The continued rise in e-commerce fraud as an expected result of the EMV implementation has put a laser focus on existing fraud solutions in the industry - and their shortcomings. 3D Secure was created over fifteen years ago as a way to increase security for online payments, but has seen its fair share of criticism from all parts of the payment spectrum. In October, EMVCo released the long awaited updated specifications for 3D Secure 2.0. Follow along as we highlight what’s new, important and noteworthy in this much anticipated release.
The Background
3D Secure (or 3DS) stands for “Three Domain Secure.” The three domains being the merchant/acquirer, the issuer and interoperability, which is the infrastructure provided to enable the 3DS protocol.
It’s also commonly known by its network-branded names, “Verified by Visa,” “MasterCard SecureCode,” and “AmEx SafeKey.”
At its core, the 3DS protocol allows consumers to directly authenticate their card with their issuer when shopping online - something that has become increasingly more important as use of stolen card information moves to e-commerce.
Until now, that process has typically involved a browser pop-up window, asking users for a static password known only by the buyer and the issuer. The methodology was that since password was stored elsewhere, stolen card details would be rendered useless, since criminals wouldn’t have access to this password.
In reality, it fell victim to most password-reliant systems. Consumers either chose passwords that were easy to remember, and easy to guess, defeating the purpose. Or, they chose passwords that were difficult to guess, and just as difficult to remember.
For years, merchants and consumers alike complained of the difficulties in successfully completing a 3D Secure-authenticated transaction, and cart abandonment that followed. While forgetting passwords was a common issue, another factor came into play - the browser pop-up itself. Because most issuers outsource the process to their access control server vendor, the domain of the pop-up window was usually absent of any bank or card network information that would make them feel it was trustworthy. This also left an opening for phishing schemes to capitalize on, since it was difficult to identify which URLs were secure versus which weren’t.
Eventually, consumers became deterred by the 3D Secure logos themselves. A study by SeeWhy, has showed that 12% of users would consider abandoning their cart when they saw the Verified by Visa and American Express Key logos, and 10% in the case of MasterCard SecureCode.
Why a New Version is Necessary
It’s clear there are long-standing issues that needed to be fixed, but the dynamic nature of payments and fraud specifically, have brought other items to the surface that need securing. In the EMVCo team’s demo, they cited four main reasons in updating the specifications:
- Increase security for app-based purchases and connected devices.
- Create better integration with the merchant, without interrupting their checkout process.
- Encourage more frictionless authentication, where possible. This would include sharing data about the device and the order to authenticate without any interference.
- Put more effort into using dynamic “one-time use” passcodes.
These revamped specs will soon hopefully be put to use across three primary use cases:
- Internet browser payments
- Mobile app payments
- Non-payment authentications, such as loading a card onto a digital wallet.
As we wrote about nearly two years ago, using stolen card information in digital wallets continues to be an issue, as it was when Apple Pay first launched, and we’re happy to see 3DS being applied to help curb this problem.
But, just as we’ve also noted across almost all of our posts, few attempts will ever be 100% successful in preventatively deterring fraudsters from using stolen payment information. The answer to truly combatting this problem is having a two-sided approach - and 3D Secure, a preventative effort, is only half the equation.
Learn more about how Rippleshot’s ABA-endorsed solution, Sonar, can help you quickly catch what gets through the cracks, so you can quickly and effectively stem fraud when it happens.