EMV 3-D Secure (aka, 3-D Secure 2.0) is a new standard that promises to make the commerce environment an even more frictionless and secure experience. Major networks are on the path to adopting this standard. For example, Mastercard has created a new program called Mastercard Identity Check providing merchants and their banks an easy way to upgrade and enhance current security solutions to determine potential risks and ensure genuine transactions are approved in a seamless manner.
Now that global activation dates for 3-D Secure 2.0 have been announced, it’s time for card issuers, issuing processors, and merchants to ensure all the groundwork has been laid to take full advantage of the changes the updated standard will bring. RSA has been working to educate the payments and merchant communities on how to be prepared, and has also been collaborating with industry partners to test transaction flows ahead of activation.
Today, global merchant adoption rates of 3-D Secure vary by region. Overall, 35% of global ecommerce volume runs through 3-D Secure today, and that share is expected to increase with greater adoption of the updated protocol, as well as a result of regulations such as PSD2 in Europe.
At the same time, card-not-present (CNP) fraud continues to rise. Specifically, the US, one of the last countries to adopt EMV chip cards, has experienced a spike in CNP fraud after the first full year of implementation. A recent report from the U.S. Federal Reserve Bank confirms that CNP fraud rates have been growing steadily since, with an increase of more than USD 1 billion over just one year, from USD 3.4 billion to nearly USD 4.6 billion. Furthermore, the average value of a fraudulent transaction is significantly higher than that of a genuine transaction, as demonstrated in the graph below.
If you’re a card issuer or issuing processor, being ready for 3-D Secure 2.0 includes having the technology and processes to accommodate the changes that are in store—especially the shift in fraud liability from merchants to issuers.
Fortunately, for issuers, the shift in liability for fraud in 3-D Secure 2.0 is accompanied by the ability to put more robust authentication in place to prevent fraud in the first place. 3-D Secure 2.0 specifically supports token-based and biometric authentication and removes static data elements (such as passwords), making it more difficult for fraudsters to compromise credentials. It also enables risk-based authentication (RBA) decisions, so that the decision to challenge a transaction can be made based on how much risk it presents. The result: more approvals, less fraud, and a frictionless shopping experience for customers.
A risk-based approach to reducing card-not-present fraud is hardly new to many large issuers in Europe. RSA has observed the following global averages as the result of an RBA-driven 3-D Secure program:
fraud detection rate (FDR): 96% fraud detection with less than 5% of transactions interrupted;
basis points of fraud loss: 4.9, or a USD 4.90 loss for every USD 10,000 of genuine transactions approved;
false positive ratio: of the 5% interrupted transactions, only 1.3 genuine transactions are falsely stopped for each fraudulent transaction blocked.
In addition to being prepared with authentication capabilities that are appropriate to the challenge and opportunity of 3-D Secure 2.0, issuers and processors need to ensure they have a clear migration path for the transition. We recommend engaging with your ACS (access control server) provider, who can provide direction and guidance on what is required for migration, as most have already launched early adopter programs and successfully tested 3-D Secure 2.0 transaction flows. For example, RSA worked with Mastercard to successfully process one of the UK’s first end-to-end 3-D Secure 2.0 transaction tests.
If you have not yet engaged an ACS provider, there are some key qualities you should look for as part of your selection process. An effective ACS partner should:
offer a good track record with risk-based authentication;
support a range of stepped-up authentication options;
provide clear, strong results with fraud detection rates, customer intervention rates, and false declines.
To see what your CNP fraud savings could be by moving to 3-D Secure 2.0, RSA has developed a simple calculator to help you quantify the potential benefits for your organization. You can access the online calculator here.
About Mike OConnor
Michael has been in the online payments industry for over 17 years and has held multiple roles spanning online merchants, fraud prevention vendors, issuing banks, and payment gateways. His focus has been on risk management and fraud prevention best practices. He joined RSA over five years ago where he currently leads the go-to-market strategy for RSA’s 3D Secure authentication solutions.
About RSA
RSA, a Dell Technologies business, offers business-driven security solutions that uniquely link business context with security incidents to help organizations manage digital risk and protect what matters most. RSA's award-winning cybersecurity solutions are designed to effectively detect and respond to advanced attacks; manage user identities and access; and reduce business risk, fraud, and cybercrime. RSA protects millions of users around the world and helps more than 90% of the Fortune 500 companies thrive in an uncertain, high-risk world.