All about 3-D Secure and 3-D Secure 2.0 (UPDATED)
The most frequent and annoying security issues in e-Commerce are, by far, fraudulent transactions. 3-D Secure is a tool that can reduce the number of fraudulent transactions.
The needs of consumers and merchants change constantly. As a result, 3-D Secure 2.0 has been developed. Whether you are selling physical goods or services on the internet, this post will walk you through:
- What is 3-D Secure?
- Why is 3-D Secure a good feature?
- A small overview of 3-D Secure among issuers
- What is 3-D Secure 2.0?
- The benefits of 3-D Secure 2.0
Development of 3-D Secure
Before explaining what 3-D Secure is, let’s go behind the scenes of what led to the development of 3-D Secure.
Traditionally, a payment made in the webshop of a merchant (a company selling goods or services online) would be checked using only the authorisation process.
Authorisation is the process by which:
- The card details of a cardholder are checked to be valid (validated) by the issuing bank
- The account linked to the card is checked to see if it has enough funds
One can think that the authorisation by itself might be missing something. Basically, anybody could make purchases using a card as long as he or she knows the card details and there is enough money in the account, right? It can become a problem if these details end up in the wrong hands.
The problem is payment fraud: a payment made in the name of the cardholder by someone who didn’t receive permission to do so.
This issue was noticed in the payment industry and a solution was developed: 3-D Secure.
What is 3-D Secure?
3-D Secure is a feature which adds an extra layer of protection to reduce the risk of fraudulent transactions in e-Commerce. 3-D Secure supplements authorisation by implementing the authentication process.
Several globally-known card schemes implement 3-D Secure. Visa offers 3-D Secure in its Visa Secure (formerly known as Verified by Visa) program while Mastercard has Mastercard SecureCode.
How it works
Authentication tests the identity of the person making a payment. At checkout, after typing in the card details for a purchase, the person is asked in a pop-up window or inline frame to verify the identity of the cardholder.
This is done by using an authentication method:
- Static password (i.e. a permanent unchanged password)
- Dynamic password (i.e. a one-time password sent to the cardholder via text/e-mail)
- Biometric feature (e.g. a fingerprint linked to the cardholder’s registered mobile device)
- Scanned QR code (i.e. an on-screen QR code that needs to be scanned by the registered mobile device, using, for example, the Google Authenticator app)
The authentication method is set by the issuing bank.
If the authentication procedure is successful, the payment is approved (authenticated); if not, the payment is declined.
Attempts count too, so attempted authentications are recorded. A recorded attempt is proof that a merchant that implements the 3-D Secure feature tried to authenticate the cardholder but was faced with:
- An issuer that didn’t adopt 3-D Secure
- An issuer that has its processing server down
Why is 3-D Secure a good feature?
1. Liability shift
Without 3-D Secure, when a cardholder disputes a fraudulent transaction:
- The merchant is liable for the transaction
- The merchant has to repay the money in the form of a chargeback
But, if the merchant implements 3-D Secure, the liability for fraudulent transactions shifts to the issuer. This shift applies as long as:
- A transaction is authenticated
- Attempted authentication takes place [1]
2. Conditional 3-D Secure
Another great thing about 3-D Secure is that it can be customised. You don’t have to go all in.
What does this mean?
You can request to have 3-D Secure activated for high-risk transactions or for transactions of specific amounts. This is called Conditional 3-D Secure, a customisation of 3-D Secure.
Activation of 3-D Secure is usually coordinated between the merchant, payment gateway, and acquirer.
Conditional 3-D Secure has been proven to be very useful in increasing the number of retained customers.
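The liability-shift rule and a Conditional 3-D Secure policy can be combined in a few lines. This is an added example, not Clearhaus code or any gateway's API: the amount threshold, the field names and the sample transactions are constructed assumptions.

```python
from dataclasses import dataclass
from enum import Enum

class Outcome(Enum):
    NOT_REQUESTED = "authorisation only, 3-D Secure skipped"
    AUTHENTICATED = "cardholder authenticated"
    ATTEMPTED = "attempt recorded, issuer could not authenticate"
    FAILED = "authentication failed, payment declined"

@dataclass(frozen=True)
class Txn:
    txn_id: str
    amount_minor: int       # amount in minor units, e.g. cents
    high_risk: bool         # result of the merchant's own risk screening
    issuer_has_3ds: bool    # False: issuer not enrolled or its server is down
    cardholder_passes: bool

def run_3ds(txn: Txn, threshold_minor: int) -> Outcome:
    """Conditional 3-D Secure: only high-risk or large payments are sent."""
    if not (txn.high_risk or txn.amount_minor >= threshold_minor):
        return Outcome.NOT_REQUESTED
    if not txn.issuer_has_3ds:
        return Outcome.ATTEMPTED
    return Outcome.AUTHENTICATED if txn.cardholder_passes else Outcome.FAILED

def liable_party(outcome: Outcome):
    """Who bears a later fraud dispute; None when no payment took place."""
    if outcome is Outcome.FAILED:
        return None
    if outcome in (Outcome.AUTHENTICATED, Outcome.ATTEMPTED):
        return "issuer"
    return "merchant"

def merchant_exposure(txns, threshold_minor: int) -> int:
    """Total amount for which the merchant still carries chargeback liability."""
    return sum(t.amount_minor for t in txns
               if liable_party(run_3ds(t, threshold_minor)) == "merchant")

# Constructed sample transactions (not real data).
SAMPLE = [
    Txn("t1", 2_500, False, True, True),    # small, low risk: 3-D Secure skipped
    Txn("t2", 15_000, False, True, True),   # above threshold, authenticated
    Txn("t3", 4_000, True, False, True),    # high risk, issuer without 3-D Secure
    Txn("t4", 30_000, False, True, False),  # cardholder fails authentication
    Txn("t5", 9_999, False, True, True),    # just under a 10,000 threshold
]

if __name__ == "__main__":
    print({limit: merchant_exposure(SAMPLE, limit) for limit in (10_000, 5_000, 0)})
```

Lowering the threshold moves more payments under the liability shift, at the cost of sending more customers through the authentication step.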
PSD2 becomes effective starting from the 13th of January 2018, and one of its main points is that it will become mandatory for merchants to authenticate transactions. One sure way of fulfilling this criterion is by implementing 3-D Secure. Read more about this in our PSD2 e-book.
Overview of 3-D Secure among Issuers
Issuers worldwide have recognised the value of 3-D Secure as well as the drawbacks of failing to implement it.
We have gathered some data from 2016 and 2017 on issuers within the EU28/EEA and outside it.
A clear increase in the rate of implementation of 3-D Secure among issuers was recorded between 2016 and 2017.
Implementation rate within the EU28/EEA
In the first quarter (Q1) of 2016, around 25% of the issuers had implemented 3-D Secure; by Q1 of 2017, the implementation rate had reached an impressive 80%, in just one year.
When comparing Q2 from 2016 to Q2 from 2017, the figures remain pretty remarkable. In 2016, the implementation rate was 40% among issuers, while in 2017 it was recorded to be 83%.
Q3 in 2016 had an implementation rate of about 50%, reaching 88% in Q3 in 2017.
The implementation rate in Q4 of 2016 was 75%, while in Q4 of 2017 it passed 90%, amounting to 91.8% by our estimate.
For Q1 of 2018, it is estimated that the growth of the level of implementation will decrease in magnitude, not passing 95%.
The possible explanations for the upward trend in adoption among issuers from the EU28/EEA are:
- the rapid advances in payment security technology
- the deadline for PSD2
Implementation rate outside the EU28/EEA
The picture is slightly different for the issuers outside the EU28/EEA. In Q1 of 2016, the rate of implementation was just 5%, while in 2017 it skyrocketed to 38%.
The difference between Q2 of 2016 and Q2 of 2017 was not as dramatic, yet still notable. Over 20% of issuers had implemented 3-D Secure by July 2016 in comparison to 54% in July 2017.
Approximately 30% of the market had already implemented 3-D Secure by October 2016, while 56% had done so in Q3 of 2017.
The implementation rate in Q4 of 2016 reached almost 40%. In 2017, the rate in Q4 rose to 67%.
We estimate that the implementation rate in Q1 of 2018 will continue to grow and be between 75% and 80%.
The possible explanations for the upward trend in adoption among non-EU28/EEA issuers are:
- the fast-paced developments in payment security technology
- the increasing efforts put forward by Visa and Mastercard to ensure that the entire European continent is at a homogenous level of security
What is 3-D Secure 2.0?
3-D Secure 2.0 is the newest update of the 3-D Secure feature.
3-D Secure 2.0 was developed by EMVCo, a company jointly owned by Visa, Mastercard, American Express, Discover, JCB, and UnionPay.
The benefits of 3-D Secure 2.0
3-D Secure 2.0 uses more contextual data than earlier versions of 3-D Secure, which, according to Visa, leads to the following additional benefits:
- Speeding up purchases for low-risk transactions
- Offering greater security for high-risk transactions
- Decreased cart abandonment
1. Speeding up purchases
The amount of contextual data exchanged between cardholder, merchant, and issuer is 10 times bigger than before.
Examples of new contextual data used by 3-D Secure 2.0:
- Device information
- Service information
- Gift card information
- Screen height
Based on the contextual data, for low-risk transactions, issuers will be able to verify the identity of the cardholder without the authentication step.
As a result, customers will spend 85% less time in the checkout process.
Issuers consider the majority of transactions (95%) to be low-risk.
2. Greater security
For high-risk transactions, issuers will continue performing the authentication step.
To better detect potential fraud, the contextual data will help issuers understand the background of high-risk transactions:
- From what devices they usually take place
- The purchasing pattern of the cardholder
- During what hours transactions take place
3. Decreased cart abandonment
Thanks again to the contextual data, the authentication step may become unnecessary. This is said to lead to a 70% decrease in cart abandonment.
Visa said that it is expecting issuers and merchants to start implementing 3-D Secure 2.0 towards the end of 2017. To offer a smooth transition between versions, Visa will maintain its current rules for merchant-attempted 3-D transactions till March 2019. From April 2019, the new rules linked to 3-D Secure 2.0 will apply.
Mastercard has proposed that all of its issuers must support 3-D Secure 2.0 from 31st of December 2018. Merchants accepting Mastercard payments are expected from the 1st of December 2020 to use 3-D Secure 2.0 only.
To sum up
3-D Secure is a security feature that verifies the identity of the cardholder. This protects businesses from chargebacks by shifting the liability to the issuing bank in case of a fraudulent transaction.
3-D Secure can be “customised” (Conditional 3-D Secure) so the security step can be set only for specific transactions.
The feature also serves as a means of being compliant with the new regulations brought by PSD2.
In terms of adoption, the rate of implementation among issuers both within the EU28/EEA and outside it has steadily increased over time. The rate of implementation in Q1 of 2018 is expected to slow down among EU28/EEA issuers and stay under 95%, while among non-EU28/EEA issuers it is expected to continue to grow substantially, to approximately 80%.
3-D Secure 2.0 was created to fit the current needs of both consumers and merchants, as an improvement on the previous version. It is expected to reduce the time consumers spend in the checkout process by 85%, while merchants will see a 70% decrease in cart abandonment, all through the added contextual data obtained by merchants and issuers.
Clearhaus does not support 3-D Secure 2.0 currently. But we will. In the meantime, we are monitoring the adoption rate of issuers.
[1] When either the issuer or the cardholder does not have 3-D Secure implemented.