3D Secure: A new era for payment authentication and customer experience
Jeremy Bellino | senior fraud and authentication manager | Worldpay from FIS®
July 30, 2019
A leading payment security expert explains how a new protocol, 3D Secure, is helping to secure payment authentication while promoting frictionless customer experiences.
What is 3D Secure (3DS)?
3D Secure is a primary mechanism for authenticating card payment transactions globally. Strong Customer Authentication (SCA) is a requirement of PSD2, the second EU Payment Services Directive, which regulates payment services and payment service providers throughout the European Economic Area (EEA) and the U.K. SCA requires businesses to use multifactor authentication to verify payments unless certain exceptions apply.
The original 3DS protocol, first introduced in 1999, added friction to the shopper checkout experience (CX) in the form of a static password. Though effective in preventing fraud, the password requirement at checkout resulted in a poor user experience and increased cart abandonment rates, reducing customer loyalty and draining merchant revenues. 3DS got the security part right, but the customer experience part wrong.
To address this pain point, EMVCo and the major credit card schemes introduced the next generation of 3D Secure, EMV 3DS, commonly known as 3DS2. It enables a frictionless flow through enhanced risk-based authentication, and a range of shopper-friendly authentication flows where a payment authentication challenge is required.
Busting the myth of 3D Secure and poor customer experience
The myth of 3DS is that the poor customer experience offered by the first version of the protocol continues to this day. But with 3DS2, the consumer experience is at the forefront of its functionality. 3DS2 is gaining ground, and customer experience is the key to its adoption, according to the findings from the Global Payment Risk Mitigation Report by Worldpay from FIS®.
An overwhelming majority of merchants surveyed for the report (82%) say they use either 3DS or 3DS2. Rather than being a blocker, the customer experience enhancements to 3DS2 are turning CX into a winner for 3DS2. The factor most commonly cited as influencing adoption of 3DS authentication, named by most merchants (60%), was that 3DS2 provided a better CX.
Other factors influencing merchant adoption of 3D Secure included the ability to integrate 3DS into existing technology stacks with little customization (50%), while four in ten merchants cited the relatively low cost of 3D Secure.
The reality of secure payment authentication and exceptional CX
Here are the five primary benefits of payment authentication with 3DS2 that describe the reality for merchants who use the technology today:
1 - More data for better risk assessments
3DS2 lets the merchant send 10 times more data to issuers with each transaction compared to 3DS1. Through the device data collection (DDC) process, 3DS2 can capture details related to the device and environment being used by the consumer. Issuers can use this data to make more informed assessments of transactions and determine whether the shopper is the legitimate cardholder.
If an issuer is confident that the transaction presents a low risk, they can authenticate the payment without any further input from the shopper, known as risk-based authentication. This is commonly referred to as a frictionless flow because the shopper journey is seamless.
For higher-risk transactions, issuers will choose a shopper-friendly way to authenticate the cardholder (e.g. biometrics), commonly referred to as a challenge flow.
The good news is that merchants already submit most of the data required for payment authentication. In the background, Worldpay from FIS and other parties can now supplement this data to include:
More data and better risk decisions result in less fraud.
2 - Optimized shopper challenges
If an issuer deems a transaction to be high risk, shoppers are presented with a challenge to prove they are the legitimate cardholder.
With 3DS1, shoppers had to input characters from a static password. Since passwords are often forgotten, this scenario often led to cart abandonment. With 3DS2, static passwords are replaced with modern, shopper-friendly challenges that are optimized for both browser and mobile environments. These challenges are designed to let cardholders get through the challenge experience with minimal friction.
Typically, shoppers will be presented with one of the following challenges:
Enhanced one-time password (OTP)
Issuers use the cardholder's registered mobile device to send an OTP. The shopper receives the text message and enters the password to continue with their purchase. Many devices can automatically read these text messages and populate the password field to further minimize friction.
3DS2 was created with shopper-friendly challenges in mind, leveraging technology that is now prevalent with online shoppers. Biometric challenges involve using smartphone capabilities to authenticate shoppers, such as fingerprints or facial ID readers.
Out-of-band authentication (OOBA)
OOBA lets shoppers use their online banking app to seamlessly authenticate their payment transactions. Shoppers are directed to their mobile banking apps and log in as they already do to authenticate payment transactions.
3 - Liability shift
3D Secure is a cardholder authentication protocol backed by the major credit card schemes. It helps card issuers with online shopping authentication by confirming the identity of their cardholder. If the shopper's card is enrolled in a 3DS program and the issuer has confirmed their identity, the liability for fraud-related chargebacks on that payment transaction shifts from the merchant to the card issuer.
For 3DS2, the rules of liability have changed slightly, providing even greater benefits for merchants. If a merchant tries to authenticate a transaction, and the issuer does not take part in either 3DS1 or 3DS2 programs, then the liability still shifts to the issuer.
4 - Integrated with the shopping experience
Optimizing the 3DS experience and embedding it as part of the shopper journey reduces friction, leading to increased sales and increased fraud protection. 3DS2 has been designed to work regardless of how a shopper is interacting with a merchant's website or mobile app.
For browser-based flows, the challenge is embedded into checkout pages through an optimized iframe. For mobile transactions, Worldpay can provide iOS and Android SDKs that allow challenges to be embedded into the checkout flow and automatically rendered for the device in use.
5 - Increased acceptance
Payment authentication allows merchants to reduce the acceptance gap between point of sale (POS) and online/card-not-present (CNP) transactions. As issuers know more about authenticated payment transactions, using 3DS2 could help increase acceptance rates compared with non-authenticated transactions.
To learn more about how 3DS2 is helping merchants protect what they earn, download the Worldpay from FIS Global Payment Risk Mitigation Report. The report offers an overview of the payment fraud landscape merchants face in 2020, an overview of existing payment fraud solutions, and a roadmap with key takeaways for merchants looking to gain more control over their revenues in 2021 and beyond.
How Worldpay from FIS can help
Worldpay offers 3DS Flex, a leap forward in the form of a new payment authentication platform that lets merchants leverage these five benefits. 3DS Flex offers a market-leading global 3DS solution with a flexible approach. Merchants can optimize their risk appetite and shopper experience, driving sales uplift while reducing fraud, and 3DS Flex makes it easy for merchants to navigate the complex regulations of PSD2 and other scheme and regional mandates.