What Is The New 3-D Secure Specification For Payments and Transactions?
One of the biggest challenges the payments industry has had to overcome has been balancing fraud prevention against the customer experience. Fraud prevention isn’t a new development. It has been a concern for years, which is why Visa developed a protocol known as “3D Secure” over 15 years ago.
Overview of 3D Secure
3D Secure, which stands for “Three Domain Secure,” refers to the three domains involved in securing the cardholder’s information:
- The acquirer domain: the Acquiring or Merchant’s bank.
- The interoperability domain: the Card Association’s financial networks, i.e., Mastercard and Visa.
- The issuer domain: the Issuing or Cardholder’s bank.
In the original version of the system, authentication happens during checkout: the cardholder’s browser is diverted, usually in a pop-up window or inline frame, to the bank that issued the card, which requests a secret password or PIN. Since that password or PIN was known only to the cardholder, it would presumably prevent fraudsters from completing unverified transactions with a stolen card number.
That’s not to say that was a foolproof system.
As Kaleigh Simmons points out in the Rippleshot Blog, “In reality, it fell victim to most password-reliant systems. Consumers either chose passwords that were easy to remember, and easy to guess, defeating the purpose. Or, they chose passwords that were difficult to guess, and just as difficult to remember.”
“For years, merchants and consumers alike complained of the difficulties in successfully completing a 3D Secure-authenticated transaction, and cart abandonment that followed,” Simmons adds. “While forgetting passwords was a common issue, another factor came into play – the browser pop-up itself. Because most issuers outsource the process to their access control server vendor, the domain of the pop-up window was usually absent of any bank or card network information that would make them feel it was trustworthy. This also left an opening for phishing schemes to capitalize on since it is hard to identify which URLs were secure versus which weren’t.”
Another concern was the fact that cardholders first had to sign up with their bank and activate the 3-D Secure service, such as MasterCard SecureCode, Verified by Visa, or American Express SafeKey.
Because of these issues, the technical body EMVCo, working with the PCI Security Standards Council, has released the EMV 3-D Secure Protocol and Core Functions Specification v2.0.0 (the EMV 3DS 2.0 Specification).
What’s New in 3-D Secure Version 2.0?
“3DS 2.0 is essential to introduce improved authentication, and we are excited to be working hand-in-hand with EMVCo to ensure all payment channels,” said PCI Security Standards Council Chief Technology Officer, Troy Leach. “The marketplace is changing every day, and with mobile payments projected to continue to rise, it is of vital importance that the security concerns be addressed in the design of the authentication system to keep up with the evolving threats.”
According to GPayments, here are the differences in 3-D Secure version 2.0:
While version 1 will continue to be available, 3-D Secure 2.0 will use token-based and biometric authentication instead of static passwords. By supporting additional data during a transaction, risk-based decisions on whether to authenticate or not will be possible. The consumer experience will also be simplified and enhanced, starting with the elimination of the initial sign-up process and removing the need for cardholders to use static passwords. Merchants will see fewer transaction abandonments by customers, for the same reasons. EMVCo, jointly owned by American Express, Discover, JCB, MasterCard, UnionPay, and Visa, is responsible for the EMV 3DS 2.0 specification and the certification program to go with it.
Specifically, the new version updates the specification as follows:
- Supports app-based purchases on mobile and other consumer devices as well as traditional browser-based e-commerce channels.
- Improves the consumer experience by enabling intelligent risk-based decisions that encourage frictionless consumer authentication.
- Delivers industry-leading security features.
- Specifies use of multiple options for step-up authentication, including one-time passcodes as well as biometrics via out-of-band authentication.
- Details functionality that enables merchants to integrate the authentication process seamlessly into their checkout experiences, for both app- and browser-based implementations.
- Offers performance advancements for end-to-end message processing.
- Adds a non-payment message category to provide cardholder verification details in support of various non-payment activities.
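The risk-based flow the list above describes (richer transaction data in the authentication request, a frictionless pass for low-risk purchases, and a one-time-passcode step-up only when the issuer wants more assurance) is easier to see as a message exchange. The toy below is an added illustration written for this page; it is not code from the page, from GPayments or from EMVCo. Only the message names (AReq, ARes, CReq, CRes) and the transStatus values Y, C and N follow EMV 3DS 2.0 conventions. The additive risk score, its thresholds, the data-element names it scores on, the demo issuer key, the stand-in cryptogram format and the three sample transactions are all constructed assumptions.

```python
"""Toy model of an EMV 3-D Secure 2.0 risk-based authentication exchange.

Added illustration, not code from the page, GPayments or EMVCo. Message names
(AReq, ARes, CReq, CRes) and the transStatus values Y / C / N follow EMV 3DS 2.0
conventions; the risk score, thresholds, scored field names, demo key and
sample transactions are constructed assumptions.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class AccessControlServer:
    """Issuer-side ACS: scores the AReq and chooses frictionless, step-up or decline."""
    secret: bytes                       # constructed issuer key for the demo cryptogram
    challenge_threshold: int = 40       # assumed: score at or above this -> challenge ("C")
    decline_threshold: int = 80         # assumed: score at or above this -> decline ("N")
    pending: dict = field(default_factory=dict)       # transID -> OTP awaiting a CReq
    out_of_band: list = field(default_factory=list)   # stands in for the SMS/app channel

    def score(self, areq: dict) -> int:
        """Assumed additive score over the richer data 3DS2 carries in the AReq."""
        s = 0
        if areq["purchaseAmount"] > 50000:              # minor units: above 500.00
            s += 30
        if not areq["deviceSeenBefore"]:
            s += 25
        if areq["shipAddress"] != areq["billAddress"]:
            s += 20
        if areq["merchantRiskIndicator"] == "high":
            s += 30
        return s

    def handle_areq(self, areq: dict) -> dict:
        tx = areq["threeDSServerTransID"]
        score = self.score(areq)
        if score >= self.decline_threshold:
            return {"messageType": "ARes", "threeDSServerTransID": tx, "transStatus": "N"}
        if score >= self.challenge_threshold:
            # Step-up: the one-time passcode goes to the cardholder out of band,
            # never inside the ARes that the merchant sees.
            otp = f"{secrets.randbelow(10 ** 6):06d}"
            self.pending[tx] = otp
            self.out_of_band.append((tx, otp))
            return {"messageType": "ARes", "threeDSServerTransID": tx, "transStatus": "C"}
        return {"messageType": "ARes", "threeDSServerTransID": tx, "transStatus": "Y",
                "authenticationValue": self._auth_value(tx)}

    def handle_creq(self, creq: dict) -> dict:
        tx = creq["threeDSServerTransID"]
        expected = self.pending.pop(tx, None)   # one attempt: any entry consumes the code
        ok = expected is not None and hmac.compare_digest(expected, creq["challengeDataEntry"])
        cres = {"messageType": "CRes", "threeDSServerTransID": tx, "transStatus": "Y" if ok else "N"}
        if ok:
            cres["authenticationValue"] = self._auth_value(tx)
        return cres

    def _auth_value(self, tx: str) -> str:
        # Stand-in for the cryptogram the ACS returns on success; constructed format.
        return hmac.new(self.secret, tx.encode(), hashlib.sha256).hexdigest()[:28]


def checkout(acs: AccessControlServer, areq: dict, cardholder_enters_otp) -> tuple:
    """Merchant-side view of the exchange; returns (transStatus, authenticationValue)."""
    ares = acs.handle_areq(areq)
    if ares["transStatus"] != "C":
        return ares["transStatus"], ares.get("authenticationValue")   # frictionless or declined
    creq = {"messageType": "CReq", "threeDSServerTransID": areq["threeDSServerTransID"],
            "challengeDataEntry": cardholder_enters_otp()}
    cres = acs.handle_creq(creq)
    return cres["transStatus"], cres.get("authenticationValue")


def sample_areq(tx: str, **overrides) -> dict:
    """Constructed AReq for a returning customer; override fields to raise the risk."""
    base = {"threeDSServerTransID": tx, "purchaseAmount": 2500, "deviceSeenBefore": True,
            "shipAddress": "A", "billAddress": "A", "merchantRiskIndicator": "low"}
    return {**base, **overrides}


def demo() -> dict:
    """Three constructed transactions: frictionless, challenged then passed, declined."""
    acs = AccessControlServer(secret=b"demo-issuer-key")
    return {
        "returning": checkout(acs, sample_areq("tx-1"), lambda: "")[0],
        "new_device": checkout(acs, sample_areq("tx-2", deviceSeenBefore=False, shipAddress="B"),
                               lambda: acs.out_of_band[-1][1])[0],   # cardholder reads the OTP
        "high_risk": checkout(acs, sample_areq("tx-3", purchaseAmount=60000, deviceSeenBefore=False,
                                               shipAddress="B", merchantRiskIndicator="high"),
                              lambda: "")[0],
    }


if __name__ == "__main__":
    print(demo())   # {'returning': 'Y', 'new_device': 'Y', 'high_risk': 'N'}
```

Two points the code makes that the list does not: the merchant never sees the passcode (it travels out of band, and the ACS only compares what the cardholder types in the challenge window), and the code is single-use, so a replayed CReq after a successful challenge is rejected. A real ACS would score on many more data elements and allow a small number of retries; the thresholds here exist only to drive the three outcomes.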
“Besides security, the consumer experience is central to EMVCo’s work,” said Jonathan Main, Chair of the EMVCo Board of Managers. “In addition to engaging with industry experts, we conducted user testing in multiple markets to understand consumer preferences for verifying their identity online. Feedback has been incorporated into the new global specification to also accommodate country-specific preferences and regulatory requirements.”
Main adds, “The new specification gives industry the flexibility to effectively support new technology developments as consumer payments become increasingly digitized. We would like those interested in the evolution of the EMV 3DS 2.0 Specification to get involved to ensure their long-term requirements are considered for the future.”
What Does This Mean For Payments and Transactions?
According to Alex Rolfe on Payments Cards & Mobile, “Merchants will have the ability to better integrate the authentication process into the shopping experience, providing a more user-friendly authentication experience, which can translate to higher conversion rates and increased sales.”
Additionally, “Issuers will have access to more data, helping them to make more informed transaction decisions. For consumers, paying online will be as fast, simple and convenient as ever. And as always, Visa’s Zero Liability policy guarantees that cardholders won’t be held responsible for unauthorized charges made with their account, online or offline.”