Ecommerce is booming in Australia, and customer expectations are higher than ever. That means online businesses need card-not-present (CNP) authentication tools that deter fraudsters without sacrificing customer experience. The latest version of the 3D Secure protocol — 3DS2 — aims to satisfy this requirement by enhancing authentication while reducing friction that could drive away customers.
However, 3DS2 awareness and adoption lag in Australia ahead of an October 2022 implementation target set by card issuers, and some retailers have expressed concern that there’s still enough friction in the solution to affect conversions. Getting to know 3DS2 now can help retailers catch up, while also helping them decide whether and how to use 3DS2 as part of a layered approach to fraud control.
What Is 3DS2?
3DS, short for 3D Secure, is EMVCo’s multifactor authentication protocol used for online transactions. Historically, 3DS has been considered effective, but there have been concerns about increased rates of cart abandonment due to the effort it requires on the part of the customer. As of March 2021, 35% of Australian online shoppers said they’d abandoned at least one ecommerce purchase because the checkout process took too long or was too complicated.
3DS2, the latest version of 3DS, was built to increase security and decrease friction. The single biggest improvement in 3DS2 is the range of authentication methods it uses. The previous version of 3DS relied on easily compromised data such as static passwords, but 3DS2 supports methods like biometrics, one-time passwords, and token-based authentication. 3DS2 also has access to more data that can help to determine the risk that a transaction is fraudulent.
These changes could make life easier for customers and harder for fraudsters because the authentication methods 3DS2 uses are simple for legitimate users and more difficult than static passwords for criminals to bypass. The expanded dataset 3DS2 uses means that in the event that criminals manage to take over a victim’s account, their transactions are more likely to be identified as fraudulent and declined. That makes 3DS2 a more valuable component of the fraud-prevention stack than previous 3DS versions.
3DS2 also finally provides native mobile integration. The original 3DS was designed before the widespread adoption of smartphones, and it showed. Authenticating with 3DS on mobile involved redirection and browser popups, with authentication pages sometimes breaking or failing to load. When the page did load properly, it was sometimes viewed with suspicion by customers, since it was clearly not part of the app which they had been using moments before.
By contrast, 3DS2 can be integrated directly into apps, doesn’t require the user to leave the app, and is visually consistent with the rest of the application. That’s critical in an age when the mobile share of ecommerce is growing, and it gives retailers another layer to add to their mobile anti-fraud programs.
Potential 3DS2 downsides
Although 3DS2 is a major improvement over its predecessor, it’s not without flaws. The cost per transaction is higher with 3DS2, which can disproportionately impact small and low-margin businesses. And like any tool that introduces multifactor authentication into the checkout process, there’s some risk of false positives and friction-related cart abandonment with 3DS2. Some retailers have addressed this issue by layering 3DS2 with a solution that manually reviews flagged orders to prevent false declines and approve as many good orders as possible. This approach can protect top-line revenue while preventing chargeback-related losses.
There also might be a lingering issue with authentication times. Australian customers are used to very fast authentication compared to consumers in other regions. While 3DS2 has a better rate of successful authentication than 3DS, it also takes longer. One study found that 3DS increased the rate of successful transactions by 13%, but the average time to authenticate rose by four seconds. This increased time to authentication could frustrate or alarm some customers, so retailers using 3DS2 may need to proactively manage customer expectations about order authentication times.
State of the 3DS2 shift in Australia
Most CNP transactions in Australia are protected by 3DS, but not all businesses using 3DS have made the upgrade to the latest version, and continuing to use the original 3D Secure won’t be an option for much longer. In mid-October, Visa, Mastercard, and American Express will stop supporting 3DS1 transactions. Retailers that haven’t made the switch may be stuck without a way to process card payments until they implement 3DS2.
Not all banks are ready to support 3DS2 either, and the looming deadline for adoption means the banks that drag their feet may find clients switching to competitors that do support 3DS2. The debit card system, however, is ready. In February, EFTPOS announced the certification of GPayments’ 3DS2 solution, offering 3DS2 rollout support to many retailers, acquirers, and payment gateways.
Ultimately, each retailer will need to decide whether and how to make 3DS2 part of their fraud prevention program, after weighing the authentication times, potential friction, and cost against other forms of fraud control. Businesses that choose to implement 3DS2 should also carefully track their checkout abandonment and cart conversion metrics in addition to their fraud and false decline numbers and make adjustments if needed to get the most benefit from the solution with the least possible downside.