If you’ve been hearing a lot lately about 3D Secure (also referred to as 3DS), it’s probably in relation to the Payment Services Directive 2 (PSD2), the sweeping new regulations instituted by the European Union. PSD2 represents the EU’s effort to strengthen the security of online transactions and push back against fraud by completely revamping its framework for regulating payment services and payment service providers.
The new PSD2 rules went into full effect on September 14, 2019. A key component of PSD2 is Strong Customer Authentication (SCA), which provides an additional layer of fraud protection on electronic purchases. One of the most straightforward ways to comply with the new SCA requirements is the new iteration of 3D Secure, known as 3D Secure 2.0.
SCA, 3DS, PSD2 – do you feel like you’re drowning in acronyms yet? We’ll try to explain the whole thing.
While 3D Secure is closely associated with PSD2, it has a history and reason for being all its own. In this article, we’ll look at the evolution of 3D Secure, from its origins in the last century to its current incarnation. We’ll clarify the connection between 3D Secure and SCA, and we’ll help you determine whether the EU regulations apply to your business.
We’ll also weigh the strengths and weaknesses of 3D Secure from the perspectives of both e-commerce merchants and consumers.
The Origins of 3D Secure
3D Secure is entering its third decade of existence. The earliest version of the authentication protocol was developed in 1999 by Arcot Systems (now CA Technologies, a Broadcom Company). Visa was an early adopter of 3D Secure, deploying it in 2001.
Over the subsequent years, every major card network rolled out its own branded 3D Secure program. You may recognize some of the brand names in the table below.
Card network | 3D Secure implementation
Visa | Visa Secure (formerly Verified by Visa)
Mastercard | Mastercard Identity Check (formerly SecureCode)
American Express | American Express SafeKey
Discover | ProtectBuy
JCB | J/Secure
How 3D Secure 1.0 Works
The “D” in 3D Secure stands for “domain.” The three domains involved in 3D Secure authentication are:
- The issuer domain, which includes the issuing bank and the cardholder.
- The acquirer domain, which includes the merchant and the merchant’s bank.
- The interoperability domain, which connects the other two: the card network’s directory server and the internet-based infrastructure that routes authentication messages between merchant and issuer.
3D Secure 1.0 is an XML-based protocol. When a cardholder enters their card details at a checkout where 3D Secure is enabled, the merchant redirects them to a separate page or loads an embedded frame. There, the cardholder must prove their identity to the issuer, typically by entering a static password they chose when they enrolled the card.
If the cardholder cannot pass the check, the issuer reports the authentication as failed and the merchant will normally decline the transaction.
The key to understanding 3D Secure is that the second authentication page is served not by the merchant or the payment service provider, but by the issuing bank’s Access Control Server (ACS). If the cardholder has not previously enrolled in 3D Secure, the issuing bank may ask them to register before completing their purchase.
The Benefits of 3D Secure 1.0
As e-commerce took off in the early 2000’s, merchants, consumers, banks, and card issuers all recognized the potential for card-not-present fraud. In those days of online shopping, it was relatively easy for a criminal to make a purchase with someone else’s payment card information. 3D Secure was invented to make it more difficult.
3D Secure requires more than a card number, expiration date, CVC code, and billing address to approve a transaction. A fraudster who has stolen those details must also pass the issuing bank’s challenge.
Another advantage of 3D Secure is that, for transactions it authenticates, liability for fraud-related chargebacks shifts from the merchant to the card-issuing bank. The merchant never sees the cardholder’s 3D Secure password (the authentication step takes place on the issuer’s page or frame) and, therefore, is not responsible for keeping it safe from hackers.
The Perils of 3D Secure 1.0
The original version of 3DS added an extra layer of security for fraudsters to penetrate. But in doing so, it also added an extra step for consumers to complete before their purchases could be finalized – sometimes several extra steps.
Therein lies the major drawback of 3D Secure. Anything that gets between an online shopper and the successful completion of their purchase can lead to abandoned shopping carts. This is called friction. Nearly 40% of U.S. cart abandonments result from long or complicated checkout procedures.
3D Secure directs consumers to unfamiliar sites where consumers are asked to confirm passwords or codes they may not remember. Rather than continuing their purchases and attempting to recover their lost passwords, consumers may simply move on to other merchants.
According to one analysis of millions of transactions, 22% of transactions that went through 3D Secure authentication were lost. Additionally,
- 3DS authentication took an average of 37 seconds.
- Only 9% of transactions were “frictionless” (taking less than five seconds to authenticate).
- Acceptance rates varied by bank, between 68% and 92%.
A different analysis reported that conversion rates dropped an average of 43% in the U.S. when 3D Secure was activated. In certain countries, such as Brazil, conversion rates dropped by more than 50%.
In 2007, as several large banks and retailers began to adopt 3D Secure, the British newspaper the Guardian reported that several of its readers contacted the paper to ask if they were being scammed.
“Understandably, many people shun the Verified by Visa box for fear that it's a fraud,” the paper reported.
The Guardian noted a disconnect between the 3DS verification pages and the conventional wisdom concerning online security: “[E]xperts are constantly warning shoppers never to hand over card details in such circumstances.”
Visa defended its use of redirects and said there had been no phishing attacks copying the Verified by Visa process.
“The verification page may look like a popup, but it is in fact a whole new web page which actually comes from the user's bank,” a company representative said. “We have designed it like that to encourage buyers to sign up as they shop.”
Another issue with 3D Secure 1.0 is that the protocol was developed in an era when mobile commerce was nonexistent. Nowadays, of course, almost everyone has a mobile device (81% of Americans own a smartphone), and many people use their devices as their primary tool for accessing the internet – shopping included.
Until recently, 3D Secure has not kept up with the mobile revolution. Mobile browsers do not support the frames and popups required for some 3DS implementations, and password verification pages are often not optimized for small mobile screens. This can also drive consumers toward more-usable sites.
An Improved Protocol: 3D Secure 2.0
Clearly, 3D Secure was due for an update to bring it into the modern era. Adoption rates for 3D Secure have been middling-to-high in Europe, but abysmal in the United States and other parts of the world. American merchants prefer lower-friction fraud prevention options, such as the Address Verification System (AVS).
In October 2016, EMVCo, the standards body owned by the major card networks, set out to remedy the faults of 3D Secure and released a new specification dubbed 3D Secure 2.0. The overhauled protocol is gaining ground worldwide and is overtaking the original formulation.
The EMVCo collaborators designed 3D Secure 2.0 to provide a smoother user experience than the previous version and to adapt to the wide range of devices people now use for online shopping. How does it achieve those objectives?
Here are some of the key features of 3D Secure 2.0:
Elimination of Static Passwords
Consumers found it burdensome to have to remember one more password to get through the original 3DS process. Version 2.0 eliminates static passwords in favor of biometrics (such as a fingerprint or facial recognition) or one-time passcodes (such as a code sent to the consumer via text message or generated in the bank’s app).
Risk-Based Authentication
A considerable percentage of purchasers (95%, according to Visa) will never see a challenge screen under 3D Secure 2.0. Instead, the new protocol supports risk-based authentication. In other words, after a cardholder enters their information on the merchant’s payment portal, transaction and device data is sent to the issuing bank, which decides whether it has enough confidence to authenticate the transaction without challenging the cardholder.
While later versions of 3D Secure 1.0 allowed for some risk-based authentication, the updated protocol carries much more information: 3D Secure 2.0 sends roughly ten times as many assessment data points as the previous version.
Issuing banks (or the vendors running their ACS) use rule engines and machine learning models to assess the risk of fraud. The 3D Secure 2.0 workflow allows them to consider factors such as:
- The cost of the transaction.
- Whether the customer has purchased from the merchant before.
- The customer’s transaction history.
- The customer’s behavioral history.
- Information about the customer’s device.
If the card issuer determines it needs more information, it will put the buyer into a challenge authentication flow. If not, the buyer will enter a frictionless flow; the transaction will be approved behind the scenes without any further involvement from the cardholder.
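To make the frictionless-versus-challenge split concrete, here is an added example of how an issuer-side decision of this kind can be structured. It is illustrative code written for this article, not code from the page, from EMVCo or from any card network: the request fields, the cardholder profile, the weights and the two thresholds are all assumptions, and the challenge is modelled as a one-time code that the issuer stores only as a salted hash and checks in constant time.

```python
"""Toy model of a 3D Secure 2.0 risk-based authentication decision.

Added example, not code from the page, from EMVCo or from any card network.
The data elements, weights and thresholds are assumptions chosen to show the
shape of the decision: the issuer scores the request, then either approves it
silently ('Y', the frictionless flow), demands a challenge ('C') or refuses ('N').
"""
from __future__ import annotations
from dataclasses import dataclass, field
import hashlib
import hmac
import secrets


@dataclass(frozen=True)
class AuthRequest:
    """Subset of what the merchant side sends the issuer (assumed fields)."""
    amount: int                      # minor units (cents)
    merchant_id: str
    card_token: str
    device_id: str                   # fingerprint collected by the merchant's SDK
    ip_country: str
    billing_country: str
    shipping_matches_billing: bool


@dataclass
class CardholderProfile:
    """What the issuer already knows about this card (assumed fields)."""
    known_devices: set = field(default_factory=set)
    merchants_seen: set = field(default_factory=set)
    typical_amount: int = 0          # median historical amount, minor units
    recent_declines: int = 0


CHALLENGE_AT = 40   # score at or above which the cardholder is challenged
DENY_AT = 90        # score at or above which the issuer refuses outright


def risk_score(req: AuthRequest, profile: CardholderProfile) -> int:
    """Additive risk score; weights are illustrative, not a card network's model."""
    score = 0
    if req.device_id not in profile.known_devices:
        score += 30                  # unseen device
    if req.merchant_id not in profile.merchants_seen:
        score += 15                  # first purchase from this merchant
    if profile.typical_amount and req.amount > 3 * profile.typical_amount:
        score += 25                  # far above the cardholder's usual spend
    if req.ip_country != req.billing_country:
        score += 20
    if not req.shipping_matches_billing:
        score += 10
    score += 10 * min(profile.recent_declines, 3)
    return score


def decide(req: AuthRequest, profile: CardholderProfile) -> str:
    """Issuer decision: 'Y' frictionless, 'C' challenge required, 'N' refused."""
    score = risk_score(req, profile)
    if score >= DENY_AT:
        return "N"
    if score >= CHALLENGE_AT:
        return "C"
    return "Y"


def issue_otp(req: AuthRequest) -> tuple[str, bytes]:
    """Challenge flow: generate a six-digit code to send out of band (e.g. SMS).

    Returns the code for delivery and the salted hash the issuer stores; the
    plaintext code is never kept server-side.
    """
    code = f"{secrets.randbelow(10**6):06d}"
    salt = secrets.token_bytes(16)
    digest = hashlib.sha256(salt + code.encode() + req.card_token.encode()).digest()
    return code, salt + digest


def verify_otp(req: AuthRequest, submitted: str, stored: bytes) -> bool:
    """Constant-time check of the submitted code against the stored record."""
    salt, digest = stored[:16], stored[16:]
    candidate = hashlib.sha256(salt + submitted.encode() + req.card_token.encode()).digest()
    return hmac.compare_digest(candidate, digest)


def authenticate(req: AuthRequest, profile: CardholderProfile,
                 cardholder_answers=None) -> str:
    """Run the full flow. `cardholder_answers(code) -> str` simulates the person
    typing the code they received; it is only invoked in the challenge flow."""
    outcome = decide(req, profile)
    if outcome != "C":
        return outcome
    code, record = issue_otp(req)
    if cardholder_answers is None or not verify_otp(req, cardholder_answers(code), record):
        return "N"
    profile.known_devices.add(req.device_id)     # a passed challenge teaches the issuer
    profile.merchants_seen.add(req.merchant_id)
    return "Y"


if __name__ == "__main__":
    # Constructed sample data, not real cardholder records.
    profile = CardholderProfile(known_devices={"dev-home"}, merchants_seen={"shop-a"},
                                typical_amount=4_000)
    repeat = AuthRequest(3_500, "shop-a", "tok-1", "dev-home", "DE", "DE", True)
    new_device = AuthRequest(20_000, "shop-b", "tok-1", "dev-phone", "DE", "DE", True)
    print(decide(repeat, profile))                          # Y: frictionless
    print(decide(new_device, profile))                      # C: challenge
    print(authenticate(new_device, profile, lambda c: c))   # Y after a correct code
    print(decide(new_device, profile))                      # Y: device now known
```

The point to notice is the feedback loop at the end of `authenticate`: a passed challenge enrolls the device and merchant in the profile, which is why the same cardholder on the same phone drops into the frictionless flow on the next purchase.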
Native Mobile Support
The original 3DS protocol was designed solely for desktop web browsers. The user experience on mobile devices was awkward, slow, or completely non-functional.
3D Secure 2.0, on the other hand, supports all kinds of mobile devices, including smartphones, tablets, and wearables. An EMVCo-specified 3DS SDK lets developers integrate verification challenges natively into their apps (browser checkouts use an in-page challenge window instead) – no redirects, popups, or separate verification sites required.
For example, you can enable your mobile app to verify a user’s identity with a fingerprint or face scan without sending them to a third-party verification site.
The mobile SDK also offers integration with mobile wallets, an increasingly popular way to pay.
Is 3D Secure 2.0 Truly Better?
It may be too soon to tell whether 3D Secure 2.0 provides a more pleasant user experience than its predecessor and whether it will cut back on abandoned carts. Visa says the 3D Secure update causes user drop-off rates to decline by 70%, and transaction time is reduced by 85%.
As more merchants and banks adopt the protocol in response to government regulations, more data will become available.
3D Secure and EU Regulations
3D Secure – in either of its forms – is not the only way to prevent card-not-present fraud. It’s not even necessarily the most effective way. But payment card networks are championing 3D Secure as the best way to comply with the EU’s SCA requirements.
What Is SCA?
Strong Customer Authentication is a critical component of the EU’s new Payment Services Directive 2 (PSD2), spelled out in the European Banking Authority’s Regulatory Technical Standards on SCA. Those standards applied from September 14, 2019, but the EBA allowed national regulators to defer enforcement for e-commerce card payments until Dec. 31, 2020.
To comply with SCA, the payer’s payment service provider (for card payments, the issuing bank) must verify the customer’s identity using at least two of three independent elements, and merchants that accept online payments must be able to support that check at checkout:
- Something the customer knows, such as a password or PIN. Details printed on the card, such as the number and expiration date, do not count: the EBA’s 2019 opinion on the elements of SCA excludes them.
- Something the customer has, such as a registered phone, a banking app, or a hardware token.
- Something the customer is, verified biometrically, such as with a face scan or fingerprint.
This level of authentication is referred to generically as two-factor authentication. The elements must be independent, so that compromising one does not compromise the other.
A 3DS 2.0 verification challenge meets the requirements of SCA when it combines two such elements. For example, after a cardholder enters their payment information, the issuer may send a one-time passcode to the cardholder’s registered phone via SMS (something they have) and also ask for a PIN or password set with the bank (something they know), or it may prompt for a fingerprint in its banking app (something they are) on that registered device (something they have). Entering the card number by itself does not supply the knowledge element.
Critically, SCA makes allowances for low-risk transactions. The acquirer or issuer may apply the transaction risk analysis exemption, a real-time fraud check (like the one built into 3D Secure 2.0) that exempts transactions it deems safe, provided the provider’s fraud rate stays below thresholds set for amounts up to 500 euros.
Transactions under 30 euros are also exempt, within limits: once the cumulative value of payments since the last SCA exceeds 100 euros, or after five consecutive payments without SCA, the issuer must challenge the cardholder again.
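The factor rules and the two exemptions above are easy to get wrong in code, so here is an added example that models them. It is written for this article and is not code from the page, from a regulator or from any card network. The factor categories follow the list above; the low-value limits (30 euros per transaction, 100 euros cumulative or five consecutive payments since the last SCA) and the transaction risk analysis bands (100, 250 and 500 euros at reference fraud rates of 0.13%, 0.06% and 0.01%) are those of the PSD2 Regulatory Technical Standards on SCA. The function names, the data shapes, and the choice to enforce both low-value limits at once (the RTS lets the issuer pick either) are assumptions.

```python
"""Toy SCA gate: which authentication elements count as two independent
factors, and when the low-value and transaction-risk-analysis exemptions apply.

Added example, not code from the page, from a regulator or from any card
network. Limits and bands follow the PSD2 RTS on SCA (Articles 16 and 18 and
its Annex); treating printed card data as no factor at all follows the EBA's
June 2019 opinion. Names, data shapes and the decision to enforce both
low-value limits together are assumptions made for illustration.
"""
from dataclasses import dataclass
from typing import Iterable

KNOWLEDGE, POSSESSION, INHERENCE = "knowledge", "possession", "inherence"

# Category of each piece of evidence. Data printed on the card is neither
# something the customer knows nor something they have.
ELEMENT_CATEGORY = {
    "password": KNOWLEDGE, "pin": KNOWLEDGE,
    "sms_otp": POSSESSION, "app_otp": POSSESSION, "hardware_token": POSSESSION,
    "fingerprint": INHERENCE, "face": INHERENCE,
    "card_number": None, "expiry_date": None, "cvc": None,
}


def is_strong(elements: Iterable[str]) -> bool:
    """SCA needs elements from at least two *different* categories."""
    categories = {ELEMENT_CATEGORY.get(e) for e in elements} - {None}
    return len(categories) >= 2


LOW_VALUE_LIMIT = 30_00       # EUR 30, in cents
CUMULATIVE_LIMIT = 100_00     # EUR 100 since the last SCA
MAX_CONSECUTIVE = 5           # payments without SCA since the last SCA


@dataclass
class SinceLastSca:
    """Per-card counters the issuer keeps between applications of SCA."""
    cumulative_cents: int = 0
    count: int = 0

    def record(self, amount_cents: int) -> None:
        self.cumulative_cents += amount_cents
        self.count += 1

    def reset(self) -> None:
        self.cumulative_cents = 0
        self.count = 0


def low_value_exempt(amount_cents: int, since: SinceLastSca) -> bool:
    """Art. 16 low-value exemption (conservative: both limits enforced)."""
    if amount_cents > LOW_VALUE_LIMIT:
        return False
    if since.cumulative_cents + amount_cents > CUMULATIVE_LIMIT:
        return False
    if since.count >= MAX_CONSECUTIVE:
        return False
    return True


# (upper amount in cents, maximum reference fraud rate of the PSP)
TRA_BANDS = [(100_00, 0.0013), (250_00, 0.0006), (500_00, 0.0001)]


def tra_exempt(amount_cents: int, psp_fraud_rate: float) -> bool:
    """Art. 18 transaction risk analysis: allowed only while the PSP's fraud
    rate stays under the threshold for the amount band; never above EUR 500."""
    for upper, max_rate in TRA_BANDS:
        if amount_cents <= upper:
            return psp_fraud_rate <= max_rate
    return False


def decide(amount_cents: int, since: SinceLastSca, psp_fraud_rate: float,
           elements: Iterable[str] = ()) -> str:
    """Outcome for one remote card payment, updating the per-card counters."""
    if low_value_exempt(amount_cents, since):
        since.record(amount_cents)
        return "exempt-low-value"
    if tra_exempt(amount_cents, psp_fraud_rate):
        since.record(amount_cents)          # still counts toward the EUR 100 / five
        return "exempt-tra"
    if is_strong(elements):
        since.reset()                       # SCA applied: counters start over
        return "authenticated"
    return "sca-required"


if __name__ == "__main__":
    # Constructed walk-through: a card whose PSP has a 0.5% fraud rate, so
    # TRA never applies and only the low-value exemption is available.
    since = SinceLastSca()
    for _ in range(5):
        print(decide(15_00, since, 0.005))                   # exempt-low-value x5
    print(decide(15_00, since, 0.005))                       # sca-required (sixth)
    print(decide(15_00, since, 0.005, ["card_number", "cvc"]))  # sca-required
    print(decide(15_00, since, 0.005, ["pin", "sms_otp"]))      # authenticated
    print(decide(29_00, since, 0.005))                       # exempt-low-value again
```

Two edge cases the walk-through exercises: the sixth consecutive small payment is not exempt even though it is under 30 euros, and a larger payment exempted under transaction risk analysis still consumes the 100-euro cumulative allowance, so a 10-euro purchase right after a 200-euro TRA-exempt one cannot use the low-value exemption.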
Does SCA Apply to Your Business?
As a law of the European Union, PSD2 will be enforced only within the European Economic Area (EEA). If both “legs” of the payment – the acquiring bank and the issuing bank – are within the EEA, SCA absolutely applies.
If only one leg is in the EEA – for example, your company is based in the U.S., but a customer living in the EU makes a purchase with an EU-based credit card – the payment is still subject to certain PSD2 regulations, but SCA is not mandatory. EEA issuers are expected to apply it on a best-efforts basis, however, so the customer’s bank may still challenge the payment. In any case, the responsibility for compliance falls on the EU-based payment service provider.
The European Commission clarified this in a FAQ released in 2018: “The extension of the scope [from PSD1 to PSD2] has implications primarily for the banks and other payment service providers that are located in the EU.”
If your business is based outside the EU, but you do business with customers who live in the zone, you may want to check with your payment service provider regarding whether you or they need to take action to comply with SCA.
Should You Use 3D Secure to Prevent Fraud on Your E-Commerce Site and Apps?
If you are not required to use an SCA-compliant fraud-prevention system such as 3D Secure, should you?
Perhaps. Card-not-present fraud is skyrocketing, as is its cost. In 2013, fraud as a percentage cost of revenues averaged 0.51%. In 2018, it was 1.8%. To prevent expensive chargebacks, every merchant should have some degree of fraud protection.
At the same time, overzealous fraud protection measures can block legitimate purchases, driving frustrated customers into the hands of competitors. False declines can cost merchants up to 13 times more than fraudulent purchases.
When you rely on 3D Secure for fraud protection, you rely on the rules set by the card networks and issuing banks to spot fraud and let legitimate purchases through. Those rules may yet prove themselves reliable, but they are not your only option.
The ClearSale fraud protection solution takes a multilayered approach, combining proprietary AI technology and expert manual review for the highest approval rates in the industry.
ClearSale is agnostic in terms of payment methods and will work alongside any other authentication services you or your payment services provider have in place, including 3D Secure.