3D Secure Authentication (3DS)
Maximizing protection and conversion during these unprecedented times of uncertainty
Per Due Inc.,[1] eCommerce sales were projected to reach $632 billion by 2020, increasing online fraudsters' incentives to innovate their tactics.[1] As people continue to stay home and transact more digitally during lockdown, we expect the projected numbers to increase further.
It is logical to expect new digital identities, as well as an increase in transaction volume for existing digital identities. This creates more opportunities for fraudsters to blend into the new trends. If more action isn't taken, it is projected that card-not-present (CNP) fraud losses by banks and other merchants in the United States could total more than $12 billion by 2020.[2]
The numbers above indicate the need to secure transactions and keep fraudsters at bay. In this article we will learn more about risk-based workflows with or without 3DS.
What is 3DS?
3DS, or 3D-Secure, is a secure protocol designed to provide enhanced security and stronger authentication for customers when they use their debit or credit cards for online purchases.
Benefits for merchants include reduced fraud risk and a shift in fraud liability from merchant to issuer. Version 1 of the 3DS protocol was developed in 1999, and as technology evolved, shortcomings in the protocol became apparent. 3DS 2.x was developed to address the 1.x shortcomings. It adds contextualized data (100+ fields) that the merchant can supply to the issuer, consistency in the way authentication screens are presented to the customer, mobile-friendly options, and the ability for specialist third-party device and digital identity intelligence vendors to enrich the risk decision process, better identifying trusted, returning customers while providing enhanced protection against fraudulent activity.
Is 3DS SCA compliant?
PSD2 mandates the principles of strong customer authentication (SCA). PSD2 is not enforced yet but will be at some time, and we need to be ready.
A combination of at least two of the following authentication factors is required for a successful transaction:
- Something the customer knows: OTP (one-time password), SMS code, PIN, password, security question, etc.
- Something the customer owns: Mobile device, wearable device, etc.
- Something the customer is: Biometric data like a fingerprint, iris scan, or facial or voice recognition.
What does a 3DS-enabled customer experience look like?
The transaction is assessed for risk by the credit or debit card issuer's 3D Secure service provider. 3DS is used to authenticate the online payment event. If the transaction is determined to be high-risk, it goes through a challenge or is declined.
In other words, it prompts the cardholder to verify their identity using one of the three authentication factors, chosen by the 3DS provider. If the transaction is deemed low-risk, no further action is required on the cardholder's end. Once authenticated, the transaction is then submitted for final authorization and approval.
Do merchants have a choice in the USA?
Merchants struggle to balance friction and conversion, and because 3DS does create some amount of friction, some merchants prefer not to use the 3DS security protocol.
If they do not use 3DS, they take the responsibility and control the level of risk they are willing to accept as per the merchant's risk and consumer appetite. If they decide to implement 3DS, there is a fraud liability shift from the merchants to card issuers, but they do incur a cost as a result of pushing the transactions through 3DS. Yes, they pay for this level of security, but they also know that they will not be taking any fraud loss or incremental operational cost to manage chargebacks. It also means the merchants will be leaving money on the table and will no longer control the level of risk they are willing to take on.
How do merchants ensure an effective balance between fraud, friction, and customer authentication?
Whether the merchants implement 3DS or not, it is important for them to evaluate risk-based workflows for these two reasons:
- If the merchant is 3DS-enabled, there is a risk assessment undertaken on the online event, and 3DS enables merchants and card issuers to make an informed risk decision
- If the merchant is not 3DS-enabled, they need risk-based workflows even more to reduce the fraud losses and operational cost
- Device and digital identity related attributes: Whether applied by the merchant directly as part of their own risk assessment, or through 3DS as part of the card issuer's risk assessment, device and digital identity analysis could provide a whole new set of data components.
- Decisioning: Merchants should use deep and rich information to make that risk assessment, whether that is all the information the merchant has (including data such as delivery address, webpage activity, etc.) or the extended amount of data shared with the card issuer through 3DS. For additional insights, merchants can go one level further and draw on data from their peers through existing consortiums.
When it comes to decision making, speed and accuracy are most relevant. Leveraging more data, as mentioned above, can bring accuracy. To ensure speed, merchants can use machine learning models, passive authentication capabilities like behavioral biometrics, and flagship models.
- Ease of deployment: The capability to deploy multiple types of customer journeys based on risk score can create an additional layer of fraud protection. It also routes the user down an appropriate path based on this outcome, enabling merchants and/or card issuers to strike an effective balance between fraud and friction.
[1] Due Inc.: https://due.com/blog/addressing-rising-payment-fraud-rates-u-s/
With the industry anticipating a PSD3 for some time, the European Commission (EC) published, on 28th June, its proposed revisions to the EU Payment Services Directive (PSD2) producing the planned PSD2, and proposals for a Payment Services Regulation (PSR). The proposals can be found here along with several impact assessment documents. The proposals will ensure consumers can make eCommerce payments safely in the EU, both domestically and across borders. Better choice for the consumer is also a focus.
On this webinar, we will delve into the proposed changes, what they mean and the impact on the industry.
One size does not fit all. That's the same when we talk about SCA from a merchant perspective. Shoppers are different and each transaction is unique from a security standpoint. In this session we will discuss the outcomes of applying SCA in a selective & optimized way to boost conversion, while minimizing fraud exposure.
Hear from the FIDO Alliance and its stakeholders to get a deep-dive into the topic of passwordless authentication. Hear how major merchants and online service providers are actively collaborating on making web logins more secure and usable for all consumers. We will discuss challenges with legacy approaches; the move away from passwords; and new technologies that are emerging to support this. We will look at this in the context of consumer preferences and regulations.
This session will delve into the real impact of identity-based attacks, drawing from ITRC's work providing assistance to victims of identity compromise, and ITRC’s published research reports. It will cover insights on the latest data breaches that fuel identity fraud, and attack trends across ecommerce, social media, online dating, etc. The session will explore how bad actors circumvent multi-factor authentication to gain access to accounts and conduct malicious scams.
There are dozens of different tools designed to prevent chargebacks. In theory, multiple options should make it easier than ever to keep risk in check. But sometimes, new additions just add to the noise of an already complicated situation.
To help remove the complexities, the Midigator team will give a simplified, easy-to-understand explanation of each of the different tools on the market today.
- Identity verification (AVS, 3D Secure, card security code)
- Prevention alerts (Ethoca alerts, Verifi CDRN)
- Order validation (Visa Order Insight, Mastercard Consumer Clarity)
- Acquirer refunds (Visa RDR, Mastercard Collaboration)
With a detailed understanding of the pros and cons of each technique, you’ll be able to create a strategy that is just right for your business.
- Learn how each of the different prevention solutions work
- Consider pros and cons of each technique
- Understand most relevant KPIs
- Review case studies for ROI
With the upcoming 3DS1 decommission planned in Oct’22, it’s important for merchants to plan their authentication strategy to not just process EMV 3DS transactions but optimize the entire payment experience.
To find out, join Gautam Pande, Director, Product Management, Identity Solutions at Mastercard, who will provide key considerations ahead of the 3DS1 decommission and share updates on the Identity Check platform to enable seamless digital commerce.
- Find out what to expect after the decommission date
- Be able to understand key changes in EMV 3DS 2.2
- Understand Mastercard’s Smart Authentication Platform
- Preview the Identity Check Express and the customer journey
On October 1st, a new regulation on recurring payments in India defeated almost any SaaS business, local or domestic. The Reserve Bank of India implemented new rules for recurring online transactions, making Additional Factor Authentication (OTP verification) mandatory for recurring payments. And this is just the latest example. How does Spotify guarantee that users in Argentina will not have their subscription disrupted because a local credit card didn’t fit their global payment infrastructure? How do you make sure entertainment subscribers in emerging markets enjoy the same outstanding customer experience as subscribers in the established U.S. market, without being kicked out of their subscription for failing to meet local regulations? Merchants are expected to keep up with tax and compliance rules, navigate the plethora of local payment methods, and stay agile to dodge low transaction rates and high fraud potential. Sound overwhelming? It doesn’t have to be.
dLocal’s session covers the strategies for delivering a seamless customer experience, remaining compliant with regulation and maintaining the necessary security protocols. Throughout the session, we will discuss SCA, 3DS authentication and how to successfully implement subscription payments in emerging markets, such as Brazil, Mexico, Nigeria, and India, where local payment infrastructure gaps exist. We will dive into the specifics of making the most of local cards, bank transfers and tokenization options; subscription logic handling; the use of direct debit in select markets; and the use of alternative payment methods as a payment recovery mechanism.
- Understand the complexities of fraud regulation in emerging markets
- Evaluate the benefit/risk of alternative payment methods
- Gain a clear overview of the current state of alternative payment methods and fraud prevention management in emerging markets such as Africa, Asia and Latin America.
Better fraud prevention, all around.
Many organizations rely on two-factor authentication (2FA) using one‑time passcodes (OTPs) sent by Short Message Service (SMS) to authenticate banking and ecommerce transactions. 2FA performed this way can be fast and easy, but SMS wasn’t designed to be a security tool.
Learn how your organization can leverage voice biometrics to protect customers and your brand by building the highest levels of protection, trust and loyalty.
In Nethone's Frictionless white paper, you will learn:
- How to reduce checkout friction to maximise your revenue
- How to manage UX friction associated with PSD2/SCA
- How to prepare for Transaction Risk Analysis (TRA)
- How to keep your customers happy
- How to achieve all this while effectively combating payment fraud
At SEON Technologies we have released new information on the countries that are most and least at risk of cyberattacks. We have also taken a close look at the most common types of cybercrime occurring in the US.
Dubbed the Global Cybercrime Report, the report explains how several countries are the safest in the world from fraud and other cybercrime, and why others are not. Our methodology for this research was based on how companies and public infrastructure are all being fairly well protected through both the legislation and the technology at their disposal.