Heidi Bleau

3D Secure 2.0: Why It Pays to Be Ready

Blog Post created by Heidi Bleau Employee on Nov 6, 2017

Given that it was introduced to the world in the early 2000s, it probably comes as no great surprise to learn that the 3D Secure protocol isn’t optimized for mobile or, indeed, designed to deliver the fast, frictionless checkout that ecommerce customers now expect. And that’s not all—while use of smartphones, tablets, and digital wallets has boomed, so too has fraud.

 

The latest release of the 3D Secure protocol (also referred to as EMV® 3D Secure or 3D Secure 2.0) is designed for customer experience first, yet it addresses the need for more secure transactions across a number of devices. Because this release addresses many of the issues associated with 3DS 1.0.2 and comes with a list of new benefits for merchants, we expect uptake to be high—so banks and other issuers need to adopt in good time too, or accept the liability shift without any of the benefits of adoption.

 

What’s new?

The enduring challenge for fraud management teams is to improve payment security without imposing on the shopping experience for their customers. Make things too difficult for them, and cart abandonment could end up losing retailers more money than fraud itself. 3D Secure 2.0 helps strike the right balance by:

  • Eliminating active enrollment. Cards can now be enrolled automatically, avoiding the need for a lengthy sign-up process.
  • Leveraging rich data. Having much more data to analyze with each transaction means more accurate risk assessment and fewer orders challenged. This is probably the primary benefit of the protocol for issuers.
  • Offering device-agnostic support. Software development kits (SDKs) allow merchants to integrate authentication with a whole host of devices, from smartphones to wearables to gaming consoles, making 3D Secure truly ready for the Internet of Things (IoT).
  • Supporting smarter, broader authentication. Static passwords are out, while one-time passwords, biometric IDs and out-of-band authentication are in—as are authentication for in-app purchases and digital wallets.
  • Faster authentication. Performance improvements for end-to-end processing, better integration with merchant apps and sites, and smarter authentication all contribute to smoother and faster checkout.

 

What’s in it for issuers?

As already mentioned, issuers are a primary beneficiary of the much richer data exchange that comes with 3D Secure, because it enables better fraud detection. As merchants upgrade or sign up for the first time, they immediately benefit from the associated liability shift—whether or not their customers' issuers support the new protocol. From the issuer's perspective, why face the liability shift without benefit of better fraud detection? Embracing 3D Secure 2.0 is just common sense.

 

It isn't the only reason to get on board. Happy customers spend more, and one way to make customers happy is to couple a great customer experience with better security and fraud prevention.

 

Finally, adoption of 3D Secure 2.0 can help in addressing many information security requirements common to a variety of national and industry-related regulations, helping both merchants and issuers ease the burden of regulatory compliance.  For example, many of the guidelines set forth in the EU’s Payment Services Directive II (PSD2) are on par with the latest 3D Secure protocol.

 

Great! When can we start?

MasterCard and Visa are both expected to publish their program rules and guidelines by the end of this year, and 3D Secure 2.0 is expected to be mandated first in Australia as early as April 2018. The latest timelines and major milestones can be viewed here.

 

Our customers don’t need to wait to enjoy the benefits, though: we’ve been delivering many of the key features of 3D Secure 2.0 for a decade. Leveraging RSA’s risk-based authentication technology, some issuers already have eliminated cardholder enrollment and static passwords, offer biometric authentication, transaction signing and out-of-band authentication, and much more—across web and mobile channels. The results speak for themselves - achieving a 97% detection rate at a 5% intervention rate.

Outcomes