3-D Secure 2.0 – Securing online payments in an ever-changing landscape
With the increasing global movement towards online purchases and mobile payments, banks and businesses need to proactively adapt to this changing payment landscape in order to continue to provide customers with a trusted and secure means of transacting. Research conducted by AusPayNet in 2017 shows that Card-Not-Present (CNP) fraud represents over 80% of fraud on Australian-issued cards. The payment industry must respond to this trend and keep security at the forefront to ensure customers do not lose confidence in transacting. Further to this, if the growing rate of CNP fraud (13% year on year) is not addressed, regulators will be forced to get involved and establish frameworks and legislation in an attempt to bring fraud losses down.
Since the introduction of micro-chipped bank cards and all of the security benefits that EMV capability provides, fraudsters have shifted focus to exploiting the relatively less secure online payment environment. In response, banks, merchants and card schemes implemented the 3DS protocol. This security solution, or set of rules, involves the three domains of a transaction (3-D) – Issuer Domain, Acquirer Domain and the Interoperability Domain (schemes). Most commonly known to Indue clients as Verified by Visa, it added a layer of security for online/e-Commerce transactions by authenticating the cardholder at the keyboard or mobile device through the use of static passwords or identification questions. With all the major card schemes mandating the implementation of 3DS on both the card issuer’s and merchant’s ends, it became inevitable that fraud trends would evolve to continue exploiting online transactions. In addition, to reflect current and future market requirements, the payments industry recognised the need to create a new specification that would support app-based authentication and integration with digital wallets, as well as traditional browser-based e-Commerce transactions.
3-D Secure 2.0
For this reason, it is critical that the industry stay one step ahead of the game without compromising the convenience and speed that online shopping offers. 3DS 2.0 is the next generation of online security. It will leverage much of what the industry established as part of the original 3DS implementation; however, the updated version will introduce a much more data-rich transfer of information between the merchant and the card issuer at the time of the transaction, enabling the issuer to authenticate the cardholder more accurately. The key difference for card issuers will be the departure from using static questions to authenticate cardholders and the adoption of one-time passwords (OTP). When a cardholder is at an online store checkout, the 3DS 2.0 service provider will assess the legitimacy of the transaction and, should it be deemed high-risk, the cardholder will be prompted to provide an OTP that will be sent to his or her mobile device. The implementation of this new fraud prevention solution will provide both consumers and merchants with confidence that transactions are genuine, which will help to drive transaction volumes up and cart abandonment down.
What does 3DS 2.0 offer the marketplace?
- supports specific app-based purchases on mobile and other consumer devices
- improves the consumer experience by enabling intelligent risk-based decisioning that encourages frictionless consumer authentication
- delivers industry-leading security features
- specifies use of multiple options for step-up authentication, including one-time passcodes, as well as biometrics via out-of-band authentication
- enhances functionality that enables merchants to integrate the authentication process into their checkout experiences, for both app and browser-based implementations
- offers performance improvements for end-to-end message processing
- adds a non-payment message category to provide cardholder verification details to support various non-payment activities, such as adding a payment card to a digital wallet
What are the benefits of 3DS 2.0 to each of the ecosystem stakeholders?
- Merchants will be able to implement a consistent approach across multiple platforms and digital media when confirming the authenticity of a transaction. EMV 3DS based solutions can achieve this during the purchasing process, minimising the risk of potential checkout abandonment.
- Issuers will be able to improve frictionless authentication due to richer data exchanges. By supporting new devices/channels, solutions compatible with the EMV 3DS Specification will encourage cardholders to make purchases using their preferred medium without compromising on security.
- Consumers seek increased convenience and security during e-Commerce payments, and solutions based on the EMV 3DS Specification will offer these benefits, adding efficiency with minimal to no impact on the applications and payment flows that consumers are using and experiencing today.
Visa has now mandated the implementation of 3DS 2.0 by April 2019; the mandate was originally planned for April 2018 but was extended due to industry requirements. Indue has commenced engagement with Visa and RSA to support the implementation of this new security initiative for our clients. Indue will be reaching out to clients and partners shortly to provide an overview of the project.