Using 3-D Secure? Here’s Why You Should Upgrade to Version 2.0 or Later
eCommerce fraud has become an increasingly serious threat as consumers continue to migrate to online shopping. Mastercard studies show that global chargeback volume is expected to hit 615 million in 2021, and the problem continues to grow.
3-D Secure (often shortened to just 3DS) is a security protocol designed to protect consumers from online payment card fraud. The technology has been somewhat effective over the years. However, 3DS products have been plagued by complaints of lower conversion rates and customer frustration.
These concerns led to the rollout of 3-D Secure 2.0, beginning in 2016. The newer product addressed many of the issues with the original 3DS, while also offering new features. In this post, we’ll look at how 3DS2 works, how it improves on version 1.0, and why, for some merchants, upgrading is an absolute necessity.
Key Benefits of Upgrading to 3-D Secure 2.0
Like we mentioned, 3-D Secure 2.0 was introduced in 2016. The newer version is less of an upgrade, and more like an entirely new product, developed with input from other major credit card brands.
This side-by-side comparison shows some of the key differences you’ll see in 3DS2:
Creating a Frictionless Flow
3DS1 authenticates cardholder information by way of a static password or PIN. Possessing both the card information and the passcode theoretically means the buyer and the cardholder are one and the same.
3-D Secure 2.0 collects roughly 10 times more data during the authentication process. This typically includes a combination of information from the merchant’s site or app, plus input from the customer’s device.
All of this information is compared to existing issuer data. The potential risk level of the transaction is assessed, automatically and in real time.
Based on this assessment, an estimated 90-95% of transactions pass into a “frictionless flow,” which allows the transaction to progress unchallenged. In other words, the result of the risk-based assessment provides enough authentication to approve most purchases with no additional input from the buyer.
In rare cases, Strong Customer Authentication will be necessary. In these cases, the user will be asked to provide a secondary type of identification. The 3DS2 technology facilitates this as well, making the authentication process much more dynamic than before. By providing a smoother, faster, and much more accurate checkout experience, you can get 3DS responses, while benefitting from more conversions and less churn.
Solving the Problem of Passwords: Strong Customer Authentication
The static passcodes used by 3DS1 are better than no authentication at all. However, they offer minimal security. Consumers often forget passwords, or may use ones that are easily circumvented.
Strong Customer Authentication (SCA) is an online payment security requirement mandated by the Payment Services Directive (PSD2). This regulation affects everyone doing business in the European Economic Area (EEA).
Under SCA, many payment transactions now require two-factor authentication. In simple terms, customers must be able to supply two out of three secure elements:
- Something the cardholder knows: Single-use password, SMS code, PIN, security question
- Something the cardholder owns: Payment card, key fob, mobile device, token
- Something the cardholder is: Biometric data like fingerprints, voice or facial recognition
Static passwords do not meet this qualification. Enabling 3-D Secure satisfies all of the requirements for SCA, but upgrading to 3DS2 offers more protection.
There are also several exemptions to SCA. For example, transactions below a certain dollar value, or in which transaction risk analysis is deployed, are not required to meet SCA standards.
3DS1 does not support any of these exemptions. 3-D Secure 2.0 and later, however, is required to work with any SCA exemptions that may apply. For the purpose of compliance with PSD2, merchants must upgrade to 3-D Secure 2.0 or later.
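The two-out-of-three rule and the exemptions described above, as an added example (not code from this article or from any 3DS product). The names `Factor`, `Payment` and `sca_decision` are hypothetical, the low-value limit is a constructed placeholder because the article gives no figure, and the exemption logic is simplified to the two cases the article names.

```python
from dataclasses import dataclass, field
from enum import Enum

class Category(Enum):
    KNOWLEDGE = "something the cardholder knows"
    POSSESSION = "something the cardholder owns"
    INHERENCE = "something the cardholder is"

@dataclass(frozen=True)
class Factor:
    name: str
    category: Category
    verified: bool  # True only if this element was actually validated

@dataclass
class Payment:
    amount: float
    factors: list = field(default_factory=list)
    tra_applied: bool = False  # transaction risk analysis deployed

# Assumption: constructed placeholder for "below a certain dollar value".
LOW_VALUE_LIMIT = 30.00

def sca_decision(p: Payment, low_value_limit: float = LOW_VALUE_LIMIT) -> str:
    """Return 'exempt', 'sca_met' or 'challenge_required'."""
    if p.amount < low_value_limit or p.tra_applied:
        return "exempt"
    # Count distinct categories, not factors: a password plus a PIN is
    # still only "something the cardholder knows".
    categories = {f.category for f in p.factors if f.verified}
    return "sca_met" if len(categories) >= 2 else "challenge_required"

# Constructed sample payments, not real transaction data.
PASSWORD = Factor("static password", Category.KNOWLEDGE, True)
PIN = Factor("PIN", Category.KNOWLEDGE, True)
DEVICE = Factor("mobile device", Category.POSSESSION, True)
FINGERPRINT = Factor("fingerprint", Category.INHERENCE, True)
BAD_FINGERPRINT = Factor("fingerprint", Category.INHERENCE, False)

SAMPLES = {
    "static password only": Payment(120.0, [PASSWORD]),
    "password + PIN": Payment(120.0, [PASSWORD, PIN]),
    "device + fingerprint": Payment(120.0, [DEVICE, FINGERPRINT]),
    "device + failed fingerprint": Payment(120.0, [DEVICE, BAD_FINGERPRINT]),
    "low value, no factors": Payment(12.0),
    "TRA applied": Payment(500.0, tra_applied=True),
}

def evaluate_samples() -> dict:
    return {label: sca_decision(p) for label, p in SAMPLES.items()}

if __name__ == "__main__":
    for label, outcome in evaluate_samples().items():
        print(f"{label:30} {outcome}")
```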
Leveraging Information for Machine Learning
Another feature of 3-D Secure 2.0 is the increased amount of data that it collects and shares, and how issuers can leverage that information to fine-tune the authentication process. 3DS2 allows the merchant to share considerably more data than the original protocol. This can include:
- Shopper’s established buying patterns
- Shopper’s geo-location
- Device ID and IP address
- Previous history with merchant
- Shipping, billing, & email addresses
The more data shared between merchants and issuers, the better the fraud assessments, and the lower the rate of false declines.
That said, the collected data is utilized beyond just authentication. 3DS2 allows customer profiles to evolve with the cardholder, dynamically changing the status quo. New information feeds machine learning, creating a more complete picture of the cardholder. Banks can better identify deviations from previous purchase patterns.
The information is standardized, and the customer’s profile is updated as new patterns are incorporated into the profile. This could potentially allow the cardholder to skip the secondary authentication step in future transactions.
Native Mobile Integration and Payment Options
The original 3DS only supports browser-based transactions. It was never designed to work with mobile commerce. When 3DS protocols were attempted on mobile devices, there were issues with the pop-up window, page load speeds, and more. Some users found they were unable to access the 3DS authentication page at all.
3-D Secure 2.0 allows merchants to seamlessly integrate the 3DS interface into pre-existing mobile apps. Native authentication screens help maintain the look and feel of the user experience across the entire process. This, in turn, assures the cardholder that identification requests are a valid security measure.
Again, for most transactions, authentication from mobile devices will require no further cardholder input. When necessary, however, biometric authentication can be reliably performed within the app.
3DS 2.0 also works with mobile wallet payment tools like Apple Pay or Google Pay. These work in addition to accepting standard payment cards.
Fraud Liability Shift Parameters
Merchants also benefit from a liability shift on qualifying 3-D Secure transactions. Under normal circumstances, the liability for fraudulent transactions lies with the merchant. After all, you accepted the purchase, so you are responsible for it.
Things change when the cardholder is enrolled in a 3DS program (version 1.0 or 2.0). If the issuer successfully authenticates the customer through 3-D Secure, liability transfers (“shifts”) to the issuer.
Even if the customer claims you charged them for an unauthorized transaction, the issuer will almost always be liable for the fraud. This does not mean, however, that merchants are off the hook: if the customer disputes a transaction using a non-fraud-related reason code, liability will remain with you.
3DS2 also allows sellers to activate a “non-challenge” mode. In situations where you prefer to use your own risk assessment mechanism, you can opt out of the authentication system. Here again, liability will remain with you if the transaction involved ends up being fraudulent.
Should I Upgrade to 3-D Secure 2.0?
As we mentioned, it’s a necessity for merchants and issuers conducting transactions in the European Economic Area (EEA). Even if that doesn’t apply to you, note that Visa deprecated 3DS1 in October 2021, effectively “sunsetting” support for the original version of 3-D Secure technology. Now, all Verified by Visa transactions should use 3DS2.
Mastercard also encourages merchants to embrace the newer technology. With the new 3DS-based product Mastercard Identity Check, merchants can take advantage of 3DS technology.
The bottom line: 3-D Secure 2.0 is simply a better protocol than 1.0.
3DS1 is less secure, less effective, and incompatible with the way consumers shop online. 3DS2 offers more features, including PSD2 compliance, fewer false declines, and better security. It also delivers an improved customer experience.
A More Complete Strategy
If there’s a disadvantage to 3-D Secure, it’s that the program does nothing to prevent friendly fraud. This threat source makes up the bulk of most merchants’ chargebacks. Friendly fraud happens post-transaction; authenticating the customer prior to purchase doesn’t help if the fraud doesn’t occur until after the fact.
The 3-D Secure authentication method does offer valuable protection against fraud. For true chargeback prevention, however, most merchants need a customized, end-to-end solution. They need to be able to separate chargebacks by source—criminal fraud, friendly fraud, and merchant error—then deploy the most effective tools where they will do the most good.
If you’re interested in learning more about 3-D Secure (or any other aspect of chargeback management), contact Chargebacks911 today. We can show you how to take chargebacks completely off your plate and increase your ROI.