Using 3-D Secure? Here’s Why You Should Upgrade to Version 2.0 or Later
eCommerce fraud has become an increasingly serious threat as consumers continue to migrate to online shopping. Mastercard studies show that global chargeback volume is expected to hit 615 million in 2021, and the problem continues to grow.
3-D Secure (often shortened to just 3DS) is a security protocol designed to protect consumers from online payment card fraud. The technology has been somewhat effective over the years. However, 3DS products have been plagued by complaints of lower conversion rates and customer frustration. These concerns led to the rollout of 3-D Secure 2.0, beginning in 2016.
The newer product addressed many of the issues with the original 3DS, while also offering new features. In this post, we’ll look at how 3DS2 works, how it improves on version 1.0, and why, for some merchants, upgrading is an absolute necessity.
Key Benefits of Upgrading to 3-D Secure 2.0
Like we mentioned, 3-D Secure 2.0 was introduced in 2016. The newer version is less of an upgrade, and more like an entirely new product, developed with input from other major credit card brands.
This side-by-side comparison shows some of the key differences you’ll see in 3DS2:
Creating a Frictionless Flow
3DS1 authenticates cardholder information by way of a static password or PIN. Possessing both the card information and the passcode theoretically means the buyer and the cardholder are one and the same.
3-D Secure 2.0 collects roughly 10 times more data during the authentication process. This typically includes a combination of information from the merchant’s site or app, plus input from the customer’s device.
All of this information is compared to existing issuer data. The potential risk level of the transaction is assessed, automatically and in real time.
Based on this assessment, an estimated 90-95% of transactions pass into a “frictionless flow,” which allows the transaction to progress unchallenged. In other words, the result of the risk-based assessment provides enough authentication to approve most purchases with no additional input from the buyer.
In rare cases, Strong Customer Authentication will be necessary. In these cases, the user will be asked to provide a secondary type of identification. The 3DS2 technology facilitates this as well, making the authentication process much more dynamic than before. By providing a smoother, faster, and much more accurate checkout experience, you benefit from more conversions and less churn.
Solving the Problem of Passwords: Strong Customer Authentication
The static passcodes used by 3DS1 are better than no authentication at all. However, they offer minimal security. Consumers often forget passwords, or may use ones that are easily circumvented.
Strong Customer Authentication (SCA) is an online payment security requirement mandated by the Payment Services Directive (PSD2). This regulation affects everyone doing business in the European Economic Area (EEA).
Under SCA, many payment transactions now require two-factor authentication. In simple terms, customers must be able to supply two out of three secure elements:
- Something the cardholder knows: Single-use password, SMS code, PIN, security question
- Something the cardholder owns: Payment card, key fob, mobile device, token
- Something the cardholder is: Biometric data like fingerprints, voice or facial recognition
Static passwords do not meet this qualification. Enabling 3-D Secure satisfies all of the requirements for SCA, but upgrading to 3DS2 offers more protection.
There are also several exemptions to SCA; for example, transactions below a certain value. 3DS1 does not support any of them. 3-D Secure 2.0 and later, however, is required to work with any SCA exemptions that may apply. For the purpose of compliance with PSD2, merchants must upgrade to 3-D Secure 2.0 or later.
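The two-out-of-three rule above, as an added example that is not part of the original article: it checks whether a set of presented elements covers at least two distinct categories, which is why a static password alone, or a PIN plus a security question, falls short. The element names and the `check_sca` function are assumptions for illustration, using a subset of the elements listed above.

```python
# Added example: SCA "two out of three" check. Element names and the
# mapping below are assumptions drawn from a subset of the page's lists.
from dataclasses import dataclass

CATEGORY_OF = {
    "pin": "knowledge",
    "security_question": "knowledge",
    "static_password": "knowledge",
    "payment_card": "possession",
    "key_fob": "possession",
    "mobile_device": "possession",
    "token": "possession",
    "fingerprint": "inherence",
    "voice": "inherence",
    "facial_recognition": "inherence",
}

@dataclass
class ScaResult:
    satisfied: bool          # True when two distinct categories are covered
    categories: frozenset    # categories covered by recognized elements
    unrecognized: tuple      # elements ignored because they map to no category
    reason: str

def check_sca(elements):
    """Return whether the presented elements cover two distinct categories."""
    normalized = [e.strip().lower() for e in elements]
    unrecognized = tuple(e for e in normalized if e not in CATEGORY_OF)
    categories = frozenset(CATEGORY_OF[e] for e in normalized if e in CATEGORY_OF)
    if len(categories) >= 2:
        reason = "two or more distinct categories presented"
    elif len(categories) == 1:
        # Several elements of the same kind still count as one factor.
        reason = "all recognized elements are " + next(iter(categories))
    else:
        reason = "no recognized elements presented"
    return ScaResult(len(categories) >= 2, categories, unrecognized, reason)

if __name__ == "__main__":
    # Constructed sample inputs.
    for sample in (["static_password"], ["pin", "security_question"],
                   ["pin", "mobile_device"], ["fingerprint", "token", "cookie"]):
        r = check_sca(sample)
        print(sample, "->", "SCA met" if r.satisfied else "SCA not met", "|", r.reason)
```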
Leveraging Information for Machine Learning
Another feature of 3-D Secure 2.0 is the increased amount of data that it collects and shares, and how issuers can leverage that information to fine-tune the authentication process. 3DS2 allows the merchant to share considerably more data than the original protocol. This can include:
- Shopper’s established buying patterns
- Shopper’s geo-location
- Device ID and IP address
- Previous history with merchant
- Shipping, billing, & email addresses
The more data shared between merchants and issuers, the better the fraud assessments, and the lower the rate of false declines.
That said, the collected data is utilized beyond just authentication. 3DS2 allows customer profiles to evolve with the cardholder, dynamically changing the status quo. New information feeds machine learning, creating a more complete picture of the cardholder. Banks can better identify deviations from previous purchase patterns.
The information is standardized, and the customer’s profile is updated as new patterns are incorporated into the profile. This could potentially allow the cardholder to skip the secondary authentication step in future transactions.
Native Mobile Integration and Payment Options
The original 3DS only supports browser-based transactions. It was never designed to work with mobile commerce. When 3DS protocols were attempted on mobile devices, there were issues with the pop-up window, page load speeds, and more. Some users found they were unable to access the 3DS authentication page at all.
3-D Secure 2.0 allows merchants to seamlessly integrate the 3DS interface into pre-existing mobile apps. Native authentication screens help maintain the look and feel of the user experience across the entire process. This, in turn, assures the cardholder that identification requests are a valid security measure.
Again, for most transactions, authentication from mobile devices will require no further cardholder input. When necessary, however, biometric authentication can be reliably performed within the app.
3DS 2.0 also works with mobile wallet payment tools like Apple Pay or Google Pay. These work in addition to accepting standard payment cards.
Fraud Liability Shift Parameters
Merchants also benefit from a liability shift on qualifying 3-D Secure transactions. Under normal circumstances, the liability for fraudulent transactions lies with the merchant. After all, you accepted the purchase, so you are responsible for it.
Things change when the cardholder is enrolled in a 3DS program (version 1.0 or 2.0). If the issuer successfully authenticates the customer through 3-D Secure, liability transfers (“shifts”) to the issuer.
Even if the customer claims you charged them for an unauthorized transaction, the issuer will almost always be liable for the fraud. This does not mean, however, that merchants are off the hook: if the customer disputes a transaction using a non-fraud-related reason code, liability will remain with you.
3DS2 also allows sellers to activate a “non-challenge” mode. In situations where you prefer to use your own risk assessment mechanism, you can opt out of the authentication system. Here again, liability will remain with you if the transaction involved ends up being fraudulent.
Should I Upgrade to 3-D Secure 2.0?
As we mentioned, it’s a necessity for merchants and issuers conducting transactions in the European Economic Area (EEA). Even if that doesn’t apply to you, note that Visa deprecated 3DS1 in October 2021, effectively “sunsetting” support for the original version of 3-D Secure technology.
The bottom line: 3-D Secure 2.0 is simply a better protocol than 1.0. 3DS1 is less secure, less effective, and incompatible with the way consumers shop online. 3DS2 offers more features, including PSD2 compliance, fewer false declines, and better security. It also delivers an improved customer experience.
A More Complete Strategy
If there’s a disadvantage to 3-D Secure, it’s that the program does nothing to prevent friendly fraud. This threat source makes up the bulk of most merchants’ chargebacks. Friendly fraud happens post-transaction; authenticating the customer prior to purchase doesn’t help if the fraud doesn’t occur until after the fact.
The 3-D Secure authentication method does offer valuable protection against fraud. For true chargeback prevention, however, most merchants need a customized, end-to-end solution. They need to be able to separate chargebacks by source—criminal fraud, friendly fraud, and merchant error—then deploy the most effective tools where they will do the most good.
If you’re interested in learning more about 3-D Secure (or any other aspect of chargeback management), contact Chargebacks911 today. We can show you how to take chargebacks completely off your plate and increase your ROI.