3D Secure, Friend or Foe?


February 16, 2017

Content by Sam Spall, Payments & Cards Network
Transcribed by Layla Durrani, Payments & Cards Network

Sam Spall

As a monthly contributor to the MRC Blog, my goal is to provide helpful resources for other industry professionals. I'd like to clarify that I am a recruiter in the industry -- not a Risk and Fraud Manager, but I have had the privilege to learn a lot from my candidates and clients. In my posts I like to focus on issues that are trending and share a little about what I know.

What is 3D Secure?

3D Secure is an additional layer of security for online credit and debit card transactions. In most current implementations of 3D Secure, the issuing bank or its ACS provider prompts the buyer for a password that is known only to the bank/ACS provider and the buyer. Since the merchant does not know this password and is not responsible for capturing it, it can be used by the issuing bank as evidence that the purchaser is indeed their cardholder.

A major goal behind the implementation of 3D Secure is to fight chargebacks. Because the merchant does not capture the password, 3D Secure ensures liability shifts from the merchant to the issuing bank. As we know, chargebacks are a primary threat to eCommerce companies, both large and small. If a chargeback is filed then the merchant is at risk of losing products or services that have already been sold, the associated payment, the fees incurred for payment processing, money for the chargeback penalty, and/or even possible commissions for currency conversions. Needless to say, eliminating chargebacks is a goal for every merchant. Once a fraudster finds a loophole, they can take advantage again and again.

Currently, the use of 3D Secure is controversial. Is it a useful tool or does it do more harm than good?

What are the pros of 3D Secure?

If a company is facing an overwhelming amount of chargebacks, it may be a wise decision to turn 3D Secure on for a short period of time. This could be done for every transaction but should be checked manually. This is certainly time consuming but it can pay dividends in the long run. I know several companies which have done this and their fraud prevention strategy is now much stronger because it provided them the knowledge to decipher the broken link in the chain. Turning on 3D Secure allows you to have transparency. The key element of 3D Secure lies within the password which is only known by the consumer and/or bank. This additional layer of security is much harder for fraudsters to crack and reasonably ensures only legitimate transactions are coming in.

What are the cons?

3D Secure can deter customers causing card abandonment and lowering conversion ratios. Let's say you're booking a trip. You complete all the necessary information and finally get to the payment page -- not a speedy process. All seems well and then the page disappears. As a consumer you start to feel worried, that maybe something has gone wrong. All of a sudden, a pop up appears and asks you to verify your information. Fraudsters are deterred because they are unlikely to know the password. Fraudsters generally operate in a way which means they have hundreds of lines of data (card details, billing addresses etc.) which they can input very quickly and submit hundreds of transactions at lightening speeds. But to the consumer, this pop up doesn't look friendly. It looks suspicious. They ask themselves, is this a scam? Is a fraudster trying to harvest my information? It is also possible that consumers feel offended when asked for additional detail or furthermore, do not know their password. Often, consumers feel discouraged and quit the process altogether.

Another scenario is that the box pops up for a second and then vanishes without asking for any additional detail, which is also a little alarming. Obviously, this is considered the friction effect and can deter non-fraudulent consumers from shopping with that company again, which subsequently reduces traffic to the website. 3D Secure may lower the amount of fraudulent transactions but it may also lower your revenue and reputation on the market. A good rule of thumb to reduce friction is to ensure marketing and payments departments work together to offer a built-in, attractive API payment system and communicate to the customer that they will be prompted for a password as an extra layer of security.

3D Secure 2.0

As technology continues to advance, so does 3D Secure. 3D Secure 2.0 will now support mobile, authenticating payments in apps and wallets, as opposed to just desktop devices. 3D Secure 2.0 is intended to be more seamless, embedding the password prompt into the checkout page itself rather than redirecting to a suspicious pop up.

However, 3D Secure is still a work in process. UK merchants are the first to begin implementing this authentication tool. There is more to learn and as more merchants begin to adopt it, we await the results to see if 2.0 proves skeptics wrong.