3-D Secure
What do Verified by Visa, Mastercard SecureCode, and American Express SafeKey have in common?
- They’re all fraud protection tools based on a technology called 3-D Secure (often shortened to just 3DS).
- 3DS is a set of protocols named for the three domains of a transaction that it bridges: the merchant or acquirer, the issuing bank, and the payment network.
- The protocols are essentially operating rules designed to protect consumers and merchants by adding an additional layer of security to card-not-present (CNP) transactions.
- When a consumer is making a digital/online purchase rather than buying in a physical store, verifying the transaction and the identity of the consumer becomes increasingly important and challenging.
- The goal here is to ensure that credit/debit card transactions completed online are made by an actual cardholder.
- By swiftly exchanging the relevant information between the parties involved in a transaction, 3-D Secure helps limit fraudulent activity and gives greater certainty that a transaction is authentic.
- Card networks recommend that both issuing banks and merchants support the protocol.
The Issues with 3-D Secure 1.0
- 3-D Secure first entered the payments market in 1999, and the obvious issue was that the system was never designed with the proliferation of mobile devices in mind, which have now become a primary mode of online shopping for consumers.
- Moreover, customers were not happy with the amount of friction the system caused each time they needed to complete a payment online. 3-D Secure was not optional but was automatic at the end of a transaction.
- Customers were required to enroll with static passwords, which some were not able to remember later. This added frustration simply forced them to abandon the checkout process.
- The alternative to the static password was an SMS text message, which was even more frustrating. Shoppers who were abroad were not able to receive the SMS message.
- This was especially pronounced for mobile users, who were redirected to a bank page that was typically not optimized for mobile.
- It also often relied on a pop-up window where the customer had to enter their details, which made the merchant checkout page look even less secure and more vulnerable to cyber-criminal attacks.
- This resulted in a negative customer experience, as well as lower conversions for most merchants.
Enter 3-D Secure 2.0 (3DS2)
3-D Secure 2.0 (3DS2) is designed to address the issues that came with 3-D Secure, namely providing a frictionless experience without compromising on the security of the transaction.
So what does it mean in practice?
- With a 3DS protocol in place, customers must authenticate their identity through a password or a code delivered via SMS or email.
- After the cardholder submits their data, the merchant transmits it to the issuer for authentication.
- The issuer then reviews the transaction and assesses the consumer’s risk level.
- Only if the issuer considers the transaction to be of higher risk does it ask the merchant to have the cardholder perform additional step-up authentication.
- Consumers could be prompted to provide biometric information like a fingerprint, facial scan, or a one-time passcode.
Creating a Frictionless Flow with 3-D Secure 2.0
- 3DS1 authenticates cardholder information through a static password or PIN. Possessing both the card information and the passcode theoretically means the buyer and the cardholder are one and the same.
- 3-D Secure 2.0 collects roughly 10 times more data during the authentication process. This typically includes a combination of information from the merchant’s site or app, plus input from the customer’s device.
- All of this information is compared to existing customer data that the issuer has. The potential risk level of the transaction is assessed, automatically and in real-time.
- Based on this assessment, an estimated 90-95% of transactions pass into a “frictionless flow,” which allows the transaction to progress unchallenged. In other words, the result of the risk-based assessment provides enough authentication to approve most purchases with no additional input from the buyer.
- In a few cases, Strong Customer Authentication will be necessary. This is known as "Challenged flow". In these cases, the user will be asked to provide a secondary form of identification. The 3DS2 technology facilitates this as well, making the authentication process much more dynamic than before. By providing a smoother, faster, and much more accurate checkout experience, merchants benefit from more conversions and less churn.
Native Mobile Integration and Payment Options with 3-D Secure 2.0
- The original 3DS only supports browser-based transactions. It was never designed to work with mobile commerce. When 3DS protocols were attempted on mobile devices, there were issues with the pop-up window, page load speeds, and more. Some users found they were unable to access the 3DS authentication page at all.
- 3-D Secure 2.0 allows merchants to seamlessly integrate the 3DS interface into pre-existing mobile apps. Native authentication screens help maintain the look and feel of the user experience across the entire process. This, in turn, assures the cardholder that identification requests are a valid security measure.
- Again, for most transactions, authentication from mobile devices will require no further cardholder input. When necessary, however, biometric authentication can be reliably performed within the app.
- In addition to accepting standard card payments, 3DS 2.0 also works with mobile wallets like Apple Pay or Google Pay.
What does 3DS 2.0 mean for merchants?
- Merchants also benefit from a liability shift on qualifying 3-D Secure transactions. Under normal circumstances, the liability for fraudulent transactions lies with the merchant.
- Things change when the merchant is enrolled in a 3DS program (version 1.0 or 2.0). If the issuer successfully authenticates the customer through 3-D Secure, liability transfers (“shifts”) to the issuer.
- Reduced chargeback liability is a great win for the merchant because they lose both the revenue from the sale and the value of the inventory with a chargeback.
- Even if the customer claims that the merchant has charged them for an unauthorized transaction, the issuer will almost always be liable for the fraud.
- This does not mean, however, that merchants are off the hook: if the customer disputes a transaction using a non-fraud-related reason code, liability will remain with the merchant.
- 3DS 2.0 also allows merchants to activate a “non-challenge” mode. In situations where merchants prefer to use their own risk assessment mechanism, they can opt out of the authentication system. Here, the liability will remain with the merchant if the transaction involved ends up being fraudulent.
What does 3DS 2.0 mean for banks?
- As more merchants adopt 3DS2, issuing banks will need to perform greater authentication and authorize a greater share of CNP eCommerce transactions.
- Banks will also take in more data as a result of this new arrangement. As merchants transmit consumer data for authentication, banks will need to correlate the data and determine the transaction’s risk level.
- For example, does the customer information provided by the merchant, such as the customer’s email or IP address, match the email and IP address the bank has on file?
- If not, the bank can request the merchant to perform an additional authentication step.
- Banks will now own a greater share of liability for fraudulent transactions.
- At the same time, banks can’t add friction to the merchant’s customer experiences.
- If their authentication process is too cumbersome or contributes to cart abandonment, merchants will consider switching to a different bank.
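As an added illustration (not part of the original article, and not any issuer's or card scheme's actual logic), the Python sketch below shows the kind of issuer-side check described in the frictionless-flow section and in the email/IP example above: data forwarded by the merchant is compared with what the bank has on file, and the result selects the frictionless or the challenge flow. The field names, weights and threshold are assumptions, and the sample data is constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Illustrative weights and threshold (assumptions, not card-scheme values).
WEIGHTS = {"email": 40, "ip": 30, "device": 30}
CHALLENGE_THRESHOLD = 40

@dataclass
class OnFile:  # hypothetical record of what the issuer already holds
    email: str
    usual_networks: list  # CIDR ranges seen on earlier purchases
    device_ids: set

@dataclass
class AuthRequest:  # hypothetical data the merchant forwards for one purchase
    email: Optional[str]
    ip: Optional[str]
    device_id: Optional[str]

def mismatches(req, known):
    """Return the signals that do not match; missing data counts as a mismatch."""
    failed = []
    if not req.email or req.email.strip().lower() != known.email.strip().lower():
        failed.append("email")
    try:
        addr = ip_address(req.ip or "")
        if not any(addr in ip_network(net) for net in known.usual_networks):
            failed.append("ip")
    except ValueError:  # absent or malformed address: fail closed
        failed.append("ip")
    if req.device_id not in known.device_ids:
        failed.append("device")
    return failed

def assess(req, known):
    """Score the request and pick the flow the cardholder will see."""
    failed = mismatches(req, known)
    score = sum(WEIGHTS[name] for name in failed)
    flow = "challenge" if score >= CHALLENGE_THRESHOLD else "frictionless"
    return {"flow": flow, "score": score, "failed": failed}

# Constructed sample data (documentation IP ranges, made-up identifiers).
KNOWN = OnFile("alice@example.com", ["203.0.113.0/24"], {"dev-1"})

if __name__ == "__main__":
    print(assess(AuthRequest("Alice@Example.com", "203.0.113.45", "dev-1"), KNOWN))
    print(assess(AuthRequest("alice@example.com", "198.51.100.7", "dev-9"), KNOWN))
    print(assess(AuthRequest(None, None, None), KNOWN))
```

Treating a missing field as a mismatch matters here: a request that omits its email, IP or device data ends up in the challenge flow instead of passing as a silent match.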
Most importantly, 3DS 2.0 is greatly enhancing the customer experience by introducing Frictionless Flow through risk-based authentication.
Note: I learn by reading from different sources and noting down the key takeaways. This article is also part of my notes. If you find any errors or if you have any feedback, please let me know in the comments below.
--
(5 months) Under liability shift in the event of fraud, does the dispute add to the merchant fraud ratio? Can merchants use 3D as a standalone fraud solution?