All you need to know and tell your customers.
The European Union has been making headway in its implementation of the new security standard enforced by the Second EU Payment Services Directive (PSD2). Several countries have already adopted the new guideline, while others rushed to do so before the end of 2021 to keep up with tight deadlines.
The new PSD2 standard enforces Strong Customer Authentication (SCA), which in practice means introducing and applying a new version of the 3DS protocol designed to revamp the framework for international and domestic payments.
The Strong Customer Authentication requirement of the revised Directive on payment services (PSD2) requires all payments, regardless of size, to be processed under PSD2 rules. The need to comply with the new requirement has driven the upgrade of the standard 3D Secure protocol to 3DS 2.0. Before PSD2 was adopted, merchants had only been obliged to use version 3DS 1.0, so applying the updated standard is a new challenge that not all of them are ready for.
A Look Back at History
The 3D Secure system was launched in 2001 under the names Verified by Visa and MasterCard SecureCode. American Express signed onto the initiative several years later, together with JCB, Discover, and others. Although adoption of these systems was relatively low across the world, especially in Europe and the US, where it stood as low as 5%, the system was still required to ensure merchants' safe transaction processing and fraud prevention.
Low adoption can be explained by the little value its application added: its main selling point was the shift of liability for fraudulent transactions from merchants to issuers.
The biggest obstacle to 3DS adoption was its significant impact on customer conversion, given the lengthened purchasing journey. In essence, the additional checks on transactions and buyers before checkout meant that customers abandoned their online shopping carts after being redirected to third-party verification websites.
The addition of another step in the checkout process reduced online shopping convenience and caused many buyers to believe they were being redirected to fraudulent websites. Mobile device users were also affected, as the transition to third-party sites resulted in long load times and ensuing frustration.
The banks, in turn, incurred costs associated with 3DS adoption, as fraud on any authenticated transaction meant that the issuer had to bear the resulting legal liability toward merchants. The system itself left much to be desired in terms of security, relying on static passwords that could easily be compromised.
Lastly, regulations required banks to bear the costs of rolling out 3DS to users, as well as to maintain the Access Control Servers (ACS) that processed 3DS messaging and cardholder authentication.
Reasons For Implementation
Though the 3D Secure system was cumbersome and flawed at launch, it was developed for a specific reason: relieving the pain merchants experienced from transaction fraud.
Subscription chargebacks were also addressed, since chargebacks involve no proration: customers could request a chargeback well into their subscription period, leaving the merchant with both the chargeback and the cost of the product or service already provided during that period. Free trials that auto-converted into paid subscriptions were also an issue, as they often resulted in chargeback requests.
3DS 2.0 was created to answer the shortcomings of 3DS 1.0 and add greater value to the system to boost adoption rates. The protocol was developed jointly by Visa and Mastercard in late 2016 and added an entirely new layer of data transfer, increasing it to over 100 elements per transaction.
Risk-Based Authentication (RBA) was also added to the protocol. It benefits both merchants and issuers by allowing the perceived risk of a transaction to decide whether the cardholder is challenged to authenticate their identity, reducing the probability of fraud. The decision to challenge is based on the data fed through the 3DS 2.0 protocol: transactions deemed low-risk pass through the so-called frictionless flow with passive authentication, resulting in a smooth customer journey.
Mobile users are the primary target audience of 3DS 2.0, as it was designed to operate on such devices as a native in-app payment system. The system also supports mobile-based authentication methods such as biometrics, eliminating the need for passwords and many other identity verification methods. Such security layers make applications supporting 3DS 2.0 more resilient to hacking, fraud, and credential compromise.
Taken together, the benefits of 3DS 2.0 mean fewer payment disruptions and a smoother payment process; the protocol adds smart fraud detection mechanisms and allows native integration into both web and mobile applications at virtually no charge to issuers.
Means of Implementation
For SCA requirements to be fulfilled, merchants applying 3DS 2.0 have to ask their customers to provide two out of three forms of identification: something they know, something they have, and something they are.
The first can be a password, a PIN code, or a personal fact set as the answer to a secret question during account setup. The second usually involves a mobile device that can receive an SMS verification code, or an email account. The third can be anything from a fingerprint or facial features to voice or retinal patterns, an integral part of the person's identity.
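To make the risk-based routing described earlier and the two-out-of-three rule concrete, here is an added Python model; it is not code from the article, any card scheme or EMVCo, and its factor names, data elements, weights and challenge threshold are assumptions for illustration.

```python
"""
Illustrative model of a 3DS 2.0-style decision: score a few transaction data
elements to choose between the frictionless flow and a challenge, then check
that a challenge collected factors from two *distinct* SCA categories.
All factor names, weights and the threshold are assumed for this example.
"""
from dataclasses import dataclass

# The three SCA categories and the factors assumed to fall into each.
KNOWLEDGE = {"password", "pin", "secret_question"}
POSSESSION = {"sms_otp", "email_otp", "app_push"}
INHERENCE = {"fingerprint", "face", "voice", "retina"}
CATEGORIES = {"knowledge": KNOWLEDGE, "possession": POSSESSION, "inherence": INHERENCE}


def factor_categories(factors):
    """Return the distinct SCA categories covered by the factors presented."""
    return {name for name, members in CATEGORIES.items() if members & set(factors)}


def meets_sca(factors):
    """SCA needs two different categories: password + PIN is two knowledge
    factors and therefore does NOT satisfy the requirement."""
    return len(factor_categories(factors)) >= 2


@dataclass
class Transaction:
    amount: float
    currency: str
    device_known: bool              # device seen before for this cardholder
    shipping_matches_billing: bool  # address data elements agree
    prior_transactions: int         # history with this merchant


def risk_score(tx):
    """Toy risk model over a handful of 3DS 2.0 data elements (assumed weights)."""
    score = 0
    if tx.amount > 250:
        score += 40
    if not tx.device_known:
        score += 30
    if not tx.shipping_matches_billing:
        score += 20
    if tx.prior_transactions == 0:
        score += 10
    return score


def authenticate(tx, factors_presented, challenge_threshold=50):
    """Low risk -> ('frictionless', True); otherwise ('challenge', sca_ok)."""
    if risk_score(tx) < challenge_threshold:
        return "frictionless", True
    return "challenge", meets_sca(factors_presented)
```

The interesting failure mode is the last branch: a challenge that collects two factors from the same category passes a naive "two factors" count but fails SCA, which is what `meets_sca` enforces.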
Thus, fraud is virtually eliminated from the payment process, as users have to provide verifiable and credible personal information. From a statistical and probabilistic point of view, it is implausible that a fraudster would go through the trouble, or have the physical ability, to acquire any two of the aforementioned verification factors in order to pass a transaction.
Still, researchers stated that in 2021 cyber-criminals had not given up their efforts to bypass the 3DS protocol's security layers and had increasingly resorted to phishing attacks. Using sophisticated social engineering and preying on more vulnerable members of society, the attackers try to obtain personal credentials and circumvent the security imposed by 3DS.
Nevertheless, Gemini experts state that 3DS 2.0 is more resistant to fraud, and the many data elements it transmits are sufficient to prevent or detect fraudulent transactions.
Though much more secure, 3DS 2.0 faces some challenges, the first of which is customer education. Many shoppers are unaware of the new requirements and unwilling to read the fine print in the information sections of the websites they visit. All customers actually perceive is another cumbersome step in the payment process, which many find annoying, bothersome, or simply suspicious. A survey conducted by Netcetera found that over 30% of users have close to no understanding of what PSD2, 3DS, and Strong Customer Authentication requirements are.
The Secretary-General of Ecommerce Europe has stated that the adoption of 3DS 2.0 across the EU will likely result in higher cliff-edges. Both merchants and issuers will face a new set of challenges, including enrollment difficulties and availability, usability issues, and others.
Despite the shortcomings, the implementation of 3DS 2.0 adds more benefits in the long run, as it is tailored for the growing adoption of mobile and wearable devices as an instrument for making payments. Should merchants focus on educating users and highlighting the benefits of secure, seamless payments, the adoption issues can be overcome and reversed.