The ecommerce security solution known as 3D Secure (3DS) is in the midst of a major image overhaul. The authentication method that once had merchants running from it in terror at the prospect of heavy hits to their conversion rates is now very much central to the fraud protection conversation in the United States.
As is the case with Hollywood B-listers looking to revive their careers, a dramatic makeover is key to the resurgence of 3DS, which first took the stage two decades ago and was branded as a conversion killer because of the extra steps it introduced to identify consumers at checkout.
Today 3D Secure Authentication is central to the law of the land in Europe, where the reviews remain mixed, and is increasingly under consideration by U.S. merchants looking for an extra layer of protection — the same merchants who avoided the original form of 3DS. That version — yes, version 1.0 — was developed at the dawn of the ecommerce era as “Verified by Visa” and later adopted by other card networks, including Mastercard (“Mastercard SecureCode”) and American Express (“SafeKey”).
The technology has been upgraded to what is now referred to as EMV 3DS in an effort to keep up with the changing landscape of ecommerce and the growing sophistication of fraudsters.
How online merchants use 3D Secure
Online merchants integrate 3D Secure into their checkout processes to add an extra layer of security to card transactions. When a customer initiates a payment, the merchant’s website sends a request to the card issuer or issuing bank to authenticate the transaction using 3D Secure protocols. The cardholder’s issuing bank may then require additional action from the cardholder in order to complete the authentication session; this additional action step is referred to as the challenge flow. It can take the form of entering a one-time password or verifying a push notification to the customer’s banking app, or the bank may require no cardholder action at all (referred to as frictionless 3DS).
Once the cardholder successfully authenticates the transaction, the issuing bank confirms the authentication to the merchant, and the payment is processed. If the authentication fails or the cardholder does not complete the process, the transaction may be declined or flagged for further review.
3D Secure authentication by the numbers:
While 3D Secure provides an additional level of protection against fraud, it is not a standalone solution for fraud prevention. Online merchants should implement a multi-layered approach to fraud prevention, incorporating tools such as fraud detection algorithms, address verification systems, device fingerprinting, and protection against first-party fraud. By combining these strategies with 3D Secure authentication, merchants can effectively mitigate the risk of fraud and protect their businesses from abuse and unauthorized transactions.
What are the main changes in EMV 3DS
The term “game-changer” is sorely overused but in the case of moving from the original 3D Secure to EMV 3DS, it’s actually an understatement. EMV 3DS provides much more data to the issuing bank than 3DS version 1. That increases the chance the bank can approve the transaction through a frictionless flow, rather than a challenge flow — a better experience for the consumer and a higher likelihood for a conversion for the merchants.
EMV 3DS also means consumers are far less likely to be directed away from a merchant’s site for authentication. The experience was jarring for many and at times had consumers thinking they were being set up for a man-in-the-middle attack, which would result in stolen credentials. The now-common pop-up windows provide a more intuitive experience.
The upgrade also means the authentication process can be completed on a mobile device, something that wasn’t around when 3D Secure first came on the scene.
For a time, post-EMV 3DS, 3D Secure version 1 was still in use, causing a lot of friction. The OG 3DS, however, was finally retired by major credit card companies in the fall of 2022. It’s an EMV 3DS world now.
A look at the main elements of 3DS
What is frictionless flow and how is it achieved?
Frictionless flow is the Cadillac of experiences for consumers who confront 3D Secure in a transaction. It’s a much more likely outcome thanks to EMV 3DS. It’s much what it sounds like. When a shopper hits the buy button, their information and a host of other signals are sent to the issuer. Based on that intelligence — and the issuer has more intelligence thanks to EMV 3DS — the bank might approve the order without requiring a step up — hence, frictionless.
The picture from where 3D Secure is virtually mandated:
The path is a better one for the merchant, which doesn’t risk seeing a cart abandoned due to increased friction. And it’s a better one for the consumer who doesn’t need to take extra steps to buy something they need or want.
What is the liability shift rule in 3D Secure 2?
The liability shift feature of 3D Secure is a critical aspect that provides financial protection for merchants in the case of fraudulent transactions — similar to that provided by the best-in-class commerce protection solutions. In traditional card-not-present transactions, where the cardholder’s presence cannot be physically verified, merchants are liable for chargebacks resulting from fraud. But when orders are authenticated through 3D Secure, the fraud liability shifts from the merchant to the card issuer or issuing bank.
Here’s how it works in practice:
- Authentication: When a cardholder places an order on a merchant’s site, the merchant’s system triggers a request to the issuing bank to authenticate the transaction through 3D Secure.
- Verification: The cardholder may receive a prompt to authenticate their identity, for instance, by entering a password, receiving a one-time code or using biometric authentication methods.
- Confirmation: Once the cardholder successfully completes the authentication process, the bank confirms the authentication to the merchant and the transaction continues normally.
- Liability Shift: If the transaction results in a chargeback, the liability shifts from the merchant to the issuing bank, protecting the merchant from financial loss.
By leveraging a liability shift, merchants can ease the financial risks of fraud and focus on what they went into business to do. That’s obviously a positive. But let’s take some time to review both the pros and the cons of 3D Secure as it’s used in the United States today.
3DS benefits
One primary benefit of 3DS is its ability to reduce fraud and mitigate the risk of chargebacks for merchants. According to Visa’s own study, merchants saw a significant reduction in fraudulent transactions after adding 3DS to their fraud protection stack. This reduction in fraud not only helps protect merchants’ revenue but also enhances trust and confidence among consumers.
3DS also offers a liability shift mechanism that can provide financial relief for merchants victimized by fraud while also providing the kind of guarantee that leading future-focused commerce protection providers view as table stakes.
How does a fraud liability shift work?
Under the liability-shift feature, if a transaction receives secure authentication through 3DS and is later found to be fraudulent, liability for the resulting chargeback shifts from the merchant to the card issuer or issuing bank.
In addition to reducing fraud, EMV 3DS introduces enhancements meant to improve the customer experience while still protecting the merchant. For instance, 3DS’s frictionless flow allows for seamless authentication in some cases without requiring the step-ups that have so frustrated consumers in the past. By relying on signals such as device ID and behavioral analytics, merchants can authenticate transactions in real time without disrupting the checkout process and risking conversions.
In an era when the Merchant Risk Council reports that a significant percentage of merchants rely on multiple fraud tactics and solutions, 3D Secure can provide a robust supplement to solutions that are more comprehensive or which provide complementary protection.
3D Secure’s potential upsides come with downsides
3D Secure includes other authentication flows
Additionally, beyond its role at checkout, 3D Secure can provide non-payment authentication, which can play a role in protecting changes in ecommerce accounts.
Non-payment authentication can be deployed when a user adds a payment method to an account, for instance.
The idea is to determine whether the person initiating the action is indeed the authorized cardholder and to prevent access to the account by fraudsters. By integrating 3D Secure protocols into these interactions, merchants add an extra layer of security to protect the account.
If 3D Secure’s non-payment authentication is triggered when a user tries to add a new credit card to an online ecommerce account, for instance, the cardholder may get a prompt asking for a one-time passcode that’s been sent to the cardholder’s email or phone. If the account owner and the cardholder are the same person, they would comply and voilà — they can add the new card.
If the credit card details are in the hands of a fraudster, they won’t have the passcode, so they won’t be able to access the account. They will, however, have valuable information: The knowledge that the credit card credentials they have are indeed viable for use in fraudulent transactions.
Disadvantages of 3DS
Despite its benefits, 3DS also comes with its share of challenges. While the new, improved version of 3DS is just that, the potential friction endured by consumers — entering a one-time passcode or otherwise authenticating themselves — is still a lasting concern for merchants.
Online customer experience vs. friction with 3D Secure:
Entering a password or receiving a one-time code can lead to a higher rate of cart abandonment, as customers might find the process cumbersome. The Baymard Institute found that 22% of U.S. consumers who abandoned carts did so because checkout was “too long and complicated.”
The experience in Europe, where consumers and banks alike are much more familiar with 3D Secure, is instructive. When Signifyd surveyed European consumers across three countries, significant portions of them said their purchases had been stymied by a regional regulation requiring Strong Customer Authentication powered almost universally by 3D Secure.
In the UK, 36% of those surveyed said they’d given up on a purchase due to frustration over authentication steps. In France, 45% of shoppers had thrown in the towel on a purchase and half of Italian consumers have given up in the face of step-ups.
Given the potential for losing sales to frustrated consumers, merchants should be more thoughtful than ever about their payment layer and the checkout experience they offer. Retailers that choose to rely on 3D Secure should focus on optimizing every aspect of the checkout experience that remains within their control. It might be a time to over communicate with customers, letting them know that they might be required to authenticate their identities when making purchases. Also consider explaining why the request might come their way, so they know you are not only protecting your business, but also looking to ensure that their payment methods are being presented by authorized users.
3D Secure authorization comes with downsides:
Likewise, merchants should be mindful of the track record of the various issuing banks they deal with. Some are more welcoming to 3D Secure than others. For some banks, 3D Secure’s liability shift — a shift to them — is a potentially costly imposition. And for some issuers, orders arriving on the 3DS rails are immediately suspect. The thinking: Merchants use 3D Secure to take their best shot on orders that they wouldn’t approve if the liability were theirs. Given that the liability for fraud will be the issuer’s problem under 3D Secure, why not give it a try? Either scenario could result in a significant number of lost sales.
Why do some U.S. issuers see 3D Secure orders as suspect?
A November 2023 report by Datos Research indicates that issuers have good reason to view 3DS orders in the U.S. and Canada warily.
“In unregulated markets such as North America, 3DS usage averages 2.7% of all CNP transactions, yet fraud rates on 3DS-protected transactions are nearly six times higher than for all CNP (card-not-present) transactions,” Datos’ “CNP Fraud and the Role of 3-D Secure” report explains. “This is largely because the majority of merchants in unregulated markets send only high-risk transactions across the 3DS rails, which in turn prompts issuers to employ more draconian authorization strategies, which also adversely impact authorization rates.
“The inverse is true in regulated markets such as Europe and Australia, in which 25% to 50% of CNP transactions are protected by 3DS, and fraud rates are three times to six times lower than for all CNP transactions.”
All of which raises something of a warning for online retailers: Be wary of fraud protection providers who enthusiastically encourage the use of 3D Secure. It could be a sign that they don’t have the confidence in their own technology to offer a liability shift and would prefer to offload that responsibility to 3D Secure.
How does 3DS work at a technical level?
Let’s dig into the technical details of how 3DS works and what the technical stack behind it looks like.
What are the core components of 3D Secure?
- ACS (access control server): Hosted by the card issuer (bank), the ACS is responsible for managing the authentication of cardholder transactions in real time. It evaluates transaction risk, prompts the cardholder for additional verification when necessary, and verifies any authentication data received.
- 3DS Server: Implemented on the merchant’s server, the 3DS Server interacts with the ACS via the network directory server to facilitate authentication requests and receive responses. It captures card details and transaction data and sends them to the ACS via the directory server for verification.
- DS (directory server): Operated by the card network (Visa or Mastercard, for example), the DS acts as a routing intermediary between the 3DS Server and the ACS. It identifies the correct ACS for a given card number and routes authentication requests and responses accordingly.
What is the operational flow of 3DS fraud prevention?
- Transaction initiation: When a cardholder purchases from a 3D Secure-enabled merchant, the 3DS Server captures the card details and transaction data.
- Enrollment verification: The 3DS Server (called the merchant plug-in, or MPI, in 3DS version 1) sends a request to the DS to verify whether the card is enrolled in 3D Secure. The DS checks the card number against its database and identifies the appropriate ACS.
- Authentication request: If the card is enrolled, the 3DS Server sends the authentication request to the network’s DS, which forwards it to the corresponding ACS. This request includes transaction details and any other relevant data (such as device ID, merchant category or transaction amount).
- Risk assessment and challenge: The ACS assesses the risk level of the transaction based on issuer-created rules, historical data, and transaction specifics. If the risk level is high or if additional verification is required by issuer-created rules, the ACS prompts the cardholder for additional verification. This can involve entering a password, an OTP, or biometric validation as part of the challenge flow.
- Authentication response: After the cardholder completes the challenge (if presented), the ACS sends an out-of-band authentication response back to the 3DS Server through the DS. This response includes an authentication result (successful, unsuccessful or attempted) and a cryptogram or token that validates the transaction’s integrity.
- Authorization request: Following successful authentication, the merchant submits an authorization request to the card issuer through normal payment processing channels. This request includes the authentication result and the cryptogram or token from the ACS.
- Transaction completion: The card issuer finalizes the transaction authorization based on the authentication and transaction data, and the merchant completes the sale if authorized.
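The components and the seven-step flow above, together with the liability-shift outcome described earlier, can be traced end to end in a small simulation. The following is an added example, not code from the page or from any card network or vendor: it models a 3DS Server, a DS, an ACS and an issuer authorization host as Python classes and runs a frictionless transaction, a challenge that succeeds, a challenge that fails, and a card that is not enrolled. The message names (AReq, ARes, CReq, RReq), the transStatus codes Y/N/C/U and the ECI values 05/07 follow the EMV 3DS and Visa conventions; the issuer risk rule, the BIN table, the card numbers, the issuer key and the HMAC used to stand in for the authentication value are all constructed for the example and are not how a real ACS produces a cryptogram.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


def auth_value(key: bytes, trans_id: str, amount: int, status: str) -> str:
    """Stand-in for the authentication value (the cryptogram returned by the ACS):
    a keyed MAC the issuer can recompute at authorization time. Real values are
    network-defined; this HMAC construction is an assumption of the example."""
    msg = f"{trans_id}|{amount}|{status}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


@dataclass
class AccessControlServer:
    """Issuer-hosted ACS: scores each AReq against issuer rules, challenges the
    cardholder when required, and returns transStatus plus an authentication value."""
    issuer_key: bytes
    pending: dict = field(default_factory=dict)  # transID -> (otp, amount) awaiting the cardholder

    def handle_areq(self, areq: dict) -> dict:
        tid, amount = areq["threeDSServerTransID"], areq["amount"]
        # Constructed issuer rule: recognised device and amount <= 100.00 -> frictionless
        if areq["deviceKnown"] and amount <= 10_000:
            return self.result("ARes", tid, amount, "Y")
        otp = f"{secrets.randbelow(10**6):06d}"  # delivered to the cardholder out of band
        self.pending[tid] = (otp, amount)
        return {"messageType": "ARes", "threeDSServerTransID": tid, "transStatus": "C"}

    def handle_creq(self, creq: dict) -> dict:
        tid = creq["threeDSServerTransID"]
        otp, amount = self.pending.pop(tid)
        status = "Y" if hmac.compare_digest(creq["otp"], otp) else "N"
        return self.result("RReq", tid, amount, status)

    def result(self, message_type: str, tid: str, amount: int, status: str) -> dict:
        res = {"messageType": message_type, "threeDSServerTransID": tid, "transStatus": status}
        if status == "Y":
            res["authenticationValue"] = auth_value(self.issuer_key, tid, amount, status)
            res["eci"] = "05"  # Visa ECI for a fully authenticated transaction
        else:
            res["eci"] = "07"  # not authenticated
        return res


@dataclass
class DirectoryServer:
    """Network DS: enrollment check by BIN range, then routing to the right ACS."""
    bin_table: dict  # BIN prefix -> AccessControlServer (constructed)

    def find_acs(self, pan: str):
        return self.bin_table.get(pan[:6])

    def route_areq(self, areq: dict) -> dict:
        acs = self.find_acs(areq["acctNumber"])
        if acs is None:  # card not enrolled: authentication unavailable, no liability shift
            return {"messageType": "ARes", "threeDSServerTransID": areq["threeDSServerTransID"],
                    "transStatus": "U", "eci": "07"}
        return acs.handle_areq(areq)


@dataclass
class IssuerAuthorization:
    """Issuer authorization host: recomputes the authentication value carried in the
    authorization request and assigns fraud liability accordingly."""
    issuer_key: bytes

    def authorize(self, req: dict) -> dict:
        tid, amount = req["threeDSServerTransID"], req["amount"]
        expected = auth_value(self.issuer_key, tid, amount, "Y")
        if req["transStatus"] == "Y" and hmac.compare_digest(req.get("authenticationValue") or "", expected):
            return {"approved": True, "liability": "issuer"}  # valid cryptogram: liability shifts
        if req["transStatus"] == "N":
            return {"approved": False, "liability": "merchant"}  # failed challenge: decline
        # U (or anything else): issuer's own risk engine decides; liability stays with the merchant
        return {"approved": amount <= 5_000, "liability": "merchant"}


def checkout(ds, issuer_auth, pan, amount, device_known, cardholder_otp):
    """Merchant-side 3DS Server flow: AReq via the DS, optional challenge, then authorization.
    cardholder_otp(acs, tid) models whoever is at the keyboard answering the challenge."""
    tid = secrets.token_hex(8)
    areq = {"messageType": "AReq", "threeDSServerTransID": tid, "acctNumber": pan,
            "amount": amount, "deviceKnown": device_known}
    res = ds.route_areq(areq)
    if res["transStatus"] == "C":
        acs = ds.find_acs(pan)  # the challenge itself runs between the cardholder and the ACS
        res = acs.handle_creq({"messageType": "CReq", "threeDSServerTransID": tid,
                               "otp": cardholder_otp(acs, tid)})
    auth_req = {"threeDSServerTransID": tid, "amount": amount, "transStatus": res["transStatus"],
                "eci": res.get("eci"), "authenticationValue": res.get("authenticationValue")}
    return res["transStatus"], issuer_auth.authorize(auth_req)


# Constructed sample environment: one issuer owning BIN 411111, key shared by its ACS and auth host
ISSUER_KEY = b"constructed-issuer-key"
ACS = AccessControlServer(ISSUER_KEY)
DS = DirectoryServer({"411111": ACS})
ISSUER = IssuerAuthorization(ISSUER_KEY)


def genuine_cardholder(acs, tid):
    return acs.pending[tid][0]  # has the phone or inbox the OTP was sent to


def no_otp(acs, tid):
    return ""  # cannot read the OTP, so the challenge cannot be answered


if __name__ == "__main__":
    print(checkout(DS, ISSUER, "4111111111111111", 4_999, True, genuine_cardholder))
    print(checkout(DS, ISSUER, "4111111111111111", 25_000, False, genuine_cardholder))
    print(checkout(DS, ISSUER, "4111111111111111", 25_000, False, no_otp))
    print(checkout(DS, ISSUER, "5555555555554444", 3_000, True, genuine_cardholder))
```

The four runs show the outcomes the article describes: a frictionless Y with liability on the issuer, a challenge answered correctly with the same result, a failed challenge that returns N and is declined with liability staying with the merchant, and a non-enrolled card (transStatus U) that may still be approved by the issuer’s risk engine but earns no liability shift. The issuer host only shifts liability when it can recompute the authentication value itself, which is the property that makes the shift safe to grant.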
Advanced features in 3D Secure 2.0
Some of the more advanced features of EMV 3DS include non-payment authentication for enhanced security, as well as the following:
- Enhanced data exchange: Unlike its predecessor, 3D Secure 2.0 facilitates the exchange of a rich data set between the merchant, the ACS, and the cardholder device. This includes contextual information about the transaction, such as browser data, device ID, and historical payment data, which allows for more sophisticated risk-based assessments.
- Adaptive authentication: Depending on the risk level, transactions can be authenticated using frictionless authentication (low-risk transactions processed without direct cardholder interaction) or challenge-based methods (high-risk transactions requiring active cardholder participation).
- Non-payment authentication: This feature can be deployed when a user adds a payment method to an account to determine whether the person adding the card is an authorized cardholder or a fraudster.
- Integration with mobile and smart Internet of Things (IoT) devices: 3D Secure 2.0 is designed to be more mobile-friendly, supporting native mobile apps and IoT device transactions and providing seamless integration for a wide range of consumer devices.
Can 3D Secure help with friendly fraud?
No matter one’s assessment of the effectiveness of 3D Secure in instances of payment fraud — and it’s always a good sign when a solution provider is willing to put its money where its mouth is — it’s good to keep in mind that it provides no protection for the growing scourge of friendly fraud, more accurately known as first-party fraud.
MRC’s recent retailer survey found that 60% of merchants saw an increase in first-party fraud in the past month. And half of those said they saw an increase of 25% or more in the incidence of first-party fraud. And survey data indicates that a significant population of consumers have no compunction about lying in order to keep a product and score a refund.
Finally, the way 3DS communicates with consumers can cause confusion and anxiety. Authentication occurs on a communication channel separate from the transaction itself — a step-up consisting of a pop-up window, for instance, interrupts the shopper’s checkout with a distraction and delay that could ultimately upend the purchase.
And, of course, there is the situation we mentioned above in which the cardholder and the account owner are not one and the same. If the cardholder is a family member looking to add their own card to the account, the cost is some frustration and inconvenience. If the “cardholder” is a fraudster who’s illegally obtained it, the cost could be much higher, with the criminal tipped off to the fact the stolen card is valid.
Little-known facts about 3D Secure authentication
Despite being widely used in Europe and becoming a more common topic of conversation in the United States, there are still little-known facts about the solution that merchants should be aware of.
Breaking down 3-D Secure by card brand
Visa, Mastercard and American Express each have their own 3D Secure programs — called Visa Secure, Identity Check and SafeKey respectively. The authentication method used — one-time passcode, push notification, frictionless delivery, etc. — can vary by issuer. The goal for everyone is to enhance security for online transactions while ensuring a smooth checkout process for cardholders.
Is 3D Secure alone enough to protect a business from fraud?
While 3D Secure offers valuable protection against certain types of fraud, it is not sufficient on its own to safeguard a business from all fraudulent activity. Fraud rings are profit-oriented enterprises that constantly deploy new tactics and find new targets, often in response to the barriers erected by merchants and commerce protection providers.
To effectively combat fraud, online merchants need to implement a comprehensive fraud prevention strategy that includes multiple layers of protection, a strategy that is widely employed by merchants, according to the Merchant Risk Council. The MRC’s 2024 “Global Ecommerce Payments and Fraud Report” found that globally online retailers have on average deployed more than one AI or machine learning fraud solution.
Comprehensive fraud protection should generally include AI-driven fraud detection solutions that analyze transaction data in real time to identify suspicious patterns and decline fraudulent orders automatically. The newest breed of fraud protection reviews thousands of signals in each order to build an understanding of the identity and intent behind each order.
Merchants need also to deploy technology that protects them from first-party fraud chargebacks and returns fraud and abuse — the fastest-growing revenue stream for wayward consumers and professional fraud rings alike.
In conclusion, 3D Secure authentication offers significant benefits for online merchants, including reduced fraud and liability shift protection. However, it is not a standalone solution for fraud prevention and should be used as part of a comprehensive fraud prevention strategy. By combining these strategies and including 3D Secure in their fraud protection stack, merchants can mitigate the risk of fraud and protect their businesses from abuse and unauthorized transactions.