APMs).
IXOPAY is part of the IXOLIT Group, founded in Vienna, Austria in 2001. With local entities in Austria and the USA, IXOLIT supports national and international customers across various industry verticals. The owner-led and -financed company has grown from 2 to more than 65 employees and is focused on building innovative solutions for eCommerce.
Please find more information about IXOPAY here: https://www.ixopay.com