3-D Secure: Card Authentication & Fraud Protection for Merchants
What do Verified by Visa, Mastercard SecureCode, and American Express SafeKey have in common? They’re all fraud protection tools based on a technology called 3-D Secure (often shortened to just 3DS).
The 3-D Secure system was designed to protect consumers—and you as a merchant—from online payment card fraud. The goal here is to insure that card transaction completed online are made by the actual cardholder.
3DS technology has been an important defense against fraudulent chargebacks over the last two decades. But, while 3-D secure has helped address eCommerce fraud, many merchants have been slow to adopt the technology. They worry that it lowers conversion rates and encourages shopping cart abandonment.
In this post, we’ll look at what 3-D Secure is and how it works. We’ll also see how it’s evolved since first becoming available, the pros and cons of the technology, and whether you should really worry about3DS impacting conversion.
- How Does Address Verification Service Help Prevent Fraud?
- Verified by Visa: How Much Protection Does It Really Offer?
- What are Velocity Checks?
- Can Mastercard Identity Check Help Merchants Stop Fraud?
- 3-D Secure 2.0: What You Need to Know Before Upgrading
- Strong Customer Authentication: What You Should Know in 2021
What Is 3-D Secure?
- 3-D Secure
3-D Secure is a security technology that works like a PIN code for online purchases. The goal of 3DS is to authenticate purchasers as authorized cardholders. This extra layer of verification helps protect both cardholders and merchants from fraudulent transactions.
[proper noun]/*• three • dee ●si •kyoor •/
3-D Secure is a customer authentication protocol created for eCommerce. The system is used to validate buyers at checkout, creating an additional layer of security for online transactions. Card networks recommend that both issuing banks and merchants support the protocol.
You can enroll in 3DS programs through each card brand. If you’re not comfortable doing this yourself, contact your processor or merchant account provider see if they offer 3DS and can help you deploy it in your eCommerce store. There are also third-party providers that can help you implement 3-D Secure verification as part of a chargeback management plan.
The “3-D” in the name refers to the three domains that are bridged by the protocol:
Although based on the same technology, 3-D Secure verification tools vary slightly depending on the card scheme. It also goes by different names, according to the brand:
|Card Network||3-D Secure Brand Name|
|Verified by Visa|
|Mastercard Identity Check
|American Express SafeKey|
|JCB International J/Secure|
What is 3DS 2.0?
As we mentioned, 3-D Secure has been proven to increase shopping security. However, the original release (3-D Secure 1.0, or 3DS1) had inherent flaws. The protocol added friction to the checkout process, for example, and only supported browser-based transactions. This resulted in a negative customer experience, as well as lower conversions for most merchants.
3-D Secure can be effective. It’s still important to deploy comprehensive, multi-level fraud management, though.
3-D Secure 2.0, along with later updates, functions more seamlessly and includes new features. This version of 3-D Secure is required to accept credit cards in Europe (as of this writing, it remains optional in other regions).
This article will discuss 3-D secure broadly without always making a distinction between 1.0 and 2.0. For more information specifically about the newer 2.0 protocol, including an analysis of the differences between the first and second versions, we recommend reading the below article:Learn More About 3DS 2.0
How Does 3-D Secure Work?
3DS1 authenticates cardholder information by way of a static password or PIN. The consumer is typically presented with a pop-up window to enter a pre-established code. The concept was simple, but the execution was lacking.
The newer 3-D Secure authentication serves the same purpose using different means. Nearly 150 points of transaction data are sent to the issuing bank, automatically and in real time. This includes things like IP address, merchant category code, shipping address, and so on.
The issuer compares the transaction data against known customer information such as buying history or payment card address. Artificial intelligence and machine learning assess the fraud threat, and one of five transaction labels will be returned to the merchant:
|Authentication successful||Proceed with purchase.|
|Authentication attempted||An unsuccessful attempt was made to authenticate the customer.|
|Authentication failed||The buyer is not the cardholder.|
|Authentication unavailable||For some reason, the customer identity could not be confirmed or denied.|
|Error||Something went wrong in the authentication process.|
The key benefit of 3DS 2.0 is that 95% of all transactions qualify for immediate approval. There’s no additional direct input required from the customer. With this “frictionless flow,” consumers are often approved without even realizing the authentication check was performed.
A small minority of transactions will be as a riskier. The buyer will be asked to provide additional cardholder information in these cases. This could consist of a one-time password, or perhaps a biometric form of ID like fingerprint or voice recognition (neither of which was supported in 3DS1).
In rare instances, the consumer may be required to go through the older verification process.
How Much Does 3-D Secure Cost?
Fraud protection from 3-D Secure comes at a cost. Merchants will pay a flat fee for every transaction sent via 3DS. In addition, card schemes like Visa and Mastercard impose fees on the process as well.
The price you pay as a merchant will vary depending on your processor, the card network, and other factors. Currently, the price typically falls within $0.20 and $0.35 per transaction in the US. Not surprisingly, the more transactions you send through the 3DS2 protocol, the lower the per-transaction cost will be.
All of which raises the question: is implementing 3-D Secure worth it? Let’s take a look at what you get for your money.
Benefits of 3-D Secure
The technology offers multiple benefits, regardless whether you’re upgrading from the original 3-D Secure protocol, or deploying 3-D Secure payment verification for the first time:
Security and Fraud Prevention
The 3DS2 protocol uses Risk-Based Authentication (RBA) to analyze data and assess the fraud risk of each transaction in real time. Because the risk level is backed by so much information, the process provides a high level of security and lowers the risk of criminal fraud.Learn more about fraud prevention
3DS2’s frictionless flow authenticates most customers in real time, with no additional action needed on the part of the cardholder. Merchants benefit from this enhanced customer experience, as well. Frictionless transactions lead to more conversions and less churn. More combined data points mean fewer false positives.Learn more about the customer experience
Strong Customer Authentication (SCA) is a fraud reduction/online payment security mandate that was an integral part of the revised Payment Services Directive (PSD2). SCA requires transactions in the European Union to have two forms of customer identification.
3-D Secure represents the latest standard in global payment security, and the protocol is a requirement in order to accept credit cards in Europe. The technology involves such a robust transaction analysis that most transactions deploying 3DS2 may be deemed “SCA compliant” even without the secondary identification. 3DS2 supports alternate authentication methods such as biometrics (fingerprint scanning or voice recognition) or single-use passwords/security codes.Learn more about Strong Customer Authentication
PSD2: What It Is, Why It Matters, and What Merchants Need to Know
EU’s revised Payment Services Directive will have repercussions for merchants globally. Download our free report to learn about key elements of this directive.Free Download
Merchants also benefit from a liability shift on qualifying 3DS transactions. Normally, merchants are the ones liable for a transaction when a chargeback occurs. Using the original 3-D Secure technology shifts the liability for chargebacks to the issuing bank.
3DS 2.0 still supports this liability shift, but the coverage differs. Now, this protection only applies if a) authentication was successful; and b) a fraud-based chargeback is filed. If both of these criteria are not met, the chargeback liability stays with the merchant.Learn more about fraud liability
Seamless Support Across Devices
3DS1 was not compatible with mobile devices. 3-D Secure 2.0 allows merchants to natively integrate the protocol into pre-existing mobile apps.
You can reliably conduct 3-D Secure 2.0 payments in both application and browser-based solutions, as well as on mobile and other consumer-connected devices. Also, a 3DS2 payment can be made using payment card, as well as through in-app or digital wallet purchases.Learn about mobile commerce
Finally, 3-D Secure 2.0 also offers a "Non-payment Authentication” option. This lets you validate cardholders without requiring a purchase or processing a small refundable charge.
Disadvantages of 3-D Secure
The 3DS2 protocol has proven to be highly effective fraud deterrent. Are there any disadvantages to using this tool?
If you’re using 3-D Secure 1.0, then yes, there are definitely potential drawbacks. The protocol is not as secure, and is more prone to false positives. Customers can be confused by the pop-up window, or annoyed at the extra step at checkout. Either situation can lead to cart abandonment.
With the current version, however, most of the problems that users (and merchants) had with the original protocol have been addressed. 3DS2 can still cause a small amount of friction in some cases. Even so, it’s minor compared the previous solution.
The 2021 Chargeback Field Report
The 2021 Chargeback Field Report is now available. Based on a survey of over 400 US and UK merchants, the report presents a comprehensive, cross-vertical look at the current state of chargebacks and chargeback management.Free Download
3DS1’s liability shift is still in place, although the protection may be limited, based on which card network you work with. The specifics can vary; it’s always best to check with the card network for details.
Then, of course, there are the fees we mentioned earlier. For high-ticket or high-risk merchandise, the fees can seem small compared to the potential loss. If you deal with lower-priced merchandise and have slimmer profit margins, you’ll need to look closely at your potential ROI.
A More Complete Strategy
The biggest disadvantage to the 3-D Secure program is that it does nothing to prevent friendly fraud, which makes up the bulk of most merchants’ chargebacks. Friendly fraud happens post-transaction; Authenticating the customer prior to purchase doesn’t help if the fraud doesn’t occur until after the fact.
The 3-D Secure authentication method does offer valuable protection against fraud. It works best, however, as part of a multi-level fraud and chargeback management strategy.
Fraud and chargeback prevention and risk mitigation coverage can be increased by deploying multiple complimentary tools, including:
- Velocity limits
- CVV verification
- Address verification
- Fraud filters
These should be backed by fraud scoring, which will allow you to automatically decline orders that present too much risk. This will go a long way to help protect your business against fraud and chargebacks. For true risk mitigation, though, you need a customized, end-to-end solution that can deploy the right tools and tactics where they will do the most good.
If you’re interested in learning more about 3-D Secure—or any other aspect of chargeback management—contact Chargebacks911® today. We can show you how to take chargebacks completely off your plate and increase your ROI.