Risk & Fraud

The 3D Secure Name Game – Setting the Record Straight

By: David Ver Eecke, Sr. Fraud Product Manager

3-D Secure, 3D Secure, Verified by VISA (VBV), Mastercard SecureCode, American Express SafeKey, Discover ProtectBuy, Secure Online Transactions (SOT), 3DS, 3DS 1.0, 3DS 2.0, EMV 3-D Secure, and Mastercard Identity Check – you may have heard a few of these names mentioned over the years.

This bountiful cornucopia of branding all references the same set of protocols developed in 1999 to enhance the security of online ecommerce transactions. Even with the best intentions, it seems that all of the rebranding over the years has caused considerable confusion in the industry and with consumers. All too often, the first introduction to 3D Secure occurs after one experiences loss due to the increase in 3D secure ecommerce fraud.

That’s where 3D Secure 2.0 and One Time Password (OTP) come in to further enhance the security of online transactions, as well as mobile ecommerce transactions. This new protocol will give credit unions greater protection and control over ecommerce transactions, while providing a seamless member experience, free of unnecessary declines or alerts.

What is 3D Secure 2.0?

3D Secure 2.0 or three domain secure refers to the three partners required to process a secure payment: the issuer (the credit union issuing the card); the acquirer (the financial institution of the merchant to which the payment is being sent to); and the network where the transaction is being processed. The 3D Secure protocol is a set of standards first developed by Visa in 1999 and later as a cooperative effort by all the major global networks to ensure that all of the parties in a transaction can communicate and effectively secure and authenticate a member during an ecommerce transaction. The 2.0 version promises to be the biggest improvement to the protocol, as it will support the transmission of more data, simplify the member experience at checkout, and enhance the security of the transaction with Risk Based Authentication.

Why is 3D Secure 2.0 important?

With EMV maturing in the U.S. market and opportunities for card present fraud drying up, one avenue the fraudsters are turning to is online and mobile. This has led to increased card-not-present (CNP) losses around the globe and in the United States. In fact, the total CNP card fraud losses are expected to reach $5.9 billion in 2020, almost double compared to $3.2 billion in 2015, the year liability shifted to merchants for card present transactions1.

The original 3D Secure protocol used static passwords and required members to register online for an account. This often led to abandoned transactions and frustration due to forgotten passwords or incomplete registrations. In fact, in some cases fraudsters had enough information to impersonate a member and complete the 3D Secure registration leading to large losses for credit unions. While static passwords and inconvenient popup boxes have been recently replaced by Risk Based Authentication, the 3D Secure protocol continues to evolve and will further enhance online transaction security with the 2.0 specification.

With increasing fraud losses from CNP transactions, it’s understandable that credit unions would want to be more aggressive with fraud strategies to curb losses. However, member experience is an increasingly important consideration, as members expect a seamless checkout experience that isn’t cumbersome or hampered by declines. Traditionally, CNP transactions are subject to more aggressive decline rates, due to the fact that the member isn’t present at the point of sale, making them less inconvenient and embarrassing. The statistics show that false declines on CNP transactions often range from 15% to 20%, compared to 2% to 3% for CNP transactions2. When you add that to the increase in mobile and ecommerce transactions, it can all add up to upset members and increased CNP losses, as members now expect a smooth transaction experience for all of their transactions.

The Future of Secure Online Transactions

Luckily, this is where 3D Secure 2.0 can help significantly increase approval rates for CNP transactions, while providing additional security to prevent unauthorized transactions. Further, when 3D Secure 2.0 is coupled with OTP, which allows a unique code to be sent to a member’s trusted mobile device, this helps strengthen member authentication and convenience. Also, the new protocol will add ten times more data to be exchanged and will support many different payment channels such as in-app purchases and internet connected devices, such as Google Home and Amazon Alexa. All of these are not possible with the current 3D Secure 1.0 protocol.

Data, Data, Data

As with many things these days, it’s all about the data; 3D Secure 2.0 is no exception. The amount of data supplied by merchants and issuers has increased dramatically, which will help authenticate members and identify suspicious transactions more readily. 3D Secure 2.0 promises to provide ten times more data than the previous version. Data elements such as IP address, device type, order information and details will help secure transactions like never before. As an added benefit, the additional data exchanged will also help improve risk model fraud detection effectiveness and eliminate unneeded false positives.

In 1999, when the original 3D Secure Protocol was developed, who could have predicted the increase in ecommerce activity and the prevalence of the smart phone? Thankfully, the new 3D Secure 2.0 protocol will enhance the security of ecommerce and mobile transactions while providing a seamless member checkout experience. It is truly a modern security protocol designed for the way the web works today and in the future.

1,2 Aite Group, 3D Secure 2.0: Key Considerations for Card Issuers