
3D Secure: Your Barrier against Cyber Attacks

Oct 28, 2021

2020–21 signified not just hopeful resilience, digital transformation, and the rise of cashless societies.

It witnessed a massive tug of war.

A tussle between quick, convenient digital payments and the need to secure transactions against cyber attacks, and the struggle to prevent payment fraud while trying to increase the transaction success rate, decrease authentication time, reduce checkout time, lower the cart abandonment rate and keep customers loyal.

Rise of Payment Frauds

With over 36% of online shoppers opting for prepaid cards (digital wallets), 32% credit cards, and 21% debit cards, there is a tremendous rise in the value and volume of card payments. Sophisticated cybercriminals are finding novel ways to hack into networks to steal identity, money, and data.

In Q2 2021 alone, card fraud attempts rose by 23% QoQ. As merchants and online businesses are the primary target of fraudsters, losses from future card frauds are expected to hit over $40 billion by 2027.

Payment security, best customer experience tool

Though consumers are enthusiastic about the convenience, seamlessness, and speed that card-based transactions offer, they are highly wary of losing money, data, or identity to cybercriminals.

Shopping websites without secure credit card checkouts and card payment processing infrastructures are usually easy to infiltrate, manipulate and steal from. Such vulnerable ecommerce websites lose business in a heartbeat as customers seek to steer clear of security issues, even if the products are economically priced.

The need to protect consumer data and money has propelled digital security into the limelight. Today payment security is the best customer experience tool for businesses. In fact, it is a key differentiator for banks, fintech firms, and other financial institutions to thrive in the digital age.

3D Secure to the rescue

Before the advent of 3D Secure, typical Card Not Present (CNP) scenarios were a highly sensitive, vulnerable affair. The physical absence of the cardholder and the card exposed online transactions to systemic risks and CNP fraud. As the customer had to enter only the card number and CVV without any further validation, it was easy for fraudsters to use a stolen CVV and billing address, and merchants found it challenging to verify the purchaser's identity.

Just then, 3D Secure (3DS) came to the rescue of both businesses and consumers by providing that extra layer of authentication. It tied financial authorization with Strong Customer Authentication (SCA) to reduce fraud and meet regulatory requirements.

Envisioned and developed by Visa Inc. in 2001, 3DS emerged as the best tool to combat cyber threats involving card-related fraud, theft, and data breaches. Soon other network giants integrated Visa's 3D Secure standard under their own branding to deliver MasterCard SecureCode (MasterCard), SafeKey (American Express), ProtectBuy (Diners Club International/Discover), and J/Secure (JCB).

What is 3D Secure?

3D Secure stands for Three-Domain Secure. It is an additional authentication step built on a three-domain model.

  • Acquirer domain (bank and merchant)
  • Issuer domain (card issuer)
  • Interoperability domain (card infrastructure, network, merchant plug-in, access control server, and other software providers)

3D Secure is instrumental in verifying the cardholder’s identity before payment authorization. The goal is to shield the card from unauthorized usage.

For merchants, it helps transfer the liability of fraudulent transactions to issuers. For the user, it acts as a crucial layer of authentication that authorizes and secures transactions.

How does 3D Secure work?

3D Secure hinges on XML messages exchanged over a secured channel using Internet Security Protocol (ISP) and Secure Sockets Layer (SSL)/Transport Layer Security (TLS).

Here’s the process 3D Secure follows.

  • The issuer must enroll the card for 3DS authentication
  • Simultaneously, the merchant must implement the 3D Secure protocol by installing a Merchant Plug-In (MPI)
  • The MPI will communicate with the card issuer to validate if the card is enrolled in the 3D Secure service
  • If the card is enrolled and the merchant receives a positive response, a window opens, prompting the cardholder to enter the authentication credential (for example, a password)
  • If the password is correct, the transaction will be approved, and the payment will go through
  • If the password is wrong, the transaction will be declined

3D Secure and Liability Shift

One of the primary advantages 3D Secure offers merchants is a full liability shift for fraudulent transactions. Gone are the days when merchants were liable for chargebacks because of fraud.

Today 3DS enables a liability shift that spares the merchant from fraud-related chargebacks. If the cardholder denies making a transaction and files a dispute, the card-issuing bank takes responsibility and does not pass the chargeback on to the merchant.

Why 3D Secure 2.0?

The liability shift that merchants enjoyed in 3D Secure 1.0 often came at the cost of conversion rates and resulted in higher cart abandonment rates. The 1.0 version lengthened the checkout process and had no mobile-friendly flows or integrations. Hence customers became irate and abandoned carts to move on to greener pastures that offered quick yet secure checkouts.

That is when EMVCo announced 3D Secure 2.0 in 2015.

EMVCo is a six-member organization that includes American Express, Discover, JCB, MasterCard, UnionPay, and Visa. It has been instrumental in drafting and releasing 3DS specifications suited to new-age businesses.

EMVCo released 3DS 2.1.0 in November 2017, and the updated version, 3DS 2.2.0, in December 2018.

What is 3D Secure 2.0 all about?

Though every business aims for a higher conversion rate, it shouldn’t be at the expense of security.

The good news with 3D Secure 2.0 protocol is that merchants can enjoy both higher conversions and lower fraud risk. It provides the best of both worlds by facilitating better exchange of information between acquirer, issuer, and interoperability domains.

The new 3DS 2.0 protocol addresses the gaps left by 3D Secure 1.0. It delivers a seamless customer experience without the password authentication the older version required. The 2.0 version accelerates purchase completion, lowers checkout hassle and shortens waiting time, and consumers no longer have to remember multiple passwords.

Versatile token-based biometric authentication

3DS 2.0 simplifies the transaction validation process by leveraging token-based biometric authentication such as face or voice recognition. It does not depend on the static password for validation, and it supports non-browser devices such as wearables, digital wallets, and in-app purchases.

Furthermore, the primary highlight of this improved protocol is that it offers improved risk assessment comprising over 100 data points. The greater the amount of information the system analyzes while authenticating a transaction, the better the chances of avoiding fraud.

Experts say that the 3DS 2.0 can reduce the checkout time by 85% and cart abandonment rates by 70%.

3DS 2.0 also allows the card verification process to be separated from the payment flow. Validation occurs before the actual payment, so subsequent authorizations happen much faster. Merchants and mobile wallets that save card details for faster payments will benefit from this functionality.

The Access Control Server (ACS) is the lifeblood of the 3D Secure protocol. It is the server that allows a cardholder's credentials to be validated for payment authentication. It is an authentication, authorization, and accounting (AAA) platform that enables centralized access to network resources across devices, users, and groups.

The ACS belongs to the issuer domain. Issuing banks issue cards to consumers who, in turn, use the cards for online purchases. The issuing banks need an ACS for the following purposes.

  • Get 3D Secure inputs
  • Process the inputs to authenticate the cardholder
  • Notify authentication status
  • Accept/decline the transaction

To deploy and run 3D Secure, card issuers and program managers must integrate with a full Access Control Server.

Advantages of 3D Secure 2.0

The updated version was released primarily to address the gaps in 3DS 1.0. Check out its advantages below.

Strong and frictionless customer authentication

Asking customers to remember passwords may result in cart abandonment, as forgetting passwords is a common occurrence. As a result, customers often choose weak passwords that are simple to remember and easy to crack.

To address this roadblock, 3DS 2.0 employs dynamic authentication such as biometric ID and out-of-band authentication such as mobile one-time passwords (OTP). It also extends the scope of authentication to in-app purchases and non-payment scenarios, such as adding a new card to a digital wallet. These changes result in an improved user experience.

Data elements

3D Secure 2.0 enables businesses and payment providers to send additional data elements with every transaction to the cardholder's bank. These data points include payment-specific and contextual data that the issuing bank can use to assess the transaction's risk level. After analyzing the data points, the issuing bank chooses one of the following two flows.

  • Frictionless flow — If the data element is enough for the bank to trust that a particular transaction has originated from the genuine cardholder, the transaction will go through the “Frictionless Flow”. The transaction authentication will also be completed without any additional inputs from the cardholder.
  • Challenge flow — If the issuing bank decides that it needs more proof, then the transaction will be routed towards the “Challenge flow” where the customer will be asked to provide additional details for payment authentication.

Risk-based authentication

Risk-based authentication is the process of determining whether a risk is attached to a particular transaction. Based on the risk level, the transaction goes through the frictionless or the challenge flow. The additional data elements available at the time of the transaction help both the issuer and the merchant make an informed decision that guides them to the correct 3DS flow. The risk categories are based on elements such as the following.

  • Transaction value
  • Customer status (New or existing)
  • Transaction history
  • Customer behavior history
  • Device information

We can also diversify the benefits according to the players involved in the 3D Secure ecosystem.

  • Issuers can improve their “frictionless authentication” angle by leveraging the exchange of data to make smart decisions for risk assessment
  • They can decide whether the cardholder needs to be challenged
  • The cardholder can even enjoy the benefit of choosing their preferred payment mode without worrying about security
  • Merchants can offer easy-to use service across devices and platforms during transaction authentication
  • Simultaneously, they can address the problem of high cart abandonment rates
  • Customers will experience a service that is completely convenient and secure, independent of the device they use

3D Secure provides these benefits without impacting the customer in any way.

What makes 3D Secure 2.0 so popular?

The first version of 3D Secure was designed during the beginning of the internet revolution, while 3D Secure 2.0 came after the rise of digital platforms and smartphones.

3DS 2.0 provides an improved user experience that does not require page redirects. Merchants can embed the "Challenge Flow" directly within mobile and web checkout flows. Mobile Software Development Kits (SDKs) available for shopping apps offer in-app authentication and avoid browser redirects.

  • 3D Secure 1: Mobile authentication flow with browser-redirect
  • 3D Secure 2: Improved mobile authentication flow within the app

SCA, PSD2 & RBI

Strong Customer Authentication (SCA) is a regulatory requirement of the second Payment Services Directive (PSD2), as set forth by the European Union. 3D Secure 2.0 complements SCA, which is a mandatory part of PSD2. It is an upgraded security protocol that authenticates online payments using a combination of at least two of the following elements.

  • Something the customer knows: One-time password (OTP), SMS code, PIN, security question or password
  • Something the customer owns: Smartphones, credit or debit card, token or wearable device
  • Something the customer is: Biometric data like facial scan, voice recognition, iris scan or fingerprint.

But SCA also allows exemptions from 3D Secure authentication in the following scenarios.

  • Low-value transactions
  • Low-risk transactions
  • Recurring transactions
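A worked issuer-side routing example in Python, added here and not code from the original post or from M2P's ACS: it scores the five risk elements listed under risk-based authentication to choose the frictionless or challenge flow, applies the low-value and recurring exemptions listed above, and checks that a challenge draws on two of the three SCA factor categories. Weights, thresholds and the factor-to-category mapping are constructed assumptions, not scheme or PSD2 values.

```python
from dataclasses import dataclass

@dataclass
class AuthRequest:
    """Constructed subset of the data elements a 3DS 2.0 authentication request carries."""
    amount: float                # transaction value
    new_customer: bool           # customer status
    prior_transactions: int      # transaction history with this merchant
    typical_amount: float        # behaviour history: the cardholder's usual spend (0 = unknown)
    device_known: bool           # device information: fingerprint seen before for this card
    recurring: bool = False      # merchant-initiated recurring payment

# Thresholds and weights are constructed for illustration, not regulatory or scheme values.
LOW_VALUE_LIMIT = 30.0
CHALLENGE_SCORE = 50

def risk_score(req: AuthRequest) -> int:
    """Issuer-side scoring: each risk signal adds its weight; higher means riskier."""
    signals = [
        (req.new_customer, 30),
        (req.prior_transactions == 0, 15),
        (not req.device_known, 25),
        (bool(req.typical_amount) and req.amount > 3 * req.typical_amount, 30),
        (req.amount > 500, 20),
    ]
    return sum(weight for hit, weight in signals if hit)

def route(req: AuthRequest) -> dict:
    """Pick an SCA exemption or the frictionless/challenge flow, and give the reason."""
    score = risk_score(req)
    if req.recurring and req.prior_transactions > 0:
        return {"flow": "frictionless", "reason": "recurring exemption", "score": score}
    if req.amount <= LOW_VALUE_LIMIT and score < CHALLENGE_SCORE:
        return {"flow": "frictionless", "reason": "low-value exemption", "score": score}
    if score < CHALLENGE_SCORE:
        return {"flow": "frictionless", "reason": "low risk", "score": score}
    return {"flow": "challenge", "reason": "risk score above threshold", "score": score}

# Assumed mapping of challenge methods onto the three SCA categories (knows / owns / is).
FACTOR_CATEGORY = {
    "password": "knowledge", "pin": "knowledge", "security_question": "knowledge",
    "card": "possession", "smartphone": "possession", "wearable": "possession",
    "fingerprint": "inherence", "face": "inherence", "voice": "inherence",
}

def sca_factors_ok(methods: list) -> bool:
    # A challenge satisfies SCA only if it uses methods from at least two distinct categories.
    return len({FACTOR_CATEGORY[m] for m in methods}) >= 2
```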

If an entity operates in the European region, the SCA and PSD2 guidelines need to be implemented, and 3D Secure 2.0 helps businesses stay compliant with PSD2 regulations.

It is not just the countries of the European Union; India too has made 3D Secure a mandatory requirement. Reserve Bank of India guidelines necessitate the use of a 3DS password to ensure a secure online shopping experience. This step thwarts misuse of a lost or stolen card, as the user will not be able to transact without entering the correct 3DS password associated with the card.

How can you enable 3D Secure for your business?

As a merchant, it is imperative that you enable 3D Secure for safe card payments and greater customer loyalty.

But don't worry about the hassle of deploying 3D Secure functionality on your own.

Armed with 3DS 1.0 and 3DS 2.0 capabilities, we can help protect your card transactions using our Access Control Server (ACS). Our API-led ecosystem facilitates frictionless card enrollment and data updates from independent card issuing systems.

For increased success rate and customer convenience, we deliver seamless Additional Factor of Authentication (AFA) options as follows.

  • One-Time Password (OTP)
  • Swipe to Pay
  • Biometric authentication
  • V-OTP (Voice OTP)

To increase your revenue potential, we also enable EMI conversions on the ACS page. Our insightful dashboard gives you instant access to product metrics and funnel charts. You can also customize the ACS page design for greater brand recall, with custom events for enhanced monitoring.

Why M2P?

Our proprietary seamless authentication process enables issuers to increase success rates by 3–4% and decrease authentication time by almost 60%.

Our cloud-native platform comes with an incredible go-to-market speed of 3 to 4 weeks and a minimal cost of ownership.

Can’t wait to increase your transaction success rate and decrease authentication time?

Want to know more about personalizing the ACS experience for your consumers?

Drop us a message at business@m2pfintech.com

Our expert team will get in touch with you as soon as possible.
