Payment authentication: 3-D Secure demystified

Thursday 26 August 2021 04:02 CET | Editor: Anda Kania | Voice of the industry

Payment Methods Report 2021

Why is 3-D Secure considered essential to fighting CNP fraud in the EU and elsewhere, but has only recently started gaining traction in North America after being stuck in neutral for years? Reed Taussig, the CEO of Outseer, addresses this question.

What the 3DS is going on? While the 3-D Secure protocol is de rigueur for fighting card-not-present fraud in the EU and elsewhere, penetration in North America has been stuck south of 2% for years. But today, that's changing as more credit card companies and merchants recognize the benefits the protocol brings to reducing both fraud and friction. 

Just consider the past year. In 2020, global ecommerce was supposed to grow a sumptuous 15%. In the face of the pandemic, it rose 25% instead. And with the increased number of consumers buying online, the focus has been on making the checkout process as hiccup-free as possible.

But it came with a price. In the US, losses from purchases made using stolen credit card information topped USD 6.4 billion in 2020, up from USD 5.5 billion in 2018. That’s an average growth rate of more than USD 40 million in losses per month for 24 months straight. 3-D Secure (3DS) was designed to change all that.

So what exactly is 3-D Secure?

The 3DS payment authentication protocol was first introduced back in 1999. Its purpose: to prevent unauthorized use of credit cards in online purchases. To accomplish that, 3DS involves three parties, or ‘domains’ (thus, the ‘3D’ in 3DS): the acquirer bank, the issuer bank, and the infrastructure supporting the protocol, whether it’s the Internet or software providers.

3DS1 was first deployed by VISA in the early 2000s, and while it was a step in the right direction, it came with notable issues. Among other things, it required credit card users to enrol in the system using static passwords that many would promptly forget. When making a purchase, 3DS assessed 15 rudimentary data elements to verify identity. And because 3DS shifted liability for fraudulent purchases to card issuers, they often took a ‘better safe than sorry’ approach that meant friction was all but guaranteed.

What’s more, a lot changed over the next 15 years – including the adoption of mobile as the go-to channel for Web browsing and purchases. With 3DS1, mobile users who couldn’t remember their passwords were redirected to a bank page that, more times than not, wasn’t optimized for mobile. SMS was used as an alternative, but presented problems of its own. Conversion rates promptly cratered. No wonder the US market has been less than enthusiastic about the protocol.

The rise of 3DS2

3DS2 was introduced in 2016 to address these shortcomings, and is designed to help secure payments while offering an improved checkout experience. 3DS2 is a major improvement because it:

  • supports mobile phones and other consumer-connected devices;
  • sends data to the issuing bank first when a purchase is made, to see whether the transaction needs additional verification;
  • requires challenges only for risky transactions; otherwise, a ‘frictionless flow’ process is initiated.

This enables merchants to integrate the authentication process into their checkout experiences. Issuing banks can authorize payments using risk-based authentication, with no additional steps required by consumers.

Enter: 3DS-2.1 and -2.2

First rolled out in 2019, 3DS 2.1 increases the number of data elements merchants send to issuers at the point of transaction to 100, with 20 required and the rest optional but recommended by EMVCo, the consortium behind the standards. With a richer dataset (including IP addresses, device information, email, merchant risk factors, and more), issuers can make better-informed decisions faster, enabling far more transactions to be handled without friction. 3DS 2.2 covers the same bases as 2.1, but adds the ability to authenticate through their acquirer or digital wallet provider.

Because of its use of two-factor authentication (including biometrics and token-based models, instead of static passwords), 3DS2 is central to the secure customer authentication (SCA) rules in the EU’s second Payment Services Directive (PSD2). As part of that version, merchants hitting low fraud thresholds can request exemption from SCA requirements from the issuer, providing for even faster transactions.

Catching on in North America

There are several reasons 3DS2 is gaining currency in the US and Canada.

  • sure, merchants and issuers doing business in the EU’s USD 300 billion ecommerce market are exempt from PSD2’s SCA requirements, but that could change;
  • regulatory fervour is spreading: Mexico, Australia and others have started to adopt SCA regimes;
  • it's just a matter of time before state or federal regulations require such standards, too.

It’s also just smart business. According to VISA Research, up to 72% of online shoppers have abandoned a shopping cart over security concerns. But 3DS2 has been shown to reduce checkout times by 85% and cart abandonment by 70%.

Best of all, North American issuers, merchants and others can leverage fully-hosted solutions that prevent up to 95% of fraudulent transactions with only 5% requiring challenges. All without the need for additional IT staffing or overhead. Considering the risks and rewards, adopting 3-D Secure 2.x sounds better by the minute.

About Reed Taussig

Reed Taussig is CEO of Outseer, a leading technology company in the fight against payments fraud. He is responsible for the overall strategy and execution of the business. Before joining Outseer, Taussig most recently served as an operating executive at Marlin Equity Partners. Prior to that, he was CEO of ThreatMetrix, a SaaS company and a leader in fraud prevention based on digital intelligence where he drove innovation and led growth. 


About Outseer

Outseer, an RSA company, empowers the digital economy to grow by authenticating billions of transactions annually. Our payment and account monitoring solutions increase revenue and reduce customer friction for card-issuing banks, payment processors, and merchants worldwide. Leveraging 20 billion annual transactions from 6,000 global institutions contributing to the Outseer Data Network, our identity-based science delivers the highest fraud detection rates and lowest customer intervention in the industry.


Keywords: 3-D Secure, online authentication, multi-factor authentication, online security, online payments
Categories: Securing Transactions | Digital Identity, Security & Online Fraud
Countries: World