The 3D Secure (3DS) security protocols for the protection of online purchases are a payment protection system created and developed by the leading international payment circuits like Visa and Mastercard, in order to improve the level of security of online transactions with credit and debit cards.
The protocols are applied through the activation of Verified by Visa and Mastercard Identity Check (the recent evolution of Mastercard SecureCode, 2020) on payment cards, which then require 3D Secure authentication from the purchaser in order to complete online payments, minimising the risk of card use by third parties.
According to Outseer, in 2021 alone, transactions worth $100 billion overall were protected by 3D Secure payment authentication. In Q2 of 2021 the UK and EU experienced a 46% increase in EMV 3DS transaction share, while in Q3 of 2020 the growth was just 7%. Worldwide, growth was an impressive 79% over the past 18 months, with Q2 YoY growth of 44%.
Moreover, Peter Caiazzi, managing director at TAS Group, an international fintech company, stated that the latest version of 3D Secure authentication (3DS 2.0) had a positive impact on the friction experienced by customers: checkout times were reduced by 85% and cart abandonment by 70%. Based on the data presented above, it is safe to say that 3DS payment security protocols are changing the landscape of payments and fraud prevention worldwide, and doing so at an incredibly high speed.
Now let’s dive into the history and evolution of 3DS payments. Thanks to the introduction of 3D Secure protocols, which dates back to the start of the 2000s, the Ecommerce ecosystem has witnessed an increase in the level of security of online payments and, as a direct result, consumer confidence has also gradually grown in a world that was still the prerogative of a few first movers.
The security services introduced the concept of authentication. To complete a 3DS payment, it was no longer enough to insert just the card details (typically name and surname, PAN, expiry date and CVV): it became necessary to type in either a password that the purchaser had chosen during the service activation phase, or a temporary code received via SMS or generated by a device provided by the bank.
Developments have been minimal over the years and mostly related to the authentication solution, with convergence towards SMS, thanks in particular to the constant increase in mobile phone use. However, in 2018 the European PSD2 regulation on payments introduced the concept of Strong Customer Authentication and important changes regarding 3DS protocols, with the objective of making online payments even more secure, also through a more structured 3D Secure authentication process.
With the new protocol, username and password are no longer sufficient from a security point of view: you must authenticate yourself with at least two of the following types of elements:
Information that only the customer knows (KNOWLEDGE): PIN, password, security questions
Something held only by the customer (POSSESSION): card, telephone, token, wearable device
Something that distinguishes the customer (INHERENCE): fingerprint, facial recognition, voice recognition or iris scan
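The two-of-three rule above can be expressed as a check over the elements presented in an authentication attempt. The following is an added example, not code from the original page or from any payment scheme: the element keys, the Factor class and the sample attempts are hypothetical, and the category mapping simply mirrors the list above. It shows that two elements of the same type do not add up to Strong Customer Authentication, and that an element counts only if it was actually verified.

```python
from dataclasses import dataclass

# Element-to-category mapping taken from the list above (keys are hypothetical names).
CATEGORY = {
    "pin": "knowledge", "password": "knowledge", "security_question": "knowledge",
    "card": "possession", "telephone": "possession", "token": "possession",
    "wearable_device": "possession",
    "fingerprint": "inherence", "facial_recognition": "inherence",
    "voice_recognition": "inherence", "iris_scan": "inherence",
}


@dataclass(frozen=True)
class Factor:
    element: str    # key into CATEGORY
    verified: bool  # True only if the element was successfully validated


def sca_categories(factors):
    """Return the set of categories covered by verified, known elements."""
    covered = set()
    for f in factors:
        category = CATEGORY.get(f.element)
        if category is None:
            # Reject anything outside the known list rather than silently ignoring it.
            raise ValueError(f"unknown element: {f.element!r}")
        if f.verified:
            covered.add(category)
    return covered


def satisfies_sca(factors):
    """SCA needs verified elements from at least two different categories."""
    return len(sca_categories(factors)) >= 2


# Constructed sample attempts (illustrative only).
ATTEMPTS = {
    "password + security question": [Factor("password", True), Factor("security_question", True)],
    "password + telephone": [Factor("password", True), Factor("telephone", True)],
    "telephone + failed fingerprint": [Factor("telephone", True), Factor("fingerprint", False)],
    "telephone + fingerprint": [Factor("telephone", True), Factor("fingerprint", True)],
}

if __name__ == "__main__":
    for name, factors in ATTEMPTS.items():
        verdict = "SCA met" if satisfies_sca(factors) else "SCA not met"
        print(f"{name:32} -> {verdict} {sorted(sca_categories(factors))}")
```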
The most significant change is the introduction of biometrics for the identification of the buyer, a technology now widely available on most smartphones sold and which has improved both the security of access to the device and that of many available actions, for example, purchases from app stores.
The introduction of 3D Secure authentication has drastically reduced the risk of fraudulent use of cards by third parties, by inserting an element known only by the card-holder. The new European regulation, with the second version of the protocols, which will be implemented by the end of 2020, will further reduce the risks of fraud by making mandatory the protocols whose management by merchants has actually been optional up until today.
Activation of the 3DS services of credit and debit card circuits is the responsibility of the issuers; in fact, they activate the functionality on the cards of acquirers. For the merchant, the reference contact is the acquirer, which, before the advent of PSD2, could grant the merchant the deactivation of the protocols, which enhance security but may reduce the conversion rate.
In fact, the merchant has always had the possibility to ask the acquirer to disable the protocols, accepting payments from its customers without insertion of the 3D Secure authentication code. This is to the detriment of security but favours a greater probability of the 3DS payment being successful, considering that without inserting the authentication code the customer has one step less to complete. The new 3DS2 protocols, instead, shift to the issuer (that issued the payment card) the decision whether or not to apply authentication with two or more factors on each transaction. The acquirer and the merchant therefore become "passive" subjects in the application of 3D Secure authentication, an integral part of the customer journey during the 3DS payment phase.
The new protocols require, in particular, the insertion of more pieces of information in the payment requests connected with the transaction and the acquirer. These enable the issuer to conduct a more accurate analysis of fraud risk and, consequently, mean a lower probability of authentication being requested for 3DS transactions effectively inserted by the holder of the payment instrument.
Although there are exceptions and exemptions to the application of Strong Customer Authentication, the management of the new 3DS2 protocols becomes essential for the merchant, who in the event of non-implementation would not be compliant with the regulation and would see the payment requests rejected.
The 2.0 protocols offer the merchant the opportunity to insert some additional optional fields to provide a set of additional data to the issuer and help reduce the likelihood of SCA being applied to 3D Secure transactions. In order to do this, it may be necessary to review the customer journey by adding fields for collecting data, which may increase the complexity of integration.
In order to provide clarity on PSD2 and protocols, this infographic analyses the changes introduced by the regulation and the functioning of the Strong Customer Authentication in depth; in addition, it contains a comparative table, which compares the old and new 3DS for the protection of online purchases, in order to provide an overview of the substantial changes.
For the optimal management of the new rules of 3D Secure authentication on the Axerve Ecommerce Solutions gateway, it is possible to access the section of the documentation dedicated to the management of the 3DS2 protocols and conduct an in-depth analysis of the initiatives needed to be able to manage the imminent introduction.