
Prevent CNP Frauds with PCI 3DS

Mar 15, 2022

Over the last few years, e-commerce and digital payments have become a comfortable cosmos for millions of shoppers worldwide. Card-Not-Present (CNP) transactions, in particular, constitute a major chunk of online payments.

Card-not-present transactions

Essential to both in-store and online businesses, CNP payments reduce the risk of customer churn and cart abandonment. Imagine a customer who does not have a physical credit card at hand, or whose card is so battered that it cannot be scanned. They can still pay for the purchase using the CNP facility across the counter, over the telephone, or through digital channels.

But like most things in life, CNP payments are a double-edged sword. They are highly sophisticated, yet vulnerable to security breaches. Once a scamster gets hold of the card number, cardholder name, three-digit security code (CVV), and expiration date, stealing cash and identity becomes a cakewalk.

As of 2021, CNP frauds were 81% more common than card-present scams, resulting in tremendous costs to banks and merchants.

Cost of payment fraud

The cost associated with payment fraud is immense for banks, merchants, and payment service providers. They’ll have to deal with customer refunds, additional chargeback fees, fines, and investigation charges. Though the amount is usually refunded to the victim, it still causes distress and mistrust.

Best way to prevent CNP fraud — PCI 3DS

The way to avert CNP fraud is to implement stringent controls that validate the identity of the cardholder. PCI 3D Secure plays a significant role in enabling identity validation and access control, thereby reducing the costs and inefficiencies associated with payment fraud in a CNP scenario. Banks and card payment service providers need to comply with PCI 3DS protocols to fortify transaction security.

What is PCI 3DS?

PCI 3DS is an advanced EMV messaging procedure that authenticates cardholders when making online purchases. It facilitates seamless data exchange between merchants, cardholders, and card issuers, thereby providing an additional layer of security to avoid CNP fraud and make e-commerce secure.

Key components of PCI 3DS Core Security Standard

The PCI 3DS Core Security Standard serves as a framework for EMV 3DS functions to execute security controls. It supports the integrity and confidentiality of 3DS transactions and pertains to institutions that leverage 3DSS, DS, and ACS, the key components of the PCI 3DS security standard.

Here’s a quick peek into what each component means.

• 3DS Server (3DSS) provides the functional interface between the 3DS requester environment and the DS.

• 3DS Directory Server (DS) holds the list of valid card ranges for which authentication may be available. Further, it also coordinates communication between the 3DSS and the ACS systems to ascertain whether authentication mechanisms are available for a particular card number and device type.

• 3DS Access Control Server (ACS) comprises the authentication rules and is managed within the issuer domain.
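To make the division of labour between the three components concrete, here is an added toy model of the flow (illustration only, not M2P's, PCI SSC's or EMVCo's code): the 3DSS hands a request to the DS, the DS looks the card number up in its card ranges to find the issuer's ACS, and the ACS applies its own authentication rules. The card ranges, the amount-based challenge rule, the device types and the test PANs are all constructed values, and the message shapes are simplified.

```python
"""Simplified model of the 3DSS, DS and ACS roles described above.

Constructed illustration; card ranges, ACS rules and PANs are sample values.
"""
from dataclasses import dataclass, field


@dataclass
class AccessControlServer:
    """Issuer-domain component that holds the authentication rules."""
    issuer: str
    challenge_above: float  # constructed rule: step up the customer above this amount
    allowed_devices: set = field(default_factory=lambda: {"browser", "app"})

    def authenticate(self, amount: float, device: str) -> str:
        # Simplified outcome codes: Y = authenticated without friction,
        # C = challenge required, U = unable to authenticate on this device.
        if device not in self.allowed_devices:
            return "U"
        return "C" if amount > self.challenge_above else "Y"


@dataclass
class DirectoryServer:
    """Holds the card ranges and routes each request to the matching ACS."""
    ranges: list  # (low, high, acs) with low/high as integers over the full PAN

    def route(self, pan: str):
        n = int(pan)
        for low, high, acs in self.ranges:
            if low <= n <= high:
                return acs
        return None  # no ACS registered: authentication not available


class ThreeDSServer:
    """Requester-side interface: asks the DS and returns a transaction result."""
    def __init__(self, ds: DirectoryServer):
        self.ds = ds

    def request_authentication(self, pan: str, amount: float, device: str) -> dict:
        # Keep only first six and last four digits in anything that gets logged.
        masked = pan[:6] + "*" * (len(pan) - 10) + pan[-4:]
        acs = self.ds.route(pan)
        if acs is None:
            return {"pan": masked, "status": "N", "reason": "no ACS for card range"}
        return {"pan": masked, "issuer": acs.issuer,
                "status": acs.authenticate(amount, device)}
```

Note that the 3DSS never sees the issuer's rules and the ACS never sees the merchant's card-range table; each party only holds the data its role needs, which is what the separate PCI 3DS requirements for each component protect.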

The physical and logical security requirements for the PCI 3DS Core Security Standard are structured as follows.

Baseline Security Requirements

  • These are technical and operational security requirements that reflect general information security principles and practices common to industry standards.
  • These requirements should be considered for all types of environments.

3DS Security Requirements

  • They provide security controls specifically intended to protect 3DS data, technologies, and processes.

Difference between PCI 3DS and PCI DSS

The PCI 3DS and PCI DSS are two separate standards intended for varying requirements and entities. The PCI 3DS applies to environments where 3DSS, ACS, and/or DS functions are performed, whereas PCI DSS applies wherever payment card account data is stored, processed, or transmitted.

If you want to know more about PCI DSS, check out our blog on the 12 REQUIREMENTS OF PCI DSS.

Most 3DS entities have both PCI 3DS and PCI DSS responsibilities. In some cases, a 3DS entity does not store, process, or transmit any payment card account data. For instance, in the case of EMV payment tokens, the 3DS entity is involved ONLY in 3DS transactions. The 3DS entity may not be subject to PCI DSS in this scenario. In all other cases, entities should refer to their acquirer and/or the payment brand(s) to determine their compliance obligations under each PCI standard.

So, are you looking to get PCI DSS certified and compliant? We can help.

M2P has extensive experience in ensuring compliance for numerous players in the card payment industry. Write to us at business@m2pfintech.com, and let’s get started!

Here’s to more dynamically authenticated 3DS transactions!


2 Comments

  1. Elmer Dibblee

    Wonderful post, very informative. I wonder why the other experts of this sector do not notice this. You should continue your writing. I’m confident you have a great readers’ base already!

    Reply
  2. Granville Piccoli

    Thank you for the great content. I am glad I have taken the time to see this.

    Reply
